tmakinen/puppet
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merged in svimes/puppet-svimes (pull request #24)

Browse source 
Postfix + Cyrus IMAPd Support Improved
This commit is contained in:
Ossi Salmi 2013-03-08 14:55:52 +02:00
commit f688225735
8 changed files with 788 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

87
cyrus/files/cyrus.conf Normal file
View file

@ -0,0 +1,87 @@
# Debian defaults for Cyrus IMAP server/cluster implementation
# see cyrus.conf(5) for more information
#
# All the tcp services are tcpd-wrapped. see hosts_access(5)
START {
# do not delete this entry!
recover cmd="/usr/sbin/cyrus ctl_cyrusdb -r"
# this is only necessary if idlemethod is set to "idled" in imapd.conf
#idled cmd="idled"
# this is useful on backend nodes of a Murder cluster
# it causes the backend to syncronize its mailbox list with
# the mupdate master upon startup
#mupdatepush cmd="/usr/sbin/cyrus ctl_mboxlist -m"
# this is recommended if using duplicate delivery suppression
delprune cmd="/usr/sbin/cyrus expire -E 3"
# this is recommended if caching TLS sessions
tlsprune cmd="/usr/sbin/cyrus tls_prune"
}
# UNIX sockets start with a slash and are absolute paths
# you can use a maxchild=# to limit the maximum number of forks of a service
# you can use babysit=true and maxforkrate=# to keep tight tabs on the service
# most services also accept -U (limit number of reuses) and -T (timeout)
SERVICES {
# --- Normal cyrus spool, or Murder backends ---
# add or remove based on preferences
imap cmd="imapd -U 30" listen="imap" prefork=0 maxchild=100
imaps cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100
#pop3 cmd="pop3d -U 30" listen="pop3" prefork=0 maxchild=50
#pop3s cmd="pop3d -s -U 30" listen="pop3s" prefork=0 maxchild=50
#nntp cmd="nntpd -U 30" listen="nntp" prefork=0 maxchild=100
#nntps cmd="nntpd -s -U 30" listen="nntps" prefork=0 maxchild=100
# At least one form of LMTP is required for delivery
# (you must keep the Unix socket name in sync with imap.conf)
#lmtp cmd="lmtpd" listen="localhost:lmtp" prefork=0 maxchild=20
lmtpunix cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp" prefork=0 maxchild=20
# ----------------------------------------------
# useful if you need to give users remote access to sieve
# by default, we limit this to localhost in Debian
sieve cmd="timsieved" listen="localhost:sieve" prefork=0 maxchild=100
# this one is needed for the notification services
notify cmd="notifyd" listen="/var/run/cyrus/socket/notify" proto="udp" prefork=1
# --- Murder frontends -------------------------
# enable these and disable the matching services above,
# except for sieve (which deals automatically with Murder)
# mupdate database service - must prefork at least 1
# (mupdate slaves)
#mupdate cmd="mupdate" listen=3905 prefork=1
# (mupdate master, only one in the entire cluster)
#mupdate cmd="mupdate -m" listen=3905 prefork=1
# proxies that will connect to the backends
#imap cmd="proxyd" listen="imap" prefork=0 maxchild=100
#imaps cmd="proxyd -s" listen="imaps" prefork=0 maxchild=100
#pop3 cmd="pop3proxyd" listen="pop3" prefork=0 maxchild=50
#pop3s cmd="pop3proxyd -s" listen="pop3s" prefork=0 maxchild=50
#lmtp cmd="lmtpproxyd" listen="lmtp" prefork=1 maxchild=20
# ----------------------------------------------
}
EVENTS {
# this is required
checkpoint cmd="/usr/sbin/cyrus ctl_cyrusdb -c" period=30
# this is only necessary if using duplicate delivery suppression
delprune cmd="/usr/sbin/cyrus expire -E 3" at=0401
# this is only necessary if caching TLS sessions
tlsprune cmd="/usr/sbin/cyrus tls_prune" at=0401
# indexing of mailboxes for server side fulltext searches
# reindex changed mailboxes (fulltext) approximately every other hour
#squatter_1 cmd="/usr/bin/nice -n 19 /usr/sbin/cyrus squatter -s" period=120
# reindex all mailboxes (fulltext) daily
#squatter_a cmd="/usr/sbin/cyrus squatter" at=0517
}

