feat(postfix): enforce SMTPD recipient restrictions
Filter mail based on recipient restrictions. Default is to filter, then reject the remaining. This is a default rule and submission requires its own rule specified. Rules and order as follows:

1. permit_mynetworks: Allow local mail host to send to whomever.
2. reject_non_fqdn_recipient: Must use a FQDN so that the recipient can be identified.
3. reject_unknown_recipient_domain: Only accept mail for the domains we host.
4. reject_unauth_destination: Reject mail for domains we don't host, and before any policy checks are done. This prevents additional processes from spawning that would otherwise be unused.
5. check_policy_service,unix:private/policyd-spf: Bounce the mail that fails the SPF check. Likely to be a non-SMTP server.
6. check_policy_service unix:private/quota: Check the recipient's quota before delivery. If it fails, bounce the mail.
7. permit_auth_destination: Only accept mail for domains we host. This rule is placed after the bounces, so that filtering can be done first.
8. reject: Hard reject as the recipient doesn't belong to this host.

MR !7
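Added example, not part of this commit and not Postfix code: a small first-match model of how smtpd walks an smtpd_recipient_restrictions list, run over the list this commit sets so the effect of the ordering can be checked for a few constructed RCPT TO cases. The network list, hosted domains, the stand-in "DNS" table, the policy daemon verdicts and the cases themselves are assumptions made for the example; real Postfix consults mynetworks, DNS and the daemons behind the unix sockets.

```python
# Added example, not part of this commit or of Postfix itself: a first-match
# model of smtpd_recipient_restrictions evaluation. Everything below (networks,
# domains, the "DNS" table, the policy daemon verdicts, the cases) is an
# assumption made for the example.

MYNETWORKS = {"127.0.0.1", "10.0.0.5"}            # assumed mynetworks
MY_DOMAINS = {"example.org"}                      # assumed hosted (authorized) destinations
RESOLVABLE = {"example.org", "example.net"}       # assumed DNS: domains with A/MX records

# Assumed policy daemons: a real one answers over the socket; here each is a
# function returning the action it would send back for the message.
POLICY = {
    "unix:private/policyd-spf": lambda m: "DUNNO" if m["spf_pass"] else "REJECT",
    "unix:private/quota":       lambda m: "REJECT" if m["over_quota"] else "DUNNO",
}

# The list from the commit, one element per restriction with its argument attached.
RESTRICTIONS = [
    "permit_mynetworks",
    "reject_non_fqdn_recipient",
    "reject_unknown_recipient_domain",
    "reject_unauth_destination",
    "check_policy_service unix:private/policyd-spf",
    "check_policy_service unix:private/quota",
    "permit_auth_destination",
    "reject",
]


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def evaluate(name, msg):
    """Verdict of one restriction for one message: PERMIT, REJECT or DUNNO."""
    dom = _domain(msg["rcpt"])
    if name == "permit_mynetworks":
        return "PERMIT" if msg["client"] in MYNETWORKS else "DUNNO"
    if name == "reject_non_fqdn_recipient":
        return "REJECT" if "." not in dom else "DUNNO"
    if name == "reject_unknown_recipient_domain":
        return "REJECT" if dom not in RESOLVABLE else "DUNNO"
    if name == "reject_unauth_destination":
        return "REJECT" if dom not in MY_DOMAINS else "DUNNO"
    if name == "permit_auth_destination":
        return "PERMIT" if dom in MY_DOMAINS else "DUNNO"
    if name.startswith("check_policy_service "):
        return POLICY[name.split(None, 1)[1]](msg)
    if name == "reject":
        return "REJECT"
    raise ValueError(f"unknown restriction: {name}")


def walk(restrictions, msg):
    """First match wins: PERMIT or REJECT ends the walk, DUNNO moves on, and
    running off the end of the list permits. Returns (verdict, decider)."""
    for name in restrictions:
        verdict = evaluate(name, msg)
        if verdict != "DUNNO":
            return verdict, name
    return "PERMIT", "end of list"


# Constructed RCPT TO cases: client address, recipient, and the daemon inputs.
CASES = {
    "external to hosted user":          dict(client="203.0.113.9", rcpt="bob@example.org", spf_pass=True,  over_quota=False),
    "external, over quota":             dict(client="203.0.113.9", rcpt="bob@example.org", spf_pass=True,  over_quota=True),
    "external, spf fail":               dict(client="203.0.113.9", rcpt="bob@example.org", spf_pass=False, over_quota=False),
    "external relay attempt":           dict(client="203.0.113.9", rcpt="eve@example.net", spf_pass=True,  over_quota=False),
    "external, unresolvable domain":    dict(client="203.0.113.9", rcpt="bob@nosuch.invalid", spf_pass=True, over_quota=False),
    "external, non-fqdn recipient":     dict(client="203.0.113.9", rcpt="bob@localhost", spf_pass=True, over_quota=False),
    "mynetworks, over quota, spf fail": dict(client="10.0.0.5",    rcpt="bob@example.org", spf_pass=False, over_quota=True),
}


def run_cases(restrictions=RESTRICTIONS):
    """Map each case name to (verdict, restriction that decided it)."""
    return {name: walk(restrictions, msg) for name, msg in CASES.items()}


def never_decided(restrictions=RESTRICTIONS):
    """Restrictions that decided none of the cases, in list order."""
    used = {decider for _, decider in run_cases(restrictions).values()}
    return [r for r in restrictions if r not in used]


if __name__ == "__main__":
    for name, (verdict, by) in run_cases().items():
        print(f"{name:34} {verdict:6} by {by}")
    print("never decided a case:", never_decided())
```

The walk shows two things the list does that the message does not spell out: a client in mynetworks is permitted on the first element, so neither policy daemon ever sees its recipients, and the trailing `reject` never decides anything, since every recipient that survives `reject_unauth_destination` is an authorized destination and is permitted by `permit_auth_destination`.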
@ -177,8 +177,6 @@ RUN postconf -e "maillog_file=/var/log/postfix.log" \
|
|||||||
&& postconf -e "always_add_missing_headers=yes" \
|
&& postconf -e "always_add_missing_headers=yes" \
|
||||||
# Only add missing headers for authenticated users (mail users) and my networks and mail orginating from localhost
|
# Only add missing headers for authenticated users (mail users) and my networks and mail orginating from localhost
|
||||||
&& postconf -e "local_header_rewrite_clients=permit_sasl_authenticated,permit_mynetworks,permit_inet_interfaces" \
|
&& postconf -e "local_header_rewrite_clients=permit_sasl_authenticated,permit_mynetworks,permit_inet_interfaces" \
|
||||||
# check quota before delivery
|
|
||||||
&& postconf -e "smtpd_recipient_restrictions=check_policy_service=inet:localhost:12340" \
|
|
||||||
# set tls settings
|
# set tls settings
|
||||||
&& postconf -e "smtpd_tls_cert_file=/certs/postfix/cert.pem" \
|
&& postconf -e "smtpd_tls_cert_file=/certs/postfix/cert.pem" \
|
||||||
&& postconf -e "smtpd_tls_key_file=/certs/postfix/key.pem" \
|
&& postconf -e "smtpd_tls_key_file=/certs/postfix/key.pem" \
|
||||||
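Review bot: the removed line `&& postconf -e "smtpd_recipient_restrictions=check_policy_service=inet:localhost:12340"` joined the restriction and its argument with `=`, which Postfix does not recognise as a restriction name (the argument follows the name as the next list element), so the old quota check was never evaluated as written and dropping it is right. The replacement later in this diff points the quota check at `unix:private/quota` instead of `inet:localhost:12340`, and nothing in this diff adds a `quota` service to master.cf; confirm the quota policy daemon really listens on that socket, otherwise every RCPT TO that reaches the check is deferred with smtpd_policy_service_default_action rather than checked.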
@ -199,6 +197,8 @@ RUN postconf -e "maillog_file=/var/log/postfix.log" \
|
|||||||
&& postconf -e "smtpd_helo_restrictions=permit_mynetworks,reject_invalid_helo_hostname,permit" \
|
&& postconf -e "smtpd_helo_restrictions=permit_mynetworks,reject_invalid_helo_hostname,permit" \
|
||||||
# MAIL FROM restrictions
|
# MAIL FROM restrictions
|
||||||
&& postconf -e "smtpd_sender_restrictions=permit_mynetworks,reject_non_fqdn_sender,permit" \
|
&& postconf -e "smtpd_sender_restrictions=permit_mynetworks,reject_non_fqdn_sender,permit" \
|
||||||
|
# RCPT TO restrictions
|
||||||
|
&& postconf -e "smtpd_recipient_restrictions=permit_mynetworks,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_destination,check_policy_service,unix:private/policyd-spf,check_policy_service unix:private/quota,permit_auth_destination,reject" \
|
||||||
|
|
||||||
EXPOSE 25 587 993 4190
|
EXPOSE 25 587 993 4190
|
||||||
|
|
||||||
|
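Review bot: `permit_mynetworks` heads the new `smtpd_recipient_restrictions` list, so any client in mynetworks is permitted before `check_policy_service unix:private/quota` and the SPF check are reached; the commit message says the recipient's quota is checked before delivery, but local-network submitters bypass it. Either move the quota entry ahead of `permit_mynetworks` or state in the message that mynetworks is exempt. Two smaller points on the same line: `check_policy_service,unix:private/policyd-spf` and `check_policy_service unix:private/quota` separate the name from its argument differently (Postfix splits on commas and whitespace, so both parse, but one form reads better and makes the pairing obvious), and the trailing `reject` can never fire because every recipient that passes `reject_unauth_destination` is an authorized destination and is permitted by `permit_auth_destination`.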
@ -14,7 +14,6 @@ smtp inet n - y - 1 postscreen
|
|||||||
smtpd pass - - y - - smtpd
|
smtpd pass - - y - - smtpd
|
||||||
-o syslog_name=postfix/inbound
|
-o syslog_name=postfix/inbound
|
||||||
-o smtpd_tls_security_level=may
|
-o smtpd_tls_security_level=may
|
||||||
-o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unknown_sender_domain,reject_unauth_destination,check_policy_service,unix:private/policyd-spf,permit_auth_destination,reject
|
|
||||||
|
|
||||||
#dnsblog unix - - y - 0 dnsblog
|
#dnsblog unix - - y - 0 dnsblog
|
||||||
#tlsproxy unix - - y - 0 tlsproxy
|
#tlsproxy unix - - y - 0 tlsproxy
|
||||||
|
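Review bot: removing the `-o smtpd_recipient_restrictions=...` override from the `smtpd pass` service changes inbound behaviour in three ways that the commit message does not mention: the postscreen-fed smtpd now inherits the main.cf list, which starts with `permit_mynetworks` (the removed list had no such entry, so mynetworks clients on port 25 previously went through the SPF check), `reject_unknown_sender_domain` disappears and is not in the `smtpd_sender_restrictions` set above either, so unknown sender domains are no longer rejected on inbound, and the quota policy check is newly applied to inbound mail. If dropping `reject_unknown_sender_domain` is unintended, add it to `smtpd_sender_restrictions`; otherwise record the change in the message.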