Updates based on our current environment, added spf policy and checking receipt valid before doing recipient verify

defaults/header_checks

@@ -548,7 +548,7 @@
 # 
 #                                                               HEADER_CHECKS(5)
 /^Received:\ from\ localhost\ \(localhost\ \[127.0.0.1\]\)/ IGNORE
-/^Received:\ from\ efa-1-1.dege.au\ \(localhost\ \[127.0.0.1/ IGNORE
-/^Received:\ from\ efa-1-1.dege.au\ \(localhost\ \[::1/ IGNORE
-/^Received:\ from\ ov-3-1.graytech.net.au\ \(localhost\ \[127.0.0.1/ IGNORE
-/^Received:\ from\ ov-3-1.graytech.net.au\ \(localhost\ \[::1/ IGNORE
+/^Received:\ from\ efa-1-2.dege.au\ \(localhost\ \[127.0.0.1/ IGNORE
+/^Received:\ from\ efa-1-2.dege.au\ \(localhost\ \[::1/ IGNORE
+/^Received:\ from\ ov-3-2.graytech.net.au\ \(localhost\ \[127.0.0.1/ IGNORE
+/^Received:\ from\ ov-3-2.graytech.net.au\ \(localhost\ \[::1/ IGNORE

docker/Dockerfile

@@ -6,15 +6,19 @@ FROM alpine
 # Change to http respositories, so they we can cache the install packages
 RUN if [ -n ${HTTP_PROXY} ] ; then sed -i -e s'/https/http/' /etc/apk/repositories; fi
 
-RUN apk add --no-cache postfix postfix-ldap cyrus-sasl cyrus-sasl-login opendkim opendkim-utils
+RUN apk add --no-cache postfix postfix-ldap cyrus-sasl cyrus-sasl-login opendkim opendkim-utils postfix-policyd-spf-perl
 
 # SASL config
 COPY smtpd.conf /etc/sasl2/
 
-RUN apk add shadow && useradd -rc "HUB Mail Relay" -M relay -NG mail -s /sbin/nologin && echo relay:SmTpR3l2Y | chpasswd \
+RUN apk add shadow \
+  && useradd -r -M policyd-spf -s /usr/sbin/nologin \
+  && useradd -rc "HUB Mail Relay" -M relay -NG mail -s /sbin/nologin \
+  && echo relay:SmTpR3l2Y | chpasswd \
   && gpasswd -a postfix opendkim
 
 # Config postfix
+RUN echo "policyd-spf  unix  -       n       n       -       0       spawn user=policyd-spf argv=/usr/bin/postfix-policyd-spf-perl" >> /etc/postfix/master.cf
 RUN sed -i -e 's%^#mynetworks = hash:/etc/postfix/network_table%mynetworks = /etc/opendkim/signing/TrustedHosts%' /etc/postfix/main.cf
 COPY include /etc/postfix/include
 COPY ssl /etc/postfix/ssl

include/01-custom.cf

@@ -15,6 +15,7 @@ smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject
 smtpd_data_restrictions = reject_unauth_pipelining
 smtpd_helo_restrictions = check_helo_access lmdb:/etc/postfix/custom/helo_access, reject_invalid_hostname
 smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_recipient_access lmdb:/etc/postfix/custom/recipient_access,
+  reject_unlisted_recipient,
 #reject_rhsbl_sender         @SPAMHAUS_DQS_KEY@.dbl.dq.spamhaus.net=127.0.1.[2..99],
 #reject_rhsbl_helo           @SPAMHAUS_DQS_KEY@.dbl.dq.spamhaus.net=127.0.1.[2..99],
 #reject_rhsbl_reverse_client @SPAMHAUS_DQS_KEY@.dbl.dq.spamhaus.net=127.0.1.[2..99],
@@ -22,9 +23,10 @@ smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, rej
 #reject_rhsbl_helo           @SPAMHAUS_DQS_KEY@.zrd.dq.spamhaus.net=127.0.2.[2..24],
 #reject_rhsbl_reverse_client @SPAMHAUS_DQS_KEY@.zrd.dq.spamhaus.net=127.0.2.[2..24],
 #reject_rbl_client           @SPAMHAUS_DQS_KEY@.zen.dq.spamhaus.net=127.0.0.[2..255],
-  reject_unverified_recipient
+  reject_unverified_recipient,
+  check_policy_service unix:private/policyd-spf
 rbl_reply_maps = lmdb:/etc/postfix/custom/dnsbl-reply-map
 smtpd_sender_restrictions = permit_sasl_authenticated, check_sender_access lmdb:/etc/postfix/custom/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain
-smtpd_use_tls = yes
 unverified_recipient_reject_code = 450
 unverified_recipient_reject_reason = No user at this address
+postscreen_greet_action = enforce

include/10-ssl.cf

@@ -1,4 +1,3 @@
-smtp_use_tls = yes
 smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
 smtp_tls_security_level = may
 smtpd_tls_auth_only = yes