infra/stacks/mailserver/modules/mailserver/variables.tf

# this is appended and merged to the main postfix.cf
# see defaults - https://github.com/docker-mailserver/docker-mailserver/blob/master/target/postfix/main.cf
variable "postfix_cf" {
  default = <<EOT
relayhost = [smtp-relay.brevo.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt
# TLS cert/key come from docker-mailserver's SSL_TYPE=manual flow, which writes
# the authoritative `smtpd_tls_chain_files` into main.cf at boot. Setting the
# legacy smtpd_tls_cert_file/smtpd_tls_key_file here too makes postfix warn
# ("Both smtpd_tls_chain_files and one or more of the legacy ...") and ignore
# them. Dropped to silence the warning — functionally a no-op (chain_files wins).
smtpd_use_tls=yes
# Require STARTTLS before any AUTH command on the SMTPD listener.
# Without this, a misconfigured client that skips STARTTLS would send
# PLAIN/LOGIN creds in the clear. docker-mailserver's default does NOT
# enforce this at the main.cf level for submission (587).
# Note: smtpd_sasl_auth_only (sometimes cited) is NOT a real Postfix
# parameter — only smtpd_tls_auth_only is. Addresses code-vnw.
smtpd_tls_auth_only = yes
header_size_limit = 4096000

# Debug mail tls
smtpd_tls_loglevel = 1
#smtpd_tls_ciphers = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:!aNULL:!SEED:!CAMELLIA:!RSA+AES:!SHA1
#tls_medium_cipherlist = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:!aNULL:!SEED:!CAMELLIA:!RSA+AES:!SHA1

# Rate limiting (brute-force protection)
smtpd_client_connection_rate_limit = 10
smtpd_client_message_rate_limit = 30
anvil_rate_time_unit = 60s

# Disable the postscreen decision cache. The default (btree) driver
# requires an exclusive file lock for every access, and with postscreen
# re-spawning per connection (master.cf: maxproc=1) that produces thousands
# of 'unable to get exclusive lock' fatals per day — stalling SMTP
# acceptance and starving inbound delivery. lmdb would avoid the lock but
# isn't compiled into docker-mailserver 15.0.0's Postfix build
# (postconf -m → no lmdb). Proxy:btree is unsafe because postscreen does
# its own locking. An empty value disables the cache entirely — legitimate
# clients pay the greet/bare-newline re-check on every new TCP session,
# which is trivial at our volume (~100 deliveries/day).
postscreen_cache_map =
EOT
}
fix: restore tree dropped by 6d224861; land stem95su gdrive-sync (10m) [ci skip] 6d224861 came from a --no-checkout worktree whose empty index made the commit drop every file except two. This restores 05b50d2b's full tree and correctly adds stacks/stem95su/gdrive-sync.tf + the service-catalog stem95su entry. Forward-only (parent=6d224861, no force-push); [ci skip] since the live infra was never applied from the broken commit. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-09 08:45:33 +00:00			`# this is appended and merged to the main postfix.cf`
			`# see defaults - https://github.com/docker-mailserver/docker-mailserver/blob/master/target/postfix/main.cf`
			`variable "postfix_cf" {`
			`default = <<EOT`
			`relayhost = [smtp-relay.brevo.com]:587`
			`smtp_sasl_auth_enable = yes`
			`smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd`
			`smtp_sasl_security_options = noanonymous`
			`smtp_sasl_tls_security_options = noanonymous`
			`smtp_tls_security_level = encrypt`
			`# TLS cert/key come from docker-mailserver's SSL_TYPE=manual flow, which writes`
			# the authoritative `smtpd_tls_chain_files` into main.cf at boot. Setting the
			`# legacy smtpd_tls_cert_file/smtpd_tls_key_file here too makes postfix warn`
			`# ("Both smtpd_tls_chain_files and one or more of the legacy ...") and ignore`
			`# them. Dropped to silence the warning — functionally a no-op (chain_files wins).`
			`smtpd_use_tls=yes`
			`# Require STARTTLS before any AUTH command on the SMTPD listener.`
			`# Without this, a misconfigured client that skips STARTTLS would send`
			`# PLAIN/LOGIN creds in the clear. docker-mailserver's default does NOT`
			`# enforce this at the main.cf level for submission (587).`
			`# Note: smtpd_sasl_auth_only (sometimes cited) is NOT a real Postfix`
			`# parameter — only smtpd_tls_auth_only is. Addresses code-vnw.`
			`smtpd_tls_auth_only = yes`
			`header_size_limit = 4096000`

			`# Debug mail tls`
			`smtpd_tls_loglevel = 1`
			`#smtpd_tls_ciphers = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:!aNULL:!SEED:!CAMELLIA:!RSA+AES:!SHA1`
			`#tls_medium_cipherlist = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:!aNULL:!SEED:!CAMELLIA:!RSA+AES:!SHA1`

			`# Rate limiting (brute-force protection)`
			`smtpd_client_connection_rate_limit = 10`
			`smtpd_client_message_rate_limit = 30`
			`anvil_rate_time_unit = 60s`

			`# Disable the postscreen decision cache. The default (btree) driver`
			`# requires an exclusive file lock for every access, and with postscreen`
			`# re-spawning per connection (master.cf: maxproc=1) that produces thousands`
			`# of 'unable to get exclusive lock' fatals per day — stalling SMTP`
			`# acceptance and starving inbound delivery. lmdb would avoid the lock but`
			`# isn't compiled into docker-mailserver 15.0.0's Postfix build`
			`# (postconf -m → no lmdb). Proxy:btree is unsafe because postscreen does`
			`# its own locking. An empty value disables the cache entirely — legitimate`
			`# clients pay the greet/bare-newline re-check on every new TCP session,`
			`# which is trivial at our volume (~100 deliveries/day).`
			`postscreen_cache_map =`
			`EOT`
			`}`