115
cyrus/manifests/init.pp Normal file
View file

@ -0,0 +1,115 @@
# By default we want to run an IMAP(s) server and disabled pop3 + nntp.
#
# $cyrus_key:
# Path to SSL private key. Defaults to puppet client key.
#
# $cyrus_cert:
# Path to SSL certificate. Defaults to puppet client certificate.
#
# $cyrus_admins:
# List of users "user1 user2", which have admin rights on the IMAP server.
class cyrus {
case $::operatingsystem {
"ubuntu","debian": {}
default: {
fail("cyrus not supported on ${::operatingsystem}")
}
}
include ssl
if !$cyrus_key {
$postfix_key = "${puppet_ssldir}/private_keys/${homename}.pem"
}
if !$cyrus_cert {
$postfix_cert = "${puppet_ssldir}/certs/${homename}.pem"
}
if !$cyrus_admins {
$cyrus_admins = "admin"
}
package { [
"cyrus-imapd-2.4",
"cyrus-clients-2.4",
"cyrus-admin-2.4",
"cyrus-doc-2.4", ]:
ensure => present,
}
service { "cyrus-imapd":
ensure => running,
enable => true,
require => Package["cyrus-imapd-2.4"],
}
file { "${ssl::certs}/cyrus.crt":
ensure => present,
source => $cyrus_cert,
mode => "0644",
owner => "root",
group => "root",
notify => Service["cyrus-imapd"],
}
file { "${ssl::private}/cyrus.key":
ensure => present,
source => $cyrus_key,
mode => "0640",
owner => "root",
group => "mail",
notify => Service["cyrus-imapd"],
}
exec { "usermod-cyrus-ssl-cert":
path => "/bin:/usr/bin:/sbin:/usr/sbin",
command => "usermod -a -G ssl-cert cyrus",
unless => "id -n -G cyrus | grep '\\bssl-cert\\b'",
notify => Service["cyrus-imapd"],
}
file { "/etc/cyrus.conf":
ensure => present,
mode => "0644",
owner => "root",
group => "root",
source => "puppet:///modules/cyrus/cyrus.conf",
notify => Service["cyrus-imapd"],
require => Package["cyrus-imapd-2.4"],
}
file { "/etc/imapd.conf":
ensure => present,
mode => "0644",
owner => "root",
group => "root",
content => template("cyrus/imapd.conf.erb"),
notify => Service["cyrus-imapd"],
require => Package["cyrus-imapd-2.4"],
}
file { "/run/cyrus/socket":
ensure => directory,
mode => "0750",
owner => "cyrus",
group => "postfix",
}
# Fix broken ubuntu packaging
file { "/run/cyrus/lock":
ensure => directory,
mode => "0750",
owner => "cyrus",
group => "mail",
}
# Fix broken ubuntu packaging
file { "/run/cyrus/proc":
ensure => directory,
mode => "0750",
owner => "cyrus",
group => "mail",
}
}

