From e193248d3eab7645a2693e8039200597296f660a Mon Sep 17 00:00:00 2001
From: Someone
Date: Mon, 21 Jul 2025 02:10:51 +0200
Subject: [PATCH] roles/server/mail/postfix
---
 .../postfix/files/default/postfix.service | 85 +++++++++++++++++++
 .../postfix/files/default/postfix@.service | 30 -------
 roles/server/mail/postfix/tasks/main.yml | 12 +--
 3 files changed, 91 insertions(+), 36 deletions(-)
 create mode 100644 roles/server/mail/postfix/files/default/postfix.service
 delete mode 100644 roles/server/mail/postfix/files/default/postfix@.service
diff --git a/roles/server/mail/postfix/files/default/postfix.service b/roles/server/mail/postfix/files/default/postfix.service
new file mode 100644
index 0000000..3bfb4d7
--- /dev/null
+++ b/roles/server/mail/postfix/files/default/postfix.service
@@ -0,0 +1,85 @@
+[Unit]
+Description=Postfix Mail Transport Agent (main/default instance)
+Documentation=man:postfix(1)
+After=network.target nss-lookup.target
+# network-online.target is a semi-working work-around for specific
+# network_interfaces, https://bugs.debian.org/854475#126
+# Please add local override wanting network-online.target or
+# systemd-networkd-wait-online@INTERFACE:no-carrier.service
+#After=network-online.target
+#Wants=network-online.target
+ConditionPathExists=/etc/postfix/main.cf
+# pre-3.9.1-7 multi-instance setup:
+Conflicts=postfix@-.service
+
+[Service]
+Type=forking
+# Force operations on single default instance, do not run postmulti wrapper
+Environment=MAIL_CONFIG=/etc/postfix
+# perform 2-stage startup
+ExecStartPre=+postfix check
+ExecStart=postfix debian-systemd-start
+ExecStop=postfix stop
+ExecReload=postfix reload
+
+# Postfix consists of multiple processes run by a master(8) orchestrator,
+# each of them having different requirements. From the whole set, local(8)
+# (the Postfix local delivery agent) is the most demanding one, because it
+# runs things as user, and a user needs to be able to run suid/sgid programs
+# (if not only to be able to deliver mail to /var/spool/postfix/postdrop).
+# Individual Postfix daemons are started as root, optionally perform chroot
+# into the queue directory, and drop privileges voluntary
+
+# listen(2) on privileged ports (smtp)
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+# chroot into queue dir
+CapabilityBoundingSet=CAP_SYS_CHROOT
+# drop root privs, run as user when delivering local mail
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID
+# processes access protected files in non-root-owned dirs (acl root:rwx);
+CapabilityBoundingSet=CAP_DAC_OVERRIDE
+# https://bugs.debian.org/1099891 :
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH
+# chown(2) is needed for procmal &Co to create /var/mail/$USER
+CapabilityBoundingSet=CAP_CHOWN
+
+# users might run suid/sgid programs from ~/.forward:
+RestrictSUIDSGID=no
+# for the same reason, NoNewPrivileges can not be set to yes
+NoNewPrivileges=no
+
+# if you don't use procmail for delivery to /var/mail/$USER,
+# CAP_CHOWN can be removed.
+# if you don't use local(8) at all, only doing local delivery over LMTP
+# or using virtual(8), you can also set
+#RestrictSUIDSGID=yes
+#NoNewPrivileges=yes
+# Also, CAP_DAC_OVERRIDE can be eliminated by adding root user to ACL to
+# postfix-owned dis in spool: public, private; and whatever maps in protected
+# subdirs you use, relying on cap_dac_override
+
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+ProtectControlGroups=yes
+ProtectClock=yes
+PrivateDevices=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+# ProtectProc is not usable with User=root:
+#ProtectProc=noaccess
+ProcSubset=pid
+# ProtectSystem can be "yes" if rw maps are in /etc, or "full"
+# Alternative would be "strict"
+ReadWritePaths=/var
+ProtectSystem=full
+# Need to write to ~/Maildir/ etc:
+ProtectHome=no
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+
+SystemCallFilter=@system-service @setuid chroot
+
+[Install]
+WantedBy=multi-user.target
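Review bot: `ReadWritePaths=/var` is inert next to `ProtectSystem=full`: `full` only remounts /usr, /boot, /efi and /etc read-only, so /var is writable anyway, and the line only does something once the commented-out `strict` alternative is chosen; either a comment such as `# only needed once ProtectSystem=strict is enabled` or dropping the line would make the intent clear. The `+` prefix on `ExecStartPre=+postfix check` runs that command with full privileges, outside the `CapabilityBoundingSet=`, `ProtectSystem=` and other sandboxing directives below, which deserves a one-line comment (`# '+' runs this command with full privileges, bypassing the hardening below`) so the exemption is not silently removed by a later hardening pass. The new unit also drops the "Managed by someone's ansible provisioner" banner that the deleted postfix@.service carried, so the file is no longer marked as role-managed on the host. Minor comment typos: `voluntary` → `voluntarily`, `procmal` → `procmail`, `dis` → `dirs`.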
diff --git a/roles/server/mail/postfix/files/default/postfix@.service b/roles/server/mail/postfix/files/default/postfix@.service
deleted file mode 100644
index 49b2ccb..0000000
--- a/roles/server/mail/postfix/files/default/postfix@.service
+++ /dev/null
@@ -1,30 +0,0 @@
-#
-################################################
-### Managed by someone's ansible provisioner ###
-################################################
-# Part of: https://git.somenet.org/root/pub/somesible.git
-# 2017-2025 by someone
-#
-
-[Unit]
-Description=Postfix Mail Transport Agent (instance %i)
-Documentation=man:postfix(1)
-PartOf=postfix.service
-Before=postfix.service
-ReloadPropagatedFrom=postfix.service
-After=network-online.target nss-lookup.target
-Wants=network-online.target
-
-[Service]
-Type=forking
-GuessMainPID=no
-ExecStartPre=/usr/lib/postfix/configure-instance.sh %i
-ExecStart=/usr/sbin/postmulti -i %i -p start
-ExecStop=/usr/sbin/postmulti -i %i -p stop
-ExecReload=/usr/sbin/postmulti -i %i -p reload
-TimeoutStartSec=600
-Restart=always
-RestartSec=10
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/server/mail/postfix/tasks/main.yml b/roles/server/mail/postfix/tasks/main.yml
index 717c163..a18b2b9 100644
--- a/roles/server/mail/postfix/tasks/main.yml
+++ b/roles/server/mail/postfix/tasks/main.yml
@@ -215,18 +215,18 @@ notify: reload postfix.service -- name: copy postfix@.service to /etc/systemd/system/ +- name: copy postfix.service to /etc/systemd/system/ copy: src: "{{item}}" - dest: "/etc/systemd/system/postfix@.service" + dest: "/etc/systemd/system/postfix.service" mode: 0644 owner: "root" group: "root" with_first_found: - - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/postfix@.service" - - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/postfix@.service" - - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/postfix@.service" - - "default/postfix@.service" + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/postfix.service" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/postfix.service" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/postfix.service" + - "default/postfix.service" - name: copy fail2ban.jail.d.postfix.conf to /etc/fail2ban/jail.d/ -- 2.47.2
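Review bot: The renamed task installs `/etc/systemd/system/postfix.service`, but nothing in this hunk removes the `/etc/systemd/system/postfix@.service` that the previous version of the role deployed, so already-provisioned hosts keep a stale template unit next to the new one, and any instance enabled from it stays enabled (the new unit only declares `Conflicts=postfix@-.service`). Unless the role cleans it up elsewhere, a `file` task with `state: absent` for the old path would close that gap. The copy task also carries no `notify:` of its own (the `notify: reload postfix.service` at the top of the hunk belongs to the previous task), so a changed unit file is not followed by `systemctl daemon-reload` unless a later task or the existing handler does it; if the `reload postfix.service` handler does not already run a daemon-reload, both the copy task and the removal task should notify one that does.
```yaml
# … unchanged: copy postfix.service task …
- name: remove legacy postfix@.service from /etc/systemd/system/
  file:
    path: "/etc/systemd/system/postfix@.service"
    state: absent
  notify: <DAEMON-RELOAD-HANDLER>   # placeholder: the role's existing daemon-reload handler name
```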