diff --git a/cmdeploy/src/cmdeploy/postfix/main.cf.j2 b/cmdeploy/src/cmdeploy/postfix/main.cf.j2 index a10b0e2c..6f88277c 100644 --- a/cmdeploy/src/cmdeploy/postfix/main.cf.j2 +++ b/cmdeploy/src/cmdeploy/postfix/main.cf.j2 @@ -53,7 +53,8 @@ smtpd_tls_exclude_ciphers = aNULL, RC4, MD5, DES # See . tls_preempt_cipherlist = yes -smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination +# Reject by default, override per smtpd in master.cf +smtpd_relay_restrictions = reject myhostname = {{ config.postfix_myhostname }} alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases diff --git a/cmdeploy/src/cmdeploy/postfix/master.cf.j2 b/cmdeploy/src/cmdeploy/postfix/master.cf.j2 index bf108fec..84c17413 100644 --- a/cmdeploy/src/cmdeploy/postfix/master.cf.j2 +++ b/cmdeploy/src/cmdeploy/postfix/master.cf.j2 @@ -17,6 +17,7 @@ smtp inet n - y - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_tls_mandatory_protocols=>=TLSv1.2 -o smtpd_proxy_filter=127.0.0.1:{{ config.filtermail_smtp_port_incoming }} + -o smtpd_relay_restrictions=reject_unauth_destination submission inet n - y - 5000 smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt @@ -81,12 +82,14 @@ filter unix - n n - - lmtp -o syslog_name=postfix/reinject -o milter_macro_daemon_name=ORIGINATING -o cleanup_service_name=authclean + -o smtpd_relay_restrictions=permit_mynetworks,reject {% if not config.ipv4_relay %} -o smtpd_milters=unix:opendkim/opendkim.sock {% endif %} # Local SMTP server for reinjecting incoming filtered mail 127.0.0.1:{{ config.postfix_reinject_port_incoming }} inet n - n - 100 smtpd -o syslog_name=postfix/reinject_incoming + -o smtpd_relay_restrictions=reject_unauth_destination # Cleanup `Received` headers for authenticated mail # to avoid leaking client IP.
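Review bot: In main.cf.j2 the new default `smtpd_relay_restrictions = reject` makes every smtpd service fail closed, so any stanza in master.cf without its own `-o smtpd_relay_restrictions=...` will refuse all recipients. This diff adds overrides to three stanzas, but `submission` appears only as context in the master.cf hunk at -17,6 and the rest of its options are outside the diff. It is worth confirming that it, and any other authenticated listener, already sets an override that permits SASL-authenticated clients. I would also have the comment say this outright, e.g. `# Fail closed: an smtpd service without its own -o smtpd_relay_restrictions in master.cf rejects every recipient.`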
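Review bot: The port-25 override in master.cf.j2, `-o smtpd_relay_restrictions=reject_unauth_destination`, replaces the old global `defer_unauth_destination`, so a recipient domain that is not recognised as local now gets a permanent 5xx instead of a temporary 4xx. Dropping `permit_mynetworks` and `permit_sasl_authenticated` from the public listener is a sound tightening. The 4xx-to-5xx change, however, means a mistake in the local domain settings during a deploy bounces inbound mail rather than leaving it queued at the sender. If that is not intended, `-o smtpd_relay_restrictions=defer_unauth_destination` keeps the old failure mode; if it is, the commit message should say so. The `smtp inet` service line this option belongs to sits in the hunk header, outside the hunk body.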
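Review bot: The first added line in the master.cf.j2 hunk at -81,12, `-o smtpd_relay_restrictions=permit_mynetworks,reject`, makes relaying through the reinject listener depend entirely on `mynetworks`, whose value is not visible in this diff. If main.cf ever widens `mynetworks` beyond loopback, every host in that range that can reach the listener is allowed to relay through it. Pinning the value on the stanza, e.g. `-o mynetworks=127.0.0.0/8,[::1]/128`, would keep the rule self-contained. The service line for this stanza is above the hunk, so the address it binds to cannot be checked from here.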