Add mail roles

package-postfix_filter/templates/15-content_filter_mode.j2

@@ -0,0 +1,12 @@
+use strict;
+
+# Amavis filter configuration
+# {{ ansible_managed }}
+
+@bypass_virus_checks_maps = (
+   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
+
+@bypass_spam_checks_maps = (
+   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
+
+1;  # ensure a defined return

package-postfix_filter/templates/50-user.j2

@@ -0,0 +1,40 @@
+use strict;
+
+@local_domains_acl = ( "." );
+$sa_tag_level_deflt = -9999;
+$sa_tag2_level_deflt = 5;
+$sa_kill_level_deflt = 9999;
+$sa_spam_subject_tag = '*** SPAM *** ';
+$final_spam_destiny = 'D_PASS';
+
+$bad_header_quarantine_method = undef;
+
+$notify_method  = '{{ notify_method }}';
+
+$newvirus_admin = '{{ notify_admin }}';
+$virus_admin = '{{ notify_admin }}';
+$spam_admin  = '{{ notify_admin }}';
+
+$banned_admin     = \@virus_admin_maps;  # for compatibility with pre-2.2.1
+$bad_header_admin = \@virus_admin_maps;  # for compatibility with pre-2.2.1
+@newvirus_admin_maps  = (\$newvirus_admin);
+@virus_admin_maps     = (\%virus_admin, \$virus_admin);
+@spam_admin_maps      = (\%spam_admin,  \$spam_admin);
+@banned_admin_maps    = (\$banned_admin);
+@bad_header_admin_maps= (\$bad_header_admin);
+
+{% if custom_sender_scores is defined %}
+# Custom sender_map scores
+@score_sender_maps = ({
+  '.' => [
+    new_RE(
+{% for score in custom_sender_scores %}
+      {{ score }},
+{% endfor %}
+    ),
+  ],
+});
+{% endif %}
+
+#------------ Do not modify anything below this line -------------
+1;  # ensure a defined return

package-postfix_filter/templates/90_customrules.cf.j2

@@ -0,0 +1,7 @@
+# Adjustments to default SpamAssassin scoring
+# {{ ansible_managed }}
+score RCVD_IN_PSBL 3.5		# Increase default score significantly
+score URIBL_BLACK 3.5		# Increase default score significantly
+score LOTS_OF_MONEY 2		# Increase default score a little
+score ADVANCE_FEE_4_NEW 2	# Increase default score a little
+score RDNS_NONE 0.5		# Decrease default score a little

package-postfix_filter/templates/helo_access.j2

@@ -0,0 +1,2 @@
+/^\[[0-9]{1,3}(\.[0-9]{1,3}){3}\]$/     DUNNO   announced self using an address literal
+/^[0-9]{1,3}(\.[0-9]{1,3}){3}$/         REJECT  announced self with an IP address instead of a domain name

package-postfix_filter/templates/local.cf.j2

@@ -0,0 +1,27 @@
+# SpamAssassin local config
+# {{ ansible_managed }}
+
+report_safe 1
+required_score 4.5
+
+use_bayes 1
+bayes_auto_learn 1
+bayes_auto_learn_threshold_nonspam -0.1
+bayes_auto_learn_threshold_spam 9.0
+
+score BAYES_00 -4
+score BAYES_05 -2
+score BAYES_80 2
+score BAYES_95 6
+score BAYES_99 8
+
+bayes_ignore_header X-Bogosity
+bayes_ignore_header X-Spam-Flag
+bayes_ignore_header X-Spam-Status
+
+bayes_path /var/spamassassin/bayes_db/bayes
+bayes_file_mode 0777
+
+skip_rbl_checks 0
+ok_languages all
+ok_locales all

package-postfix_filter/templates/main.cf.j2

@@ -0,0 +1,91 @@
+# Main Postfix configuration
+# {{ ansible_managed }}
+
+myorigin = /etc/mailname
+myhostname = {{ ansible_fqdn }}
+
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+message_size_limit = 26214400
+mailbox_size_limit = 0
+default_process_limit = 1000
+recipient_delimiter = +
+inet_interfaces = all
+
+smtpd_banner = {{ ansible_fqdn }} ESMTP $mail_name (Debian/GNU)
+biff = no
+append_dot_mydomain = no
+delay_warning_time = 48h
+maximal_queue_lifetime = 14d
+bounce_queue_lifetime = 14d
+readme_directory = no
+compatibility_level = 2
+
+smtpd_use_tls={{ tls_enabled }}
+smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
+smtpd_tls_cert_file={{ tls_cert }}
+smtpd_tls_key_file={{ tls_key }}
+smtpd_tls_ask_ccert = yes
+smtpd_tls_received_header = yes
+smtpd_tls_loglevel = 1
+smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
+smtpd_tls_security_level = may
+smtpd_tls_protocols = !SSLv2,!SSLv3
+smtpd_tls_ciphers = medium
+smtpd_tls_exclude_ciphers = RC4, CAMELLIA, SEED, 3DES
+
+smtp_use_tls={{ tls_enabled }}
+smtp_tls_cert_file={{ tls_cert }}
+smtp_tls_key_file={{ tls_key }}
+smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
+smtp_tls_loglevel = 1
+smtp_tls_security_level = may
+smtp_tls_protocols = $smtpd_tls_protocols
+smtp_tls_ciphers = $smtpd_tls_ciphers
+smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
+
+mydestination =
+local_recipient_maps =
+alias_maps =
+alias_database =
+virtual_alias_maps = pcre:$config_directory/local/virtual
+local_transport = error:local mail delivery is disabled
+transport_maps = pcre:$config_directory/local/transport
+relay_domains = $config_directory/local/relay_domains
+
+content_filter = smtp-amavis:[127.0.0.1]:10024
+smtpd_client_recipient_rate_limit = 250
+strict_rfc821_envelopes = yes
+receive_override_options = no_address_mappings
+policyd-spf_time_limit = 3600
+smtpd_relay_restrictions =
+    permit_mynetworks
+    reject_unauth_destination
+    check_policy_service unix:private/policyd-spf
+{% for rbl in remote_block_lists %}
+    reject_rbl_client {{ rbl }}
+{% endfor %}
+    warn_if_reject reject_unknown_client
+
+smtpd_helo_required = yes
+smtpd_helo_restrictions =
+    check_helo_access pcre:$config_directory/local/helo_access
+    reject_invalid_hostname
+
+smtpd_sender_restrictions =
+    check_sender_mx_access cidr:$config_directory/local/mx_access
+    reject_unknown_sender_domain
+    reject_non_fqdn_sender
+    check_sender_access pcre:$config_directory/local/sender_access
+
+smtpd_recipient_restrictions =
+    reject_unknown_recipient_domain
+    reject_non_fqdn_recipient
+    reject_unauth_pipelining
+    reject_unauth_destination
+    check_policy_service unix:private/policyd-spf
+    check_recipient_access pcre:$config_directory/local/recipient_access
+    reject_unverified_recipient
+
+smtpd_data_restrictions =
+    reject_multi_recipient_bounce
+    reject_unauth_pipelining

