postfix

Table of Contents

1. Overview
2. Module Description
3. Setup
   • What postfix affects
   • Setup requirements
   • Beginning with postfix
4. Usage
5. Reference
6. Limitations
7. Development
   • Contributing

Overview

postfix configuration management

Module Description

postfix setup and configuration, can be configured to act like a simple mail relay or a multidomain mailserver

Setup

What postfix affects

• /etc/postfix/main.cf
• package management
• service management
• purges packages for other MTA on CentOS and switches to postfix on Ubunut 14.04

Setup Requirements

This module requires pluginsync enabled and eyp-dovecot (it is required to be able to setup IMAP for the mailserver: postfix::vmail)

Beginning with postfix

basic setup:

class { 'postfix':
  inetinterfaces => 'localhost',
}

mail relay:

class { 'postfix':
  inetinterfaces => 'all',
  relayhost      => '1.2.3.4',
  mynetworks     => [ '127.0.0.1/32', '1.1.1.1/32' ],
}

multidomain mail server

class { 'postfix': }

class { 'postfix::vmail': }

postfix::vmail::alias { 'example@systemadmin.es':
  aliasto => [ 'exemple@systemadmin.es' ],
}

postfix::vmail::account { 'example@systemadmin.es':
  accountname => 'example',
  domain      => 'systemadmin.es',
  password    => 'secretpassw0rd',
}

postfix::vmail::account { 'silvia@systemadmin.es':
  accountname => 'silvia',
  domain      => 'systemadmin.es',
  password    => 'secretpassw0rd2',
}

postfix::vmail::account { 'marc@systemadmin.es':
  accountname => 'marc',
  domain      => 'systemadmin.es',
  password    => 'secretpassw0rd3',
}

Usage

This module can be used to configure postfix to relay mails to another server or to have virtual mailboxes (multidomain/multiaccount).

To setup opportunistic TLS with custom certificates:

    class { 'postfix':
        opportunistictls => true,
        tlscert          => 'puppet:///openldap/masterauth/ldap-master-01.crt',
        tlspk            => 'puppet:///openldap/masterauth/ldap-master-01.key.pem',
    }

To setup opportunistic TLS with selfsigned certificate:

    class { 'postfix':
        opportunistictls  => true,
        subjectselfsigned => '/C=ES/ST=Barcelona/L=Barcelona/O=systemadmin.es/CN=systemadmin.es',
        generatecert      => true,
    }

Mailserver with contentfilter (amavis)

# Mailserver
class { 'postfix': }

class { 'postfix::vmail': }

postfix::vmail::account { 'merda@merda.com':
  accountname => 'merda',
  domain      => 'merda.com',
  password    => 'putamerda',
}

class { 'postfix::contentfilter':
}

multiple smtp outbound instances:

postfix::instance { 'out_domain1':
  type    => 'unix',
  chroot  => 'n',
  command => 'smtp',
  opts    => { 'smtp_bind_address' => '1.1.1.1',
               'smtp_helo_name' => 'systemadmin.es',
               'syslog_name' => 'postfix-systemadmin.es',
             }
}

postfix::instance { 'out_domain2':
  type    => 'unix',
  chroot  => 'n',
  command => 'smtp',
  opts    => { 'smtp_bind_address' => '1.2.2.2',
               'smtp_helo_name' => 'sysadmins.es',
               'syslog_name' => 'postfix-sysadmins.es',
             }
}

blackhole domain or account (to be able to blackhole a domain it requires postfix::vmail):

postfix::alias { 'blackhole':
  to => '/dev/null',
}

postfix::vmail::alias { '@blackhole.com':
  aliasto => [ 'blackhole@' ],
}

log example:

# echo a | mail -s caca blackhole@

Nov 29 12:33:03 ldapm postfix/pickup[16927]: 51876A105B: uid=0 from=<root>
Nov 29 12:33:03 ldapm postfix/cleanup[16995]: 51876A105B: message-id=<20161129113303.51876A105B@ldapm>
Nov 29 12:33:03 ldapm postfix/qmgr[16928]: 51876A105B: from=<root@vm.vm>, size=384, nrcpt=1 (queue active)
Nov 29 12:33:03 ldapm postfix/local[16997]: 51876A105B: to=<blackhole@ldapm>, orig_to=<blackhole@>, relay=local, delay=0.09, delays=0.07/0.03/0/0, dsn=2.0.0, status=sent (delivered to file: /dev/null)
Nov 29 12:33:03 ldapm postfix/qmgr[16928]: 51876A105B: removed