322
cyrus/templates/imapd.conf.erb Normal file
View file

@ -0,0 +1,322 @@
# Debian Cyrus imapd.conf
# See imapd.conf(5) for more information and more options
# Configuration directory
configdirectory: /var/lib/cyrus
# Directories for proc and lock files
proc_path: /run/cyrus/proc
mboxname_lockpath: /run/cyrus/lock
# Which partition to use for default mailboxes
defaultpartition: default
partition-default: /var/spool/cyrus/mail
# News setup
partition-news: /var/spool/cyrus/news
newsspool: /var/spool/news
# Alternate namespace
# If enabled, activate the alternate namespace as documented in
# /usr/share/doc/cyrus-doc-2.4/html/altnamespace.html, where an user's
# subfolders are in the same level as the INBOX
# See also userprefix and sharedprefix on imapd.conf(5)
altnamespace: no
# UNIX Hierarchy Convention
# Set to yes, and cyrus will accept dots in names, and use the forward
# slash "/" to delimit levels of the hierarchy. This is done by converting
# internally all dots to "^", and all "/" to dots. So the "rabbit.holes"
# mailbox of user "helmer.fudd" is stored in "user.elmer^fud.rabbit^holes"
unixhierarchysep: no
# Rejecting illegal characters in headers
# Headers of RFC2882 messages must not have characters with the 8th bit
# set. However, too many badly-written MUAs generate this, including most
# spamware. Enable this to reject such messages.
#reject8bit: yes
# Munging illegal characters in headers
# Headers of RFC2882 messages must not have characters with the 8th bit
# set. However, too many badly-written MUAs generate this, including most
# spamware. If you kept reject8bit disabled, you can choose to leave the
# crappage untouched by disabling this (if you don't care that IMAP SEARCH
# won't work right anymore.
#munge8bit: no
# Forcing recipient user to lowercase
# Cyrus IMAPD is case-sensitive. If all your mail users are in lowercase, it is
# probably a very good idea to set lmtp_downcase_rcpt to true. This is set by
# default, per RFC2821. This was not set by default in debian versions up to
# and including 2.2.12-4.
lmtp_downcase_rcpt: yes
# Uncomment the following and add the space-separated users who
# have admin rights for all services.
admins: <%= cyrus_admins %>
# Space-separated list of users that have lmtp "admin" status (i.e. that
# can deliver email through TCP/IP lmtp). If specified, this parameter
# overrides the "admins" parameter above
#lmtp_admins: postman
# Space-separated list of users that have mupdate "admin" status, in
# addition to those in the admins: entry above. Note that mupdate slaves and
# backends in a Murder cluster need to autenticate against the mupdate master
# as admin users.
#mupdate_admins: mupdateman
# Space-separated list of users that have imapd "admin" status, in
# addition to those in the admins: entry above
#imap_admins: cyrus
# Space-separated list of users that have sieve "admin" status, in
# addition to those in the admins: entry above
#sieve_admins: cyrus
# List of users and groups that are allowed to proxy for other users,
# seperated by spaces. Any user listed in this will be allowed to login
# for any other user. Like "admins:" above, you can have imap_proxyservers
# and sieve_proxyservers.
#proxyservers: cyrus
# No anonymous logins
allowanonymouslogin: no
# Minimum time between POP mail fetches in minutes
popminpoll: 1
# If nonzero, normal users may create their own IMAP accounts by creating
# the mailbox INBOX. The user's quota is set to the value if it is positive,
# otherwise the user has unlimited quota.
autocreatequota: 0
# umask used by Cyrus programs
umask: 077
# Sendmail binary location
# DUE TO A BUG, Cyrus sends CRLF EOLs to this program. This breaks Exim 3.
# For now, to work around the bug, set this to a wrapper that calls
# /usr/sbin/sendmail -dropcr instead if you use Exim 3.
#sendmail: /usr/sbin/sendmail
# If enabled, cyrdeliver will look for Sieve scripts in user's home
# directories: ~user/.sieve.
sieveusehomedir: false
# If sieveusehomedir is false, this directory is searched for Sieve scripts.
sievedir: /var/spool/sieve
# notifyd(8) method to use for "MAIL" notifications. If not set, "MAIL"
# notifications are disabled. Valid methods are: null, log, zephyr
#mailnotifier: zephyr
