Add a specific server for xclient-authenticated connections

7 years ago · ea1d876d93
parent cac00086c9
commit ea1d876d93
3 changed files with 19 additions and 22 deletions
--- a/postfix/conf/main.cf
+++ b/postfix/conf/main.cf
@ -31,9 +31,6 @@ relayhost = {{ RELAYHOST }}
 # Recipient delimiter for extended addresses
 recipient_delimiter = {{ RECIPIENT_DELIMITER }}

-# XClient for connection from the frontend
-smtpd_authorized_xclient_hosts = {{ FRONT_ADDRESS }}
-
 ###############
 # TLS
 ###############
@ -79,24 +76,16 @@ smtpd_delay_reject = yes
 smtpd_sender_login_maps = $virtual_alias_maps

 # Helo restrictions are specified for smtp only in master.cf
+# Restrictions for incoming SMTP, other restrictions are applied in master.cf
 smtpd_helo_required = yes

-# Sender restrictions
-smtpd_sender_restrictions =
-   permit_mynetworks,
-   reject_non_fqdn_sender,
-   reject_unknown_sender_domain,
-   reject_unlisted_sender,
-   reject_sender_login_mismatch,
-   permit
-
-# Recipient restrictions:
 smtpd_recipient_restrictions =
-   permit_mynetworks,
-   reject_unauth_pipelining,
-   reject_non_fqdn_recipient,
-   reject_unknown_recipient_domain,
-   permit
+  permit_mynetworks,
+  check_sender_access ${sql}sqlite-reject-spoofed.cf,
+  reject_non_fqdn_sender,
+  reject_unknown_sender_domain,
+  reject_unknown_recipient_domain,
+  permit

 ###############
 # Milter
--- a/postfix/conf/master.cf
+++ b/postfix/conf/master.cf
@ -1,12 +1,15 @@
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (yes)   (never) (100)

-# Exposed SMTP services
+# Exposed SMTP service
 smtp      inet  n       -       n       -       -       smtpd
-  -o cleanup_service_name=outclean

-# Additional services
-outclean   unix n       -       n       -       0       cleanup
+# Internal SMTP service
+10025     inet  n       -       n       -       -       smtpd
+  -o smtpd_authorized_xclient_hosts={{ FRONT_ADDRESS }}
+  -o smtpd_recipient_restrictions=reject_unlisted_sender,reject_sender_login_mismatch,permit
+  -o cleanup_service_name=outclean
+outclean  unix n       -       n       -       0       cleanup
  -o header_checks=pcre:/etc/postfix/outclean_header_filter.cf

 # Internal postfix services
--- a/postfix/conf/sqlite-reject-spoofed.cf
+++ b/postfix/conf/sqlite-reject-spoofed.cf
@ -0,0 +1,5 @@
+dbpath = /data/main.db
+query =
+  SELECT 'REJECT' FROM domain WHERE name='%s'
+  UNION
+  SELECT 'REJECT' FROM name WHERE name='%s'