# echo a | mail -s caca dsadadas@blackhole.com

Nov 29 12:33:10 ldapm postfix/pickup[16927]: 70BA8A105B: uid=0 from=<root>
Nov 29 12:33:10 ldapm postfix/cleanup[16995]: 70BA8A105B: message-id=<20161129113310.70BA8A105B@ldapm>
Nov 29 12:33:10 ldapm postfix/qmgr[16928]: 70BA8A105B: from=<root@vm.vm>, size=396, nrcpt=1 (queue active)
Nov 29 12:33:10 ldapm postfix/local[16997]: 70BA8A105B: to=<blackhole@ldapm>, orig_to=<dsadadas@blackhole.com>, relay=local, delay=0.03, delays=0.02/0/0/0, dsn=2.0.0, status=sent (delivered to file: /dev/null)
Nov 29 12:33:10 ldapm postfix/qmgr[16928]: 70BA8A105B: removed

multiple inbound email instances:

class { 'postfix':
  inetinterfaces    => 'all',
  mynetworks        => [ '127.0.0.1/32' ],
  myhostname        => 'smtp3.systemadmin.es',
  smtpdbanner       => 'smtp3.systemadmin.es ESMTP',
  opportunistictls  => true,
  subjectselfsigned => '/C=UK/ST=Shropshire/L=Telford/O=systemadmin/CN=smtp3.systemadmin.es',
  generatecert      => true,
  syslog_name       => 'private',
}

class { 'postfix::vmail': }

postfix::vmail::account { 'systemadmin@systemadmin.es':
  accountname => 'systemadmin',
  domain      => 'systemadmin.com',
  password    => 'systemadmin_secret_passw0rd',
}

postfix::instance { '0.0.0.0:2525':
  type    => 'inet',
  private => 'n',
  chroot  => 'n',
  command => 'smtpd',
  opts    => {
              'content_filter'               => '',
              'smtpd_helo_restrictions'      => '',
              'smtpd_sender_restrictions'    => '',
              'smtpd_recipient_restrictions' => 'permit_mynetworks,reject',
              'mynetworks'                   => '127.0.0.0/8,10.0.2.15/32',
              'receive_override_options'     => 'no_header_body_checks',
              'smtpd_helo_required'          => 'no',
              'smtpd_client_restrictions'    => '',
              'smtpd_restriction_classes'    => '',
              'disable_vrfy_command'         => 'no',
              #'strict_rfc821_envelopes'      => 'yes',
              'smtpd_sasl_auth_enable'       => 'no',
              'syslog_name'                                  => 'public',
            },
  order   => '99',
}

Reference

postfix

Most variables are standard postfix variables, please refer to postfix documentation:

• append_dot_mydomain

• biff

• inetinterfaces

• ipv6

• mail_spool_directory

• mydestination

• mydomain

• myhostname

• mynetworks

• myorigin

• readme_directory

• recipient_delimiter

• relayhost

• smtp_fallback_relay

• smtpdbanner

• install_mailclient

• default_process_limit

• smtpd_client_connection_count_limit

• smtpd_client_connection_rate_limit

• in_flow_delay

• setgid_group

• (...)

• install_mailclient: controls if a mail client should be installed (default: true)

SSL certificates:

• opportunistictls: controls Opportunistic TLS (default: false)
• generatecert: controls if a selfsigned certificate is generated for this postfix instance (default: true)
• tlscert: source cert file - generatecert must be false
• tlspk: source private key - generatecert must be false
• subjectselfsigned subject for a selfsigned certificate - generatecert must be true. example: '/C=RC/ST=Barcelona/L=Barcelona/O=systemadmin.es/CN=systemadmin.es',

postfix::transport

bounce a specific domain:

postfix::transport { 'example.com':
  error => 'email to this domain is not allowed',
}

SMTP route:

postfix::transport { 'example.com':
  nexthop => '1.1.1.1',
}

postfix::vmail

• mailbox_base: (default: /var/vmail)
• setup_dovecot: (default: true)
• smtpd_recipient_restrictions (default: permit_inet_interfaces,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination)
• smtpd_relay_restrictions (default: permit_inet_interfaces,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination)

postfix::vmail::acount

postfix::vmail::account { 'silvia@systemadmin.es':
  accountname => 'silvia',
  domain      => 'systemadmin.es',
  password    => 'secretpassw0rd2',
}

postfix::vmail::alias

postfix::vmail::alias { 'example@systemadmin.es':
  aliasto => [ 'exemple@systemadmin.es' ],
}

Limitations

Tested on:

