Postfix relay image with Cyrus SASL (sasldb2) authentication. Replaces mwader/postfix-relay with a controlled image built via Kaniko and stored in Harbor. Credentials injected from Vault ExternalSecret at startup.
# Postfix main.cf for a relay-only server: nothing is delivered locally, and
# mail is accepted only from clients that authenticate with SASL.
# Comments must stay on their own lines; Postfix does not support a trailing
# "# ..." after a value.

# Name this host announces, and the domain appended to addresses that have no
# domain part.
myhostname = relay.manabo.org
myorigin = $myhostname
# Empty mydestination plus an error transport: no domain is treated as local,
# and anything routed to local delivery fails with the message below.
mydestination =
local_transport = error:local delivery disabled
# Listens on every interface, over IPv4 and IPv6. Who can reach the listener
# is decided outside this file (presumably Service / NetworkPolicy - confirm).
inet_interfaces = all
inet_protocols = all
# Loopback only. The restriction lists below do not include permit_mynetworks,
# so within this file membership in mynetworks does not allow relaying
# without AUTH.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

# SASL authentication (Cyrus SASL / sasldb2)
# With the cyrus type, smtpd_sasl_path names the Cyrus configuration file:
# "smtpd" resolves to smtpd.conf under cyrus_sasl_config_path, i.e.
# /etc/postfix/sasl/smtpd.conf. That file is not shown here; it is where
# pwcheck_method and mech_list are set.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
# noanonymous rejects only the ANONYMOUS mechanism; plaintext mechanisms stay
# allowed. They are protected by smtpd_tls_auth_only = yes in the TLS section,
# not by this setting.
smtpd_sasl_security_options = noanonymous
# SASL realm. NOTE(review): sasldb2 entries are keyed by user and realm, so
# the accounts created at startup presumably need this realm - verify against
# the startup script.
smtpd_sasl_local_domain = $myhostname
cyrus_sasl_config_path = /etc/postfix/sasl

# Only accept mail from authenticated clients
# An unauthenticated client falls through to "reject" in the relay list, so it
# cannot relay regardless of source address.
smtpd_relay_restrictions = permit_sasl_authenticated, reject
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination

# TLS (cert mounted from ExternalSecret)
# NOTE(review): confirm the mounted secret's file mode keeps tls.key
# unreadable by other users in the container.
smtpd_tls_cert_file = /etc/postfix/tls/tls.crt
smtpd_tls_key_file = /etc/postfix/tls/tls.key
# "may" offers STARTTLS without requiring it. smtpd_tls_auth_only = yes means
# AUTH is only available inside a TLS session, so credentials are not sent in
# cleartext. Since every accepted message needs AUTH, a session that skips
# STARTTLS cannot relay mail.
# NOTE(review): "encrypt" would state that policy directly - confirm no client
# depends on the current behaviour before changing it.
# No smtpd_tls_protocols / smtpd_tls_mandatory_protocols is set here, so the
# minimum TLS version is whatever the packaged Postfix defaults to (check with
# postconf in the built image).
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
# Level 1 logs a one-line summary per completed TLS handshake.
smtpd_tls_loglevel = 1
# Outbound delivery uses opportunistic TLS: it falls back to cleartext when the
# next hop does not offer STARTTLS, and the peer certificate is not verified
# at this level.
smtp_tls_security_level = may