pillar.example

# -*- coding: utf-8 -*-
# vim: ft=yaml
---
postfix:
  manage_master_config: true
  master_config:
    # Preferred way of managing services/processes. This allows for finegrained
    # control over each service. See postfix/services.yaml for defaults that can
    # be overridden.
    services:
      smtp:
        # Limit to no more than 10 smtp processes
        maxproc: 10
      # Enable oldstyle TLS wrapped SMTP
      smtps:
        enable: true
      # Enable submission service on port 587/tcp with custom options
      submission:
        enable: true
        args:
          - "-o smtpd_tls_security_level=encrypt"
          - "-o smtpd_sasl_auth_enable=yes"
          - "-o smtpd_client_restrictions: permit_sasl_authenticated,reject"
      tlsproxy:
        enable: true
        chroot: true
      uucp:
        enable: true
      # Dovecot delivery via deliver binary. For better performance, investigate
      # using LMTP instead: <https://wiki.dovecot.org/LMTP>
      dovecot:
        chroot: false
        command: pipe
        enable: true
        extras: '-d ${recipient}'
        flags: DRhu
        type: unix
        unpriv: false
        user: vmail:vmail
        argv: /usr/lib/dovecot/deliver
      # Completely customized mail-delivery-agent entry. Will be appended to the
      # master.cf file
      custom-mda:
        argv: /usr/local/sbin/mail-handler.py
        command: pipe
        extras: --rcpt ${recipient}
        flags: DRhu
        user: mail
        # Wrap the output in master.cf at 78 chars for better readability
        wrap: true
        # Avoid user and arvg settings to allow define internal processes
        # needed for randomizing relay IP (randmap functionality)
        no_args: true

    # Backwards compatible definition of dovecot delivery in master.cf
    enable_dovecot: false
    # The following are the default values:
    dovecot:
      user: vmail
      group: vmail
      flags: DRhu
      argv: "/usr/lib/dovecot/deliver"

    # Backwards compatible definition of submission listener in master.cf
    enable_submission: false
    # To replace the defaults use this:
    submission:
      smtpd_tls_security_level: encrypt
      smtpd_sasl_auth_enable: 'yes'
      smtpd_client_restrictions: permit_sasl_authenticated,reject

  enable_service: true
  reload_service: true

  postgrey:
    enabled: true
    enable_service: true
    location: inet:172.16.0.5:6379

  policyd-spf:
    enabled: true
    time_limit: 7200s

  config:
    smtpd_banner: $myhostname ESMTP $mail_name
    smtp_tls_CApath: /etc/ssl/certs
    biff: 'no'
    append_dot_mydomain: 'no'
    readme_directory: 'no'
    myhostname: localhost
    mydestination: localhost, localhost.localdomain
    relayhost: ''
    mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mailbox_size_limit: 0
    recipient_delimiter: +
    inet_interfaces: all
    inet_protocols: all

    # postsrsd:
    sender_canonical_maps: tcp:127.0.0.1:10001
    sender_canonical_classes: envelope_sender
    recipient_canonical_maps: tcp:127.0.0.1:10002
    recipient_canonical_classes: envelope_recipient

    # Alias
    alias_maps: hash:/etc/aliases
    # This is the list of files for the newaliases
    # cmd to process (see postconf(5) for details).
    # Only local hash/btree/dbm files:
    alias_database: hash:/etc/aliases

    # Virtual users
    virtual_alias_maps: proxy:mysql:/etc/postfix/virtual_alias_maps.cf
    virtual_mailbox_domains: proxy:mysql:/etc/postfix/virtual_mailbox_domains.cf
    virtual_mailbox_maps: proxy:mysql:/etc/postfix/virtual_mailbox_maps.cf
    virtual_mailbox_base: /home/vmail
    virtual_mailbox_limit: 512000000
    virtual_minimum_uid: 5000
    virtual_transport: virtual
    virtual_uid_maps: static:5000
    virtual_gid_maps: static:5000

    local_transport: virtual
    local_recipient_maps: $virtual_mailbox_maps
    # Use the `mapping` key to define the map
    transport_maps: hash:/etc/postfix/transport

