From 1c17583ad5b2b2edae87bd93aff9e2eee866da4d Mon Sep 17 00:00:00 2001
From: Alex Vandiver
Date: Fri, 11 Sep 2020 17:44:45 -0700
Subject: [PATCH] puppet: Restrict postfix incoming addresses to postmaster and zulip.
This removes the possibility of local user enumeration via RCPT TO.
---
 puppet/zulip/files/postfix/access | 9 +++++++++
 puppet/zulip/files/postfix/virtual | 9 ++++++---
 puppet/zulip/manifests/postfix_localmail.pp | 8 ++++++++
 puppet/zulip/templates/postfix/main.cf.erb | 1 +
 4 files changed, 24 insertions(+), 3 deletions(-)
 create mode 100644 puppet/zulip/files/postfix/access
diff --git a/puppet/zulip/files/postfix/access b/puppet/zulip/files/postfix/access
new file mode 100644
index 0000000000..265bcf70ce
--- /dev/null
+++ b/puppet/zulip/files/postfix/access
@@ -0,0 +1,9 @@
+# This is the list of email addresses that are accepted via SMTP;
+# these consist of only the addresses in `virtual`, as well as the
+# RFC822-specified postmaster.
+
+/\+.*@/ OK
+/\..*@/ OK
+/^mm/ OK
+
+/^postmaster@/ OK
diff --git a/puppet/zulip/files/postfix/virtual b/puppet/zulip/files/postfix/virtual
index 86624fae98..96e1a9bfcd 100644
--- a/puppet/zulip/files/postfix/virtual
+++ b/puppet/zulip/files/postfix/virtual
@@ -1,3 +1,6 @@
-/\+.*@/ zulip@localhost
-/\..*@/ zulip@localhost
-/^mm/ zulip@localhost
+# Changes to this list require a corresponding change to `access` as
+# well.
+
+/\+.*@/ zulip@localhost
+/\..*@/ zulip@localhost
+/^mm/ zulip@localhost
diff --git a/puppet/zulip/manifests/postfix_localmail.pp b/puppet/zulip/manifests/postfix_localmail.pp
index 345ab310f2..737a4a4961 100644
--- a/puppet/zulip/manifests/postfix_localmail.pp
+++ b/puppet/zulip/manifests/postfix_localmail.pp
@@ -67,4 +67,12 @@ class zulip::postfix_localmail {
 ],
 }
+ file {'/etc/postfix/access':
+ ensure => file,
+ mode => '0644',
+ owner => root,
+ group => root,
+ source => 'puppet:///modules/zulip/postfix/access',
+ require => Package[postfix],
+ }
 }
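Review bot: The three `OK` patterns in the new `access` table are a hand-maintained copy of the `virtual` patterns, and the header comment does not name the dangerous direction of drift: an address that `access` accepts but `virtual` no longer rewrites is delivered to a real local mailbox, which is exactly the RCPT TO enumeration this commit closes. I would extend the comment with `# Anything accepted here that \`virtual\` does not rewrite to zulip@localhost is delivered to a local account, so the two lists must stay identical.` Separately, `/^mm/` has no `@` anchor, and Postfix also tries the domain part and parent domains as lookup keys for `check_recipient_access`, so it would also match a recipient domain beginning with `mm`; that is only harmless because `reject_unauth_destination` in `smtpd_relay_restrictions` is evaluated first, which is worth a one-line comment so a later restructuring of the restrictions does not silently widen it.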
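Review bot: The new `file {'/etc/postfix/access': ...}` resource has no `notify`, so an updated table is written to disk but running smtpd processes keep the patterns they compiled when they started; `regexp:` tables need no `postmap`, but they are read at process start, so a change is only picked up as smtpd processes are recycled or on the next reload, not deterministically at the Puppet run. The resource that precedes it in this class appears to end with a notify list (only its closing `],` is inside the hunk), so I would match it with a line such as `notify  => Service['postfix'],` after `require`, assuming that is the name under which this class declares the service (the hunk does not show it). The enclosing `class zulip::postfix_localmail` starts outside the hunk.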
diff --git a/puppet/zulip/templates/postfix/main.cf.erb b/puppet/zulip/templates/postfix/main.cf.erb
index e51e021fc5..13eac5e062 100644
--- a/puppet/zulip/templates/postfix/main.cf.erb
+++ b/puppet/zulip/templates/postfix/main.cf.erb
@@ -16,6 +16,7 @@ smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
+smtpd_recipient_restrictions = check_recipient_access regexp:/etc/postfix/access, reject
 myhostname = <%= @fqdn %>
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
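Review bot: The trailing `reject` in the added `smtpd_recipient_restrictions` line is unconditional, so it also applies to clients that `smtpd_relay_restrictions` has just permitted via `permit_mynetworks` or `permit_sasl_authenticated` (Postfix 2.10+ evaluates the relay restrictions first): any outbound message submitted to this smtpd over SMTP rather than through the local sendmail binary is now refused, because a typical external recipient such as `user@example.com` matches none of the `access` patterns. If nothing on the host submits mail that way, a comment above the line saying so would spare the next reader that analysis; otherwise `smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access regexp:/etc/postfix/access, reject` keeps local submission working while still rejecting unknown recipients from unauthenticated outside clients. Note also that the manifest hunk gives the new `file` resource only `require => Package[postfix]`, so nothing orders it before a reload triggered by this template; while `/etc/postfix/access` is missing every recipient lookup is a table error rather than a clean reject.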