upstream/opnsense-plugins
1
0
Fork 0
mirror of https://github.com/opnsense/plugins.git synced 2026-05-28 04:34:15 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Postfix sender restrictions (#359)

Browse source 
* postfix: add smtp sender restrictions to template
* add some model changes to allow sender restrictions
* postfix improvements (smtpd_recipient_restrictions)
* fix typo found by @mimugmail
* remove comma - requested by @mimugmail
* btree -> hash
This commit is contained in:
Fabian Franz, BSc 2017-11-08 17:42:19 +01:00 committed by GitHub
parent edd914313f
commit 54aa92e0e3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 142 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

48
mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
View file

@ -41,4 +41,52 @@
<type>text</type>
<help>The smtpd_banner parameter specifies the text that follows the 220 code in the SMTP server's greeting banner. Default is "'System Hostname' ESMTP Postfix".</help>
</field>
<field>
<id>general.reject_unauth_pipelining</id>
<label>Reject Unauthenticated Pipelining</label>
<type>checkbox</type>
</field>
<field>
<id>general.reject_unknown_sender_domain</id>
<label>Reject Unknown Sender Domain</label>
<type>checkbox</type>
<help>This will reject mails from domains which do not exist.</help>
</field>
<field>
<id>general.reject_unknown_recipient_domain</id>
<label>Reject Unknown Recipient Domain</label>
<type>checkbox</type>
</field>
<field>
<id>general.reject_non_fqdn_sender</id>
<label>Reject Non FQDN Sender</label>
<type>checkbox</type>
<help>For example senders without a domain or only a hostname.</help>
</field>
<field>
<id>general.reject_non_fqdn_recipient</id>
<label>Reject Non FQDN Recipient</label>
<type>checkbox</type>
<help>For example recipients without a domain or only a hostname.</help>
</field>
<field>
<id>general.permit_sasl_authenticated</id>
<label>Permit SASL Authenticated</label>
<type>checkbox</type>
</field>
<field>
<id>general.permit_tls_clientcerts</id>
<label>Permit TLS Client Certificate Authenticated Users</label>
<type>checkbox</type>
</field>
<field>
<id>general.permit_mynetworks</id>
<label>Permit My Networks</label>
<type>checkbox</type>
</field>
<field>
<id>general.reject_unauth_destination</id>
<label>Reject Unauthenticated Destination</label>
<type>checkbox</type>
</field>
</form>

40
mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
View file

@ -31,5 +31,45 @@
<default></default>
<Required>N</Required>
</banner>
<check_recipient_access type="ArrayField">
</check_recipient_access>
<reject_unauth_pipelining type="BooleanField">
<default>1</default>
<Required>Y</Required>
</reject_unauth_pipelining>
<check_sender_access type="ArrayField">
</check_sender_access>
<reject_unknown_sender_domain type="BooleanField">
<default>1</default>
<Required>Y</Required>
</reject_unknown_sender_domain>
<reject_unknown_recipient_domain type="BooleanField">
<default>1</default>
<Required>Y</Required>
</reject_unknown_recipient_domain>
<reject_non_fqdn_sender type="BooleanField">
<default>1</default>
<Required>Y</Required>
</reject_non_fqdn_sender>
<reject_non_fqdn_recipient type="BooleanField">
<default>1</default>
<Required>Y</Required>
</reject_non_fqdn_recipient>
<permit_sasl_authenticated type="BooleanField">
<default>1</default>
<Required>Y</Required>
</permit_sasl_authenticated>
<permit_tls_clientcerts type="BooleanField">
<default>1</default>
<Required>Y</Required>
</permit_tls_clientcerts>
<permit_mynetworks type="BooleanField">
<default>1</default>
<Required>Y</Required>
</permit_mynetworks>
<reject_unauth_destination type="BooleanField">
<default>1</default>
<Required>Y</Required>
</reject_unauth_destination>
</items>
</model>

