From a3d89f07fa70e34c001d808a2fb8eae5dc75b697 Mon Sep 17 00:00:00 2001
From: Sebastian Hugentobler
Date: Sat, 22 Jan 2022 19:58:58 +0100
Subject: [PATCH] add sender restrictions
---
 README.md | 18 ++++++++++++++++++
 .../etc/confd/conf.d/pgsql-login-maps.cf.toml | 3 +++
 rootfs/etc/confd/templates/main.cf.tmpl | 3 +++
 .../confd/templates/pgsql-login-maps.cf.tmpl | 5 +++++
 .../pgsql-virtual-mailbox-domains.cf.tmpl | 2 +-
 .../pgsql-virtual-mailbox-maps.cf.tmpl | 2 +-
 6 files changed, 31 insertions(+), 2 deletions(-)
 create mode 100644 rootfs/etc/confd/conf.d/pgsql-login-maps.cf.toml
 create mode 100644 rootfs/etc/confd/templates/pgsql-login-maps.cf.tmpl
diff --git a/README.md b/README.md
index 08dd34a..33f2661 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,23 @@
 [Postfix](http://www.postfix.org/) with dovecot authentication and [rspamd](https://rspamd.com/) using postgres.
+# Database
+```
+create table if not exists virtual_domains (
+    name text primary key
+);
+
+create table if not exists virtual_users (
+    email text primary key,
+    domain_name text not null references virtual_domains(name)
+);
+
+create table if not exists virtual_aliases (
+    domain_name text not null references virtual_domains(name),
+    source text not null,
+    destination text not null
+);
+```
+
 # Volumes
 - `/etc/ssl/mail:ro`: certificates have to be here.
diff --git a/rootfs/etc/confd/conf.d/pgsql-login-maps.cf.toml b/rootfs/etc/confd/conf.d/pgsql-login-maps.cf.toml
new file mode 100644
index 0000000..a4a3903
--- /dev/null
+++ b/rootfs/etc/confd/conf.d/pgsql-login-maps.cf.toml
@@ -0,0 +1,3 @@
+[template]
+src = "pgsql-login-maps.cf.tmpl"
+dest = "/etc/postfix/pgsql-login-maps.cf"
diff --git a/rootfs/etc/confd/templates/main.cf.tmpl b/rootfs/etc/confd/templates/main.cf.tmpl
index ef6f8a3..37aaeb6 100644
--- a/rootfs/etc/confd/templates/main.cf.tmpl
+++ b/rootfs/etc/confd/templates/main.cf.tmpl
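Review bot: The rendered `/etc/postfix/pgsql-login-maps.cf` embeds `DB_PASSWORD`, but this template resource sets only `src` and `dest`, so the file is written with confd's default ownership and mode; pgsql_table(5) expects a file that carries database credentials not to be world-readable. If confd's template resource accepts `owner`, `group` and `mode` in the version this image uses (it does in the ones I know), add `mode = "0640"`, `owner = "root"` and `group = "postfix"` here, and apply the same to the existing pgsql-virtual-mailbox-*.cf.toml resources if they do not already set it — those files are not in this diff, so I cannot tell.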
@@ -62,6 +62,9 @@ smtpd_sasl_tls_security_options = noanonymous
 smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
 smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination, reject_unverified_recipient
+smtpd_sender_restrictions = reject_sender_login_mismatch
+smtpd_sender_login_maps = pgsql:/etc/postfix/pgsql-login-maps.cf
+
 smtpd_milters={{getenv "RSPAMD_ADDRESS" "inet:127.0.0.1:11332"}}
 non_smtpd_milters=$smtpd_milters
 milter_mail_macros="i {mail_addr} {client_addr} {client_name} {auth_authen}"
diff --git a/rootfs/etc/confd/templates/pgsql-login-maps.cf.tmpl b/rootfs/etc/confd/templates/pgsql-login-maps.cf.tmpl
new file mode 100644
index 0000000..43006c7
--- /dev/null
+++ b/rootfs/etc/confd/templates/pgsql-login-maps.cf.tmpl
@@ -0,0 +1,5 @@
+hosts = {{ getenv "DB_HOST" }}
+user = {{ getenv "DB_USER" "email" }}
+password = {{ getenv "DB_PASSWORD" }}
+dbname = {{ getenv "DB_NAME" "email" }}
+query = SELECT source FROM virtual_aliases WHERE destination='%s'
diff --git a/rootfs/etc/confd/templates/pgsql-virtual-mailbox-domains.cf.tmpl b/rootfs/etc/confd/templates/pgsql-virtual-mailbox-domains.cf.tmpl
index d9481fb..6fd5b58 100644
--- a/rootfs/etc/confd/templates/pgsql-virtual-mailbox-domains.cf.tmpl
+++ b/rootfs/etc/confd/templates/pgsql-virtual-mailbox-domains.cf.tmpl
@@ -2,4 +2,4 @@ hosts = {{ getenv "DB_HOST" }}
 user = {{ getenv "DB_USER" "email" }}
 password = {{ getenv "DB_PASSWORD" }}
 dbname = {{ getenv "DB_NAME" "email" }}
-query = SELECT 1 FROM virtual_domains WHERE name='%s'
+query = SELECT name FROM virtual_domains WHERE name='%s'
diff --git a/rootfs/etc/confd/templates/pgsql-virtual-mailbox-maps.cf.tmpl b/rootfs/etc/confd/templates/pgsql-virtual-mailbox-maps.cf.tmpl
index ad86a75..971fa97 100644
--- a/rootfs/etc/confd/templates/pgsql-virtual-mailbox-maps.cf.tmpl
+++ b/rootfs/etc/confd/templates/pgsql-virtual-mailbox-maps.cf.tmpl
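Review bot: `smtpd_sender_restrictions = reject_sender_login_mismatch` in main.cf applies to every smtpd instance, port 25 included, and it expands to both `reject_authenticated_sender_login_mismatch` and `reject_unauthenticated_sender_login_mismatch`; the second half rejects any unauthenticated client whose MAIL FROM has an owner in `smtpd_sender_login_maps`, so legitimate unauthenticated mail carrying one of your own addresses (a remote forwarder or mailing list relaying a local user without SRS, an external system sending as a local alias) is refused. If the intent is only to stop authenticated users from sending as each other, use the authenticated variant here, `smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch`, or scope the full check to the submission service with a `-o smtpd_sender_restrictions=...` override in master.cf, which is not part of this diff. Either way a one-line comment above the new settings, `# MAIL FROM must be owned by the SASL login; owners come from pgsql-login-maps.cf`, would make the policy and its dependency on the login map explicit.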
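Review bot: The query in the new pgsql-login-maps.cf.tmpl looks inverted for what `smtpd_sender_login_maps` consumes: Postfix looks the map up by the MAIL FROM address and expects the SASL login name(s) that own it, but `SELECT source FROM virtual_aliases WHERE destination='%s'` is keyed by the alias destination and returns alias sources. With the schema from the README (source = alias address, destination = mailbox), a user logged in as `alice@example.com` sending as her alias `info@example.com` gets no row and is rejected, and sending as `alice@example.com` herself returns `info@example.com`, which is not her login either — unless every mailbox also has a self-referencing alias row, which nothing in the diff shows. I would key on `source` and include the mailbox's own address, e.g. `query = SELECT email FROM virtual_users WHERE email='%s' UNION SELECT destination FROM virtual_aliases WHERE source='%s'`, since Postfix concatenates multiple result rows with commas, which is exactly the owner list this restriction needs; this presumes Dovecot's login name is the full e-mail address, so adjust the returned column if it is the local part only. Consider referencing the map as `proxy:pgsql:/etc/postfix/pgsql-login-maps.cf` in main.cf as well, so the chrooted, unprivileged smtpd processes neither read the credentials file nor each hold a database connection.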
@@ -2,4 +2,4 @@ hosts = {{ getenv "DB_HOST" }}
 user = {{ getenv "DB_USER" "email" }}
 password = {{ getenv "DB_PASSWORD" }}
 dbname = {{ getenv "DB_NAME" "email" }}
-query = SELECT 1 FROM virtual_users WHERE email ='%s'
+query = SELECT email FROM virtual_users WHERE email ='%s'