CLI_BINARIES = $(addprefix, 'bin/', ${CLITOOLS})
TEMPLATES = \
+ main.cf.in \
+ main.cf.in.demo \
+ master.cf.in \
+ master.cf.in.demo \
init.pre.in \
local.cf.in \
v310.pre.in \
- changed license to AGPL3
+- remove commtouch integration
+
+- new 'dnsbl_sites' setting
+
Incompatible changes:
---------------------
return $max_servers - 2;
}
+sub get_max_smtpd {
+ # estimate optimal number of smtpd daemons
+
+ my $max_servers = 25;
+ my $servermem = 20;
+ my $memory = physical_memory();
+ my $add_servers = int(($memory - 512)/$servermem);
+ $max_servers += $add_servers if $add_servers > 0;
+ $max_servers = 100 if $max_servers > 100;
+ return $max_servers;
+}
+
+
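Review bot: get_max_smtpd documents neither the unit physical_memory() returns nor why 512 and 20 were chosen, and the effective clamp to 25..100 is only implicit in the arithmetic; a header comment would help, e.g. `# physical_memory() presumably returns MiB: reserve 512 MiB for the base system, budget ~20 MiB per smtpd process, clamp the result to 25..100 (the schema allows 3..100) -- TODO confirm units`. Note also that properties() evaluates `default => get_max_smtpd()` (and get_max_filters()) every time the schema is built, so the default is re-derived on each call; if a stable value is wanted, compute it once at package load.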
sub properties {
return {
+ relay => {
+ description => "The default mail delivery transport (incoming mails).",
+ type => 'string',
+ },
+ relayport => {
+ description => "SMTP port number for relay host.",
+ type => 'integer',
+ minimum => 1,
+ maximum => 65535,
+ default => 25,
+ },
+ relaynomx => {
+ description => "Disable MX lookups for default relay.",
+ type => 'boolean',
+ default => 0,
+ },
+ smarthost => {
+ description => "When set, all outgoing mails are deliverd to the specified smarthost.",
+ type => 'string',
+ },
banner => {
description => "ESMTP banner.",
type => 'string',
maximum => 40,
default => get_max_filters(),
},
+ max_smtpd_in => {
+ description => "Maximum number of SMTP daemon processes (in).",
+ type => 'integer',
+ minimum => 3,
+ maximum => 100,
+ default => get_max_smtpd(),
+ },
+ max_smtpd_out => {
+ description => "Maximum number of SMTP daemon processes (out).",
+ type => 'integer',
+ minimum => 3,
+ maximum => 100,
+ default => get_max_smtpd(),
+ },
+ conn_count_limit => {
+ description => "How many simultaneous connections any client is allowed to make to this service. To disable this feature, specify a limit of 0.",
+ type => 'integer',
+ minimum => 0,
+ default => 50,
+ },
+ conn_rate_limit => {
+ description => "The maximal number of connection attempts any client is allowed to make to this service per minute. To disable this feature, specify a limit of 0.",
+ type => 'integer',
+ minimum => 0,
+ default => 0,
+ },
+ message_rate_limit => {
+ description => "The maximal number of message delivery requests that any client is allowed to make to this service per minute.To disable this feature, specify a limit of 0.",
+ type => 'integer',
+ minimum => 0,
+ default => 0,
+ },
hide_received => {
description => "Hide received header in outgoing mails.",
type => 'boolean',
default => 0,
},
- max_size => {
+ maxsize => {
description => "Maximum email size. Larger mails are rejected.",
type => 'integer',
minimum => 1024,
default => 1024*1024*10,
},
+ dwarning => {
+ description => "SMTP delay warning time (in hours).",
+ type => 'integer',
+ minimum => 0,
+ default => 4,
+ },
+ use_rbl => {
+ descriptions => "Use Realtime Blacklists.",
+ type => 'boolean',
+ default => 1,
+ },
+ tls => {
+ descriptions => "Use TLS.",
+ type => 'boolean',
+ default => 0,
+ },
+ spf => {
+ descriptions => "Use Sender Policy Framework.",
+ type => 'boolean',
+ default => 1,
+ },
+ greylist => {
+ descriptions => "Use Greylisting.",
+ type => 'boolean',
+ default => 1,
+ },
+ helotests => {
+ descriptions => "Use SMTP HELO tests.",
+ type => 'boolean',
+ default => 0,
+ },
+ rejectunknown => {
+ descriptions => "Reject unknown clients.",
+ type => 'boolean',
+ default => 0,
+ },
+ rejectunknownsender => {
+ descriptions => "Reject unknown senders.",
+ type => 'boolean',
+ default => 0,
+ },
+ verifyreceivers => {
+ description => "Enable receiver verification. The value (if greater than 0) spefifies the numerical reply code when the Postfix SMTP server rejects a recipient address (450 or 550).",
+ type => 'integer',
+ minimum => 0,
+ maximum => 599,
+ default => 0,
+ },
+ dnsbl_sites => {
+ description => "Optional list of DNS white/blacklist domains (see postscreen_dnsbl_sites parameter).",
+ type => 'string',
+ },
};
}
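Review bot: use_rbl, tls, spf, greylist, helotests, rejectunknown and rejectunknownsender use the key `descriptions` instead of `description`, so these properties carry no description in the schema (and, depending on how strict the schema validator is, may be rejected outright); change each to `description => ...`. relay, smarthost and dnsbl_sites are plain `type => 'string'` and are later interpolated verbatim into main.cf (`relay_transport = smtp:...`, `default_transport = smtp:...`, `postscreen_dnsbl_sites = ...`), so unless the API layer already forbids whitespace and newlines, a value could inject further Postfix parameters into the generated file; a `pattern`/`format` constraint (hostname or IP literal for relay and smarthost, a comma/space separated list of domains for dnsbl_sites) would close that. verifyreceivers accepts any integer from 0 to 599 although the description itself says only 450 or 550 are meaningful; an `enum => [0, 450, 550]` (if the schema supports it) or a 4xx/5xx check prevents writing an invalid `unverified_recipient_reject_code`.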
sub options {
return {
- max_size => { optional => 1 },
+ relay => { optional => 1 },
+ relayport => { optional => 1 },
+ relaynomx => { optional => 1 },
+ dwarning => { optional => 1 },
+ max_smtpd_in => { optional => 1 },
+ max_smtpd_out => { optional => 1 },
+ greylist => { optional => 1 },
+ helotests => { optional => 1 },
+ use_rbl => { optional => 1 },
+ tls => { optional => 1 },
+ spf => { optional => 1 },
+ maxsize => { optional => 1 },
banner => { optional => 1 },
max_filters => { optional => 1 },
hide_received => { optional => 1 },
+ rejectunknown => { optional => 1 },
+ rejectunknownsender => { optional => 1 },
+ conn_count_limit => { optional => 1 },
+ conn_rate_limit => { optional => 1 },
+ message_rate_limit => { optional => 1 },
+ verifyreceivers => { optional => 1 },
+ dnsbl_sites => { optional => 1 },
};
}
package PMG::Config;
\&read_pmg_conf,
\&write_pmg_conf);
+# parsers/writers for other files
+
+my $domainsfilename = "/etc/proxmox/domains";
+
+sub read_pmg_domains {
+ my ($filename, $fh) = @_;
+
+ my $domains = [];
+
+ if (defined($fh)) {
+ while (defined(my $line = <$fh>)) {
+ if ($line =~ m/^\s*(\S+)\s*$/) {
+ my $domain = $1;
+ push @$domains, $domain;
+ }
+ }
+ }
+
+ return $domains;
+}
+
+sub write_pmg_domains {
+ my ($filename, $fh, $domain) = @_;
+
+ foreach my $domain (sort @$domain) {
+ PVE::Tools::safe_print($filename, $fh, "$domain\n");
+ }
+}
+
+PVE::INotify::register_file('domains', $domainsfilename,
+ \&read_pmg_domains,
+ \&write_pmg_domains,
+ undef, always_call_parser => 1);
+
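Review bot: read_pmg_domains accepts any run of non-whitespace as a domain, so a `#comment` line or a stray token in /etc/proxmox/domains is reported back as a relay domain while Postfix, which reads the same file as relay_domains, presumably skips `#` lines; an anchored check such as `if ($line =~ m/^\s*([a-zA-Z0-9.-]+)\s*$/)` (or a shared domain-name regex if the project already has one) keeps the two views consistent, which matters because relay_domains decides what reject_unauth_destination lets through. In write_pmg_domains the parameter `$domain` holds an array ref and is immediately shadowed by the loop variable of the same name (`foreach my $domain (sort @$domain)`); rename the parameter to `$domains`. A short comment above register_file stating what `always_call_parser => 1` means for a missing file (presumably: the API sees an empty list rather than an error -- TODO confirm in PVE::INotify) would also help.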
# config file generation using templates
my $vars = { pmg => $self->get_config() };
+ my $nodename = PVE::INotify::nodename();
+ my $int_ip = PMG::Cluster::remote_node_ip($nodename);
+ my $int_net_cidr = PMG::Utils::find_local_network_for_ip($int_ip);
+
+ $vars->{ipconfig}->{int_ip} = $int_ip;
+ # $vars->{ipconfig}->{int_net_cidr} = $int_net_cidr;
+ $vars->{ipconfig}->{int_port} = 26;
+ $vars->{ipconfig}->{ext_port} = 25;
+
+ my $transportnets = []; # fixme
+ $vars->{postfix}->{transportnets} = join(' ', @$transportnets);
+
+ my $mynetworks = [ '127.0.0.0/8', '[::1]/128' ];
+ push @$mynetworks, @$transportnets;
+ push @$mynetworks, $int_net_cidr;
+
+ # add default relay to mynetworks
+ if (my $relay = $self->get('mail', 'relay')) {
+ if (Net::IP::ip_is_ipv4($relay)) {
+ push @$mynetworks, "$relay/32";
+ } elsif (Net::IP::ip_is_ipv6($relay)) {
+ push @$mynetworks, "[$relay]/128";
+ } else {
+ warn "unable to detect IP version of relay '$relay'";
+ }
+ }
+
+ $vars->{postfix}->{mynetworks} = join(' ', @$mynetworks);
+
+ my $usepolicy = 0;
+ $usepolicy = 1 if $self->get('mail', 'greylist') ||
+ $self->get('mail', 'spf') || $self->get('mail', 'use_rbl');
+ $vars->{postfix}->{usepolicy} = $usepolicy;
+
+ my $resolv = PVE::INotify::read_file('resolvconf');
+ $vars->{dns}->{hostname} = $nodename;
+ $vars->{dns}->{domain} = $resolv->{search};
+
$template->process($srcfd, $vars, $dstfd) ||
die $template->error();
close (TMP);
}
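Review bot: `push @$mynetworks, $int_net_cidr;` puts the whole subnet of the internal IP into mynetworks, and with `permit_mynetworks` listed ahead of `reject_unauth_destination` in the generated main.cf every host on that subnet may relay to any destination without authentication; this is presumably the intended trust model for an internal gateway, but it deserves a comment at the push (`# every host on the internal network is a trusted relay client`) and a mention in the user-facing option documentation. find_local_network_for_ip dies when no route matches, so a missing route becomes an unhandled die inside rewrite_config_file; consider catching it and falling back to a `/32` or `/128` for $int_ip so that at least the node itself stays in mynetworks and the config can still be written. The `else` branch logs "unable to detect IP version" when the relay is a hostname, which is a perfectly legal relay_transport value; rephrase to `warn "relay '$relay' is not an IP literal, not adding it to mynetworks\n"` so the log line does not read like an error. rewrite_config_file starts before this hunk.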
+# rewrite /etc/postfix/*
+sub rewrite_config_postfix {
+ my ($self) = @_;
+
+ # make sure we have a domains file (else postfix start fails)
+ IO::File->new($domainsfilename, 'a', 0644);
+
+ if ($self->get('mail', 'tls')) {
+ eval {
+ my $resolv = PVE::INotify::read_file('resolvconf');
+ my $domain = $resolv->{search};
+
+ my $company = $domain; # what else ?
+ my $cn = "*.$domain";
+ PMG::Utils::gen_proxmox_tls_cert(0, $company, $cn);
+ };
+ syslog ('info', msgquote ("generating certificate failed: $@")) if $@;
+ }
+
+ $self->rewrite_config_file('main.cf.in', '/etc/postfix/main.cf');
+ $self->rewrite_config_file('master.cf.in', '/etc/postfix/master.cf');
+ #rewrite_config_transports ($class);
+ #rewrite_config_whitelist ($class);
+ #rewrite_config_tls_policy ($class);
+
+ # make sure aliases.db is up to date
+ system('/usr/bin/newaliases');
+}
+
sub rewrite_config {
my ($self) = @_;
+ $self->rewrite_config_postfix();
$self->rewrite_dot_forward();
$self->rewrite_config_postgres();
$self->rewrite_config_spam();
$self->rewrite_config_clam();
+
}
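Review bot: `IO::File->new($domainsfilename, 'a', 0644);` discards its return value, so if the file cannot be created the failure only shows up later as a Postfix start error; write `IO::File->new($domainsfilename, 'a', 0644) or die "unable to create $domainsfilename - $!\n";`. Likewise `system('/usr/bin/newaliases')` ignores the exit status; check `$?` (or use PVE::Tools::run_command, which the Utils code relies on to die on failure) so a stale aliases.db is not silently left behind. When certificate generation fails the error is only syslogged, yet main.cf is still written with `smtpd_tls_cert_file = /etc/proxmox/proxmox-tls.pem` pointing at a missing file, which Postfix will reject at startup; either emit the TLS stanza only when the file exists or make the failure fatal. `$cn = "*.$domain"` also produces `*.` when resolv.conf has no search domain -- guard for an undefined `$resolv->{search}`.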
1;
use Time::HiRes qw (gettimeofday);
use Xdgmime;
use Data::Dumper;
+use Net::IP;
+use PVE::Network;
use PVE::Tools;
use PVE::SafeSyslog;
+use PVE::ProcFSTools;
use PMG::AtomicFile;
use PMG::MailQueue;
}
}
+# x509 certificate utils
+
+my $proxmox_tls_cert_fn = "/etc/proxmox/proxmox-tls.pem";
+
+sub gen_proxmox_tls_cert {
+ my ($force, $company, $cn) = @_;
+
+ return if !$force && -f $proxmox_tls_cert_fn;
+
+ my $sslconf = <<__EOD__;
+RANDFILE = /root/.rnd
+extensions = v3_req
+
+[ req ]
+default_bits = 4096
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+string_mask = nombstr
+
+[ req_distinguished_name ]
+organizationalUnitName = Proxmox Mail Gateway
+organizationName = $company
+commonName = $cn
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+nsCertType = server
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+__EOD__
+
+ my $cfgfn = "/tmp/proxmoxtlsconf-$$.tmp";
+ my $fh = IO::File->new ($cfgfn, "w");
+ print $fh $sslconf;
+ close ($fh);
+
+ eval {
+ PVE::Tools::run_command(['openssl', 'req', '-batch', '-x509', '-new', '-sha256',
+ '-config', $cfgfn, '-days', 3650, '-nodes',
+ '-out', $proxmox_tls_cert_fn,
+ '-keyout', $proxmox_tls_cert_fn]);
+ };
+
+ if (my $err = $@) {
+ unlink $proxmox_tls_cert_fn;
+ unlink $cfgfn;
+ die "unable to generate proxmox certificate request:\n$err";
+ }
+
+ unlink $cfgfn;
+}
+
+sub find_local_network_for_ip {
+ my ($ip) = @_;
+
+ my $testip = Net::IP->new($ip);
+
+ my $isv6 = $testip->version == 6;
+ my $routes = $isv6 ?
+ PVE::ProcFSTools::read_proc_net_ipv6_route() :
+ PVE::ProcFSTools::read_proc_net_route();
+
+ foreach my $entry (@$routes) {
+ my $mask;
+ if ($isv6) {
+ $mask = $entry->{prefix};
+ next if !$mask; # skip the default route...
+ } else {
+ $mask = $PVE::Network::ipv4_mask_hash_localnet->{$entry->{mask}};
+ next if !defined($mask);
+ }
+ my $cidr = "$entry->{dest}/$mask";
+ my $testnet = Net::IP->new($cidr);
+ my $overlap = $testnet->overlaps($testip);
+ if ($overlap == $Net::IP::IP_B_IN_A_OVERLAP ||
+ $overlap == $Net::IP::IP_IDENTICAL)
+ {
+ return $cidr;
+ }
+ }
+
+ die "unable to detect local network for ip '$ip'\n";
+}
1;
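Review bot: The openssl config is written to the predictable path `/tmp/proxmoxtlsconf-$$.tmp` by a process that runs as root, so a local user who pre-creates that name (or a symlink) can have the target overwritten or the config swapped before openssl reads it; use the core File::Temp instead, e.g. `my ($fh, $cfgfn) = File::Temp::tempfile('proxmoxtlsconf-XXXXXX', TMPDIR => 1);`, and check the `print` and `close` results rather than ignoring them. The private key and the certificate land in the same file and whether its mode ends up 0600 depends on the openssl version and the caller's umask, so an explicit `chmod 0600, $proxmox_tls_cert_fn` after run_command succeeds is prudent (Postfix reads the key as root, so a restrictive mode costs nothing). In find_local_network_for_ip, `Net::IP->new($ip)` returns undef for an unparsable address and the following `->version` then dies with an unhelpful method-on-undef message; add `or die "invalid ip '$ip'\n"`. A comment noting that this is a ten-year self-signed wildcard certificate intended only for opportunistic TLS (main.cf uses security level `may`) would set expectations for anyone who later wants real verification.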
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
-StreamMaxLength [% pmg.mail.max_size %]
+StreamMaxLength [% pmg.mail.maxsize %]
LogSyslog true
LogFacility LOG_LOCAL6
LogClean false
--- /dev/null
+# auto-generated by proxmox
+
+compatibility_level = 2
+command_directory = /usr/sbin
+daemon_directory = /usr/lib/postfix/sbin
+data_directory = /var/lib/postfix
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = yes
+
+smtpd_banner = $myhostname [% pmg.mail.banner %]
+biff = no
+
+[% IF pmg.mail.dwarning %]
+delay_warning_time = [% pmg.mail.dwarning %]h
+[% END %]
+
+best_mx_transport = local
+message_size_limit = [% pmg.mail.maxsize %]
+mailbox_size_limit = [% ((pmg.mail.maxsize*2 > 51200000) ? pmg.mail.maxsize*2 : 51200000) %]
+
+mydomain = [% dns.domain %]
+myhostname = [% dns.hostname %].[% dns.domain %]
+
+parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
+
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+mydestination = localhost, $myhostname
+mynetworks = [% postfix.mynetworks %]
+
+relay_domains = /etc/proxmox/domains
+
+transport_maps = hash:/etc/postfix/transport
+
+[% IF pmg.mail.relay %]
+[% IF pmg.mail.relaynomx %]
+relay_transport = smtp:[[% pmg.mail.relay %]]:[% pmg.mail.relayport %]
+[% ELSE %]
+relay_transport = smtp:[% pmg.mail.relay %]:[% pmg.mail.relayport %]
+[% END %]
+[% END %]
+
+[% IF pmg.mail.smarthost %]
+default_transport = smtp:[% pmg.mail.smarthost %]
+[% END %]
+
+content_filter=scan:127.0.0.1:10024
+
+mail_name = Proxmox
+
+[% IF pmg.mail.helotests %]
+smtpd_helo_required = yes
+smtpd_helo_restrictions = permit_mynetworks reject_non_fqdn_helo_hostname reject_invalid_helo_hostname
+[% ELSE %]
+smtpd_helo_restrictions =
+[% END %]
+
+postscreen_access_list =
+ permit_mynetworks,
+ cidr:/etc/postfix/postscreen_access
+
+[% IF pmg.mail.dnsbl_sites %]
+postscreen_dnsbl_sites = [% pmg.mail.dnsbl_sites %]
+[% END %]
+
+postscreen_dnsbl_action = enforce
+postscreen_greet_action = enforce
+postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
+
+smtpd_sender_restrictions =
+ permit_mynetworks
+ reject_non_fqdn_sender
+ check_client_access cidr:/etc/postfix/clientaccess
+ check_sender_access regexp:/etc/postfix/senderaccess
+ check_recipient_access regexp:/etc/postfix/rcptaccess
+[%- IF pmg.mail.rejectunknown %] reject_unknown_client_hostname[% END %]
+[%- IF pmg.mail.rejectunknownsender %] reject_unknown_sender_domain[% END %]
+
+smtpd_recipient_restrictions =
+ permit_mynetworks
+ reject_unauth_destination
+ reject_non_fqdn_recipient
+ check_recipient_access regexp:/etc/postfix/rcptaccess
+[%- IF postfix.usepolicy %] check_sender_access regexp:/etc/postfix/senderaccess[% END %]
+[%- IF postfix.usepolicy %] check_client_access cidr:/etc/postfix/clientaccess[% END %]
+[%- IF postfix.usepolicy %] check_policy_service inet:127.0.0.1:10022[% END %]
+[%- IF pmg.mail.verifyreceivers %] reject_unknown_recipient_domain[% END %]
+[%- IF pmg.mail.verifyreceivers %] reject_unverified_recipient[% END %]
+
+[% IF pmg.mail.verifyreceivers %]
+unverified_recipient_reject_code = [% pmg.mail.verifyreceivers %]
+[% END %]
+
+smtpd_client_connection_count_limit = [% pmg.mail.conn_count_limit %]
+smtpd_client_connection_rate_limit = [% pmg.mail.conn_rate_limit %]
+smtpd_client_message_rate_limit = [% pmg.mail.message_rate_limit %]
+
+[% IF pmg.mail.tls %]
+smtp_tls_security_level = may
+smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+smtpd_tls_security_level = may
+smtpd_tls_cert_file = /etc/proxmox/proxmox-tls.pem
+smtpd_tls_key_file = $smtpd_tls_cert_file
+[% IF pmg.mail.tlslog %]
+smtpd_tls_loglevel = 1
+smtp_tls_loglevel = 1
+[% END %]
+[% IF pmg.mail.tlsheader %]
+smtpd_tls_received_header = yes
+[% END %]
+[% END %]
+
+smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
+smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
+
+
+default_destination_concurrency_limit = 40
+lmtp_destination_concurrency_limit = 20
+relay_destination_concurrency_limit = 20
+smtp_destination_concurrency_limit = 20
+virtual_destination_concurrency_limit = 20
+
+recipient_delimiter = +
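Review bot: `pmg.mail.tlslog` and `pmg.mail.tlsheader` are referenced here but no such properties are added to the schema in this commit, so those two IF blocks can never be enabled; either add them to properties()/options() or drop the blocks. For an IPv6 literal relay without relaynomx the template emits `relay_transport = smtp:2001:db8::1:25`, which Postfix cannot parse (an address literal needs brackets, and an MX lookup on a literal is meaningless anyway); since the Perl side already classifies the relay with Net::IP, pass that as a template variable and use the bracketed form whenever the value is an IP literal. `smtpd_banner`, `postscreen_dnsbl_sites` and the relay/smarthost values are interpolated verbatim, so this template relies on the schema rejecting newlines in those strings; a comment at the top recording that assumption would help the next maintainer.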
--- /dev/null
+# auto-generated by proxmox
+
+compatibility_level = 2
+command_directory = /usr/sbin
+daemon_directory = /usr/lib/postfix/sbin
+data_directory = /var/lib/postfix
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = yes
+
+smtpd_banner = $myhostname [% pmg.mail.banner %]
+biff = no
+
+[% IF pmg.mail.dwarning %]
+delay_warning_time = [% pmg.mail.dwarning %]h
+[% END %]
+
+best_mx_transport = local
+message_size_limit = [% pmg.mail.maxsize %]
+mailbox_size_limit = [% ((pmg.mail.maxsize*2 > 51200000) ? pmg.mail.maxsize*2 : 51200000) %]
+
+mydomain = [% dns.domain %]
+myhostname = [% dns.hostname %].[% dns.domain %]
+
+parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
+
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+mydestination = localhost, $myhostname
+mynetworks = [% postfix.mynetworks %]
+
+relay_domains = /etc/proxmox/domains
+
+transport_maps = hash:/etc/postfix/transport
+
+[% IF pmg.mail.relay %]
+[% IF pmg.mail.relaynomx %]
+relay_transport = smtp:[[% pmg.mail.relay %]]:[% pmg.mail.relayport %]
+[% ELSE %]
+relay_transport = smtp:[% pmg.mail.relay %]:[% pmg.mail.relayport %]
+[% END %]
+[% END %]
+
+[% IF pmg.mail.smarthost %]
+default_transport = smtp:[% pmg.mail.smarthost %]
+[% END %]
+
+mail_name = Proxmox
+
+[% IF pmg.mail.rejectunknown %]
+smtpd_client_restrictions =
+ reject_unknown_client
+[% END %]
+
+smtpd_sender_restrictions =
+ reject_non_fqdn_sender
+[%- IF pmg.mail.rejectunknownsender %] reject_unknown_sender_domain[% END %]
+
+smtpd_recipient_restrictions =
+ permit_mynetworks
+ reject_unauth_destination
+ reject_non_fqdn_recipient
+
+smtpd_client_connection_count_limit = [% pmg.mail.conn_count_limit %]
+smtpd_client_connection_rate_limit = [% pmg.mail.conn_rate_limit %]
+smtpd_client_message_rate_limit = [% pmg.mail.message_rate_limit %]
+
+default_destination_concurrency_limit = 40
+lmtp_destination_concurrency_limit = 20
+relay_destination_concurrency_limit = 20
+smtp_destination_concurrency_limit = 20
+virtual_destination_concurrency_limit = 20
+
+recipient_delimiter = +
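Review bot: The demo template uses the legacy restriction name `reject_unknown_client` while main.cf.in uses `reject_unknown_client_hostname`; as far as I know Postfix still honours the old alias, but the two templates should agree, so use `reject_unknown_client_hostname` here as well. `smtpd_recipient_restrictions` here has no content filter, policy service or TLS stanza, so `tls`, `use_rbl`, `spf` and `greylist` are silently ignored in demo mode; a header comment such as `# demo variant: no content filtering, policy daemon or TLS` would make that an intentional choice rather than a surprise.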
--- /dev/null
+#
+# Postfix master process configuration file. Each logical line
+# describes how a Postfix daemon program should be run.
+#
+# A logical line starts with non-whitespace, non-comment text.
+# Empty lines and whitespace-only lines are ignored, as are comment
+# lines whose first non-whitespace character is a `#'.
+# A line that starts with whitespace continues a logical line.
+#
+# The fields that make up each line are described below. A "-" field
+# value requests that a default value be used for that field.
+#
+# Service: any name that is valid for the specified transport type
+# (the next field). With INET transports, a service is specified as
+# host:port. The host part (and colon) may be omitted. Either host
+# or port may be given in symbolic form or in numeric form. Examples
+# for the SMTP server: localhost:smtp receives mail via the loopback
+# interface only; 10025 receives mail on port 10025.
+#
+# Transport type: "inet" for Internet sockets, "unix" for UNIX-domain
+# sockets, "fifo" for named pipes.
+#
+# Private: whether or not access is restricted to the mail system.
+# Default is private service. Internet (inet) sockets can't be private.
+#
+# Unprivileged: whether the service runs with root privileges or as
+# the owner of the Postfix system (the owner name is controlled by the
+# mail_owner configuration variable in the main.cf file). Only the
+# pipe, virtual and local delivery daemons require privileges.
+#
+# Chroot: whether or not the service runs chrooted to the mail queue
+# directory (pathname is controlled by the queue_directory configuration
+# variable in the main.cf file). Presently, all Postfix daemons can run
+# chrooted, except for the pipe, virtual and local delivery daemons.
+# The proxymap server can run chrooted, but doing so defeats most of
+# the purpose of having that service in the first place.
+# The files in the examples/chroot-setup subdirectory describe how
+# to set up a Postfix chroot environment for your type of machine.
+#
+# Wakeup time: automatically wake up the named service after the
+# specified number of seconds. A ? at the end of the wakeup time
+# field requests that wake up events be sent only to services that
+# are actually being used. Specify 0 for no wakeup. Presently, only
+# the pickup, queue manager and flush daemons need a wakeup timer.
+#
+# Max procs: the maximum number of processes that may execute this
+# service simultaneously. Default is to use a globally configurable
+# limit (the default_process_limit configuration parameter in main.cf).
+# Specify 0 for no process count limit.
+#
+# Command + args: the command to be executed. The command name is
+# relative to the Postfix program directory (pathname is controlled by
+# the daemon_directory configuration variable). Adding one or more
+# -v options turns on verbose logging for that service; adding a -D
+# option enables symbolic debugging (see the debugger_command variable
+# in the main.cf configuration file). See individual command man pages
+# for specific command-line options, if any.
+#
+# In order to use the "uucp" message tranport below, set up entries
+# in the transport table.
+#
+# In order to use the "cyrus" message transport below, configure it
+# in main.cf as the mailbox_transport.
+#
+# SPECIFY ONLY PROGRAMS THAT ARE WRITTEN TO RUN AS POSTFIX DAEMONS.
+# ALL DAEMONS SPECIFIED HERE MUST SPEAK A POSTFIX-INTERNAL PROTOCOL.
+#
+# DO NOT SHARE THE POSTFIX QUEUE BETWEEN MULTIPLE POSTFIX INSTANCES.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (yes) (never) (100)
+# ==========================================================================
+
+scan unix - - n - [% pmg.mail.max_filters %] lmtp
+ -o lmtp_send_xforward_command=yes
+ -o lmtp_connection_cache_on_demand=no
+ -o disable_dns_lookups=yes
+
+[% IF ipconfig.int_ip %]
+[% ipconfig.int_ip %]:[% ipconfig.int_port %] inet n - - - [% pmg.mail.max_smtpd_out %] smtpd
+ -o content_filter=scan:127.0.0.1:10023
+ -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
+ -o smtpd_helo_restrictions=
+ -o smtpd_client_restrictions=
+ -o smtpd_sender_restrictions=
+ -o smtpd_tls_security_level=none
+[% END %]
+
+[% IF ipconfig.int_ip %]
+[% ipconfig.int_ip %]:[% ipconfig.ext_port %] inet n - - - 1 postscreen
+[% END %]
+
+[% IF ipconfig.int_ip %]
+smtpd pass - - - - [% pmg.mail.max_smtpd_in %] smtpd
+ -o content_filter=scan:127.0.0.1:10024
+ -o receive_override_options=no_address_mappings
+ -o smtpd_discard_ehlo_keywords=silent-discard,dsn
+ -o mynetworks=127.0.0.0/8,[% ipconfig.int_ip %]
+[% END %]
+
+127.0.0.1:10025 inet n - n - - smtpd
+ -o content_filter=
+ -o local_recipient_maps=
+ -o relay_recipient_maps=
+ -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
+ -o smtpd_helo_restrictions=
+ -o smtpd_client_restrictions=
+ -o smtpd_restriction_classes=
+ -o smtpd_sender_restrictions=
+ -o smtpd_recipient_restrictions=permit_mynetworks,reject
+ -o mynetworks=127.0.0.0/8
+ -o smtpd_error_sleep_time=0
+ -o smtpd_client_connection_count_limit=0
+ -o smtpd_client_connection_rate_limit=0
+ -o smtpd_tls_security_level=none
+ -o smtpd_authorized_xforward_hosts=127.0.0.0/8
+ -o message_size_limit=[% (pmg.mail.maxsize*2) %]
+
+pickup fifo n - - 60 1 pickup
+cleanup unix n - - - 0 cleanup
+ -o message_size_limit=[% (pmg.mail.maxsize*2) %]
+
+qmgr fifo n - - 300 1 qmgr
+rewrite unix - - - - - trivial-rewrite
+bounce unix - - - - 0 bounce
+defer unix - - - - 0 bounce
+flush unix n - - 1000? 0 flush
+proxymap unix - - n - - proxymap
+smtp unix - - - - - smtp
+relay unix - - - - - smtp
+showq unix n - - - - showq
+error unix - - - - - error
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - n - - lmtp
+verify unix - - - - 1 verify
+trace unix - - n - 0 bounce
+tlsmgr unix - - - 1000? 1 tlsmgr
+anvil unix - - - - 1 anvil
+scache unix - - - - 1 scache
+discard unix - - - - - discard
+retry unix - - - - - error
+dnsblog unix - - - - 0 dnsblog
+tlsproxy unix - - - - 0 tlsproxy
+
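Review bot: The internal submission service on `[% ipconfig.int_ip %]:26` clears all client, helo and sender restrictions and forces `smtpd_tls_security_level=none`, so mail from the internal network to the gateway is always plaintext even when `tls` is enabled, and its only gate is `permit_mynetworks,reject_unauth_destination` against the global mynetworks that rewrite_config_file fills with the whole internal subnet; if that is the intended trust model, say so in a comment above the entry (`# outbound leg: trusted internal hosts only, no TLS, relay allowed to any destination`), and if not, dropping the `smtpd_tls_security_level=none` override lets the main.cf `may` setting apply. The three consecutive `[% IF ipconfig.int_ip %]` blocks guard the same condition and can be a single block, which also makes it obvious that without int_ip the gateway listens on nothing but 127.0.0.1:10025.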
--- /dev/null
+#
+# Postfix master process configuration file. Each logical line
+# describes how a Postfix daemon program should be run.
+#
+# A logical line starts with non-whitespace, non-comment text.
+# Empty lines and whitespace-only lines are ignored, as are comment
+# lines whose first non-whitespace character is a `#'.
+# A line that starts with whitespace continues a logical line.
+#
+# The fields that make up each line are described below. A "-" field
+# value requests that a default value be used for that field.
+#
+# Service: any name that is valid for the specified transport type
+# (the next field). With INET transports, a service is specified as
+# host:port. The host part (and colon) may be omitted. Either host
+# or port may be given in symbolic form or in numeric form. Examples
+# for the SMTP server: localhost:smtp receives mail via the loopback
+# interface only; 10025 receives mail on port 10025.
+#
+# Transport type: "inet" for Internet sockets, "unix" for UNIX-domain
+# sockets, "fifo" for named pipes.
+#
+# Private: whether or not access is restricted to the mail system.
+# Default is private service. Internet (inet) sockets can't be private.
+#
+# Unprivileged: whether the service runs with root privileges or as
+# the owner of the Postfix system (the owner name is controlled by the
+# mail_owner configuration variable in the main.cf file). Only the
+# pipe, virtual and local delivery daemons require privileges.
+#
+# Chroot: whether or not the service runs chrooted to the mail queue
+# directory (pathname is controlled by the queue_directory configuration
+# variable in the main.cf file). Presently, all Postfix daemons can run
+# chrooted, except for the pipe, virtual and local delivery daemons.
+# The proxymap server can run chrooted, but doing so defeats most of
+# the purpose of having that service in the first place.
+# The files in the examples/chroot-setup subdirectory describe how
+# to set up a Postfix chroot environment for your type of machine.
+#
+# Wakeup time: automatically wake up the named service after the
+# specified number of seconds. A ? at the end of the wakeup time
+# field requests that wake up events be sent only to services that
+# are actually being used. Specify 0 for no wakeup. Presently, only
+# the pickup, queue manager and flush daemons need a wakeup timer.
+#
+# Max procs: the maximum number of processes that may execute this
+# service simultaneously. Default is to use a globally configurable
+# limit (the default_process_limit configuration parameter in main.cf).
+# Specify 0 for no process count limit.
+#
+# Command + args: the command to be executed. The command name is
+# relative to the Postfix program directory (pathname is controlled by
+# the daemon_directory configuration variable). Adding one or more
+# -v options turns on verbose logging for that service; adding a -D
+# option enables symbolic debugging (see the debugger_command variable
+# in the main.cf configuration file). See individual command man pages
+# for specific command-line options, if any.
+#
+# In order to use the "uucp" message tranport below, set up entries
+# in the transport table.
+#
+# In order to use the "cyrus" message transport below, configure it
+# in main.cf as the mailbox_transport.
+#
+# SPECIFY ONLY PROGRAMS THAT ARE WRITTEN TO RUN AS POSTFIX DAEMONS.
+# ALL DAEMONS SPECIFIED HERE MUST SPEAK A POSTFIX-INTERNAL PROTOCOL.
+#
+# DO NOT SHARE THE POSTFIX QUEUE BETWEEN MULTIPLE POSTFIX INSTANCES.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (yes) (never) (100)
+# ==========================================================================
+
+127.0.0.1:10025 inet n - n - - smtpd
+ -o content_filter=
+ -o local_recipient_maps=
+ -o relay_recipient_maps=
+ -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
+ -o smtpd_helo_restrictions=
+ -o smtpd_client_restrictions=
+ -o smtpd_restriction_classes=
+ -o smtpd_sender_restrictions=
+ -o smtpd_recipient_restrictions=permit_mynetworks,reject
+ -o mynetworks=127.0.0.0/8
+ -o smtpd_error_sleep_time=0
+ -o smtpd_client_connection_count_limit=0
+ -o smtpd_client_connection_rate_limit=0
+ -o smtpd_authorized_xforward_hosts=127.0.0.0/8
+ -o message_size_limit=[% (pmg.mail.maxsize*2) %]
+127.0.0.1:25 inet n - n - - smtpd
+ -o content_filter=
+ -o local_recipient_maps=
+ -o relay_recipient_maps=
+ -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
+ -o smtpd_helo_restrictions=
+ -o smtpd_client_restrictions=
+ -o smtpd_restriction_classes=
+ -o smtpd_sender_restrictions=
+ -o smtpd_recipient_restrictions=permit_mynetworks,reject
+ -o mynetworks=127.0.0.0/8
+ -o smtpd_error_sleep_time=0
+ -o smtpd_client_connection_count_limit=0
+ -o smtpd_client_connection_rate_limit=0
+ -o smtpd_authorized_xforward_hosts=127.0.0.0/8
+ -o message_size_limit=[% (pmg.mail.maxsize*2) %]
+pickup fifo n - - 60 1 pickup
+cleanup unix n - - - 0 cleanup
+ -o message_size_limit=[% (pmg.mail.maxsize*2) %]
+qmgr fifo n - - 300 1 qmgr
+rewrite unix - - - - - trivial-rewrite
+bounce unix - - - - 0 bounce
+defer unix - - - - 0 bounce
+flush unix n - - 1000? 0 flush
+proxymap unix - - n - - proxymap
+smtp unix - - - - - smtp
+relay unix - - - - - smtp
+showq unix n - - - - showq
+error unix - - - - - error
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - n - - lmtp
+verify unix - - - - 1 verify
+trace unix - - n - 0 bounce
+tlsmgr unix - - - 1000? 1 tlsmgr
+anvil unix - - - - 1 anvil
+scache unix - - - - 1 scache
+discard unix - - - - - discard