# notifyd(8) method to use for "SIEVE" notifications. If not set, "SIEVE"
# notifications are disabled. This method is only used when no method is
# specified in the script. Valid methods are null, log, zephyr, mailto
#sievenotifier: zephyr
# DRAC (pop-before-smtp, imap-before-smtp) support
# Set dracinterval to the time in minutes to call DRAC while a user is
# connected to the imap/pop services. Set to 0 to disable DRAC (default)
# Set drachost to the host where the rpc drac service is running
#dracinterval: 0
#drachost: localhost
# If enabled, the partitions will also be hashed, in addition to the hashing
# done on configuration directories. This is recommended if one partition has a
# very bushy mailbox tree.
hashimapspool: true
# Allow plaintext logins by default (SASL PLAIN)
allowplaintext: yes
# Force PLAIN/LOGIN authentication only
# (you need to uncomment this if you are not using an auxprop-based SASL
# mechanism. saslauthd users, that means you!). And pay attention to
# sasl_minimum_layer and allowapop below, too.
sasl_mech_list: PLAIN LOGIN
# Allow use of the POP3 APOP authentication command.
# Note that this command requires that the plaintext passwords are
# available in a SASL auxprop backend (eg. sasldb), and that the system
# can provide enough entropy (eg. from /dev/urandom) to create a challenge
# in the banner.
#allowapop: no
# The minimum SSF that the server will allow a client to negotiate. A
# value of 1 requires integrity protection; any higher value requires some
# amount of encryption.
#sasl_minimum_layer: 0
# The maximum SSF that the server will allow a client to negotiate. A
# value of 1 requires integrity protection; any higher value requires some
# amount of encryption.
#sasl_maximum_layer: 256
# List of remote realms whose users may log in using cross-realm
# authentications. Seperate each realm name by a space. A cross-realm
# identity is considered any identity returned by SASL with an "@" in it.
# NOTE: To support multiple virtual domains on the same interface/IP,
# you need to list them all as loginreals. If you don't list them here,
# (most of) your users probably won't be able to log in.
#loginrealms: example.com
# Enable virtual domain support. If enabled, the user's domain will
# be determined by splitting a fully qualified userid at the last '@'
# or '%' symbol. If the userid is unqualified, and the virtdomains
# option is set to "on", then the domain will be determined by doing
# a reverse lookup on the IP address of the incoming network
# interface, otherwise the user is assumed to be in the default
# domain (if set).
#virtdomains: userid
# The default domain for virtual domain support
# If the domain of a user can't be taken from its login and it can't
# be determined by doing a reverse lookup on the interface IP, this
# domain is used.
#defaultdomain:
#
# SASL library options (these are handled directly by the SASL libraries,
# refer to SASL documentation for an up-to-date list of these)
#
# The mechanism(s) used by the server to verify plaintext passwords. Possible
# values are "saslauthd", "auxprop", "pwcheck" and "alwaystrue". They
# are tried in order, you can specify more than one, separated by spaces.
#
# Do note that, since sasl will be run as user cyrus, you may have a lot of
# trouble to set this up right.
sasl_pwcheck_method: saslauthd
# What auxpropd plugins to load, if using sasl_pwcheck_method: auxprop
# by default, all plugins are tried (which is probably NOT what you want).
#sasl_auxprop_plugin: sasldb
# If enabled, the SASL library will automatically create authentication secrets
# when given a plaintext password. Refer to SASL documentation
sasl_auto_transition: no
#
# SSL/TLS Options
#
# File containing the global certificate used for ALL services (imap, pop3,
# lmtp, sieve)
tls_cert_file: <%= scope.lookupvar('ssl::certs') %>/cyrus.crt
# File containing the private key belonging to the global server certificate.
tls_key_file: <%= scope.lookupvar('ssl::private') %>/cyrus.key
