
La raison est que l'IP de la freebox (l'interface de titanic sur le réseau de Free) est blacklistée par nombre de serveurs SMTP (hotmail, google, yahoo).
# -*- mode: python; coding: utf-8 -*-

# Template that generates postfix's main.cf.  Plain Python statements drive
# the generation; include(), header(), has(), out() and done() come from the
# template engine and are not defined in this file.  Lines starting with "@"
# appear to be copied verbatim into the generated file (to be confirmed
# against the engine).
include("ip")

header("Fichier de configuration principal de postfix.")

# Role flags; each has("...") presumably tests a tag attached to this host.
mx = has("mail-mx")
# Whether this is the main or a secondary MX.
main = has("mail-mx-main")
secondary = has("mail-mx-secondary")
# Whether this MX is public; for example the members' server is used
# only internally.
public = has("mail-mx-public")

# If true, members' mail is delivered locally.
users = has("users")

# If true, mailing-list mail is handed over to mailman.
manage_ml = has("mailing-list-manager")

# If true, this host receives mail for "corbeau".
corbeau = has("corbeau")
# If true, this host is the tracker.
tracker = has("tracker")

# If true, this server is not on the members' VLAN.
nonadherent = has("non-vlan-adherent")

# Database backend used by the MX lookup tables (see db_file() below).
# NOTE(review): when a host has neither tag, `db` stays unbound and the
# first MX-only db_file() call raises NameError; non-MX hosts never call it.
if has("ldap"):
    db = "ldap"
elif has("pgsql"):
    db = "pgsql"
def db_file(suffix):
    '''Path spec of the postfix lookup-table file for the configured database.

    Builds "<db>:/etc/postfix/<db>-<suffix>.cf" from the module-level `db`
    ("ldap" or "pgsql"); e.g. db_file("search") gives
    "ldap:/etc/postfix/ldap-search.cf" when db == "ldap".
    Raises NameError if `db` was never set (host has neither ldap nor pgsql).
    '''
    backend = db
    return "{0}:/etc/postfix/{0}-{1}.cf".format(backend, suffix)
# Separator written between a parameter name and its value; add() uses its
# width (plus the name's) to indent continuation lines.
keysep = " = "
def add(*values):
    '''Continue the last emitted logical line (see postconf(5)).

    Every value is rendered with tostring() and the results are joined with
    ", "; the line is indented by the width of the last definition's name
    plus keysep, which is what makes postfix read it as a continuation of
    that parameter.  Relies on the engine globals last_definition, tostring
    and out, none of which are defined in this file.
    '''
    indent = " " * (len(last_definition) + len(keysep))
    rendered = ", ".join(tostring(v) for v in values)
    out(indent + rendered + "\n")
# The list of postfix configuration parameters.
# Assignments to names in this list are apparently what the engine turns into
# "name = value" lines of the generated main.cf; assignments to other names
# stay plain Python variables.  The `commands` module is Python 2 only.
import commands
# Runs a fixed, argument-free command through the shell (commands.getoutput
# goes through sh -c); no untrusted data reaches the command line.  The first
# word of each "name = value" line printed by `postconf -d` is the parameter
# name (an empty trailing line yields an empty string, which is harmless).
exports = [s.split(' ', 2)[0] for s in commands.getoutput("/usr/sbin/postconf -d").split("\n")]

# The different networks (CIDR strings reused for mynetworks and for the
# rate-limit exceptions further down).
local_networks = ["127.0.0.0/8"]
adm_networks = ["10.231.136.0/24"]
client_networks = ["138.231.136.0/21", "138.231.144.0/21", "138.231.148.0/22"]
@# +------------------+
@# | Variables utiles |
@# +------------------+

@# Definition par securite (sinon il utilise gethostname)
# Servers off the members' VLAN are known by their adm name.  admhostname,
# pubhostname and admip are not defined in this file (presumably provided by
# include("ip")).
if nonadherent:
    myhostname = admhostname
else:
    myhostname = pubhostname
mydomain = "crans.org"

@# Origine des mails
myorigin = "crans.org"

@# Reseaux locaux
# Everything in mynetworks matches permit_mynetworks in the restriction lists
# below, i.e. relays without authentication.  On an MX that is the whole
# client range; the per-client message rate limit further down is the only
# brake on a compromised client host.
mynetworks = local_networks
if mx:
    add(client_networks + adm_networks)
elif tracker:
    add(adm_networks)

# Non-MX hosts only listen on loopback, except the tracker and corbeau which
# must also be reachable on the adm network.
if not mx:
    if tracker or corbeau:
        @# Ecoute en local et sur adm (récupération des mails @tracker.adm.crans.org
        inet_interfaces = ["127.0.0.1", admip()]
    else:
        @# Ecoute en local uniquement
        inet_interfaces = "loopback-only"
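if mx:
    @# Destinations acceptees
    # `hostname` is not defined in this file (presumably from include("ip")).
    mydestination = [hostname, "$myhostname",
                     "localhost", "localhost.$mydomain"]
    # `|` on the two flags is used as a boolean "or" (has() presumably
    # returns bools).
    if main | users:
        add(["$mydomain",
             "crans.ens-cachan.fr",
             "clubs.ens-cachan.fr",
             "install-party.ens-cachan.fr"])
    if manage_ml:
        add(["lists.$mydomain"])

    @# Domaine relaye par ce MX
    # A secondary MX relays the main domains towards the primary; together
    # with reject_unauth_destination this is what lets it accept them.
    relay_domains = ["$mydestination"]
    if secondary:
        add(["$mydomain",
             "crans.ens-cachan.fr",
             "clubs.ens-cachan.fr",
             "install-party.ens-cachan.fr"])
    if public and not manage_ml:
        add(["lists.$mydomain"])

if not mx:
    if tracker:
        @# On accepte les mails destinés au tracker
        mydestination = "tracker.adm.crans.org"
    if corbeau:
        @# On accepte les mails destinés au corbeau
        mydestination = "crans.org"
    # The trailing commas that made the two values above and relayhost
    # 1-tuples instead of strings were dropped; every other scalar parameter
    # in this file is a plain string.
    @# Les mails sont envoyes au MX principal
    # NOTE(review): the listing lost its indentation; relayhost is assumed to
    # apply to every non-MX host, not only to corbeau — confirm in the repo.
    relayhost = "smtp.adm.crans.org"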
@# Etre notifie ou non de l'arrive de nouveaux mails
# Only hosts that deliver members' mail locally need the biff notification.
biff = users

if mx:
    @# Pour pouvoir tester sans tout casser, on active les soft bounces.
    @# Ca permet aux mails de ne pas etre bounces en cas d'erreur, mais
    @# a la place, de renvoyer une erreur non permanente. En production
    @# il faut enlever ca.
    # Kept False for production: a true value turns every permanent reject
    # into a temporary one and hides delivery problems.
    soft_bounce = False

if users:
    @# On delivre dans des maildir
    # The trailing "/" is what selects maildir (rather than mbox) delivery
    # in postfix.
    mail_spool_directory = "/home/mail/"
@# +--------+
@# | Divers |
@# +--------+

@# Delais pour les warnings
# Sender is warned after 24h if the message still has not been delivered.
delay_warning_time = "24h"

@# Esthetisme
# Greeting banner; $mail_name is expanded by postfix.
smtpd_banner = "$myhostname ESMTP $mail_name (Debian/GNU)"

if not mx:
    @# Reecriture des entetes: @host.crans.org -> @crans.org
    canonical_maps = "regexp:/etc/postfix/canonical"

# Only hosts carrying the postfix.transport tag get a transport table.
if has("postfix.transport"):
    @# Par ou passer (notement pour la distrtibution des adresse
    @# locales par le serveur des adherents)
    transport_maps = "hash:/etc/postfix/transport"

@# Une infinite d'adresses mail par personne
# user+anything@... is delivered to user.
recipient_delimiter = "+"
@# +-----------------+
@# | Bases d'adresse |
@# +-----------------+

@# Les fichiers d'alias (pour newaliases)
alias_database = "hash:/etc/postfix/aliases"
if manage_ml:
    add("hash:/var/lib/mailman/data/aliases")

alias_maps = "$alias_database"
if mx:
    @# Plus les alias dans la base de donnees
    # Also resolve aliases through the ldap/pgsql backend (db_file() above).
    add(db_file("search"))

if mx:
    @# On prend aussi en compte les utilisateurs de /etc/passwd
    # Every account in /etc/passwd (system accounts included) is a valid
    # local recipient on an MX.  Listing local recipients is what lets
    # postfix reject unknown users at RCPT TO instead of bouncing later.
    local_recipient_maps = "$alias_maps unix:passwd.byname"

if mx:
    @# Les anciennes ML @crans.org, @crans.ens-cachan.fr -> @lists.crans.org
    virtual_alias_maps = "hash:/etc/postfix/virtual"

# Nothing else of interest for non-MX hosts: done() presumably ends the
# template here, so everything below applies to MX hosts only.
if not mx:
    done()
@# +-------------+
@# | TLS et SASL |
@# +-------------+

@# TLS pour la reception
# Server-side TLS is opportunistic (smtpd_use_tls is the pre-2.3 spelling;
# nothing here requires clients to use STARTTLS).
smtpd_tls_cert_file = "/etc/ssl/certs/smtp.pem"
smtpd_tls_key_file = "/etc/ssl/private/smtp.pem"
smtpd_tls_CAfile = "/etc/ssl/certs/cacert.org.pem"
smtpd_tls_loglevel = 0
smtpd_use_tls = True
smtpd_tls_received_header = True

@# On utilise aussi TLS pour envoyer les mails
# Client-side TLS, also opportunistic: no client certificate is presented
# (empty cert/key) and no enforcement or peer verification is configured
# here, so outbound TLS protects against passive observation only.
smtp_tls_cert_file = ""
smtp_tls_key_file = ""
smtp_tls_CAfile = "/etc/ssl/certs/cacert.org.pem"
smtp_tls_loglevel = 1
smtp_use_tls = True


@# On cache les sessions TLS car elles sont couteuses. Il parait que btree est mieux que sdbm,
@# a essayer quand on aura postfix > 2.2
# Session caches live under /var/run, i.e. they do not survive a reboot.
smtpd_tls_session_cache_database = "sdbm:/var/run/smtpd_tls_session_cache"
smtp_tls_session_cache_database = "sdbm:/var/run/smtp_tls_session_cache"

tls_random_source = "dev:/dev/urandom"
tls_daemon_random_source = "dev:/dev/urandom"

if main:
    @# Authentification SASL pour relayer du mail
    # Only the main MX offers AUTH; it is matched by permit_sasl_authenticated
    # in the recipient restrictions further down.
    smtpd_sasl_auth_enable = True
    @# Auth que si tls pour eviter des pass en clair sur le reseau
    # AUTH is announced only after STARTTLS, so credentials never cross the
    # network in clear.
    smtpd_tls_auth_only = True
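@# +--------------------------+
@# | Filtrages et limitations |
@# +--------------------------+

if main:
    @# Filtrage sur les sources de connexions
    # Written with print rather than as an exported assignment like the rest
    # of the file; the RBL continuation lines are disabled.
    # NOTE(review): if out() writes somewhere other than stdout, this line
    # may not land next to the surrounding output — confirm with the engine.
    print "smtpd_client_restrictions = permit_mynetworks"
    #print " reject_rbl_client dnsbl.ahbl.org"
    #print " reject_rbl_client dnsbl.njabl.org"
    #print " reject_rbl_client dnsbl.inps.de"
    @
    @#
    @# Requiring this will stop some UCE software.
    @# (UCE = Unsolicited Commercial Email = SPAM)
    @#
    # The postfix parameter is smtpd_helo_required.  The previous spelling
    # (smtpd_require_helo) is not a postfix parameter, so it was not in
    # `exports` and the setting presumably never reached main.cf; clients
    # were therefore not obliged to send HELO/EHLO.
    smtpd_helo_required = "yes"
    @
    @# Reject the request when the client HELO or EHLO parameter has a bad hostname syntax.
    @# reject_unknown_hostname value not recommended, because it may causes mail losting.
    @# (for example: after paypal.com registration you don't receive activation mail! I've tried it.)
    @#
    smtpd_helo_restrictions = "permit_mynetworks, reject_invalid_hostname"
    @
    @#
    @# against to open relay:
    @#
    # NOTE(review): this definition is overridden by the unconditional
    # smtpd_recipient_restrictions further down (postfix keeps the last
    # definition in main.cf and warns about the duplicate); the effective
    # list for the main MX is built there.
    smtpd_recipient_restrictions = "permit_mynetworks, reject_unauth_destination"
    @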
@## Limitation des messages envoyés par minute
@# On n'ignore que les messages venant d'adresses "protégées"
# Only loopback (and, on an MX, the adm network) is exempt from the rate
# limit; client networks stay limited, which caps what a compromised client
# host can push through the relay.
smtpd_client_event_limit_exceptions = local_networks
if mx:
    add(adm_networks)

@# On limite à 10 messages par minute
# Per client, per anvil time unit (60s by default).
smtpd_client_message_rate_limit = 10
@## Filtrage au MAIL FROM
@# Rejet si le domaine de l'envoyeur n'est pas dans un DNS
smtpd_sender_restrictions = "reject_unknown_sender_domain"

@## Filtrage au RCPT TO
@# permet si le client est dans le reseau local
# This is the definition postfix actually applies (it follows the one in the
# main-only block above, and the last one in main.cf wins).  Restrictions are
# evaluated in order: local networks are permitted before anything else.
smtpd_recipient_restrictions = "permit_mynetworks"
@# rejette les recipients sans nom de domaine totalement qualifie
add("reject_non_fqdn_recipient")
if main:
    @# permet si le client est authentifie
    add("permit_sasl_authenticated")
@# rejette les destinations non locales
# NOTE(review): the listing lost its indentation, so it could not be
# recovered whether this line sat inside `if main:`.  It is placed at top
# level here because every MX, secondary included, needs
# reject_unauth_destination: without it postfix is expected to refuse the
# restriction list, and an older postfix would relay for anyone.
# Verify against the repository.
add("reject_unauth_destination")
if public:
    @# accepte si le champ contourneGreylist de la base est a OK
    # Database-driven whitelist (db_file() above) bypasses greylisting.
    add("check_recipient_access " + db_file("sqlgrey"))
    @# accepte si la greylist est d'accord
    # Greylisting policy daemon on loopback; it is the last element.
    add("check_policy_service inet:127.0.0.1:2501")
    @# jette le reste
@# Tailles maximales : 20Mo pour les msgs et 75 pour les mbox
# 20971520 is exactly 20 MiB; 78643000 is slightly under 75 MiB (78643200).
message_size_limit = 20971520
mailbox_size_limit = 78643000

@# Obligation de specifier le nom de domaine complet
# Only the secondary MX appends $mydomain to unqualified addresses.
append_dot_mydomain = secondary

if main:
    @#Ajout de cyrus pour l'authentification SMTP
    smtpd_sasl_type = "cyrus"

@# Pieces jointes
mime_header_checks = "regexp:/etc/postfix/mime_header_checks"

@# Transport slow
# Raw lines: "slow" is presumably a site-defined transport (master.cf), so
# its per-transport limits are not in `postconf -d` and could not be
# emitted as exported assignments.
@slow_destination_recipient_limit = 20
@slow_destination_concurrency_limit = 2
if not secondary:
    @# +----------------------+
    @# | Connexion de secours |
    @# +----------------------+
    @#POUR SECOURS
    # Outside rescue mode, out("#") writes a "#" right before the relayhost
    # line so that it ends up commented out in main.cf; in rescue mode the
    # line is live and all outbound mail goes through the ovh relay.
    if not has("rescue-mode"):
        out("#")
    relayhost = "[ovh.adm.crans.org]:25"

# NOTE(review): placement relative to `if not secondary:` could not be
# recovered from the listing; assumed top-level.  titanic always relays via
# ovh, its own outbound address being rejected by several large providers
# (see the commit message).
if has("titanic"):
    @relayhost = "[ovh.adm.crans.org]:25"