From 6e39bad3fbe75b88fca4c2e2aad8eb51af14b1be Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 31 May 2017 21:42:32 +0200
Subject: Don't let authenticated client use arbitrary sender addresses.

The following policy is now implemented:

    * users can use their SASL login name as sender address;
    * alias and/or list owners can use the address as envelope sender;
    * domain postmasters can use arbitrary sender addresses under their
      domains;
    * domain owners can use arbitrary sender addresses under their domains,
      unless it is also an existing account name;
    * for known domains without owner or postmasters, other sender addresses
      are not allowed; and
    * arbitrary sender addresses under unknown domains are allowed.
---
 group_vars/all.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'group_vars')

diff --git a/group_vars/all.yml b/group_vars/all.yml
index 97e2024..236527e 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -40,7 +40,8 @@ postfix_instance:
            , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.out[0]].inventory_hostname_short ], '127.0.0.1') }}"
            , port: 2525 }
   MSA:     { name: msa
-           , port: 587 }
+           , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.MSA[0]].inventory_hostname_short ], '127.0.0.1') }}"
+           , port: 2587 }
   lists:   { name: lists
            , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.lists[0]].inventory_hostname_short ], '127.0.0.1') }}"
            , port: 2527 }
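Review bot: The `MSA` entry moves from port 587 to an internal listener (the host's IPsec address, or `127.0.0.1` on a single-host inventory) on port 2587, but nothing in the hunk explains the move and the commit message only describes the sender policy. A comment above `MSA:` would record the intent, e.g. `# not client-facing; bound to the IPsec/loopback address on 2587 (confirm what serves 587)`. Because this diff is limited to `group_vars`, it does not show whether the firewall rules and Postfix configuration that consumed `port: 587` were updated in the same commit. It also does not show whether the listener on 2587 still requires SASL authentication, which the sender-address policy presumably depends on. Both are worth confirming before merge. Separately, `groups.MSA[0]` will fail to render if the `MSA` group is empty in a multi-host inventory, a limitation shared with the neighbouring `out` and `lists` entries.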
-- 
cgit v1.2.3