From 6e39bad3fbe75b88fca4c2e2aad8eb51af14b1be Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 31 May 2017 21:42:32 +0200 Subject: Don't let authenticated client use arbitrary sender addresses. The following policy is now implemented: * users can use their SASL login name as sender address; * alias and/or list owners can use the address as envelope sender; * domain postmasters can use arbitrary sender addresses under their domains; * domain owners can use arbitrary sender addresses under their domains, unless it is also an existing account name; * for known domains without owner or postmasters, other sender addresses are not allowed; and * arbitrary sender addresses under unknown domains are allowed. --- roles/common/templates/etc/postfix/master.cf.j2 | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'roles/common') diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2 index c2ee395..52b2ec4 100644 --- a/roles/common/templates/etc/postfix/master.cf.j2 +++ b/roles/common/templates/etc/postfix/master.cf.j2 @@ -20,8 +20,13 @@ tlsproxy unix - - n - 0 tlsproxy dnsblog unix - - n - 0 dnsblog cleanup_nochroot unix n - n - 0 cleanup {% elif inst == 'MSA' %} -{{ postfix_instance.MSA.port }} inet n - - - - smtpd +submission inet n - - - - smtpd -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL +{% if groups.webmail | difference([inventory_hostname]) | length > 0 %} +[{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n - - - - smtpd + -o smtpd_tls_security_level=none + -o smtpd_sasl_security_options=noanonymous +{% endif %} {% elif inst in ['IMAP', 'out', 'lists'] %} [{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet n - - - - smtpd {% endif %} -- cgit v1.2.3