
9077dcc92954b810700ba1c67692d462dca7b61e — Dominic Ricottone 1 year, 1 month ago effcfb1
Restrictions on postfix

Adding per-client connection/authentication rate limits and stricter SMTP
client, HELO, sender and relay restrictions to the postfix images by default.
2 files changed, 36 insertions(+), 2 deletions(-)

M postfix/main.cf
M postfix/main.cf.tls-in
M postfix/main.cf => postfix/main.cf +18 -1
@@ 27,12 27,29 @@ transport_maps = lmdb:/etc/postfix/transport
# Logging
maillog_file = /dev/stdout

# Restrictions
# reject if attempted to connect or authenticate 10 times in 60 seconds
anvil_rate_time_unit = 60s
smtpd_client_auth_rate_limit = 10
smtpd_client_connection_rate_limit = 10
smtpd_client_new_tls_session_rate_limit = 10
# reject if not authenticated
smtpd_client_restrictions = permit_sasl_authenticated, reject
# reject if HELO or EHLO hostname does not have a valid A or MX record
smtpd_helo_restrictions = reject_unknown_helo_hostname
smtpd_helo_required = yes
# reject if MAIL FROM hostname is not in $mydestination AND does not have a valid A or MX record
smtpd_sender_restrictions = reject_unknown_sender_domain
# reject if RCPT TO hostname is not in $mydestination AND not in $relay_domains
smtpd_relay_restrictions = reject_unauth_destination
# if RCPT TO hostname IS in $mydestination, apply no further restrictions
smtpd_recipient_restrictions =

# Authentication
cyrus_sasl_config_path = /etc/sasl2/
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous
smtpd_relay_restrictions = reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = smtpd

M postfix/main.cf.tls-in => postfix/main.cf.tls-in +18 -1
@@ 28,9 28,26 @@ transport_maps = lmdb:/etc/postfix/transport
# Logging
maillog_file = /dev/stdout

# Restrictions
# reject if attempted to connect or authenticate 10 times in 60 seconds
anvil_rate_time_unit = 60s
smtpd_client_auth_rate_limit = 10
smtpd_client_connection_rate_limit = 10
smtpd_client_new_tls_session_rate_limit = 10
# reject if not authenticated
smtpd_client_restrictions = permit_sasl_authenticated, reject
# reject if HELO or EHLO hostname does not have a valid A or MX record
smtpd_helo_restrictions = reject_unknown_helo_hostname
smtpd_helo_required = yes
# reject if MAIL FROM hostname is not in $mydestination AND does not have a valid A or MX record
smtpd_sender_restrictions = reject_unknown_sender_domain
# reject if RCPT TO hostname is not in $mydestination AND not in $relay_domains
smtpd_relay_restrictions = reject_unauth_destination
# if RCPT TO hostname IS in $mydestination, apply no further restrictions
smtpd_recipient_restrictions =

# Authentication
cyrus_sasl_config_path = /etc/sasl2/
smtpd_relay_restrictions = reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = smtpd
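Review bot: The HELO and sender DNS checks still apply to authenticated clients, because `permit_sasl_authenticated` in `smtpd_client_restrictions` only ends that list and Postfix goes on to evaluate `smtpd_helo_restrictions` and `smtpd_sender_restrictions` (at RCPT TO under delayed reject); an authenticated user whose HELO is an unresolvable workstation name is therefore rejected by `reject_unknown_helo_hostname`, and every sender is refused while DNS is unavailable. Since this file is the tls-in variant, the same `permit_sasl_authenticated, reject` presumably also turns away every remote MTA, which cannot authenticate — confirm that is the intent. Prefer `smtpd_helo_restrictions = permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname` and `smtpd_sender_restrictions = permit_sasl_authenticated, reject_unknown_sender_domain`, so authenticated submission is not gated on DNS. The comment "reject if HELO or EHLO hostname does not have a valid A or MX record" should also note that a temporary lookup failure is deferred rather than rejected (default `unknown_helo_hostname_tempfail_action = defer_if_permit`).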