summaryrefslogtreecommitdiffstats
path: root/roles/MSA/templates
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2017-05-31 21:42:32 +0200
committerGuilhem Moulin <guilhem@fripost.org>2017-06-01 01:09:00 +0200
commit6e39bad3fbe75b88fca4c2e2aad8eb51af14b1be (patch)
tree87898c1653a36f1b23efbef55d6f876d8bc83444 /roles/MSA/templates
parente136d3edbdb6749d4559939dc9fcbc11d166e34c (diff)
Don't let authenticated client use arbitrary sender addresses.
The following policy is now implemented: * users can use their SASL login name as sender address; * alias and/or list owners can use the address as envelope sender; * domain postmasters can use arbitrary sender addresses under their domains; * domain owners can use arbitrary sender addresses under their domains, unless it is also an existing account name; * for known domains without owner or postmasters, other sender addresses are not allowed; and * arbitrary sender addresses under unknown domains are allowed.
Diffstat (limited to 'roles/MSA/templates')
-rw-r--r--roles/MSA/templates/etc/postfix/main.cf.j22
1 files changed, 2 insertions, 0 deletions
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index f5f0834..ec6b242 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -93,10 +93,12 @@ smtpd_helo_required = yes
smtpd_helo_restrictions =
reject_invalid_helo_hostname
+smtpd_sender_login_maps = socketmap:unix:private/sender-login:sender_login
smtpd_sender_restrictions =
reject_non_fqdn_sender
reject_unknown_sender_domain
check_sender_access cdb:$config_directory/check_sender_access
+ reject_known_sender_login_mismatch
smtpd_relay_restrictions =
reject_non_fqdn_recipient