From ea1d876d9302e67bc8263f7ff71086071e2a1fad Mon Sep 17 00:00:00 2001
From: kaiyou
Date: Sun, 22 Oct 2017 15:00:16 +0200
Subject: [PATCH] Add a specific server for xclient-authenticated connections

---
 postfix/conf/main.cf | 25 +++++++------------------
 postfix/conf/master.cf | 11 +++++++----
 postfix/conf/sqlite-reject-spoofed.cf | 5 +++++
 3 files changed, 19 insertions(+), 22 deletions(-)
 create mode 100644 postfix/conf/sqlite-reject-spoofed.cf

diff --git a/postfix/conf/main.cf b/postfix/conf/main.cf
index e23dcba7..bb374e7c 100644
--- a/postfix/conf/main.cf
+++ b/postfix/conf/main.cf
@@ -31,9 +31,6 @@ relayhost = {{ RELAYHOST }}
 # Recipient delimiter for extended addresses
 recipient_delimiter = {{ RECIPIENT_DELIMITER }}
 
-# XClient for connection from the frontend
-smtpd_authorized_xclient_hosts = {{ FRONT_ADDRESS }}
-
 ###############
 # TLS
 ###############
@@ -79,24 +76,16 @@ smtpd_delay_reject = yes
 smtpd_sender_login_maps = $virtual_alias_maps
 
 # Helo restrictions are specified for smtp only in master.cf
+# Restrictions for incoming SMTP, other restrictions are applied in master.cf
 smtpd_helo_required = yes
 
-# Sender restrictions
-smtpd_sender_restrictions =
- permit_mynetworks,
- reject_non_fqdn_sender,
- reject_unknown_sender_domain,
- reject_unlisted_sender,
- reject_sender_login_mismatch,
- permit
-
-# Recipient restrictions:
 smtpd_recipient_restrictions =
- permit_mynetworks,
- reject_unauth_pipelining,
- reject_non_fqdn_recipient,
- reject_unknown_recipient_domain,
- permit
+ permit_mynetworks,
+ check_sender_access ${sql}sqlite-reject-spoofed.cf,
+ reject_non_fqdn_sender,
+ reject_unknown_sender_domain,
+ reject_unknown_recipient_domain,
+ permit
 
 ###############
 # Milter
diff --git a/postfix/conf/master.cf b/postfix/conf/master.cf
index d8c88379..8593c0e1 100644
--- a/postfix/conf/master.cf
+++ b/postfix/conf/master.cf
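Review bot: Dropping `smtpd_authorized_xclient_hosts` from main.cf means the public `smtp` service no longer honours XCLIENT from the front, so anything the front proxies to port 25 is now evaluated with `{{ FRONT_ADDRESS }}` as the client address instead of the real sender. If that address falls inside `mynetworks` (not visible in this patch), `permit_mynetworks` at the head of `smtpd_recipient_restrictions` short-circuits the new spoof check and the sender-domain checks for every proxied inbound message. Confirm what `mynetworks` contains; if the front does proxy port 25, keep `-o smtpd_authorized_xclient_hosts={{ FRONT_ADDRESS }}` on the `smtp` service as well, or make sure the front is not a member of `mynetworks`.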
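Review bot: `reject_unauth_pipelining` and `reject_non_fqdn_recipient` are removed from `smtpd_recipient_restrictions` and not re-added anywhere in this patch, so the public listener now tolerates pipelined commands from clients that did not negotiate PIPELINING and accepts non-FQDN recipients; the commit message only describes the XCLIENT split, so this looks accidental. Unless the loss is intended, reinsert them, e.g. `reject_unauth_pipelining,` directly after `permit_mynetworks,` and `reject_non_fqdn_recipient,` before `reject_unknown_recipient_domain,`. The replacement comment is also vague about what moved: the `reject_unlisted_sender`/`reject_sender_login_mismatch` checks that used to run here now run only on the new 10025 service, which is worth stating, e.g. `# Restrictions for incoming SMTP on port 25; sender-ownership checks run on the XCLIENT service in master.cf`.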
@@ -1,12 +1,15 @@
 # service type private unpriv chroot wakeup maxproc command + args
 # (yes) (yes) (yes) (never) (100)
 
-# Exposed SMTP services
+# Exposed SMTP service
 smtp inet n - n - - smtpd
- -o cleanup_service_name=outclean
 
-# Additional services
-outclean unix n - n - 0 cleanup
+# Internal SMTP service
+10025 inet n - n - - smtpd
+ -o smtpd_authorized_xclient_hosts={{ FRONT_ADDRESS }}
+ -o smtpd_recipient_restrictions=reject_unlisted_sender,reject_sender_login_mismatch,permit
+ -o cleanup_service_name=outclean
+outclean unix n - n - 0 cleanup
  -o header_checks=pcre:/etc/postfix/outclean_header_filter.cf
 
 # Internal postfix services
diff --git a/postfix/conf/sqlite-reject-spoofed.cf b/postfix/conf/sqlite-reject-spoofed.cf
new file mode 100644
index 00000000..e1d3e754
--- /dev/null
+++ b/postfix/conf/sqlite-reject-spoofed.cf
@@ -0,0 +1,5 @@
+dbpath = /data/main.db
+query =
+ SELECT 'REJECT' FROM domain WHERE name='%s'
+ UNION
+ SELECT 'REJECT' FROM name WHERE name='%s'
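Review bot: The new `10025` service binds every interface (no address before the port) and its restriction list is only `reject_unlisted_sender,reject_sender_login_mismatch,permit`, with nothing tying the port to the front. `smtpd_authorized_xclient_hosts` limits who may override the client identity, not who may connect, so any host that can reach port 10025 talks to an smtpd that skips the spoof table, `reject_non_fqdn_sender` and `reject_unknown_sender_domain` enforced on port 25, and an unauthenticated client with a non-local sender passes both remaining checks (whether it can then relay depends on `smtpd_relay_restrictions`, which this patch does not show). Consider binding the listener to the internal address only or adding a client restriction, e.g. `-o smtpd_client_restrictions=permit_mynetworks,reject` if the front is the only member of `mynetworks`, or a `check_client_access` table that lists `{{ FRONT_ADDRESS }}`. A one-line comment saying the service exists for the front's XCLIENT submissions would also help the next reader.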
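Review bot: The new map has no comment saying which restriction consults it or what a hit means, and its second SELECT reads a table literally named `name`, which I cannot verify against the schema of `/data/main.db` from here. If that table does not exist the sqlite lookup fails, and Postfix answers a failed `check_sender_access` lookup with a temporary "server configuration error" rejection, which would defer all mail on port 25 rather than only spoofed senders, so confirm the table name and that the Postfix user can read the database. The `%s` placeholders are SQL-quoted by Postfix's sqlite client, so the single-quoted form used here is the correct one against injection through MAIL FROM. A header such as `# Sender access map for smtpd_recipient_restrictions: returns REJECT when the MAIL FROM address or domain is hosted here, so unauthenticated clients cannot spoof local senders` would make the intent clear.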