From f90daea454fac0ccec781129128bbf40e43378a3 Mon Sep 17 00:00:00 2001
From: Jon Lockwood
Date: Fri, 18 Feb 2022 12:16:06 +0930
Subject: [PATCH] feat(postfix): enforce only reaying mail for auth destination Mail server should only relay mail for domains and users it hosts. default is to reject. Rules and order as follows: 1. reject_non_fqdn_recipient Require the recipient to be in FQDN format for relaying and routing reasons including locating user. 2. permit_auth_destination Only accept mail to be routed if authorized. 3. reject Don't accept any further mail for relaying. MR !7
---
 dockerfile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/dockerfile b/dockerfile
index 576f1ab..9c9b6d1 100644
--- a/dockerfile
+++ b/dockerfile
@@ -199,6 +199,8 @@ RUN postconf -e "maillog_file=/var/log/postfix.log" \
 && postconf -e "smtpd_sender_restrictions=permit_mynetworks,reject_non_fqdn_sender,permit" \
 # RCPT TO restrictions
 && postconf -e "smtpd_recipient_restrictions=permit_mynetworks,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_destination,check_policy_service,unix:private/policyd-spf,check_policy_service unix:private/quota,permit_auth_destination,reject" \
+ # RCPT TO restrictions
+ && postconf -e "smtpd_relay_restrictions=reject_non_fqdn_recipient,permit_auth_destination,reject" \
 EXPOSE 25 587 993 4190
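Review bot: The new `smtpd_relay_restrictions` list has no `permit_sasl_authenticated`, so its final `reject` refuses every recipient outside the hosted domains, including mail from clients that authenticated on the exposed submission port 587. A recipient has to pass both this list and `smtpd_recipient_restrictions`, so the `permit_mynetworks` at the head of the older list no longer grants relay either. If authenticated users are meant to send outbound mail, allow it explicitly, for example `smtpd_relay_restrictions=permit_sasl_authenticated,reject_non_fqdn_recipient,permit_auth_destination,reject`, or confirm that a per-service override in master.cf (not visible in this hunk) already does so. The added comment repeats `# RCPT TO restrictions`; something like `# Relay restrictions: default deny, only hosted destinations` would describe the line it sits above. The RUN instruction starts before the hunk, so the rest of the postconf chain is not visible here.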