From 9077dcc92954b810700ba1c67692d462dca7b61e Mon Sep 17 00:00:00 2001
From: Dominic Ricottone
Date: Sat, 12 Aug 2023 13:00:38 -0500
Subject: [PATCH] Restrictions on postfix

Adding rate limiting and proper security to the postfix images by default.
---
 postfix/main.cf | 19 ++++++++++++++++++-
 postfix/main.cf.tls-in | 19 ++++++++++++++++++-
 2 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/postfix/main.cf b/postfix/main.cf
index 91a0dd6..d72a5e7 100644
--- a/postfix/main.cf
+++ b/postfix/main.cf
@@ -27,12 +27,29 @@ transport_maps = lmdb:/etc/postfix/transport
 # Logging
 maillog_file = /dev/stdout
 
+# Restrictions
+# reject if attempted to connect or authenticate 10 times in 60 seconds
+anvil_rate_time_unit = 60s
+smtpd_client_auth_rate_limit = 10
+smtpd_client_connection_rate_limit = 10
+smtpd_client_new_tls_session_rate_limit = 10
+# reject if not authenticated
+smtpd_client_restrictions = permit_sasl_authenticated, reject
+# reject if HELO or EHLO hostname does not have a valid A or MX record
+smtpd_helo_restrictions = reject_unknown_helo_hostname
+smtpd_helo_required = yes
+# reject if MAIL FROM hostname is not in $mydestination AND does not have a valid A or MX record
+smtpd_sender_restrictions = reject_unknown_sender_domain
+# reject if RCPT TO hostname is not in $mydestination AND not in $relay_domains
+smtpd_relay_restrictions = reject_unauth_destination
+# if RCPT TO hostname IS in $mydestination, apply no further restrictions
+smtpd_recipient_restrictions =
+
 # Authentication
 cyrus_sasl_config_path = /etc/sasl2/
 smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = lmdb:/etc/postfix/sasl/sasl_passwd
 smtp_sasl_security_options = noanonymous
-smtpd_relay_restrictions = reject_unauth_destination
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_local_domain = $mydomain
 smtpd_sasl_path = smtpd
diff --git a/postfix/main.cf.tls-in b/postfix/main.cf.tls-in
index 2042e9e..fb72a6b 100644
--- a/postfix/main.cf.tls-in
+++ b/postfix/main.cf.tls-in
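Review bot: `smtpd_helo_restrictions = reject_unknown_helo_hostname` in this hunk is evaluated for the only clients that the new `smtpd_client_restrictions = permit_sasl_authenticated, reject` still admits, so an authenticated client whose EHLO name has no public A or MX record (common for MUAs and containers) is rejected at RCPT TO; put the permit first, `smtpd_helo_restrictions = permit_sasl_authenticated, reject_unknown_helo_hostname`, and consider the same for `smtpd_sender_restrictions` if authenticated senders use internal domains. Because the client list rejects every unauthenticated peer, the relay and recipient lists (and the comments about `$mydestination` and `$relay_domains`) are never reached for MTA-to-MTA delivery, so this listener can no longer accept inbound mail unless a master.cf service overrides these settings — if submission-only is the intent, the `# reject if not authenticated` comment should say so. Conversely, `smtpd_relay_restrictions = reject_unauth_destination` has no `permit_sasl_authenticated` in front of it, so authenticated clients may only send to `$mydestination`/`$relay_domains`; if they are expected to relay outbound, use `smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination`.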
@@ -28,9 +28,26 @@ transport_maps = lmdb:/etc/postfix/transport
 # Logging
 maillog_file = /dev/stdout
 
+# Restrictions
+# reject if attempted to connect or authenticate 10 times in 60 seconds
+anvil_rate_time_unit = 60s
+smtpd_client_auth_rate_limit = 10
+smtpd_client_connection_rate_limit = 10
+smtpd_client_new_tls_session_rate_limit = 10
+# reject if not authenticated
+smtpd_client_restrictions = permit_sasl_authenticated, reject
+# reject if HELO or EHLO hostname does not have a valid A or MX record
+smtpd_helo_restrictions = reject_unknown_helo_hostname
+smtpd_helo_required = yes
+# reject if MAIL FROM hostname is not in $mydestination AND does not have a valid A or MX record
+smtpd_sender_restrictions = reject_unknown_sender_domain
+# reject if RCPT TO hostname is not in $mydestination AND not in $relay_domains
+smtpd_relay_restrictions = reject_unauth_destination
+# if RCPT TO hostname IS in $mydestination, apply no further restrictions
+smtpd_recipient_restrictions =
+
 # Authentication
 cyrus_sasl_config_path = /etc/sasl2/
-smtpd_relay_restrictions = reject_unauth_destination
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_local_domain = $mydomain
 smtpd_sasl_path = smtpd
-- 
2.45.2
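Review bot: The `smtpd_client_*_rate_limit` values added at the top of this hunk are per-client-IP counters kept by anvil, and Postfix by default exempts any client matching `smtpd_client_event_limit_exceptions` (default `$mynetworks`, whose value is not visible here), so an AUTH brute-force from an address inside `$mynetworks` would not be throttled by `smtpd_client_auth_rate_limit`; if that is not wanted, add `smtpd_client_event_limit_exceptions =` (empty) alongside these lines. `smtpd_client_auth_rate_limit` counts every AUTH command whether or not it succeeds, so a legitimate submitter reconnecting more than 10 times a minute, or many users behind one NAT or proxy address, will be rejected too — the comment should make the scope explicit, e.g. `# per client IP: reject more than 10 connects, AUTH commands or new TLS sessions per 60s`. The restriction lists below are identical to those in postfix/main.cf and carry the same ordering problem: `reject_unknown_helo_hostname` is applied to the SASL-authenticated clients that are the only ones admitted by `smtpd_client_restrictions`, so `permit_sasl_authenticated` should precede it there as well.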