From 6e39bad3fbe75b88fca4c2e2aad8eb51af14b1be Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 31 May 2017 21:42:32 +0200 Subject: Don't let authenticated client use arbitrary sender addresses. The following policy is now implemented: * users can use their SASL login name as sender address; * alias and/or list owners can use the address as envelope sender; * domain postmasters can use arbitrary sender addresses under their domains; * domain owners can use arbitrary sender addresses under their domains, unless it is also an existing account name; * for known domains without owner or postmasters, other sender addresses are not allowed; and * arbitrary sender addresses under unknown domains are allowed. --- .../systemd/system/postfix-sender-login.service | 23 ++++++++++++++++++++++ .../etc/systemd/system/postfix-sender-login.socket | 8 ++++++++ 2 files changed, 31 insertions(+) create mode 100644 roles/MSA/etc/systemd/system/postfix-sender-login.service create mode 100644 roles/MSA/etc/systemd/system/postfix-sender-login.socket (limited to 'roles/MSA/etc/systemd/system') diff --git a/roles/MSA/etc/systemd/system/postfix-sender-login.service b/roles/MSA/etc/systemd/system/postfix-sender-login.service new file mode 100644 index 0000000..3ceb310 --- /dev/null +++ b/roles/MSA/etc/systemd/system/postfix-sender-login.service @@ -0,0 +1,23 @@ +[Unit] +Description=Postfix sender login socketmap +After=mail-transport-agent.target +Requires=postfix-sender-login.socket + +[Service] +User=postfix +Group=postfix +StandardInput=null +SyslogFacility=mail +ExecStart=/usr/local/bin/postfix-sender-login.pl + +# Hardening +NoNewPrivileges=yes +PrivateDevices=yes +ProtectHome=yes +ProtectSystem=full +ReadOnlyDirectories=/ +RestrictAddressFamilies=AF_UNIX + +[Install] +WantedBy=multi-user.target +Also=postfix-sender-login.socket diff --git a/roles/MSA/etc/systemd/system/postfix-sender-login.socket b/roles/MSA/etc/systemd/system/postfix-sender-login.socket new file mode 100644 index 0000000..c883dc1 --- /dev/null +++ b/roles/MSA/etc/systemd/system/postfix-sender-login.socket @@ -0,0 +1,8 @@ +[Socket] +SocketUser=postfix +SocketGroup=postfix +SocketMode=0666 +ListenStream=/var/spool/postfix-msa/private/sender-login + +[Install] +WantedBy=sockets.target -- cgit v1.2.3