From 5686a4097ae5719d41afda33d3523d47b5a36b4d Mon Sep 17 00:00:00 2001 From: Brennan Kinney <5098581+polarathene@users.noreply.github.com> Date: Sun, 2 Mar 2025 01:55:13 +1300 Subject: [PATCH] fix: `setup email restrict` configs should only prepend once (#4379) * fix: `setup email restrict` configs should only prepend once * chore: Prepend to our custom parameter variant to retain applying to all `smtpd` ports --------- Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com> --- target/postfix/main.cf | 5 +++-- target/scripts/startup/setup.d/postfix.sh | 8 ++++++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/target/postfix/main.cf b/target/postfix/main.cf index d501eec0..518e2dc5 100644 --- a/target/postfix/main.cf +++ b/target/postfix/main.cf @@ -68,9 +68,10 @@ smtpd_forbid_bare_newline = yes # smtpd_forbid_bare_newline_exclusions = $mynetworks # Custom defined parameters for DMS: -# reject_unknown_sender_domain: https://github.com/docker-mailserver/docker-mailserver/issues/3716#issuecomment-1868033234 +# Custom sender restrictions overview: https://github.com/docker-mailserver/docker-mailserver/pull/4379#issuecomment-2670365917 +# `reject_unknown_sender_domain`: https://github.com/docker-mailserver/docker-mailserver/issues/3716#issuecomment-1868033234 dms_smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain -# Submission ports 587 and 465 support for SPOOF_PROTECTION=1 +# `SPOOF_PROTECTION=1` support requires prepending `reject_authenticated_sender_login_mismatch` mua_sender_restrictions = reject_authenticated_sender_login_mismatch, $dms_smtpd_sender_restrictions # Postscreen settings to drop zombies/open relays/spam early diff --git a/target/scripts/startup/setup.d/postfix.sh b/target/scripts/startup/setup.d/postfix.sh index e99e6607..9e9370ab 100644 --- a/target/scripts/startup/setup.d/postfix.sh +++ b/target/scripts/startup/setup.d/postfix.sh @@ -93,13 +93,17 @@ EOF function _setup_postfix_late() { _log 'debug' 'Configuring Postfix (late setup)' + # These two config files are `access` database tables managed via `setup email restrict`: + # NOTE: Prepends to existing restrictions, thus has priority over other permit/reject policies that follow. + # https://www.postfix.org/postconf.5.html#smtpd_sender_restrictions + # https://www.postfix.org/access.5.html __postfix__log 'trace' 'Configuring user access' if [[ -f /tmp/docker-mailserver/postfix-send-access.cf ]]; then - sed -i -E 's|(smtpd_sender_restrictions =)|\1 check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf,|' /etc/postfix/main.cf + sed -i -E 's|^(dms_smtpd_sender_restrictions =)|\1 check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf,|' /etc/postfix/main.cf fi if [[ -f /tmp/docker-mailserver/postfix-receive-access.cf ]]; then - sed -i -E 's|(smtpd_recipient_restrictions =)|\1 check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf,|' /etc/postfix/main.cf + sed -i -E 's|^(dms_smtpd_recipient_restrictions =)|\1 check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf,|' /etc/postfix/main.cf fi __postfix__log 'trace' 'Configuring relay host'