docker/docker-mail
1
0
Fork 0
Code Issues 4 Pull Requests Actions Projects Releases 6 Wiki Activity

feat(postfix): enforce smtpd client restrictions

Browse Source 
Default is reject.
order of rules as follows:
    1. reject_unauth_destination
        if postfix doesn't own the destination, bounce
    2. reject_unauth_pipelining
        not punch through commands.
    3. permit_mynetworks,
        set as rule 3 after the above rejects, so that if a rouge
        process on the server attempts to send, it is blocked.
    4. permit_auth_destination,
        Only accept a connection if the mailserver is the destination.
    5. reject
        Reject all remaining mail as it's clearly not for this host.

MR !7
This commit is contained in:
Jon Lockwood
2022-02-18 11:42:32 +09:30
parent 8f938bd3ce
commit 64258f2cd8
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
dockerfile
View File

@ -191,7 +191,10 @@ RUN postconf -e "maillog_file=/var/log/postfix.log" \
&& postconf -e "smtpd_tls_mandatory_ciphers=high" \ && postconf -e "smtpd_tls_mandatory_ciphers=high" \
&& postconf -e "smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \ && postconf -e "smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
# SPF postfix Settings # SPF postfix Settings
&& postconf -e "policyd-spf_time_limit=3600" && postconf -e "policyd-spf_time_limit=3600" \
# Connection defaults to reject where possible/advised
# Client command restrictions
&& postconf -e "smtpd_client_restrictions=reject_unauth_destination,reject_unauth_pipelining,permit_mynetworks,permit_auth_destination,reject" \
EXPOSE 25 587 993 4190 EXPOSE 25 587 993 4190