
postfix: Reflect latest configuration changes.

  Beware: Alias files and mynetworks are in private gitroot!

Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm 6 years ago
parent
commit
824ec6731e

+ 0 - 16
postfix/aliases.mail.in.ffho.net

@@ -1,16 +0,0 @@
-# /etc/aliases
-mailer-daemon: postmaster
-postmaster: root
-nobody: root
-hostmaster: root
-usenet: root
-news: root
-webmaster: root
-www: root
-ftp: root
-abuse: root
-noc: root
-security: root
-
-root: ops@ffho.net
-clamav: root

+ 40 - 0
postfix/init.sls

@@ -28,6 +28,16 @@ postfix:
     - watch_in:
       - service: postfix
 
+
+/etc/postfix/main.cf:
+  file.managed:
+    - source:
+      - salt://postfix/main.cf.{{ grains['id'] }}
+      - salt://postfix/main.cf
+    - template: jinja
+    - watch_in:
+      - service: postfix
+
 #
 # Send root mail to ops@ffho.net
 /etc/aliases:
@@ -48,3 +58,33 @@ newaliases:
 /etc/mailname:
   file.managed:
     - contents: "{{ mailname }}"
+
+
+#
+# Manage virtual domains and aliases on MX nodes
+#
+{% if 'mx' in salt['pillar.get']('nodes:' ~ grains['id'] ~ ':roles', []) %}
+/etc/postfix/virtual-domains:
+  file.managed:
+    - source: salt://postfix/virtual-domains
+
+postmap_domains:
+  cmd.wait:
+    - name: /usr/sbin/postmap /etc/postfix/virtual-domains
+    - watch:
+      - file: /etc/postfix/virtual-domains
+
+/etc/postfix/virtual-aliases:
+  file.managed:
+    - source: salt://postfix/virtual-aliases
+
+postmap_aliases:
+  cmd.wait:
+    - name: /usr/sbin/postmap /etc/postfix/virtual-aliases
+    - watch:
+      - file: /etc/postfix/virtual-aliases
+
+/etc/postfix/mynetworks:
+  file.managed:
+    - source: salt://postfix/mynetworks
+{% endif %}
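Review bot: The `/etc/postfix/mynetworks` state that closes the `{% if 'mx' … %}` block has no `watch_in` on the postfix service, unlike the `/etc/postfix/main.cf` state added in the first hunk of this file, so a change to the trusted-network list is written to disk but nothing reloads Postfix to pick it up (as far as I recall, a file-valued `mynetworks` is read when a Postfix daemon starts, so the previous list can stay in effect for a while). Since `permit_mynetworks` is the first relay permission in both main.cf variants, a stale list is a security-relevant inconsistency, not just a delay. Add `- watch_in:` / `  - service: postfix` to that state, mirroring the main.cf one; the two `cmd.wait` postmap states do not need it because their `.db` files are rebuilt by the command itself.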

+ 41 - 0
postfix/main.cf

@@ -0,0 +1,41 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = {{ grains['id'] }}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = {{ grains['id'] }}, localhost
+relayhost = mail.ffho.net
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_command = procmail -a "$EXTENSION"
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
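Review bot: `inet_interfaces = all` on the last line makes every node using this generic main.cf (the fallback when no per-host file exists, per the `source` list in init.sls) accept SMTP on every address with the snakeoil certificate from the TLS block, although the only local destinations are the node's own name and localhost and everything else is handed to `relayhost`. If these nodes only need to submit root mail, `inet_interfaces = loopback-only` removes the listener without touching the relay path; if some of them must receive mail from outside, a comment above the line saying so would save the next reader the same question. Separately, nothing sets `smtp_tls_security_level`, and with Postfix's default (empty) value outbound TLS is off, so mail to mail.ffho.net leaves in the clear; `smtp_tls_security_level = may` (or `encrypt`, since the relayhost is under the same administration) next to the `smtp_tls_session_cache_database` line would close that.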

+ 87 - 0
postfix/main.cf.mail.in.ffho.net

@@ -0,0 +1,87 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/mail.ffho.net.crt
+smtpd_tls_key_file=/etc/ssl/private/mail.ffho.net.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtpd_tls_mandatory_protocols = TLSv1.2 TLSv1.1 !TLSv1 !SSLv2 !SSLv3
+smtp_tls_mandatory_protocols = TLSv1.2 TLSv1.1 !TLSv1 !SSLv2 !SSLv3
+smtp_tls_protocols = !SSLv2, !SSLv3
+smtpd_tls_protocols = !SSLv2 !SSLv3
+smtpd_tls_exclude_ciphers = RC4, aNULL
+smtp_tls_exclude_ciphers = RC4, aNULL
+
+# SASL parameters
+smtpd_sasl_auth_enable = yes
+broken_sasl_auth_clients = yes
+smtpd_sasl_security_options = noanonymous
+smtpd_sasl_local_domain = 
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = mail.ffho.net
+alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
+alias_database = hash:/etc/aliases
+virtual_alias_domains = hash:/etc/postfix/virtual-domains
+virtual_alias_maps = hash:/etc/postfix/virtual-aliases
+#, hash:/var/lib/mailman/data/virtual-mailman
+myorigin = /etc/mailname
+mydestination = ffho.net, mail.in.ffho.net, mail.ffho.net, lists.ffho.net, localhost
+relayhost = 
+# TAKE CARE! If using postfix-to-mailman.py:
+# never ever put a (sub)domain into $relay_domains AND $virtual_alias_domains
+#relay_domains = lists.ffho.net
+#relay_recipient_maps = hash:/var/lib/mailman/data/virtual-mailman
+#transport_maps = hash:/etc/postfix/transport
+#mailman_destination_recipient_limit = 1
+#mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mynetworks = /etc/postfix/mynetworks
+mailbox_command = procmail -a "$EXTENSION"
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+ 				
+smtpd_sender_restrictions =     check_sender_access hash:/etc/postfix/sender_checks,   
+				check_sender_access regexp:/etc/postfix/sender_checks_regexp,
+                                reject_non_fqdn_sender,
+                                reject_unknown_sender_domain
+
+smtpd_recipient_restrictions =  check_recipient_access hash:/etc/postfix/access_recipient-rfc,
+                                reject_non_fqdn_recipient,
+                                reject_unknown_recipient_domain, 
+                                permit_mynetworks, 
+                                permit_sasl_authenticated,
+                                reject_unauth_destination, 
+                                reject_unauth_pipelining,
+                                #Local Whitelist to override greylisting and RBL checks
+                                check_client_access hash:/etc/postfix/rbl_override,
+                                #embed policyd-weight daemon: RBL quorum instead of termination by vote of only ONE RBL
+                                check_policy_service inet:127.0.0.1:12525,
+                                #greylisting by greyfix:
+				check_policy_service unix:private/greyfix,
+				permit
+
+#insert MailScanner checks
+header_checks = regexp:/etc/postfix/header_checks
+
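Review bot: `smtpd_sasl_auth_enable = yes` in the SASL block turns on password authentication for every smtpd instance, including port 25, while nothing sets `smtpd_tls_auth_only`, so a client can send credentials over a session that never negotiated STARTTLS (the TLS parameters above only make it available, not required). Add `smtpd_tls_auth_only = yes` right after `smtpd_sasl_auth_enable`, or keep SASL off here and enable it only on the 587 listener in master.cf via `-o smtpd_sasl_auth_enable=yes`. The restriction lists also reference `hash:/etc/postfix/sender_checks`, `regexp:/etc/postfix/sender_checks_regexp`, `hash:/etc/postfix/access_recipient-rfc`, `hash:/etc/postfix/rbl_override` and `regexp:/etc/postfix/header_checks`, none of which init.sls manages in this commit; if they are not provisioned elsewhere, smtpd tempfails every transaction on the missing table, so the commit message's "private gitroot" note should cover them or the states should. As a style point, the two `*_tls_mandatory_protocols` lines mix include and exclude syntax (`TLSv1.2 TLSv1.1 !TLSv1 !SSLv2 !SSLv3`); the exclusion-only form `!SSLv2, !SSLv3, !TLSv1` is the one postconf(5) recommends and matches the `*_tls_protocols` lines below it.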

+ 5 - 5
postfix/master.cf.mail.in.ffho.net

@@ -37,6 +37,7 @@ smtp      inet  n       -       -       -       -       smtpd
 #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 #  -o milter_macro_daemon_name=ORIGINATING
 #628       inet  n       -       -       -       -       qmqpd
+587       inet  n       -       n       -       -       smtpd
 pickup    fifo  n       -       -       60      1       pickup
 cleanup   unix  n       -       -       -       0       cleanup
 qmgr      fifo  n       -       n       300     1       qmgr
@@ -118,9 +119,8 @@ bsmtp     unix  -       n       n       -       -       pipe
   flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
 scalemail-backend unix	-	n	n	-	2	pipe
   flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
-mailman   unix  -       n       n       -       -       pipe
-  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
-  ${nexthop} ${user}
+#mailman   unix  -       n       n       -       -       pipe
+#  flags=FR user=list
+#  argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
 greyfix    unix  -       n       n       -       -       spawn
-      user=nobody argv=/usr/local/sbin/greyfix --greylist-delay 60 -/ 24 -6 56
-
+  user=nobody argv=/usr/local/sbin/greyfix --greylist-delay 60 -/ 24 -6 56
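Review bot: The new `587       inet  n       -       n       -       -       smtpd` line starts a second smtpd on the submission port with exactly the port-25 behaviour, because no `-o` overrides follow it: TLS is not required, SASL is whatever main.cf sets globally, and the relay restrictions are the same as on 25, while the commented Debian template lines just above it (`-o smtpd_relay_restrictions=permit_sasl_authenticated,reject`) show the intended shape for a submission service. As written the extra port adds nothing over 25 except a second exposure of the same service. I would give the listener the submission-specific options below; whether main.cf keeps SASL enabled on port 25 as well is a separate decision worth a comment there. The second hunk (mailman commented out, greyfix re-indented) is fine.
```ini
587       inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# … unchanged: pickup, cleanup, qmgr entries …
```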