# File containing the certificate used for imap. If not specified, the global
# certificate is used. A value of "disabled" will disable SSL/TLS for imap.
#imap_tls_cert_file: /etc/ssl/certs/cyrus-imap.pem
# File containing the private key belonging to the imap-specific server
# certificate. If not specified, the global private key is used. A value of
# "disabled" will disable SSL/TLS for imap.
#imap_tls_key_file: /etc/ssl/private/cyrus-imap.key
# File containing the certificate used for pop3. If not specified, the global
# certificate is used. A value of "disabled" will disable SSL/TLS for pop3.
#pop3_tls_cert_file: /etc/ssl/certs/cyrus-pop3.pem
# File containing the private key belonging to the pop3-specific server
# certificate. If not specified, the global private key is used. A value of
# "disabled" will disable SSL/TLS for pop3.
#pop3_tls_key_file: /etc/ssl/private/cyrus-pop3.key
# File containing the certificate used for lmtp. If not specified, the global
# certificate is used. A value of "disabled" will disable SSL/TLS for lmtp.
#lmtp_tls_cert_file: /etc/ssl/certs/cyrus-lmtp.pem
# File containing the private key belonging to the lmtp-specific server
# certificate. If not specified, the global private key is used. A value of
# "disabled" will disable SSL/TLS for lmtp.
#lmtp_tls_key_file: /etc/ssl/private/cyrus-lmtp.key
# File containing the certificate used for sieve. If not specified, the global
# certificate is used. A value of "disabled" will disable SSL/TLS for sieve.
#sieve_tls_cert_file: /etc/ssl/certs/cyrus-sieve.pem
# File containing the private key belonging to the sieve-specific server
# certificate. If not specified, the global private key is used. A value of
# "disabled" will disable SSL/TLS for sieve.
#sieve_tls_key_file: /etc/ssl/private/cyrus-sieve.key
# File containing one or more Certificate Authority (CA) certificates.
#tls_ca_file: /etc/ssl/certs/cyrus-imapd-ca.pem
# Path to directory with certificates of CAs.
tls_ca_path: /etc/ssl/certs
# The length of time (in minutes) that a TLS session will be cached for later
# reuse. The maximum value is 1440 (24 hours), the default. A value of 0 will
# disable session caching.
tls_session_timeout: 1440
# The list of SSL/TLS ciphers to allow, in decreasing order of precedence.
# The format of the string is described in ciphers(1). The Debian default
# selects TLSv1 high-security ciphers only, and removes all anonymous ciphers
# from the list (because they provide no defense against man-in-the-middle
# attacks). It also orders the list so that stronger ciphers come first.
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
# Require a client certificate for ALL services (imap, pop3, lmtp, sieve).
#tls_require_cert: false
# Require a client certificate for imap ONLY.
#imap_tls_require_cert: false
# Require a client certificate for pop3 ONLY.
#pop3_tls_require_cert: false
# Require a client certificate for lmtp ONLY.
#lmtp_tls_require_cert: false
# Require a client certificate for sieve ONLY.
#sieve_tls_require_cert: false
#
# Cyrus Murder cluster configuration
#
# Set the following options to the values needed for this server to
# autenticate against the mupdate master server:
# mupdate_server
# mupdate_port
# mupdate_username
# mupdate_authname
# mupdate_realm
# mupdate_password
# mupdate_retry_delay
##
## KEEP THESE IN SYNC WITH cyrus.conf
##
# Unix domain socket that lmtpd listens on.
lmtpsocket: /var/run/cyrus/socket/lmtp
# Unix domain socket that idled listens on.
idlesocket: /var/run/cyrus/socket/idle
# Unix domain socket that the new mail notification daemon listens on.
notifysocket: /var/run/cyrus/socket/notify
# Syslog prefix. Defaults to cyrus (so logging is done as cyrus/imap etc.)
syslog_prefix: cyrus
##
## DEBUGGING
##
# Debugging hook. See /usr/share/doc/cyrus-common-2.4/README.Debian.debug
# Keep the hook disabled when it is not in use
#
# gdb Back-traces
#debug_command: /usr/bin/gdb -batch -cd=/tmp -x /usr/lib/cyrus/get-backtrace.gdb /usr/lib/cyrus/bin/%s %d >/tmp/gdb-backtrace.cyrus.%1$s.%2$d <&- 2>&1 &
#
# system-call traces
#debug_command: /usr/bin/strace -tt -o /tmp/strace.cyrus.%s.%d -p %2$d <&- 2>&1 &
#
# library traces
#debug_command: /usr/bin/ltrace -tt -n 2 -o /tmp/ltrace.cyrus.%s.%d -p %2$d <&- 2>&1 &

