#
################################################
### Managed by someone's ansible provisioner ###
################################################
# Part of: https://git.somenet.org/root/pub/somesible.git
# 2017-2025 by someone <someone@somenet.org>
#

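# Last time we extensively looked at our configuration.
# compatibility_level tells Postfix which release's defaults to assume for every parameter that is
# not set explicitly below; raise it only after re-reading the newer release's compatibility notes.
compatibility_level = 3.6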


# identity + trusted networks
# Anything in mynetworks passes permit_mynetworks in the RCPT TO restrictions further down, i.e. it
# may relay without SASL. 10.0.0.0/8 is the entire private range - keep it as tight as the LAN allows.
myhostname = mail.somenet.org
myorigin = mail.l
mydestination = mail.l, l, localhost, localhost.localdomain
mynetworks = 10.0.0.0/8 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128


# incoming mail
# TLS key/chain pairs for the SMTP server; each key file must be immediately followed by its own chain.
# The two directories presumably hold an ECDSA and an RSA certificate for the same name - confirm.
smtpd_tls_chain_files =
    /etc/ssl/letsencrypt/mail.somenet.org/privkey.pem,
    /etc/ssl/letsencrypt/mail.somenet.org/fullchain.pem,
    /etc/ssl/letsencrypt-rsa/mail.somenet.org/privkey.pem,
    /etc/ssl/letsencrypt-rsa/mail.somenet.org/fullchain.pem
# opportunistic STARTTLS for the public MX: TLS is offered, cleartext from peers without it is still accepted.
smtpd_tls_security_level = may
# TLS 1.2 and newer only, for both opportunistic and mandatory TLS.
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# NOTE(review): with security_level=may a peer that cannot agree on a "high" cipher falls back to
# cleartext instead of failing, which is why Postfix documents "medium" as the opportunistic default;
# keep "high" only if that trade-off is intended.
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
# 1 = one summary line per handshake
smtpd_tls_loglevel = 1
# record protocol and cipher in the Received: header
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# AUTH is only offered after STARTTLS, so credentials never cross the wire in the clear.
smtpd_tls_auth_only = yes
# we override this for the "submission" service.
smtpd_sasl_auth_enable = no
smtpd_sasl_path = smtpd
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_helo_required = yes
# fuck sec consult and their business "ethics".
# SMTP smuggling hardening: reject bare <LF> line endings, drop clients that pipeline before they
# are allowed to, and do not advertise CHUNKING (BDAT) at all.
smtpd_forbid_bare_newline = yes
smtpd_forbid_unauth_pipelining = yes
smtpd_discard_ehlo_keywords = chunking, silent-discard


# header cleanup + transport mapping
# header_checks only sees the top-level message headers; the empty nested_header_checks switches the
# checks off for headers of attached (MIME-nested) messages, which would otherwise inherit them.
header_checks = regexp:/etc/postfix/header_checks_in.regexp
nested_header_checks =
# sympa's transport map is not merged in here (see the commented-out sympa block further down)
transport_maps = hash:/etc/postfix/transport.map
#, hash:/var/lib/sympa/transport.map


# outgoing mail
# opportunistic TLS towards remote MXes; an MX without STARTTLS is still delivered to in cleartext.
# NOTE(review): "dane" (needs a DNSSEC-validating resolver) or a per-destination policy map would
# stop the cleartext fallback for domains that support it - not configured here.
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# same caveat as on the server side: "high" with security_level=may trades cleartext fallback
# against weaker-but-encrypted sessions with legacy peers.
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# header rewriting on the way out (presumably strips internal headers) - see the regexp file
smtp_header_checks = regexp:/etc/postfix/header_checks_out.regexp


# hosted domains
# somenet.org is alias-only: every address is rewritten through virtual.map before delivery, and an
# address that is missing from the map is rejected as an unknown recipient (no catch-all).
virtual_alias_domains = somenet.org
virtual_alias_maps = hash:/etc/postfix/virtual.map


# local delivery
# hand local mail to cyrus over its LMTP unix socket instead of local(8)
mailbox_transport = lmtp:unix:/var/lib/cyrus/socket/lmtp
# 200 MiB; message_size_limit below is tied to this value
mailbox_size_limit = 209715200


#sympa
# todo: flip vmailbox and valias domains?
#virtual_mailbox_domains = lists.somenet.org
#virtual_mailbox_maps = hash:/etc/postfix/virtual.map, hash:/etc/postfix/transport.map, hash:/var/lib/sympa/transport.map


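# random settings
# the server's cipher order wins over the client's during the TLS handshake
tls_preempt_cipherlist = yes
biff = no
connection_cache_status_update_time = 3600
# IPv4 only: Postfix neither listens nor connects over IPv6 with this setting, so the IPv6
# entries in mynetworks above are harmless but never matched
inet_protocols = ipv4
# same cap as the mailbox (200 MiB), so nothing is accepted that cannot be stored
message_size_limit = $mailbox_size_limit
# user+tag@domain addressing
recipient_delimiter = +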


# take it easy.
# at most 2 parallel deliveries to the same destination
default_destination_concurrency_limit = 2

# disable smtputf8 because of cyrus
# (SMTPUTF8 is no longer advertised to clients)
smtputf8_enable = no


#########################################
# DONT BE AN OPEN RELAY. RESTRICT STUFF #
#########################################
# named restriction lists that access maps (presumably the regexp files referenced below) can return
# as an action. HOLD_OK flags the message for the hold queue - kept for manual review instead of
# being rejected - and then permits it, which ends the list.
smtpd_restriction_classes = HOLD_OK
HOLD_OK = check_client_access static:hold, permit


# 1. check every incoming connection.
# we use master.cf to override this for the "submission" service to always require authentication:
#   smtpd_client_restrictions = permit_sasl_authenticated, reject
# we merge that into recipient and relay restrictions - no need to check everything multiple times.
#smtpd_client_restrictions =
#    permit_mynetworks,
#    permit_sasl_authenticated,
#    reject_unknown_client_hostname,
#    permit


# 2. check the helo of the incoming connection.
# we merge that into recipient and relay restrictions - no need to check everything multiple times.
# smtpd_helo_restrictions =
#    permit_mynetworks,
#    permit_sasl_authenticated,
#    reject_invalid_helo_hostname,
#    reject_unknown_helo_hostname,
#    permit


# 3. checks run after a connection issues "MAIL FROM"
# we merge that into recipient and relay restrictions - no need to check everything multiple times.
# smtpd_sender_restrictions =
#    check_sender_access regexp:/etc/postfix/sender_restrictions.regexp,
#    permit_mynetworks,
#    permit_sasl_authenticated,
#    reject_non_fqdn_sender,
#    reject_unknown_sender_domain,
#    permit


# 4a. checks run after a connection issues "RCPT TO"
# Postfix evaluates smtpd_relay_restrictions (4b) before this list, so reject_unauth_destination
# here is defence in depth rather than the relay control itself. The access maps sit in front of
# permit_mynetworks/permit_sasl_authenticated on purpose: they can block internal senders too.
# reject_unknown_client_hostname is strict - clients without a consistent PTR/A pair are refused.
smtpd_recipient_restrictions =
    check_sender_access    regexp:/etc/postfix/rcpt_sender.regexp,
    check_recipient_access regexp:/etc/postfix/rcpt_recipient.regexp,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_unauth_pipelining,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_client_hostname,
    reject_unknown_helo_hostname,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit


# 4b. same list as 4a with the rel_* access maps in front. Postfix applies this list before
# smtpd_recipient_restrictions, so the shared rcpt_* maps and checks run twice per "RCPT TO";
# reject_unauth_destination (after permit_mynetworks/permit_sasl_authenticated) is what actually
# stops open relaying.
smtpd_relay_restrictions =
    check_sender_access    regexp:/etc/postfix/rel_sender.regexp,
    check_recipient_access regexp:/etc/postfix/rel_recipient.regexp,
    check_sender_access    regexp:/etc/postfix/rcpt_sender.regexp,
    check_recipient_access regexp:/etc/postfix/rcpt_recipient.regexp,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_unauth_pipelining,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_client_hostname,
    reject_unknown_helo_hostname,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit


# 5. checks run after a connection issues "DATA"
# we merge that into recipient and relay restrictions - no need to check everything multiple times.
# smtpd_data_restrictions =
#    permit_mynetworks,
#    permit_sasl_authenticated,
#    reject_unauth_pipelining,
#    permit