From: Jakub Czajka Date: Sun, 13 Nov 2022 21:21:33 +0000 (+0100) Subject: [postifx] Relay from addresses found in the address book. X-Git-Url: https://git.ekhem.eu.org/?a=commitdiff_plain;h=c06fbe92b141bf77f1782a54b3047c2f09b150d8;p=server.git [postifx] Relay from addresses found in the address book. This commit allows sending email only from email addresses (MAIL FROM) present in the address book. --- diff --git a/postfix/README b/postfix/README index 2b972ad..ae1d999 100644 --- a/postfix/README +++ b/postfix/README @@ -12,8 +12,9 @@ server. Only root should have write permissions to these files. postfix | -|-> main.cf -- /etc/postfix/ :: configuration parameters -`-> master.cf -- /etc/postfix/ :: postfix daemon +|-> main.cf -- /etc/postfix/ :: configuration parameters +|-> master.cf -- /etc/postfix/ :: postfix daemon +`-> address_book.cf -- /etc/postfix/ :: FROM query Install ------- diff --git a/postfix/address_book.cf b/postfix/address_book.cf new file mode 100644 index 0000000..cd327d4 --- /dev/null +++ b/postfix/address_book.cf @@ -0,0 +1,8 @@ +user = dovecot +password = + +dbname = mail_db + +query = SELECT CONCAT(username, '@', domain) + FROM users + WHERE CONCAT(username, '@', domain) = '%s' diff --git a/postfix/main.cf b/postfix/main.cf index e6d6217..6c16a37 100644 --- a/postfix/main.cf +++ b/postfix/main.cf @@ -43,6 +43,11 @@ smtpd_sasl_auth_enable = yes smtpd_sasl_path = private/auth smtpd_sasl_security_options = noactive, noanonymous, nodictionary smtpd_sasl_type = dovecot +## Possible MAIL FROM addresses. +smtpd_sender_login_maps = pgsql:/etc/postfix/address_book.cf +## Restrictions on MAIL FROM. +smtpd_sender_restrictions = reject_non_fqdn_sender, + reject_sender_login_mismatch, reject_unknown_sender_domain ## Authenticate RCPT TO address. smtpd_relay_restrictions = permit_sasl_authenticated, defer_unauth_destination diff --git a/postfix/master.cf b/postfix/master.cf index 3f71c94..e59f0de 100644 --- a/postfix/master.cf +++ b/postfix/master.cf 
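Review bot: In postfix/address_book.cf the query returns the sender address itself, but `smtpd_sender_login_maps` expects the result to be the SASL login name(s) that own the MAIL FROM address. The lookup therefore only matches when users authenticate with their full `user@domain` address. The Dovecot auth configuration is not part of this commit, so confirm this and record it in a comment such as `# Result is the SASL login allowed to use the address; logins are full addresses.` The predicate could also compare the columns directly, `WHERE username = '%u' AND domain = '%d'`, which avoids applying CONCAT to every row and lets an index on those columns be used. The empty `password =` works only because of the `trust` entry this commit adds to pg_hba.conf.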
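Review bot: Setting `smtpd_sender_restrictions` in postfix/main.cf applies `reject_sender_login_mismatch` to every smtpd listener, not only submission, where the override is removed from master.cf. Unauthenticated port-25 clients whose MAIL FROM is in the address book are now rejected as well. That stops outside hosts from spoofing local senders, but it also rejects forwarded mail that arrives with a local envelope sender. If that is intended, the comment should say so, for example `## Restrictions on MAIL FROM (all listeners; address-book senders must authenticate).`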
@@ -15,7 +15,6 @@ smtp inet n - y - - smtpd #dnsblog unix - - y - 0 dnsblog #tlsproxy unix - - y - 0 tlsproxy submission inet n - y - - smtpd - -o smtpd_sender_restrictions=reject_sender_login_mismatch -o smtpd_helo_restrictions=$mua_helo_restrictions -o milter_macro_daemon_name=ORIGINATING #smtps inet n - y - - smtpd diff --git a/postgres/pg_hba.conf b/postgres/pg_hba.conf index 87c9bb7..2b6bc56 100644 --- a/postgres/pg_hba.conf +++ b/postgres/pg_hba.conf @@ -91,6 +91,7 @@ local all postgres peer # TYPE DATABASE USER ADDRESS METHOD local mail_db dovecot trust +host mail_db dovecot ::1/128 trust host mail_db dkim ::1/128 trust # "local" is for Unix domain socket connections only local all all peer
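Review bot: The added `host mail_db dovecot ::1/128 trust` line in postgres/pg_hba.conf lets any local process that can reach the IPv6 loopback connect to mail_db as `dovecot` with no credential. Unlike `peer`, `trust` over TCP is not tied to the connecting OS user, so any unprivileged or compromised local account gets the same database access as Postfix. Consider `host mail_db dovecot ::1/128 scram-sha-256` with the password set in address_book.cf and that file readable only by root and the postfix group. A separate role for Postfix, limited to SELECT on `users`, would also keep the sender lookup from sharing Dovecot's privileges.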