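# smtpd.conf for the maurus.networks email config
#
# Jinja template: the {{...}} placeholders are substituted at deploy time.
# OpenSMTPD evaluates "match" rules in order and the first match wins, so the
# order of the rules in this file is significant. Mail that matches no rule is
# rejected.
#
# Mail flow (each hop re-enters smtpd on a dedicated localhost port and tag):
#   UNFILTERED (internet) -> amavisd (10026, back on 10025 as FILTERED)
#     -> mailforwarder (10046, back on 10045 as FINISHED) -> local delivery, or
#     -> dkimsign (10036, back on 10035 as SIGNED) -> send
### set up the selected certificates
### one pki entry per listener hostname; |trim drops stray whitespace from the templated paths
pki {{receiver_hostname}} cert "{{receiver_certfile|trim}}"
pki {{receiver_hostname}} key "{{receiver_keyfile|trim}}"
pki {{relay_hostname}} cert "{{relay_certfile|trim}}"
pki {{relay_hostname}} key "{{relay_keyfile|trim}}"
pki {{internal_relay_hostname}} cert "{{internal_relay_certificate|trim}}"
pki {{internal_relay_hostname}} key "{{internal_relay_keyfile|trim}}"
### define our filters
### both run as external filter processes; dnsbl consults ix.dnsbl.manitu.net for each connection
filter "greylistd" proc-exec "/usr/lib/x86_64-linux-gnu/opensmtpd/filter-greylistd"
filter "dnsbl" proc-exec "/usr/lib/x86_64-linux-gnu/opensmtpd/filter-dnsbl ix.dnsbl.manitu.net"
### define built-in filters
### drop peers without forward-confirmed reverse DNS at connect time, before any SMTP dialogue
filter "fcrdns" phase connect match fcrdns \
disconnect "550 sorry, we require forward-confirmed reverse DNS for SMTP connections"
### set the filter chain for incoming mail on the receiver (filters run in this order)
filter "f_incoming" chain {"fcrdns", "greylistd", "dnsbl"}
### load valid domains and users which we accept mail for from PostgreSQL
### <credentials> also backs SMTP AUTH on the relay listeners below
table validdomains postgres:/etc/smtpd/postgresql.table.conf
table validrecipients postgres:/etc/smtpd/postgresql.table.conf
table credentials postgres:/etc/smtpd/postgresql.table.conf
### receive email from the internet (i.e. unauthenticated users) who may or may not use TLS
### no "auth" on these listeners, so credentials are never accepted on the internet-facing IP
listen on "{{receiver_ip}}" port 25 tls pki "{{receiver_hostname}}" \
hostname "{{receiver_hostname}}" tag UNFILTERED filter f_incoming
listen on "{{receiver_ip}}" port 465 smtps pki "{{receiver_hostname}}" \
hostname "{{receiver_hostname}}" tag UNFILTERED filter f_incoming
### incoming email for external authenticated users who must use TLS
### tls-require (port 25) and smtps (port 465) ensure AUTH credentials only travel inside TLS
listen on "{{relay_ip}}" port 25 tls-require auth <credentials> \
pki "{{relay_hostname}}" hostname "{{relay_hostname}}" tag AUTHENTICATED
listen on "{{relay_ip}}" port 465 smtps auth <credentials> \
pki "{{relay_hostname}}" hostname "{{relay_hostname}}" tag AUTHENTICATED
### incoming email for internal applications
### NOTE(review): this listener has no auth and the INTERNAL rule below relays "from any",
### so every host that can reach {{internal_relay_ip}} may relay through it. That is only
### safe while the address is unreachable from untrusted networks; pinning the allowed
### sources with "from src <table>" would make that assumption explicit -- confirm.
listen on "{{internal_relay_ip}}" port 25 tls pki \
"{{internal_relay_hostname}}" hostname "{{internal_relay_hostname}}" \
tag INTERNAL
### Reject anything on an invalid domain.
match tag UNFILTERED from any ! for domain <validdomains> reject
### email with a valid recipient, but tagged as UNFILTERED now goes to
### amavisd-new on port 10026 and comes back on port 10025
### (relay URL scheme is lmtp://, i.e. LMTP to a local port)
action amavisd relay host "lmtp://localhost:10026"
match tag UNFILTERED from any for domain <validdomains> \
rcpt-to <validrecipients> action amavisd
listen on localhost port 10025 tag FILTERED
### relay mail for authenticated users either here or remotely after DKIM signing it
action mailforwarder relay host "smtp://localhost:10046"
action dkimsign relay host "smtp://localhost:10036"
match tag AUTHENTICATED from any \
for domain <validdomains> rcpt-to <validrecipients> \
action mailforwarder
### NOTE(review): no mail-from constraint on the AUTHENTICATED rules, so the envelope
### sender is not tied to the authenticated account; acceptable only if that is intended.
match tag AUTHENTICATED from any for any action dkimsign
### deliver internal network mail. This is submitted through Smartstack by other
### daemons in the network.
match tag INTERNAL from any for any action dkimsign
### email that went through amavisd goes to mailforwarder for
### mailing list/alias processing. When it comes back, aliases have been
### removed from the RCPT TO list. Everything tagged FILTERED has already
### validated recipients.
match tag FILTERED from local for any action mailforwarder
listen on localhost port 10045 tag FINISHED
### the mailforwarder might send emails to external addresses. Then they must be
### DKIM signed, at which point the SIGNED rule further down will process them.
### `for any ! rcpt-to <validrecipients>` does not deny invalid addresses: the rule
### below matches every recipient that is not a local account and hands it to dkimsign;
### local accounts fall through to the delivery rule below.
### This basically accepts *all* mail. So this is only okay because it's on localhost.
match tag FINISHED from local \
for any ! rcpt-to <validrecipients> action dkimsign
### deliver remote incoming mail that has been filtered by amavisd and processed
### by the mailforwarder daemon (handed to dovecot-lda, running as user virtmail)
action deliver_into_maildir mda \
"/usr/lib/dovecot/dovecot-lda -f %{sender} -d %{rcpt}" user virtmail \
virtual <validrecipients>
match tag FINISHED from local \
for domain <validdomains> rcpt-to <validrecipients> action deliver_into_maildir
### mail coming back from DKIM signing, goes out to the world
### (plain "relay" with no host: delivered directly to the recipient domain's MX)
listen on localhost port 10035 tag SIGNED
action send relay
match tag SIGNED from local for any action send
### allow the mail node itself to relay mail via sendmail
### untagged, so it should only catch local submissions that none of the tagged rules above took
match from local for any action mailforwarder
### if none of the above rules match, the default behavior is to reject, which is fine.
### EOF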