From 42d8aef2c3fbab3a24708611823115566bd65525 Mon Sep 17 00:00:00 2001
From: Kristian Klausen <kristian@klausen.dk>
Date: Sat, 17 Jul 2021 03:25:03 +0200
Subject: [PATCH] postfix: Restrict authenticated senders to their own
 address(es)

Please see the reject_authenticated_sender_login_mismatch option[1] for
more details.

For now service accounts are not restricted in any way, this should be
improved in the further.

[1] https://www.postfix.org/postconf.5.html#reject_authenticated_sender_login_mismatch

Fix #365
---
 roles/postfix/templates/main.cf.j2 | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/roles/postfix/templates/main.cf.j2 b/roles/postfix/templates/main.cf.j2
index 889f35c98..9a90e5bb9 100644
--- a/roles/postfix/templates/main.cf.j2
+++ b/roles/postfix/templates/main.cf.j2
@@ -41,6 +41,7 @@ policy_check =
 # postfwd (rate-limiting)
   check_policy_service inet:127.0.0.1:10040
 
+smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
 smtpd_relay_restrictions =
 smtpd_recipient_restrictions =
 # policy services
@@ -84,9 +85,10 @@ internal_mail_filter_classes = bounce
 
 indexed = ${default_database_type}:${config_directory}
 
-smtpd_sender_login_maps =
+smtpd_sender_login_maps = unionmap:{
+  static:{aur bbs gemini gitlab matrix archlinux wiki security},
   ${indexed}/smtp_sender_map,
-  ${indexed}/users
+  ${indexed}/users}
 smtpd_helo_required = yes
 
 smtpd_client_connection_rate_limit = 400
-- 
GitLab