    # SMTP server
    smtpd_tls_session_cache_database: btree:${data_directory}/smtpd_scache
    smtpd_use_tls: 'yes'
    smtpd_sasl_auth_enable: 'yes'
    smtpd_sasl_type: dovecot
    smtpd_sasl_path: /var/run/dovecot/auth-client
    smtpd_recipient_restrictions: >-
      permit_mynetworks,
      permit_sasl_authenticated,
      reject_unauth_destination
    smtpd_relay_restrictions: >-
      permit_mynetworks,
      permit_sasl_authenticated,
      reject_unauth_destination
    smtpd_sasl_security_options: noanonymous
    smtpd_sasl_tls_security_options: $smtpd_sasl_security_options
    smtpd_tls_auth_only: 'yes'
    smtpd_sasl_local_domain: $mydomain
    smtpd_tls_loglevel: 1
    smtpd_tls_session_cache_timeout: 3600s

    relay_domains: '$mydestination'

    # SMTP server certificate and key (from pillar data)
    smtpd_tls_cert_file: /etc/postfix/ssl/server-cert.crt
    smtpd_tls_key_file: /etc/postfix/ssl/server-cert.key

    # SMTP client
    smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache
    smtp_use_tls: 'yes'
    smtp_tls_cert_file: /etc/postfix/ssl/example.com-relay-client-cert.crt
    smtp_tls_key_file: /etc/postfix/ssl/example.com-relay-client-cert.key
    smtp_tls_policy_maps: hash:/etc/postfix/tls_policy

    smtp_sasl_password_maps: hash:/etc/postfix/sasl_passwd
    sender_canonical_maps: hash:/etc/postfix/sender_canonical
    relay_recipient_maps: hash:/etc/postfix/relay_domains
    virtual_alias_maps: hash:/etc/postfix/virtual

  vmail:
    user: postfix_user
    password: DB_PASSWD
    hosts: DB_HOST
    dbname: postfix_db

  # add mysql query to virtual
  mysql:
    virtual_mailbox_domains:
      table: virtual_domains
      select_field: 1
      where_field: name
    virtual_alias_maps:
      table: virtual_aliases
      select_field: destination
      where_field: email
    virtual_mailbox_maps:
      table: virtual_users
      select_field: 1
      where_field: email

  aliases:
    # manage single aliases
    # this uses the aliases file defined in the minion config, /etc/aliases by default
    use_file: false
    present:
      root: info@example.com
    absent:
      - root

    # manage entire aliases file
    use_file: true
    content: |
      # Forward all local *nix users mail to our admins (via greedy regexp)
      /.+/    admins@example.com

  certificates:
    server-cert:
      public_cert: |
        -----BEGIN CERTIFICATE-----
        (Your primary SSL certificate: smtp.example.com.crt)
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        (Your intermediate certificate: example-ca.crt)
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        (Your root certificate: trusted-root.crt)
        -----END CERTIFICATE-----
      private_key: |
        -----BEGIN RSA PRIVATE KEY-----
        (Your Private key)
        -----END RSA PRIVATE KEY-----

    example.com-relay-client-cert:
      public_cert: |
        -----BEGIN CERTIFICATE-----
        (Your primary SSL certificate: smtp.example.com.crt)
        -----END CERTIFICATE-----
      private_key: |
        -----BEGIN RSA PRIVATE KEY-----
        (Your Private key)
        -----END RSA PRIVATE KEY-----

  mapping:
    transport_maps:
      - DOMAIN_NAME: ':[IP_ADDRESS]'

    smpt_tls_policy_maps:
      - example.com: encrypt
      - .example.com: encrypt

    smtp_sasl_password_maps:
      - smtp.example.com: myaccount:somepassword

    sender_canonical_maps:
      - root: servers@example.com
      - nagios: alerts@example.com

    relay_recipient_maps:
      - example.com: OK

    virtual_alias_maps:
      - groupaliasexample:
          - someuser_1@example.com
          - someuser_2@example.com
      - singlealiasexample: someuser_3@example.com


###
#
# Multiple virtual_alias_maps entries:
#
# You are free to define alternative mapping names
# and use them as 'variables' in your Postfix config:
# (Credit for the idea and the example goes to @roskens.)

postfix:
  config:
    virtual_alias_maps: $virtual_alias_1_maps $virtual_alias_2_maps
    virtual_alias_1_maps: hash:/etc/postfix/virtual
    virtual_alias_2_maps: pcre:/etc/postfix/virtual.pcre
  mapping:
    virtual_alias_1_maps:
      root:
        - me
    virtual_alias_2_maps:
      - '/(\S+)_(devel|preprod|prod)@sub.example.com$/': '$(1)@$(2).sub.example.com'