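# See /usr/share/postfix/main.cf.dist for a commented, more complete version
{# Jinja2 template for Postfix main.cf; the ansible_fqdn fact shows it is
   rendered by Ansible. Every postfix_* variable referenced in an {% if %}
   must be defined (an undefined name would fail the render), so the role's
   defaults are part of this file's contract. #}

# --- Identity and listening interfaces ---
# Satellite hosts only accept mail on loopback; full MX hosts listen everywhere.
inet_interfaces = {{ "loopback-only" if postfix_satellite_only else "all" }}
inet_protocols = all
myhostname = {{ ansible_fqdn }}
myorigin = /etc/mailname
# Local delivery domains (space separated).
mydestination = $myhostname localhost {{ postfix_domains | join(" ") }}
# Hosts that may relay without authentication; loopback plus role-supplied CIDRs.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ postfix_my_networks|join(" ") }}
relayhost = {{ postfix_relay_host }}
{% if postfix_transport_maps|bool %}
transport_maps = cdb:/etc/postfix/transport
{% endif %}

# --- Local delivery and SMTP AUTH (full MX hosts only) ---
{% if not postfix_satellite_only %}
{% if postfix_domains|count > 0 %}
{% if postfix_prefer_lmtp %}
mailbox_transport = lmtp:unix:private/dovecot-lmtp
{% else %}
mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
{% endif %}
{% endif %}
# Ties SASL logins to the envelope senders they may use (used by
# reject_sender_login_mismatch-style checks elsewhere in the configuration).
smtpd_sender_login_maps = proxy:pcre:/etc/postfix/login_maps.pcre
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
{% endif %}

# --- General hardening and limits ---
append_dot_mydomain = no
biff = no
compatibility_level = 2
#delay_warning_time = 4h
# VRFY lets a remote side enumerate valid mailboxes; keep it disabled.
disable_vrfy_command = yes
#enable_long_queue_ids = yes
mailbox_size_limit = 0
# Bytes; supplied by the role.
message_size_limit = {{ postfix_message_size_limit }}
readme_directory = no
recipient_delimiter = +
#strict_rfc821_envelopes = no
smtpd_banner = $myhostname ESMTP $mail_name
# Relay only for trusted networks and authenticated users; everything else is
# deferred (not rejected) so a misconfiguration does not bounce mail.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

# --- TLS ---
smtpd_use_tls = yes
# Outbound TLS is opportunistic: a peer (including the relayhost) that offers no
# TLS is still delivered to in cleartext. When relayhost is set, "encrypt" or
# "secure" with a matching smtp_tls_* policy would close that downgrade path.
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Inbound TLS must stay opportunistic for an MX (RFC-compliant senders may not
# use TLS), but AUTH is only offered on encrypted sessions.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = {{ postfix_tls_cert }}
smtpd_tls_key_file = {{ postfix_tls_key }}
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
{% if postfix_enable_mta_sts %}
# Per-destination policy from an MTA-STS resolver; it overrides the
# opportunistic default above for domains that publish a policy.
smtp_tls_policy_maps = socketmap:unix:mta-sts/mta-sts.sock:postfix
{% endif %}
{% if not postfix_satellite_only %}
smtpd_tls_protocols = {{ postfix_tls_protocols }}
smtpd_tls_mandatory_protocols = {{ postfix_tls_protocols }}
{% if postfix_tls_mandatory_ciphers %}
smtpd_tls_mandatory_ciphers = {{ postfix_tls_mandatory_ciphers }}
{% endif %}
{% if postfix_tls_preempt_cipherlist %}
{# The guard already establishes the value is truthy, so "yes" is the only
   outcome; the former 'yes'/'no' conditional had an unreachable branch. #}
tls_preempt_cipherlist = yes
{% endif %}
{% if postfix_tls_eecdh_grade %}
smtpd_tls_eecdh_grade = {{ postfix_tls_eecdh_grade }}
{% endif %}
{% if postfix_tls_high_cipherlist %}
tls_high_cipherlist = {{ postfix_tls_high_cipherlist }}
{% endif %}
{% if postfix_tls_medium_cipherlist %}
tls_medium_cipherlist = {{ postfix_tls_medium_cipherlist }}
{% endif %}
{% if postfix_tls_dh_file %}
{# The path is fixed here rather than taken from postfix_tls_dh_file;
   presumably the role installs the file at this location -- confirm. #}
smtpd_tls_dh1024_param_file = /etc/postfix/dh.pem
{% endif %}
tls_ssl_options = NO_COMPRESSION
{% endif %}

# --- Address rewriting and virtual domains ---
alias_maps = cdb:/etc/aliases
alias_database = cdb:/etc/aliases
virtual_alias_maps = cdb:/etc/postfix/virtual
{% if postfix_virtual_domains|count > 0 %}
virtual_mailbox_domains = {{ postfix_virtual_domains | join(", ") }}
virtual_mailbox_base = /var/vmail/
# Bytes per mailbox.
virtual_mailbox_limit = 512000000
virtual_minimum_uid = 5000
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_gid_maps = static:5000
# NOTE(review): no virtual_mailbox_maps is set, so Postfix has no recipient
# list to validate virtual-domain recipients against before handing them to
# LMTP -- confirm Dovecot rejects unknown users at LMTP time, otherwise
# undeliverable mail is accepted first and bounced later (backscatter).
{% endif %}

# --- Error reporting ---
{# Build the list with "+" instead of list.extend(): extend() mutated the
   role variable in place, so a second render in the same run saw a longer
   list (masked only by the |unique filter below). #}
{% set _classes = postfix_notify_classes + ["resource", "software"] %}
notify_classes = {{ _classes|unique|join(", ") }}

# --- postscreen (full MX hosts only) ---
{% if postfix_enable_postscreen and not postfix_satellite_only %}
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
{% if postfix_enable_memcached %}
postscreen_cache_map = memcache:/etc/postfix/postscreen_cache
proxy_write_maps = proxy:btree:/var/lib/postfix/postscreen_cache
{% else %}
postscreen_cache_map = proxy:btree:/var/lib/postfix/postscreen_cache
{% endif %}
# Postfix 3.6 introduced postscreen_denylist_action and
# postscreen_dnsbl_allowlist_threshold as the preferred names; the older names
# used here are kept for compatibility with earlier releases.
postscreen_blacklist_action = drop
postscreen_greet_action = enforce
# postscreen_whitelist_interfaces = static:all
# postscreen_greet_banner = $smtpd_banner
postscreen_pipelining_enable = yes
# postscreen_pipelining_action = enforce
postscreen_non_smtp_command_enable = yes
# postscreen_non_smtp_command_action = drop
postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = drop
postscreen_dnsbl_action = enforce
# Combined DNSBL score at which a client is rejected.
postscreen_dnsbl_threshold = 2
# Negative score needed for an allowlist match; only reachable when a site
# below carries a negative modifier.
postscreen_dnsbl_whitelist_threshold = -1
# One "site*weight" entry per line; the leading whitespace makes each line a
# Postfix continuation of the postscreen_dnsbl_sites value.
postscreen_dnsbl_sites =
{% for site in postfix_dnsbl_sites %}
    {{ site.name }}*{{ site.modifier|default(1) }}
{% endfor %}
{% endif %}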