2
mail/postfix/src/opnsense/scripts/OPNsense/Postfix/setup.sh
View file

@ -28,3 +28,5 @@ chown -R root:postfix /var/spool/postfix/pid
# Create Transporttable
postmap /usr/local/etc/postfix/transport
postmap /usr/local/etc/postfix/recipient_access
postmap /usr/local/etc/postfix/sender_access

2
mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/+TARGETS
View file

@ -2,3 +2,5 @@ main.cf:/usr/local/etc/postfix/main.cf
master.cf:/usr/local/etc/postfix/master.cf
postfix:/etc/rc.conf.d/postfix
transport:/usr/local/etc/postfix/transport
recipient_access:/usr/local/etc/postfix/recipient_access
sender_access:/usr/local/etc/postfix/sender_access

42
mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
View file

@ -72,4 +72,46 @@ milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_default_action = accept
{% endif %}
{# Sender Restrictions #}
{% set smtpd_recipient_restrictions=[] %}
{% if helpers.exists('OPNsense.postfix.general.check_recipient_access') %}
{% do smtpd_recipient_restrictions.append('check_recipient_access hash:/usr/local/etc/postfix/recipient_access') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.reject_unauth_pipelining') and OPNsense.postfix.general.reject_unauth_pipelining == '1' %}
{% do smtpd_recipient_restrictions.append('reject_unauth_pipelining') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.check_sender_access') %}
{% do smtpd_recipient_restrictions.append('check_sender_access hash:/usr/local/etc/postfix/sender_access') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.reject_unknown_sender_domain') and OPNsense.postfix.general.reject_unknown_sender_domain == '1' %}
{% do smtpd_recipient_restrictions.append('reject_unknown_sender_domain') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.reject_unknown_recipient_domain') and OPNsense.postfix.general.reject_unknown_recipient_domain == '1' %}
{% do smtpd_recipient_restrictions.append('reject_unknown_recipient_domain') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.reject_non_fqdn_sender') and OPNsense.postfix.general.reject_non_fqdn_sender == '1' %}
{% do smtpd_recipient_restrictions.append('reject_non_fqdn_sender') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.reject_non_fqdn_recipient') and OPNsense.postfix.general.reject_non_fqdn_recipient == '1' %}
{% do smtpd_recipient_restrictions.append('reject_non_fqdn_recipient') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.permit_sasl_authenticated') and OPNsense.postfix.general.permit_sasl_authenticated == '1' %}
{% do smtpd_recipient_restrictions.append('permit_sasl_authenticated') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.permit_tls_clientcerts') and OPNsense.postfix.general.permit_tls_clientcerts == '1' %}
{% do smtpd_recipient_restrictions.append('permit_tls_clientcerts') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.permit_mynetworks') and OPNsense.postfix.general.permit_mynetworks == '1' %}
{% do smtpd_recipient_restrictions.append('permit_mynetworks') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.reject_unauth_destination') and OPNsense.postfix.general.reject_unauth_destination == '1' %}
{% do smtpd_recipient_restrictions.append('reject_unauth_destination') %}
{% endif %}
{% if smtpd_recipient_restrictions|length >= 1 %}
smtpd_recipient_restrictions = {{ smtpd_recipient_restrictions | join(', ') }}
{% endif %}
smtpd_helo_required = yes
{% endif %}

4
mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/recipient_access Normal file
View file

@ -0,0 +1,4 @@
{% if helpers.exists('OPNsense.postfix.general.enabled') and OPNsense.postfix.general.enabled == '1' %}
{% if helpers.exists('OPNsense.postfix.general.check_recipient_access') %}
{% endif %}
{% endif %}

4
mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/sender_access Normal file
View file

@ -0,0 +1,4 @@
{% if helpers.exists('OPNsense.postfix.general.enabled') and OPNsense.postfix.general.enabled == '1' %}
{% if helpers.exists('OPNsense.postfix.general.check_recipient_access') %}
{% endif %}
{% endif %}