• CentOS 5
• CentOS 6
• CentOS 7
• Ubuntu 14.04
• Ubuntu 16.04
• SLES 11 SP3

Development

We are pushing to have acceptance testing in place, so any new feature should have some test to check both presence and absence of any feature

TODO

• improve documentation (multidoamin mailserver is not yet covered)
• SQLite support (was added with Postfix version 2.8)
• add requires for postmap operations and rewrite it to use ${postfix::params::baseconf}

Contributing

1. Fork it using the development fork: jordiprats/eyp-systemd
2. Create your feature branch (git checkout -b my-new-feature)
3. Commit your changes (git commit -am 'Added some feature')
4. Push to the branch (git push origin my-new-feature)
5. Create new Pull Request

CHANGELOG

0.2.41

• added postfix settings:
  • smtp_tls_mandatory_protocols
  • smtp_tls_ca_path for smtp_tls_CApath

0.2.40

• Added master.cf options for RHEL 8

0.2.39

• Added RHEL 8 support

0.2.37

• added queue related variables:
  • queue_run_delay
  • minimal_backoff_time
  • maximal_backoff_time
• added postfix::headercheck
• added SLES 12.4 support

0.2.36

• bugfix virtual alias maps reload

0.2.35

• added security related options (thanks to juju4 for this PR-63 - merged with changes)

0.2.34

• added SLES 12.3 support

0.2.33

• added support for multi-instance virtual_alias_maps

0.2.32

• added SELinux context to (thanks to Tony Green for this PR-51):
  • alias maps
  • mailboxes directory and subdirectories (default: /var/vmail)

0.2.31

• added Ubuntu 18.04 support
• added compatibility_level variable
• variable mynetworks_style set to subnet by default across postfix versions

0.2.30

• added regex support to postfix::vmail::alias

0.2.29

• added variable message_size_limit as per Issue#44

0.2.28

• added postfix::canonicalmap to be able to manage canonical_maps

0.2.27

• modified postfix::transport to be able to have multiple puppet managed transport files

0.2.26

• added smtpd_reject_footer

0.2.25

• added smtp_generic_maps management (default: /etc/postfix/generic_maps) using postfix::genericmap

0.2.24

• lint

0.2.23

• added data_directory as a variable

0.2.22

• added Ubuntu 16.04 support

0.2.21

• improved main.cf for clarity (debug peer, debug level)
• added syslog_name

0.2.20

• modified openssl cert generation to be able to change it's CN

0.2.19

• bugfix: postmap & newaliases dependencies
• debug peer, debug level and smtpd debug

0.2.18

• bugfix version detection

0.2.17

• dspam content filter

0.2.16

• stderr to /dev/null for facts eyp_postfix_uid & eyp_postfix_gid
• added postfix group to puppet management

0.2.15

• amavis support
• bugfix home_mailbox
• fixed acceptance testing
• added facts (eyp_postfix_uid/eyp_postfix_gid) to get postfix uid/gid

0.2.14

• postfix >= 2.9 compatibility for opportunistic TLS
• bugfix postfix::sendercanonicalmap
• /etc/aliases management

0.2.12

• INCOMPATIBLE CHANGE renamed scmmap_to and scmmap_to to scm_to and scm_from

0.2.10

• added postfix::sendercanonicalmap

0.2.9

• removed openssl package management

0.2.8

• INCOMPATIBLE CHANGE added resolve_null_domain, default: yes

0.2.7

• improved compatibility for master.cf

0.2.5

• lint + cleanup
• reject_authenticated_sender_login_mismatch postfix::vmail in smtpd_recipient_restrictions and smtpd_relay_restrictions
• master.cf management using concat
• added postfix::instance (each master.cf item is a instance)
• added postfix::contentfilter
• added service_ensure & service_enable

0.2.2

• added permit_inet_interfaces by default to smtpd_recipient_restrictions and smtpd_relay_restrictions

0.2.1

• Mailserver with virtual users and domains
  • added postfix::vmail for virtual hosting using eyp-dovecot
  • INCOMPATIBLE CHANGE: removed virtual_alias variable
  • added postfix::vmail::alias
  • INCOMPATIBLE CHANGE: changed default mailbox to maildir
  • virtual domains/accounts via postfix::vmail::account
  • dovecot based auth - using eyp-dovecot

0.1.58

• main.cf to concat
• added error support for postfix::transport

0.1.57

• added postfix::transport

0.1.56

INCOMPATIBLE CHANGE:

• option relayhost_mx_lookup to disable MX lookups for relay_host (disabled by default)

0.1.54

• added smtp_fallback_relay (array)