Postfix: Cleanup port 25 option overrides

SOSETH · May 17, 2020 · c7cb80e · c7cb80e
1 parent 3bae4b9
commit c7cb80e
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 11 deletions.
diff --git a/templates/postfix/main.cf.j2 b/templates/postfix/main.cf.j2
@@ -165,35 +165,54 @@ delay_warning_time=3h
 maximal_queue_lifetime=2d
 bounce_queue_lifetime=1d
 
+# submission sender restrictions
+smtpd_sender_restrictions = reject_sender_login_mismatch,
+  permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
+  reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain,
+  reject_unauth_pipelining,
+  reject
+
 {% if mailserver_behind_proxy %}
 # We're behind a forwaring proxy that does antispam. Mails therefore do not get delivered to us
 # from their original sender, therefore, we can't do DNS checks!
 
 # smtpd sender restrictions
-smtpd_sender_restrictions = reject_sender_login_mismatch,
-  permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
+smtpd_sender_restrictions_25 = permit_mynetworks,
+{% if mailserver_config_method == "ldap" %}  check_recipient_access ldap:/etc/postfix/ldap-external-receive.cf,
+{% endif %}
+  reject_unauth_destination,
   reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain,
   reject_unauth_pipelining, check_client_access hash:/etc/postfix/allowed_proxies,
   reject
 
 # smtp destination restrictions
 # Either you're authenticated OR you are from 127.0.0.1 OR you satisfy a boatload of constraints
 # Also note that the same thing ist in master.cf without sasl restrictions
+smtpd_recipient_restrictions_25 = permit_mynetworks, reject_unknown_recipient_domain, reject_unauth_pipelining,
+  reject_unauth_destination, reject_multi_recipient_bounce, permit
+
 smtpd_recipient_restrictions = reject_sender_login_mismatch, permit_sasl_authenticated,
   permit_mynetworks, reject_unknown_recipient_domain, reject_unauth_pipelining,
   reject_unauth_destination, reject_multi_recipient_bounce, check_client_access hash:/etc/postfix/allowed_proxies,
   reject
 {% else %}
 # smtpd sender restrictions
-smtpd_sender_restrictions = reject_sender_login_mismatch,
-  permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
+smtpd_sender_restrictions_25 = permit_mynetworks,
+{% if mailserver_config_method == "ldap" %}  check_recipient_access ldap:/etc/postfix/ldap-external-receive.cf,
+{% endif %}
+  reject_unauth_destination,
   reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain,
   reject_unauth_pipelining, permit
 
 # smtp destination restrictions
 # Either you're authenticated OR you are from 127.0.0.1 OR you satisfy a boatload of constraints
 # We need to find out in prod if this is too restrictive
 # Also note that the same thing ist in master.cf without sasl restrictions
+smtpd_recipient_restrictions_25 = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname,
+  reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain,
+  reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination,
+  reject_multi_recipient_bounce, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
+
 smtpd_recipient_restrictions = reject_sender_login_mismatch,
 {% if mailserver_config_method == "ldap" %}  check_sender_access ldap:/etc/postfix/ldap-external-send.cf,
 {% endif %}

diff --git a/templates/postfix/master.cf.j2 b/templates/postfix/master.cf.j2
@@ -15,13 +15,8 @@
 # We list
 smtp      inet  n       -       y       -       -       smtpd
   -o smtpd_sasl_auth_enable=no
-{% if not mailserver_behind_proxy %}
-  -o smtpd_recipient_restrictions=permit_mynetworks,reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_recipient,reject_non_fqdn_sender,reject_unknown_sender_domain,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unauth_destination,reject_multi_recipient_bounce,reject_non_fqdn_helo_hostname,reject_invalid_helo_hostname,permit
-  -o smtpd_sender_restrictions=permit_mynetworks,{% if mailserver_config_method == "ldap" %}check_recipient_access ldap:/etc/postfix/ldap-external-receive.cf,{% endif %}reject_unauth_destination,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,permit
-{% else %}
-  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unauth_destination,reject_multi_recipient_bounce,permit
-  -o smtpd_sender_restrictions=permit_mynetworks,{% if mailserver_config_method == "ldap" %}check_recipient_access ldap:/etc/postfix/ldap-external-receive.cf,{% endif %}reject_unauth_destination,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,permit
-{% endif %}
+  -o smtpd_recipient_restrictions=$smtpd_recipient_restrictions_25
+  -o smtpd_sender_restrictions=$smtpd_sender_restrictions_25
   -o header_checks=
 {% if ansible_local['mailserver_have_antispam']|default(False) %}
   -o smtpd_proxy_filter=127.0.0.1:10026