Postfix: Support canReceiveExternally flag

Author: uubk

tasks/main.yml

@@ -166,6 +166,7 @@
       - ldap-vdomains.cf
       - ldap-transport.cf
       - ldap-external-send.cf
+      - ldap-external-receive.cf
     notify:
       - restart postfix
     tags: postfix

templates/postfix/ldap-external-receive.cf.j2

@@ -0,0 +1,10 @@
+############################################################################
+########### Managed by ansible (role: mailserver), do not edit! ############
+############################################################################
+
+{% include './templates/postfix/ldap-conn.j2' %}
+
+search_base = {{ mailserver_ldap_basedn }}
+query_filter = (&(|(primaryMail=%s)(alias=%s))(canReceiveExternally=FALSE))
+result_attribute = canReceiveExternally
+result_format = local_only_sender

templates/postfix/main.cf.j2

@@ -247,8 +247,9 @@ recipient_delimiter = +
 
 # Create a restriction class "local_only" which can be used to limit
 # outgoing mail of some users to this domain only
-smtpd_restriction_classes = local_only
+smtpd_restriction_classes = local_only, local_only_sender
 local_only = check_recipient_access hash:/etc/postfix/local_domains, reject
+local_only_sender = check_sender_access hash:/etc/postfix/local_domains, reject
 
 import_environment = KRB5CCNAME=FILE:/run/postfix/krb5_ccache
 

templates/postfix/master.cf.j2

@@ -17,8 +17,10 @@ smtp      inet  n       -       y       -       -       smtpd
   -o smtpd_sasl_auth_enable=no
 {% if not mailserver_behind_proxy %}
   -o smtpd_recipient_restrictions=permit_mynetworks,reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_recipient,reject_non_fqdn_sender,reject_unknown_sender_domain,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unauth_destination,reject_multi_recipient_bounce,reject_non_fqdn_helo_hostname,reject_invalid_helo_hostname,permit
+  -o smtpd_sender_restrictions=permit_mynetworks,{% if mailserver_config_method == "ldap" %}check_recipient_access ldap:/etc/postfix/ldap-external-receive.cf,{% endif %}reject_unauth_destination,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,permit
 {% else %}
   -o smtpd_recipient_restrictions=permit_mynetworks,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unauth_destination,reject_multi_recipient_bounce,permit
+  -o smtpd_sender_restrictions=permit_mynetworks,{% if mailserver_config_method == "ldap" %}check_recipient_access ldap:/etc/postfix/ldap-external-receive.cf,{% endif %}reject_unauth_destination,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,permit
 {% endif %}
   -o header_checks=
 {% if ansible_local['mailserver_have_antispam']|default(False) %}