Postfix: Cleanup port 25 option overrides

uubk · Carbenium · commit bcc2ca71f4b2 · 2019-10-14T14:04:05.000+02:00
diff --git a/templates/postfix/main.cf.j2 b/templates/postfix/main.cf.j2
@@ -165,33 +165,41 @@ delay_warning_time=3h
 maximal_queue_lifetime=2d
 bounce_queue_lifetime=1d
 
-{% if mailserver_behind_proxy %}
-# We're behind a forwaring proxy that does antispam. Mails therefore do not get delivered to us
-# from their original sender, therefore, we can't do DNS checks!
-
 # smtpd sender restrictions
+smtpd_sender_restrictions_25 = permit_mynetworks,
+{% if mailserver_config_method == "ldap" %}  check_recipient_access ldap:/etc/postfix/ldap-external-receive.cf,
+{% endif %}
+  permit_mynetworks, reject_unauth_destination,
+  reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain,
+  reject_unauth_pipelining, permit
 smtpd_sender_restrictions = reject_sender_login_mismatch,
   permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
   reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain,
   reject_unauth_pipelining, permit
 
+{% if mailserver_behind_proxy %}
+# We're behind a forwaring proxy that does antispam. Mails therefore do not get delivered to us
+# from their original sender, therefore, we can't do DNS checks!
+
 # smtp destination restrictions
 # Either you're authenticated OR you are from 127.0.0.1 OR you satisfy a boatload of constraints
 # Also note that the same thing ist in master.cf without sasl restrictions
+smtpd_recipient_restrictions_25 = permit_mynetworks, reject_unknown_recipient_domain, reject_unauth_pipelining,
+  reject_unauth_destination, reject_multi_recipient_bounce, permit
+
 smtpd_recipient_restrictions = reject_sender_login_mismatch, permit_sasl_authenticated,
   permit_mynetworks, reject_unknown_recipient_domain, reject_unauth_pipelining,
   reject_unauth_destination, reject_multi_recipient_bounce, permit
 {% else %}
-# smtpd sender restrictions
-smtpd_sender_restrictions = reject_sender_login_mismatch,
-  permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
-  reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain,
-  reject_unauth_pipelining, permit
-
 # smtp destination restrictions
 # Either you're authenticated OR you are from 127.0.0.1 OR you satisfy a boatload of constraints
 # We need to find out in prod if this is too restrictive
 # Also note that the same thing ist in master.cf without sasl restrictions
+smtpd_recipient_restrictions_25 = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname,
+  reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain,
+  reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination,
+  reject_multi_recipient_bounce, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
+
 smtpd_recipient_restrictions = reject_sender_login_mismatch,
 {% if mailserver_config_method == "ldap" %}  check_sender_access ldap:/etc/postfix/ldap-external-send.cf,
 {% endif %}
diff --git a/templates/postfix/master.cf.j2 b/templates/postfix/master.cf.j2
@@ -15,13 +15,8 @@
 # We list
 smtp      inet  n       -       y       -       -       smtpd
     -o smtpd_sasl_auth_enable=no
-{% if not mailserver_behind_proxy %}
-    -o smtpd_recipient_restrictions=permit_mynetworks,reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_recipient,reject_non_fqdn_sender,reject_unknown_sender_domain,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unauth_destination,reject_multi_recipient_bounce,reject_non_fqdn_helo_hostname,reject_invalid_helo_hostname,permit
-    -o smtpd_sender_restrictions=permit_mynetworks,{% if mailserver_config_method == "ldap" %}check_recipient_access ldap:/etc/postfix/ldap-external-receive.cf,{% endif %}reject_unauth_destination,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,permit
-{% else %}
-    -o smtpd_recipient_restrictions=permit_mynetworks,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unauth_destination,reject_multi_recipient_bounce,permit
-    -o smtpd_sender_restrictions=permit_mynetworks,{% if mailserver_config_method == "ldap" %}check_recipient_access ldap:/etc/postfix/ldap-external-receive.cf,{% endif %}reject_unauth_destination,reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain,reject_unauth_pipelining,permit
-{% endif %}
+    -o smtpd_recipient_restrictions=$smtpd_recipient_restrictions_25
+    -o smtpd_sender_restrictions=$smtpd_sender_restrictions_25
     -o header_checks=
 {% if ansible_local['mailserver_have_antispam']|default(False) %}
     -o smtpd_proxy_filter=127.0.0.1:10026
