From a479b2015def238126c6ae0d5916c29bb4b08a5d Mon Sep 17 00:00:00 2001
From: Noah Overcash
Date: Sun, 2 Jun 2024 13:55:56 -0400
Subject: [PATCH] Initial regexp-send-only alias implementation
---
 docs/content/config/advanced/optional-config.md | 2 ++
 docs/content/config/environment.md | 3 +++
 docs/content/config/user-management.md | 14 ++++++++++++++
 target/scripts/check-for-changes.sh | 1 +
 target/scripts/helpers/aliases.sh | 11 +++++++++++
 target/scripts/helpers/change-detection.sh | 1 +
 .../scripts/startup/setup.d/security/spoofing.sh | 6 +++++-
 7 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/docs/content/config/advanced/optional-config.md b/docs/content/config/advanced/optional-config.md
index fb1ab29d..7bc1a122 100644
--- a/docs/content/config/advanced/optional-config.md
+++ b/docs/content/config/advanced/optional-config.md
@@ -83,6 +83,7 @@ This is a list of all configuration files and directories which are optional, au
 - **postfix-sasl-password.cf:** listing of relayed domains with their respective `:`. Modify via `setup.sh relay add-auth []`. (Docs: [Relay-Hosts Auth][docs-relayhosts-senderauth])
 - **postfix-relaymap.cf:** domain-specific relays and exclusions. Modify via `setup.sh relay add-domain` and `setup.sh relay exclude-domain`. (Docs: [Relay-Hosts Senders][docs-relayhosts-senderhost])
 - **postfix-regexp.cf:** Regular expression alias file. (Docs: [Aliases][docs-aliases-regex])
+- **postfix-regexp-send-only.cf:** Regular expression alias file for senders only. (Docs: [Aliases][docs-aliases-send-only])
 - **ldap-users.cf:** Configuration for the virtual user mapping `virtual_mailbox_maps`. See the [`setup-stack.sh`][github-commit-setup-stack.sh-L411] script.
 - **ldap-groups.cf:** Configuration for the virtual alias mapping `virtual_alias_maps`. See the [`setup-stack.sh`][github-commit-setup-stack.sh-L411] script.
 - **ldap-aliases.cf:** Configuration for the virtual alias mapping `virtual_alias_maps`. See the [`setup-stack.sh`][github-commit-setup-stack.sh-L411] script.
@@ -99,6 +100,7 @@ This is a list of all configuration files and directories which are optional, au
 [docs-accounts-quota]: ../../config/user-management.md#quotas
 [docs-aliases-regex]: ../../config/user-management.md#configuring-regexp-aliases
+[docs-aliases-send-only]: ../../config/user-management.md#send-only-aliases
 [docs-dkim]: ../../config/best-practices/dkim_dmarc_spf.md#dkim
 [docs-fail2ban]: ../../config/security/fail2ban.md
 [docs-faq-spamrules]: ../../faq.md#how-can-i-manage-my-custom-spamassassin-rules
diff --git a/docs/content/config/environment.md b/docs/content/config/environment.md
index 867c7459..e91951f8 100644
--- a/docs/content/config/environment.md
+++ b/docs/content/config/environment.md
@@ -210,6 +210,8 @@ Configures the handling of creating mails with forged sender addresses.
 - **0** => (not recommended) Mail address spoofing allowed. Any logged in user may create email messages with a [forged sender address](https://en.wikipedia.org/wiki/Email_spoofing).
 - 1 => Mail spoofing denied. Each user may only send with his own or his alias addresses. Addresses with [extension delimiters](http://www.postfix.org/postconf.5.html#recipient_delimiter) are not able to send messages.
+To allow certain accounts to send as other addresses, set the `SPOOF_PROTECTION` to `1` and see [the Aliases page in the documentation][docs-aliases].
+
 ##### ENABLE_SRS
 Enables the Sender Rewriting Scheme. SRS is needed if DMS acts as forwarder. See [postsrsd](https://github.com/roehling/postsrsd/blob/main/README.rst) for further explanation.
@@ -1141,6 +1143,7 @@ Provide the credentials to use with `RELAY_HOST` or `DEFAULT_RELAY_HOST`.
 [docs-tls-manual]: ./security/ssl.md#bring-your-own-certificates
 [docs-tls-selfsigned]: ./security/ssl.md#self-signed-certificates
 [docs-accounts-quota]: ./user-management.md#quotas
+[docs-aliases]: ./user-management.md#send-only-aliases
 [docs::relay-host]: ./advanced/mail-forwarding/relay-hosts.md
 [docs::dms-volumes-state]: ./advanced/optional-config.md#volumes-state
 [postfix-config::relayhost]: https://www.postfix.org/postconf.5.html#relayhost
diff --git a/docs/content/config/user-management.md b/docs/content/config/user-management.md
index a909157e..b6105bed 100644
--- a/docs/content/config/user-management.md
+++ b/docs/content/config/user-management.md
@@ -82,5 +82,19 @@ Postfix supports so-called address tags, in the form of plus (+) tags - i.e. `ad
 recipient_delimiter = -
 ```
+### Send-Only Aliases
+
+Sometimes, it may be useful to allow certain accounts to send as other accounts, even when [the `SPOOF_PROTECTION` environment variable is enabled][spoof-protection]. This may be used to allow services to send accounts as other addresses without needing to disable spoof protection entirely, and without affecting incoming mail (which traditional [aliases](#aliases) would do).
+
+To configure these aliases, add them to `docker-data/dms/config/postfix-regexp-send-only.cf` in the same format as [the other regexp aliases](#configuring-regexp-aliases). For example:
+
+```cf
+/^.*@example.com$/ admin@example.com
+/^.*$/ superadmin@example.com
+```
+
+In this example, `admin@example.com` would be able to send as any address at `example.com` and `superadmin@example.com` would be able to send as any address at any domain.
+
+[spoof-protection]: ./environment.md#spoof_protection
 [postfix-docs-alias]: http://www.postfix.org/VIRTUAL_README.html#virtual_alias
 [postfix-docs-extension-delimiters]: http://www.postfix.org/postconf.5.html#recipient_delimiter
diff --git a/target/scripts/check-for-changes.sh b/target/scripts/check-for-changes.sh
index bf5cd90b..099fcbc5 100755
--- a/target/scripts/check-for-changes.sh
+++ b/target/scripts/check-for-changes.sh
@@ -138,6 +138,7 @@ function _postfix_dovecot_changes() {
 # Regenerate system + virtual account aliases via `helpers/aliases.sh`:
 [[ ${CHANGED} =~ ${DMS_DIR}/postfix-virtual.cf ]] && _handle_postfix_virtual_config
 [[ ${CHANGED} =~ ${DMS_DIR}/postfix-regexp.cf ]] && _handle_postfix_regexp_config
+ [[ ${CHANGED} =~ ${DMS_DIR}/postfix-regexp-send-only.cf ]] && _handle_postfix_regexp_send_only_config
 [[ ${CHANGED} =~ ${DMS_DIR}/postfix-aliases.cf ]] && _handle_postfix_aliases_config
 # Legacy workaround handled here, only seems necessary for _create_accounts:
diff --git a/target/scripts/helpers/aliases.sh b/target/scripts/helpers/aliases.sh
index b0f2fa1a..758f9af0 100644
--- a/target/scripts/helpers/aliases.sh
+++ b/target/scripts/helpers/aliases.sh
@@ -30,6 +30,17 @@ function _handle_postfix_regexp_config() {
 fi
 }
+function _handle_postfix_regexp_send_only_config() {
+ : >/etc/postfix/regexp-send-only
+
+ if [[ -f /tmp/docker-mailserver/postfix-regexp-send-only.cf ]]; then
+ _log 'trace' "Adding regexp-send-only alias file postfix-regexp-send-only.cf"
+
+ cp -f /tmp/docker-mailserver/postfix-regexp-send-only.cf /etc/postfix/regexp-send-only
+ # we specifically do NOT append this to virtual_alias_maps
+ fi
+}
+
 function _handle_postfix_aliases_config() {
 _log 'trace' 'Configuring root alias'
diff --git a/target/scripts/helpers/change-detection.sh b/target/scripts/helpers/change-detection.sh
index 08f6906c..7c2398fd 100644
--- a/target/scripts/helpers/change-detection.sh
+++ b/target/scripts/helpers/change-detection.sh
@@ -34,6 +34,7 @@ function _monitored_files_checksums() {
 "${DMS_DIR}/postfix-accounts.cf"
 "${DMS_DIR}/postfix-virtual.cf"
 "${DMS_DIR}/postfix-regexp.cf"
+"${DMS_DIR}/postfix-regexp-send-only.cf"
 "${DMS_DIR}/postfix-aliases.cf"
 "${DMS_DIR}/postfix-relaymap.cf"
 "${DMS_DIR}/postfix-sasl-password.cf"
diff --git a/target/scripts/startup/setup.d/security/spoofing.sh b/target/scripts/startup/setup.d/security/spoofing.sh
index ffefb279..91ba14a3 100644
--- a/target/scripts/startup/setup.d/security/spoofing.sh
+++ b/target/scripts/startup/setup.d/security/spoofing.sh
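Review bot: The `_log 'trace'` line in `_handle_postfix_regexp_send_only_config` is the only record that a sender-login override map was installed, and under `SPOOF_PROTECTION=1` that file widens which logins may send as which addresses, so an operator reading default-level logs will not see it happen; `_log 'info' 'Installing send-only regexp aliases from postfix-regexp-send-only.cf'` would make it visible, and single quotes match the sibling `_log 'trace' 'Configuring root alias'` since nothing is interpolated. Whether `info` is too chatty depends on the other alias helpers, which are outside this hunk. Because `cp -f` installs the user file verbatim as a `pcre:` table, a malformed or catch-all pattern only surfaces later as Postfix lookup behaviour at SMTP time, so the function should at least carry a header comment such as `# Builds /etc/postfix/regexp-send-only, consumed only by smtpd_sender_login_maps (see setup.d/security/spoofing.sh); created empty when the user config is absent.` so that the unconditional `: >` truncation and the "NOT virtual_alias_maps" note are explained together.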
@@ -14,7 +14,11 @@ function _setup_spoof_protection() {
 # NOTE: This file is always created at startup, it potentially has content added.
 # TODO: From section: "SPOOF_PROTECTION=1 handling for smtpd_sender_login_maps"
 # https://github.com/docker-mailserver/docker-mailserver/issues/2819#issue-1402114383
- if [[ -f /etc/postfix/regexp ]]; then
+if [[ -f /etc/postfix/regexp && -f /etc/postfix/regexp-send-only ]]; then
+ postconf 'smtpd_sender_login_maps = unionmap:{ texthash:/etc/postfix/virtual, hash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre, pcre:/etc/postfix/regexp, pcre:/etc/postfix/regexp-send-only }'
+elif [[ -f /etc/postfix/regexp-send-only ]]; then
+ postconf 'smtpd_sender_login_maps = unionmap:{ texthash:/etc/postfix/virtual, hash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre, pcre:/etc/postfix/regexp-send-only }'
+elif [[ -f /etc/postfix/regexp ]]; then
 postconf 'smtpd_sender_login_maps = unionmap:{ texthash:/etc/postfix/virtual, hash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre, pcre:/etc/postfix/regexp }'
 else
 postconf 'smtpd_sender_login_maps = texthash:/etc/postfix/virtual, hash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre'
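Review bot: The two new `-f /etc/postfix/regexp-send-only` tests are effectively constant once `_handle_postfix_regexp_send_only_config` has run, because that helper creates the file with `: >` whether or not the user config exists — the same situation the NOTE line above already records for `/etc/postfix/regexp`. If the alias helpers run before `_setup_spoof_protection` (the call order is outside this hunk), the first branch is the one taken in practice, and the `elif` chain now carries four hand-copied map lists that must be kept in sync. Building the list once and appending each pcre map that exists keeps a single copy of the base maps, keeps the unionmap-versus-plain-list distinction explicit, and gives a place for a comment saying that an empty pcre table in the union contributes no sender logins. `_setup_spoof_protection` begins and ends outside the hunk.
```shell
  # … unchanged: NOTE/TODO comments above …
  local MAPS='texthash:/etc/postfix/virtual, hash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre'
  local USE_UNIONMAP=0
  # Both pcre maps are optional; an empty table in the union contributes no sender logins
  if [[ -f /etc/postfix/regexp ]]; then
    MAPS+=', pcre:/etc/postfix/regexp'
    USE_UNIONMAP=1
  fi
  if [[ -f /etc/postfix/regexp-send-only ]]; then
    MAPS+=', pcre:/etc/postfix/regexp-send-only'
    USE_UNIONMAP=1
  fi
  # unionmap concatenates results from all tables; the plain list stops at the first match
  if [[ ${USE_UNIONMAP} -eq 1 ]]; then
    postconf "smtpd_sender_login_maps = unionmap:{ ${MAPS} }"
  else
    postconf "smtpd_sender_login_maps = ${MAPS}"
  fi
```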