propellor

propellor config for hosts.
git clone git://git.ricketyspace.net/propellor.git

commit 8fdf2400f049cc80049b37bff5b58c71cc3ce3a1
parent c1bc3bc010a8066b1ad2a55f70ecf2e053683aee
Author: rsiddharth <s@ricketyspace.net>
Date:   Mon, 23 Apr 2018 01:40:03 +0000

propellor spin

Diffstat:
config.hs | 78+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 75 insertions(+), 3 deletions(-)

diff --git a/config.hs b/config.hs @@ -696,7 +696,8 @@ lyra = host "lyra.ricketyspace.net" $props & File.ownerGroup "/etc/dkimkeys/ricketyspace.net" (User "opendkim") (Group "opendkim") & File.hasPrivContent "/etc/dkimkeys/ricketyspace.net/mail.private" (Context "ricketyspace.net") -- postfix - & File.hasContent "/etc/postfix/header_checks" ricketyspaceHeaderChecks + & File.hasContent "/etc/postfix/header_checks" rsPostfixHeaderChecks + & File.hasContent "/etc/postfix/main.cf" rsPostfixMainCf -- bind & Dns.primary publicHosts "ricketyspace.net" (Dns.mkSOA "lyra.ricketyspace.net" 20180129) 
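Review bot: Nothing visible in this hunk reloads Postfix after `/etc/postfix/main.cf` or `/etc/postfix/header_checks` is rewritten, so the new relay and recipient restrictions may not reach the running daemons until the next restart. If Propellor.Property.Postfix is imported in config.hs, attaching `Postfix.reloaded` to both File.hasContent properties with propellor's onChange combinator would tie the reload to the file change. The lyra property list starts and continues outside the hunk, so a reload may already be triggered elsewhere.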
@@ -907,12 +908,83 @@ ricketyspaceNetOpenDkimTrustedHosts = [ ] --- postfix -ricketyspaceHeaderChecks :: [File.Line] -ricketyspaceHeaderChecks = [ +rsPostfixHeaderChecks :: [File.Line] +rsPostfixHeaderChecks = [ "/^Received:.*with ESMTPSA/ IGNORE" , "/^X-Originating-IP:/ IGNORE" ] +rsPostfixMainCf :: [File.Line] +rsPostfixMainCf = [ + "smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)" + , "biff = no" + , "" + , "append_dot_mydomain = no" + , "compatibility_level = 2" + , "" + , "readme_directory = /usr/share/doc/postfix" + , "html_directory = /usr/share/doc/postfix/html" + , "" + , "mime_header_checks = regexp:/etc/postfix/header_checks" + , "header_checks = regexp:/etc/postfix/header_checks" + , "" + , "smtpd_tls_cert_file=/etc/ssl/certs/rs.net.chained.le.pem" + , "smtpd_tls_key_file=/etc/ssl/private/rs.net.d.le.key" + , "smtpd_use_tls=yes" + , "smtpd_tls_auth_only=yes" + , "smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache" + , "smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache" + , "" + , "smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination" + , "myhostname = lyra.ricketyspace.net" + , "alias_maps = hash:/etc/aliases" + , "alias_database = hash:/etc/aliases" + , "myorigin = ricketyspace.net" + , "mydestination = ricketyspace.net, localhost" + , "relayhost =" + , "mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128" + , "mailbox_command =" + , "mailbox_size_limit = 0" + , "recipient_delimiter = +" + , "inet_interfaces = all" + , "inet_protocols = all" + , "relay_domains = ricketyspace.net" + , "" + , "smtpd_recipient_restrictions = permit_sasl_authenticated," + , " reject_invalid_hostname," + , " reject_unknown_recipient_domain," + , " reject_unauth_destination," + , " reject_rbl_client sbl.spamhaus.org," + , " check_policy_service unix:private/policy-spf" + , " permit" + , "" + , "smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/rbl_override," + , " 
reject_invalid_helo_hostname," + , " reject_non_fqdn_helo_hostname," + , " reject_unknown_helo_hostname" + , "" + , "smtpd_client_restrictions = reject_rbl_client dnsbl.sorbs.net" + , "" + , "home_mailbox = Maildir/" + , "" + , "# dovecot" + , "smtpd_sasl_type = dovecot" + , "smtpd_sasl_path = private/auth" + , "smtpd_sasl_auth_enable = yes" + , "" + , "# dkim" + , "milter_default_action = accept" + , "milter_protocol = 6" + , "smtpd_milters = inet:localhost:12345" + , "non_smtpd_milters = inet:localhost:12345" + , "" + , "# spf" + , "policy-spf_time_limit = 3600s" + , "" + , "# map mail username/password to user's unix user/passwd." + , "local_recipient_maps = proxy:unix:passwd.byname $alias_maps" + ] + -- common --- tmux conf
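Review bot: Outbound delivery is left without TLS in rsPostfixMainCf: the list sets `smtp_tls_session_cache_database` but never `smtp_tls_security_level`, so unless master.cf overrides it the SMTP client will not attempt STARTTLS. Adding `, "smtp_tls_security_level = may"` next to the smtpd_tls lines gives opportunistic encryption. The `smtpd_helo_restrictions` entries are likewise only fully enforced with `, "smtpd_helo_required = yes"`, because a client that skips HELO/EHLO is otherwise not subject to them. `milter_default_action = accept` lets mail through unsigned and unverified whenever the milter on localhost:12345 is unreachable; if that fail-open choice is deliberate, a one-line `# dkim` comment saying so would help the next reader.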