From cf4573b6e1f3d5abddcc9d1a51bfed10a2804887 Mon Sep 17 00:00:00 2001
From: Deon George
Date: Thu, 24 Apr 2025 12:41:20 +1000
Subject: [PATCH] Updates based on our current environment, added spf policy and checking receipt valid before doing recipient verify
---
 defaults/header_checks | 8 ++++----
 docker/Dockerfile | 8 ++++++--
 include/01-custom.cf | 6 ++++--
 include/10-ssl.cf | 1 -
 4 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/defaults/header_checks b/defaults/header_checks
index b0038b9..596bc0a 100644
--- a/defaults/header_checks
+++ b/defaults/header_checks
@@ -548,7 +548,7 @@
 #
 # HEADER_CHECKS(5)
 /^Received:\ from\ localhost\ \(localhost\ \[127.0.0.1\]\)/ IGNORE
-/^Received:\ from\ efa-1-1.dege.au\ \(localhost\ \[127.0.0.1/ IGNORE
-/^Received:\ from\ efa-1-1.dege.au\ \(localhost\ \[::1/ IGNORE
-/^Received:\ from\ ov-3-1.graytech.net.au\ \(localhost\ \[127.0.0.1/ IGNORE
-/^Received:\ from\ ov-3-1.graytech.net.au\ \(localhost\ \[::1/ IGNORE
+/^Received:\ from\ efa-1-2.dege.au\ \(localhost\ \[127.0.0.1/ IGNORE
+/^Received:\ from\ efa-1-2.dege.au\ \(localhost\ \[::1/ IGNORE
+/^Received:\ from\ ov-3-2.graytech.net.au\ \(localhost\ \[127.0.0.1/ IGNORE
+/^Received:\ from\ ov-3-2.graytech.net.au\ \(localhost\ \[::1/ IGNORE
diff --git a/docker/Dockerfile b/docker/Dockerfile
index d56b8fc..453b076 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -6,15 +6,19 @@ FROM alpine
 # Change to http respositories, so they we can cache the install packages
 RUN if [ -n ${HTTP_PROXY} ] ; then sed -i -e s'/https/http/' /etc/apk/repositories; fi
-RUN apk add --no-cache postfix postfix-ldap cyrus-sasl cyrus-sasl-login opendkim opendkim-utils
+RUN apk add --no-cache postfix postfix-ldap cyrus-sasl cyrus-sasl-login opendkim opendkim-utils postfix-policyd-spf-perl
 # SASL config
 COPY smtpd.conf /etc/sasl2/
-RUN apk add shadow && useradd -rc "HUB Mail Relay" -M relay -NG mail -s /sbin/nologin && echo relay:SmTpR3l2Y | chpasswd \
+RUN apk add shadow \
+ && useradd -r -M policyd-spf -s /usr/sbin/nologin \
+ && useradd -rc "HUB Mail Relay" -M relay -NG mail -s /sbin/nologin \
+ && echo relay:SmTpR3l2Y | chpasswd \
 && gpasswd -a postfix opendkim
 # Config postfix
+RUN echo "policyd-spf unix - n n - 0 spawn user=policyd-spf argv=/usr/bin/postfix-policyd-spf-perl" >> /etc/postfix/master.cf
 RUN sed -i -e 's%^#mynetworks = hash:/etc/postfix/network_table%mynetworks = /etc/opendkim/signing/TrustedHosts%' /etc/postfix/main.cf
 COPY include /etc/postfix/include
 COPY ssl /etc/postfix/ssl
diff --git a/include/01-custom.cf b/include/01-custom.cf
index d24ed51..4d6709d 100644
--- a/include/01-custom.cf
+++ b/include/01-custom.cf
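Review bot: The relay account's password is still a literal in the rewritten line `+ && echo relay:SmTpR3l2Y | chpasswd \`, so it is stored in the image layer and readable from the build history of every image built from this file; since the instruction is being restructured anyway, this is the point to take the credential out of the Dockerfile. A BuildKit secret keeps it out of the layers, e.g. `RUN --mount=type=secret,id=relay_pw chpasswd < /run/secrets/relay_pw` with the secret file holding a `relay:<password>` line, or the password can be set at container start from an injected secret. The new `policyd-spf` user is given `-s /usr/sbin/nologin` while the `relay` user two lines down uses `/sbin/nologin`; on Alpine the busybox-provided path is `/sbin/nologin`, so I would expect the former not to exist and the two should agree. The `RUN apk add shadow \` line this continues also lacks the `--no-cache` used on the other apk line, which leaves the package index in the layer.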
@@ -15,6 +15,7 @@ smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject
 smtpd_data_restrictions = reject_unauth_pipelining
 smtpd_helo_restrictions = check_helo_access lmdb:/etc/postfix/custom/helo_access, reject_invalid_hostname
 smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_recipient_access lmdb:/etc/postfix/custom/recipient_access,
+ reject_unlisted_recipient,
 #reject_rhsbl_sender @SPAMHAUS_DQS_KEY@.dbl.dq.spamhaus.net=127.0.1.[2..99],
 #reject_rhsbl_helo @SPAMHAUS_DQS_KEY@.dbl.dq.spamhaus.net=127.0.1.[2..99],
 #reject_rhsbl_reverse_client @SPAMHAUS_DQS_KEY@.dbl.dq.spamhaus.net=127.0.1.[2..99],
@@ -22,9 +23,10 @@ smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, rej
 #reject_rhsbl_helo @SPAMHAUS_DQS_KEY@.zrd.dq.spamhaus.net=127.0.2.[2..24],
 #reject_rhsbl_reverse_client @SPAMHAUS_DQS_KEY@.zrd.dq.spamhaus.net=127.0.2.[2..24],
 #reject_rbl_client @SPAMHAUS_DQS_KEY@.zen.dq.spamhaus.net=127.0.0.[2..255],
- reject_unverified_recipient
+ reject_unverified_recipient,
+ check_policy_service unix:private/policyd-spf
 rbl_reply_maps = lmdb:/etc/postfix/custom/dnsbl-reply-map
 smtpd_sender_restrictions = permit_sasl_authenticated, check_sender_access lmdb:/etc/postfix/custom/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain
-smtpd_use_tls = yes
 unverified_recipient_reject_code = 450
 unverified_recipient_reject_reason = No user at this address
+postscreen_greet_action = enforce
diff --git a/include/10-ssl.cf b/include/10-ssl.cf
index dbebc1d..0ce4db1 100644
--- a/include/10-ssl.cf
+++ b/include/10-ssl.cf
@@ -1,4 +1,3 @@
-smtp_use_tls = yes
 smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
 smtp_tls_security_level = may
 smtpd_tls_auth_only = yes
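Review bot: `reject_unlisted_recipient` on the new line only rejects when Postfix has a recipient table for the recipient's domain class; for domains in `relay_domains` it is a no-op unless `relay_recipient_maps` is non-empty, and neither this hunk nor the rest of the commit shows such a map being set. If the relayed domains have no recipient map, the check silently passes every address and `reject_unverified_recipient` further down the same list still sends the verification probe that the commit message says this is meant to avoid. Worth confirming the map is defined in another include, and recording the dependency next to the line, e.g. `# reject_unlisted_recipient is inert for relay_domains unless relay_recipient_maps is set`. The `smtpd_recipient_restrictions` value continues into the next hunk.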
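Review bot: `-smtpd_use_tls = yes` is removed here but nothing visible sets `smtpd_tls_security_level`: the 10-ssl.cf hunk shows the client-side `smtp_tls_security_level = may` (which makes dropping `smtp_use_tls` there safe) and `smtpd_tls_auth_only = yes`, yet the server-side level is not in view, and if it is unset the SMTP server stops offering STARTTLS and, because of `smtpd_tls_auth_only = yes`, never advertises AUTH, so the relay account can no longer log in. Please confirm `smtpd_tls_security_level` is set past line 4 of 10-ssl.cf before merging. Separately, `check_policy_service unix:private/policyd-spf` is placed after `reject_unverified_recipient`, so each recipient is probed before SPF is consulted; swapping the two new lines to `check_policy_service unix:private/policyd-spf,` followed by `reject_unverified_recipient` rejects on SPF first and spares the probe and verify-cache entry for mail that would be refused anyway. `postscreen_greet_action = enforce` only takes effect when the `smtp` service in master.cf runs postscreen, and the Dockerfile hunk appends only the `policyd-spf` service to master.cf, so unless postscreen is enabled elsewhere this setting is inert and deserves a comment saying where it is wired up.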