15
hastymail/manifests/init.pp
View file

@ -1,6 +1,21 @@
class hastymail {
case $::operatingsystem {
"ubuntu","debian": {
package { ["php5", "php5-cli", "php5-common",
"php5-imap", "php5-ldap", "php5-mcrypt"]:
ensure => installed,
}
}
"centos","redhat","fedora": {
}
default: {
fail("cyrus not supported on ${::operatingsystem}")
}
}
if !$hastymail_package {
if $hastymail_package_latest {
$hastymail_package = $hastymail_package_latest

1
postfix/files/smtpd.conf Normal file
View file

@ -0,0 +1 @@
pwcheck_method: saslauthd

137
postfix/manifests/init.pp
View file

@ -5,6 +5,9 @@
# $mail_domain:
# SMTP domain name.
#
# $mydestination:
# Destinations we will accept and relay mail for.
#
# $mail_server:
# Optional smarthost used for sending mail.
#
@ -29,6 +32,17 @@
# $postfix_cert:
# Path to SSL certificate. Defaults to puppet client certificate.
#
# $postfix_chain:
# Path to intermediary CA cert.
#
# $postgrey:
# Whether to run postgrey or not.
#
# $submission:
# Whether to enable submission (and sasl::saslauthd).
#
# $cyrus_lmtp:
# Whether to enable cyrus-lmtp delivery.
class postfix {
include ssl
@ -60,6 +74,61 @@ class postfix {
$postfix_interfaces = "localhost"
}
file { "${ssl::certs}/postfix.crt":
ensure => present,
source => $postfix_cert,
mode => "0644",
owner => "root",
group => "root",
require => Package["postfix"],
notify => Service["postfix"],
}
if $postfix_chain {
file { "${ssl::certs}/postfix-chain.crt":
ensure => present,
source => $postfix_chain,
mode => "0644",
owner => "root",
group => "root",
require => Package["postfix"],
notify => Service["postfix"],
}
}
file { "${ssl::private}/postfix.key":
ensure => present,
source => $postfix_key,
mode => "0640",
owner => "root",
group => "postfix",
require => Package["postfix"],
notify => Service["postfix"],
}
exec { "usermod-postfix-ssl-cert":
path => "/bin:/usr/bin:/sbin:/usr/sbin",
command => "usermod -a -G ssl-cert postfix",
unless => "id -n -G postfix | grep '\\bssl-cert\\b'",
notify => Service["postfix"],
}
if $postgrey {
case $::operatingsystem {
"debian","ubuntu": {
package {"postgrey": ensure => installed,}
exec { "usermod-postfix":
path => "/bin:/usr/bin:/sbin:/usr/sbin",
command => "usermod -a -G mail postfix",
unless => "id -n -G postfix | grep '\\bmail\\b'",
}
}
default: {
fail("Postgrey module not yet supported in ${::operatingsystem}.")
}
}
}
package { "postfix":
ensure => installed,
}
@ -70,23 +139,6 @@ class postfix {
require => Package["postfix"],
}
file { "${ssl::certs}/postfix.crt":
ensure => present,
source => $postfix_cert,
mode => "0644",
owner => "root",
group => "root",
notify => Service["postfix"],
}
file { "${ssl::private}/postfix.key":
ensure => present,
source => $postfix_key,
mode => "0600",
owner => "root",
group => "root",
notify => Service["postfix"],
}
file { "/etc/postfix/main.cf":
ensure => present,
mode => "0644",
@ -97,6 +149,56 @@ class postfix {
require => Package["postfix"],
}
if $submission {
include sasl::saslauthd
file { "/var/spool/postfix/var":
ensure => directory,
mode => "0755",
owner => "root",
group => "root",
}
file { "/var/spool/postfix/var/run":
ensure => directory,
mode => "0755",
owner => "root",
group => "root",
}
file { "/var/spool/postfix/var/run/saslauthd":
ensure => directory,
mode => "0755",
owner => "root",
group => "root",
}
mount { "/var/spool/postfix/var/run/saslauthd":
ensure => mounted,
atboot => true,
device => "/var/run/saslauthd",
options => "bind,noauto",
fstype => "bind",
dump => "0",
pass => "0",
}
file { "/etc/postfix/sasl/smtpd.conf":
ensure => present,
mode => "0644",
owner => "root",
group => "root",
source => "puppet:///modules/postfix/smtpd.conf",
notify => Service["postfix"],
}
}
file { "/etc/postfix/master.cf":
ensure => present,
mode => "0644",
owner => "root",
group => "root",
content => template("postfix/master.cf.erb"),
notify => Service["postfix"],
require => Package["postfix"],
}
file { "/etc/aliases":
ensure => present,
source => [
@ -132,3 +234,4 @@ class postfix {
}
}

14
postfix/templates/main.cf.erb
View file

@ -167,7 +167,11 @@ inet_protocols = all
#
# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
#
<% if has_variable?("mydestination") -%>
mydestination = <%= mydestination %>
<% else -%>
mydestination = $myhostname, localhost.$mydomain, localhost
<% end -%>
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
# mail.$mydomain, www.$mydomain, ftp.$mydomain
@ -480,6 +484,9 @@ mail_spool_directory = /var/mail
# non-UNIX accounts with "User unknown in local recipient table".
#
#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
<% if has_variable?("cyrus_lmtp") -%>
mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
<% end -%>
# If using the cyrus-imapd IMAP server deliver local mail to the IMAP
# server using LMTP (Local Mail Transport Protocol), this is prefered
@ -564,7 +571,11 @@ smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination,
<% if has_variable?("postgrey") -%>
check_policy_service inet:127.0.0.1:10023
<% else -%>
check_relay_domains
<% end -%>
# The header_checks parameter specifies an optional table with patterns
# that each logical message header is matched against, including
@ -720,6 +731,9 @@ smtpd_sasl_security_options = noanonymous
# TLS
#
smtpd_use_tls=yes
<% if has_variable?("postfix_chain") -%>
smtpd_tls_CAfile = <%= scope.lookupvar('ssl::certs') %>/postfix-chain.crt
<% end -%>
smtpd_tls_cert_file=<%= scope.lookupvar('ssl::certs') %>/postfix.crt
smtpd_tls_key_file=<%= scope.lookupvar('ssl::private') %>/postfix.key
smtpd_tls_received_header = yes

114
postfix/templates/master.cf.erb Normal file
View file

@ -0,0 +1,114 @@
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - - - - smtpd
#smtp inet n - - - 1 postscreen
#smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy
<% if has_variable?("submission") -%>
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
<% end -%>
#smtps inet n - - - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}