Postfix stuff dazu

diff --git a/postfix/common.sls b/postfix/common.sls
new file mode 100644 (file)
index 0000000..008132a
--- /dev/null
+++ b/postfix/common.sls
@@ -0,0 +1,39 @@
+{%- from "postfix/map.jinja" import postfix with context -%}
+
+postfix:
+  pkg.installed:
+    - name: {{ postfix.package }}
+    - watch_in:
+      - service: postfix
+  service.running:
+    - name: {{ postfix.service }}
+    - enable: True
+    - require:
+      - pkg: postfix
+    - watch:
+      - pkg: postfix
+
+/etc/postfix:
+  file.directory:
+    - user: root
+    - group: root
+    - dir_mode: 755
+    - file_mode: 644
+    - makedirs: True
+    - require:
+      - pkg: postfix
+
+/etc/postfix/main.cf:
+  file.managed:
+    - source: salt://postfix/files/main.cf
+    - user: root
+    - group: root
+    - mode: 644
+    - require:
+      - pkg: postfix
+      - file: /etc/postfix
+    - watch_in:
+      - service: postfix
+    - template: jinja
+    - backup: minion
+

diff --git a/postfix/files/aliases b/postfix/files/aliases
new file mode 100644 (file)
index 0000000..a0f99a5
--- /dev/null
+++ b/postfix/files/aliases
@@ -0,0 +1,49 @@
+# See man 5 aliases for format
+MAILER-DAEMON: postmaster
+postmaster:    root
+root:          frank
+
+# General redirections for pseudo accounts.
+adm:           root
+bin:           root
+daemon:                root
+exim:          root
+lp:            root
+mail:          root
+named:         root
+nobody:                root
+postfix:       root
+
+# Well-known aliases -- these should be filled in!
+# root:
+# operator:
+
+# Standard RFC2142 aliases
+abuse:         postmaster
+ftp:           root
+hostmaster:    root
+news:          usenet
+noc:           root
+security:      root
+usenet:                root
+uucp:          root
+webmaster:     root
+www:           webmaster
+
+# trap decode to catch security attacks
+# decode:      /dev/null
+
+# Persönliche Aliase
+
+# Frank Brehm
+frank:         frank@brehm-online.com
+fbr:           frank
+brehm:         frank
+fbrehm:                frank
+f.brehm:       frank
+f-brehm:       frank
+frank.brehm:   frank
+frank-brehm:   frank
+
+
+

