From 64258f2cd8b0a8febd63d585e9b3aa1fe5d88bd4 Mon Sep 17 00:00:00 2001
From: Jon Lockwood <jonathon.lockwood@networkedweb.com>
Date: Fri, 18 Feb 2022 11:42:32 +0930
Subject: [PATCH] feat(postfix): enforce smtpd client restrictions

Default is reject.
order of rules as follows:
    1. reject_unauth_destination
        if postfix doesn't own the destination, bounce
    2. reject_unauth_pipelining
        not punch through commands.
    3. permit_mynetworks,
        set as rule 3 after the above rejects, so that if a rouge
        process on the server attempts to send, it is blocked.
    4. permit_auth_destination,
        Only accept a connection if the mailserver is the destination.
    5. reject
        Reject all remaining mail as it's clearly not for this host.

MR !7
---
 dockerfile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/dockerfile b/dockerfile
index 89bb22a..732d3ad 100644
--- a/dockerfile
+++ b/dockerfile
@@ -191,7 +191,10 @@ RUN postconf -e "maillog_file=/var/log/postfix.log" \
   && postconf -e "smtpd_tls_mandatory_ciphers=high" \
   && postconf -e "smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
      # SPF postfix Settings
-  && postconf -e "policyd-spf_time_limit=3600"
+  && postconf -e "policyd-spf_time_limit=3600" \
+    # Connection defaults to reject where possible/advised
+    # Client command restrictions
+  && postconf -e "smtpd_client_restrictions=reject_unauth_destination,reject_unauth_pipelining,permit_mynetworks,permit_auth_destination,reject" \
     
 EXPOSE 25 587 993 4190