Mercurial > repos > other > Puppet
view modules/postfix/templates/master.cf.epp @ 326:63e0b5149cfb
Add fallback relays to Postfix
This allows us to reliably send to IPv4 servers via Mythic-Beasts'
mailserver rather than getting random IPs from the NAT64 servers.
The firewall rules should ensure Postfix doesn't try to send
email out via NAT64 and falls back to the relay. IPv6 will still
go directly.
| author | IBBoard <dev@ibboard.co.uk> |
|---|---|
| date | Sat, 07 Mar 2020 14:29:34 +0000 |
| parents | 6d719622c72f |
| children | 38bb323e8231 |
line wrap: on
line source
<%- | Stdlib::IP::Address $mailserver_ip, Optional[Stdlib::IP::Address] $mailserver_proxy = undef, Stdlib::IP::Address $lo_ip, Stdlib::IP::Address $lo_networks, Optional[Array[Stdlib::Host]] $fallback_relays = [] | -%> # # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: "man 5 master"). # # Do not forget to execute "postfix reload" after editing this file. # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== #smtp inet n - n - - smtpd smtpd pass - - n - - smtpd -o smtpd_sasl_auth_enable=no [<%= $lo_ip %>]:smtp inet n - n - 1 smtpd -o smtpd_sasl_auth_enable=yes [<%= $mailserver_ip %>]:smtp inet n - n - 1 postscreen -o receive_override_options=no_address_mappings -o smtpd_sasl_auth_enable=no <%- if $mailserver_proxy != undef { -%> [<%= $mailserver_proxy %>]:smtps inet n - n - - smtpd -o smtpd_upstream_proxy_protocol=haproxy -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING [<%= $mailserver_proxy %>]:submission inet n - n - - smtpd -o smtpd_upstream_proxy_protocol=haproxy -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING <%- } -%> tlsproxy unix - - n - 0 tlsproxy dnsblog unix - - n - 0 dnsblog [<%= $mailserver_ip %>]:submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING [<%= $mailserver_ip %>]:smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING #628 inet n - n - - qmqpd pickup fifo n - n 60 1 pickup cleanup unix n - n - 0 cleanup qmgr fifo n - n 300 1 qmgr #qmgr fifo n - n 300 1 oqmgr tlsmgr unix - - n 1000? 1 tlsmgr rewrite unix - - n - - trivial-rewrite bounce unix - - n - 0 bounce defer unix - - n - 0 bounce trace unix - - n - 0 bounce verify unix - - n - 1 verify flush unix n - n 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - n - - smtp <%- if $mailserver_ip =~ Stdlib::IP::Address::V6 { -%> -o smtp_bind_address6=<%= $mailserver_ip %> <%- } else { -%> -o smtp_bind_address=<%= $mailserver_ip %> <%- } -%> <%- if size($fallback_relays) > 0 { -%> -o smtp_fallback_relays=<%= join($fallback_relays.map |$relay| { "[$relay]" }, ", ") %> <%- } -%> # When relaying mail as backup MX, disable fallback_relay to avoid MX loops relay unix - - n - - smtp -o smtp_fallback_relay= # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 showq unix n - n - - showq error unix - - n - - error retry unix - - n - - error discard unix - - n - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - n - - lmtp anvil unix - - n - 1 anvil scache unix - - n - 1 scache # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual # pages of the non-Postfix software to find out what options it wants. # # Many of the following services use the Postfix pipe(8) delivery # agent. See the pipe(8) man page for information about ${recipient} # and other message envelope options. # ==================================================================== # # maildrop. See the Postfix MAILDROP_README file for details. # Also specify in main.cf: maildrop_destination_recipient_limit=1 # #maildrop unix - n n - - pipe # flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient} # # ==================================================================== # # The Cyrus deliver program has changed incompatibly, multiple times. # #old-cyrus unix - n n - - pipe # flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user} # # ==================================================================== # # Cyrus 2.1.5 (Amos Gouaux) # Also specify in main.cf: cyrus_destination_recipient_limit=1 # #cyrus unix - n n - - pipe # user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user} # # ==================================================================== # # See the Postfix UUCP_README file for configuration details. # #uucp unix - n n - - pipe # flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) # # ==================================================================== # # Other external delivery methods. # #ifmail unix - n n - - pipe # flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) # #bsmtp unix - n n - - pipe # flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient # #scalemail-backend unix - n n - 2 pipe # flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store # ${nexthop} ${user} ${extension} # #mailman unix - n n - - pipe # flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py # ${nexthop} ${user} policy unix - n n - 0 spawn user=nobody argv=/usr/bin/perl /usr/local/lib/postfix-policyd-spf-perl/postfix-policyd-spf-perl # # spam/virus section # smtp-amavis unix - - y - 2 smtp -o smtp_data_done_timeout=1200 -o disable_dns_lookups=yes -o smtp_send_xforward_command=yes [<%= $lo_ip %>]:10025 inet n - y - - smtpd -o content_filter= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=[<%= $lo_networks %>] -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o receive_override_options=no_header_body_checks -o smtpd_helo_required=no -o smtpd_client_restrictions= -o smtpd_restriction_classes= -o disable_vrfy_command=no -o strict_rfc821_envelopes=yes