From 8c68163e9d6dd2edf94bba6159156dde115cc8f8 Mon Sep 17 00:00:00 2001
From: Jon Lockwood <jonathon.lockwood@networkedweb.com>
Date: Fri, 18 Feb 2022 11:45:43 +0930
Subject: [PATCH] feat(postfix): introduce smtpd helo restrictions

Default is permit.
Rule order as follows:
    1. permit_mynetworks
        My network (localhost) is exempt from restriction
    2. reject_invalid_helo_hostname
        Don't allow a connection from an invalid host.
    3. permit
        Allow the remaining hosts not booted.

MR !7
---
 dockerfile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/dockerfile b/dockerfile
index 732d3ad..c3adde7 100644
--- a/dockerfile
+++ b/dockerfile
@@ -195,6 +195,8 @@ RUN postconf -e "maillog_file=/var/log/postfix.log" \
     # Connection defaults to reject where possible/advised
     # Client command restrictions
   && postconf -e "smtpd_client_restrictions=reject_unauth_destination,reject_unauth_pipelining,permit_mynetworks,permit_auth_destination,reject" \
+    # HELO/EHLO restrictions
+  && postconf -e "smtpd_helo_restrictions=permit_mynetworks,reject_invalid_helo_hostname,permit" \
     
 EXPOSE 25 587 993 4190