postfix: Restrict authenticated senders to their own address(es)

Please see the reject_authenticated_sender_login_mismatch option[1] for more details. For now service accounts are not restricted in any way, this should be improved in the further. [1] https://www.postfix.org/postconf.5.html#reject_authenticated_sender_login_mismatch Fix #365

postfix: Restrict authenticated senders to their own address(es)
42d8aef2 · Kristian Klausen · 92cf7ac9 · 42d8aef2
Verified Commit 42d8aef2 authored 3 years ago by Kristian Klausen
--- a/roles/postfix/templates/main.cf.j2
+++ b/roles/postfix/templates/main.cf.j2
@@ -41,6 +41,7 @@ policy_check =
 # postfwd (rate-limiting)
  check_policy_service inet:127.0.0.1:10040

+smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
 smtpd_relay_restrictions =
 smtpd_recipient_restrictions =
 # policy services
@@ -84,9 +85,10 @@ internal_mail_filter_classes = bounce

 indexed = ${default_database_type}:${config_directory}

-smtpd_sender_login_maps =
+smtpd_sender_login_maps = unionmap:{
+  static:{aur bbs gemini gitlab matrix archlinux wiki security},
  ${indexed}/smtp_sender_map,
-  ${indexed}/users
+  ${indexed}/users}
 smtpd_helo_required = yes

 smtpd_client_connection_rate_limit = 400