package-postfix_filter/templates/master.cf.j2

@@ -0,0 +1,62 @@
+# Postfix master process configuration file
+# {{ ansible_managed }}
+
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#         (yes)   (yes)   (yes)   (never) (100)
+# ==========================================================================
+smtp      inet  n       -       y       -       -       smtpd
+pickup    unix  n       -       y       60      1       pickup
+  -o content_filter=
+  -o receive_override_options=no_header_body_checks
+cleanup   unix  n       -       y       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+tlsmgr    unix  -       -       y       1000?   1       tlsmgr
+rewrite   unix  -       -       y       -       -       trivial-rewrite
+bounce    unix  -       -       y       -       0       bounce
+defer     unix  -       -       y       -       0       bounce
+trace     unix  -       -       y       -       0       bounce
+verify    unix  -       -       y       -       1       verify
+flush     unix  n       -       y       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       y       -       -       smtp
+relay     unix  -       -       y       -       -       smtp
+showq     unix  n       -       y       -       -       showq
+error     unix  -       -       y       -       -       error
+retry     unix  -       -       y       -       -       error
+discard   unix  -       -       y       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       y       -       -       lmtp
+anvil     unix  -       -       y       -       1       anvil
+scache    unix  -       -       y       -       1       scache
+
+policyd-spf  unix  -       n       n       -       0       spawn
+    user=policyd-spf argv=/usr/bin/policyd-spf
+
+smtp-amavis     unix    -       -       y       -       2       smtp
+  -o smtp_data_done_timeout=1200
+  -o smtp_send_xforward_command=yes
+  -o disable_dns_lookups=yes
+  -o max_use=20
+
+127.0.0.1:10025 inet    n       -       y       -       -       smtpd
+  -o content_filter=
+  -o local_recipient_maps=
+  -o relay_recipient_maps=
+  -o smtpd_restriction_classes=
+  -o smtpd_delay_reject=no
+  -o smtpd_client_restrictions=permit_mynetworks,reject
+  -o smtpd_helo_restrictions=
+  -o smtpd_sender_restrictions=
+  -o smtpd_recipient_restrictions=permit_mynetworks,reject
+  -o smtpd_data_restrictions=reject_unauth_pipelining
+  -o smtpd_end_of_data_restrictions=
+  -o mynetworks=127.0.0.0/8
+  -o smtpd_error_sleep_time=0
+  -o smtpd_soft_error_limit=1001
+  -o smtpd_hard_error_limit=1000
+  -o smtpd_client_connection_count_limit=0
+  -o smtpd_client_connection_rate_limit=0
+  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

package-postfix_filter/templates/policyd-spf.conf.j2

@@ -0,0 +1,12 @@
+# policyd SPF config
+# {{ ansible_managed }}
+
+debugLevel = 1 
+
+HELO_reject = False
+Mail_From_reject = False
+
+PermError_reject = False
+TempError_Defer = False
+
+skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1

package-postfix_filter/templates/recipient_access.j2

@@ -0,0 +1,4 @@
+/[%!@].*[%!@]/  REJECT          sender-specified routing in recipient address
+/&.*@/          REJECT          invalid user
+/^(daemon|bin|sys|sync|games|man|lp|news|uucp|proxy|www-data|backup|list|irc|gnats|nobody)@/    REJECT  reserved system user
+/^(ntp|sshd|munin|postfix|clamav|sqlgrey|policyd-spf|bind|statd|freerad|mysql|smokeping|systemd-.+|)@/  REJECT  reserved system user

package-postfix_filter/templates/relay_domains.j2

@@ -0,0 +1,3 @@
+{% for domain in relay_domains %}
+{{ domain.domain }}
+{% endfor %}

package-postfix_filter/templates/transport.j2

@@ -0,0 +1,3 @@
+{% for domain in relay_domains %}
+/@{{ domain.domain }}$/ relay:{{ domain.relay }}
+{% endfor %}

package-postfix_filter/templates/virtual.j2

@@ -0,0 +1,3 @@
+{% for map in virtual_maps %}
+{{ map.regex }} {{ map.map }}
+{% endfor %}