From 1b168f07d56c89cf8e5635aa3d00429342914f15 Mon Sep 17 00:00:00 2001
From: Jon Lockwood <jonathon.lockwood@networkedweb.com>
Date: Fri, 18 Feb 2022 12:09:20 +0930
Subject: [PATCH] feat(postfix): enforce SMTPD recipient restrictions

Filter mail based on recipient restrictions. default is to filter then
reject the remaining.

This is a default rule and submission requires it's own rule specified.

rules and order as follows:
    1. permit_mynetworks
        Allow local mail host to send to whomever.
    2. reject_non_fqdn_recipient
        must use a FQDN so that the recipient can be identified.
    3. reject_unknown_recipient_domain
        Only accept mail for the domains we host.
    4. reject_unauth_destination
        reject mail for domains we don't host and before any policy
        checks are done. This prevents additional processes from
        spawning that would otherwise be unused.
    5. check_policy_service,unix:private/policyd-spf
        bounce the mail that fails spf check. likely to be a non-smtp
        server.
    6. check_policy_service unix:private/quota
        Check the recipients quota before delivery. if fails, bounce
        the mail.
    7. permit_auth_destination
        Only accept mail for domains we host. This rule placed after
        the bounces, so that filtering can be done first.
    8. reject
        Hard reject as the recipient doesn't belong to this host.

MR !7
---
 dockerfile                    | 4 ++--
 include/etc/postfix/master.cf | 1 -
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/dockerfile b/dockerfile
index 0666c58..576f1ab 100644
--- a/dockerfile
+++ b/dockerfile
@@ -177,8 +177,6 @@ RUN postconf -e "maillog_file=/var/log/postfix.log" \
   && postconf -e "always_add_missing_headers=yes" \
   # Only add missing headers for authenticated users (mail users) and my networks and mail orginating from localhost
   && postconf -e "local_header_rewrite_clients=permit_sasl_authenticated,permit_mynetworks,permit_inet_interfaces" \
-  # check quota before delivery
-  && postconf -e "smtpd_recipient_restrictions=check_policy_service=inet:localhost:12340" \
   # set tls settings
   && postconf -e "smtpd_tls_cert_file=/certs/postfix/cert.pem" \
   && postconf -e "smtpd_tls_key_file=/certs/postfix/key.pem" \
@@ -199,6 +197,8 @@ RUN postconf -e "maillog_file=/var/log/postfix.log" \
   && postconf -e "smtpd_helo_restrictions=permit_mynetworks,reject_invalid_helo_hostname,permit" \
     # MAIL FROM restrictions
   && postconf -e "smtpd_sender_restrictions=permit_mynetworks,reject_non_fqdn_sender,permit" \
+    # RCPT TO restrictions
+  && postconf -e "smtpd_recipient_restrictions=permit_mynetworks,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_destination,check_policy_service,unix:private/policyd-spf,check_policy_service unix:private/quota,permit_auth_destination,reject" \
     
 EXPOSE 25 587 993 4190
 
diff --git a/include/etc/postfix/master.cf b/include/etc/postfix/master.cf
index 6a32ffb..e36cc32 100644
--- a/include/etc/postfix/master.cf
+++ b/include/etc/postfix/master.cf
@@ -14,7 +14,6 @@ smtp      inet  n       -       y       -       1       postscreen
 smtpd     pass  -       -       y       -       -       smtpd
   -o syslog_name=postfix/inbound
   -o smtpd_tls_security_level=may
-  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unknown_sender_domain,reject_unauth_destination,check_policy_service,unix:private/policyd-spf,permit_auth_destination,reject
 
 #dnsblog   unix  -       -       y       -       0       dnsblog
 #tlsproxy  unix  -       -       y       -       0       tlsproxy