diff --git a/postfix/files/main.cf b/postfix/files/main.cf
new file mode 100644 (file)
index 0000000..4b00a95
--- /dev/null
+++ b/postfix/files/main.cf
@@ -0,0 +1,137 @@
+{%- from "postfix/map.jinja" import postfix with context -%}
+{%- set config = salt['pillar.get']('postfix:config', {}) -%}
+{%- set banner = salt['pillar.get']('postfix:smtpd_banner', '$myhostname ESMTP $mail_name (Debian/GNU)' ) -%}
+{%- set default_mydestination = [grains['fqdn'], 'localhost', 'localhost.localdomain', grains['domain']] -%}
+{%- set default_mynetworks = ['127.0.0.0/8', '[::ffff:127.0.0.0]/104', '[::1]/128'] -%}
+{%- set is_satellite = salt['pillar.get']('postfix:is_satellite', True ) -%}
+{% set processed_parameters = ['aliases_file', 'virtual', 'sasl_passwd', 'sender_canonical'] %}
+{%- macro set_parameter(parameter, default=None) -%}
+{% set value = config.get(parameter, default) %}
+{%- if value is not none %}
+  {%- if value is number or value is string -%}
+{{ parameter }} = {{ value }}
+  {%- elif value is iterable -%}
+{{ parameter }} =
+    {%- for v in value %}
+       {{ v }},
+    {%- endfor %}
+  {%- endif -%}
+{%- do processed_parameters.append(parameter) %}
+{%- endif %}
+{%- endmacro -%}
+# Managed by config management
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+{{ set_parameter('myorigin', '/etc/mailname') }}
+
+{{ set_parameter('smtpd_banner', banner) }}
+{{ set_parameter('biff', 'no') }}
+{# {{ set_parameter('compatibility_level', '2') }}
+#}
+
+# appending .domain is the MUA's job.
+{{ set_parameter('append_dot_mydomain', 'yes') }}
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+{{ set_parameter('readme_directory', 'no') }}
+
+{%- set relay_restrictions = ['permit_mynetworks'] %}
+{%- set recipient_restrictions = ['permit_mynetworks'] %}
+
+{%- if config.get('smtpd_sasl_auth_enable', 'yes') == 'yes' %}
+# SASL parameters (http://www.postfix.org/SASL_README.html)
+{%- do relay_restrictions.append('permit_sasl_authenticated') %}
+{%- do recipient_restrictions.append('permit_sasl_authenticated') %}
+{{ set_parameter('smtpd_sasl_auth_enable', 'yes') }}
+{{ set_parameter('smtpd_sasl_path', 'smtpd') }}
+{{ set_parameter('smtpd_sasl_type', 'cyrus') }}
+{{ set_parameter('smtpd_sasl_local_domain', '$myhostname') }}
+{{ set_parameter('smtpd_sasl_security_options', ['noanonymous', 'noplaintext']) }}
+{{ set_parameter('smtpd_sasl_tls_security_options', ['noanonymous']) }}
+{{ set_parameter('smtpd_tls_auth_only', 'no') }}
+{%- endif %}
+
+{%- if config.get('smtpd_use_tls', 'yes') == 'yes' %}
+# TLS parameters (http://www.postfix.org/TLS_README.html)
+# Recipient settings
+{{ set_parameter('smtpd_use_tls') }}
+{{ set_parameter('smtpd_tls_loglevel', 1) }}
+{{ set_parameter('smtpd_tls_security_level', 'may') }}
+{{ set_parameter('smtpd_tls_cert_file', '/etc/postfix/postfix.pem') }}
+{{ set_parameter('smtpd_tls_key_file', '/etc/postfix/postfix.pem') }}
+{{ set_parameter('smtpd_tls_session_cache_database', 'btree:${data_directory}/smtpd_scache') }}
+{{ set_parameter('smtpd_tls_mandatory_ciphers', 'high') }}
+{{ set_parameter('smtpd_tls_mandatory_exclude_ciphers', ['aNULL', 'MD5']) }}
+{{ set_parameter('smtpd_tls_mandatory_protocols', ['!SSLv2', '!SSLv3']) }}
+{{ set_parameter('tls_preempt_cipherlist', 'yes') }}
+# Relay/Sender settings
+{{ set_parameter('smtp_tls_loglevel', 1) }}
+{{ set_parameter('smtp_tls_security_level', 'may') }}
+{{ set_parameter('smtp_tls_session_cache_database', 'btree:${data_directory}/smtp_scache') }}
+{{ set_parameter('smtpd_tls_received_header', 'yes') }}
+{{ set_parameter('smtpd_tls_session_cache_timeout', '3600s') }}
+{%- endif %}
+
+{{ set_parameter('myhostname', grains['fqdn']) }}
+{{ set_parameter('alias_maps', 'hash:' ~ postfix.aliases_file) }}
+{{ set_parameter('alias_database', 'hash:' ~ postfix.aliases_file) }}
+{{ set_parameter('mydestination', config.get('mydestination', default_mydestination)) }}
+{{ set_parameter('relayhost', config.get('relayhost', '')) }}
+{{ set_parameter('mynetworks', config.get('mynetworks', default_mynetworks)) }}
+{{ set_parameter('mailbox_command', 'procmail -a "$EXTENSION"') }}
+{{ set_parameter('mailbox_size_limit', '0') }}
+{{ set_parameter('recipient_delimiter', '+') }}
+{%- if is_satellite %}
+{{ set_parameter('inet_interfaces', 'loopback-only') }}
+{% else %}
+{{ set_parameter('inet_interfaces', 'all') }}
+{% endif -%}
+{{ set_parameter('inet_protocols', config.get('inet_protocols', 'all')) }}
+
+{{ set_parameter('message_size_limit', '41943040') }}
+
+{%- if config.get('relayhost') %}
+{% set policyd_spf = salt['pillar.get']('postfix:policyd-spf', {}) %}
+  {%- if policyd_spf.get('enabled', False) %}
+  {%- do relay_restrictions.append('check_policy_server unix:private/policyd-spf') %}
+policy-spf_time_limit = {{ policyd_spf.get('time_limit', '3600s') }}
+  {%- endif %}
+{%- do relay_restrictions.append('defer_unauth_destination') %}
+{{ set_parameter('smtpd_relay_restrictions', relay_restrictions) }}
+{%- endif %}
+
+{#- check_policy_service must be after reject_unauth_destination #}
+{%- do recipient_restrictions.append('reject_unauth_destination') %}
+{%- set postgrey_config = salt['pillar.get']('postfix:postgrey', {}) %}
+{%- if postgrey_config.get('enabled', False) %}
+{%- do recipient_restrictions.append('check_policy_service ' ~ postgrey_config.get('location', 'inet:127.0.0.1:10030')) %}
+{%- endif %}
+{{ set_parameter('smtpd_recipient_restrictions', recipient_restrictions) }}
+
+{%- if 'virtual' in pillar.get('postfix','') %}
+virtual_alias_maps = hash:/etc/postfix/virtual
+{% endif -%}
+
+{% if 'sasl_passwd' in pillar.get('postfix','') %}
+smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth
+{% endif %}
+
+{%- if 'sender_canonical' in pillar.get('postfix','') %}
+sender_canonical_maps = hash:/etc/postfix/sender_canonical
+{% endif -%}
+
+{# Accept arbitrary parameters -#}
+{% for parameter in config -%}
+{% if parameter not in processed_parameters -%}
+{{ set_parameter(parameter) }}
+{% endif -%}
+{% endfor %}
+{{ set_parameter('unknown_local_recipient_reject_code', 550) }}
+
+# vim: filetype=pfmain