bundles/postfix: add iptables config

bundles/postfix/files/main.cf

@@ -6,7 +6,7 @@ compatibility_level = 2
 myhostname = ${node.metadata.get('postfix/myhostname', node.metadata['hostname'])}
 myorigin = /etc/mailname
 mydestination = $myhostname, localhost
-mynetworks = ${' '.join(sorted(node.metadata.get('postfix/mynetworks')))}
+mynetworks = 127.0.0.0/8 [::1]/128 [::ffff:127.0.0.0]/104 ${' '.join(sorted(node.metadata.get('postfix/mynetworks', set())))}
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_protocols = all

bundles/postfix/metadata.py

@@ -1,3 +1,5 @@
+from bundlewrap.metadata import atomic
+
 defaults = {
     'apt': {
         'packages': {
@@ -16,13 +18,6 @@ defaults = {
             },
         },
     },
-    'postfix': {
-        'mynetworks': {
-            '127.0.0.0/8',
-            '[::ffff:127.0.0.0]/104',
-            '[::1]/128',
-        },
-    },
 }
 
 if node.has_bundle('postfixadmin'):
@@ -72,3 +67,27 @@ def letsencrypt(metadata):
     return {
         'letsencrypt': result,
     }
+
+
+@metadata_reactor.provides(
+    'iptables/port_rules/25',
+    'iptables/port_rules/587',
+)
+def iptables(metadata):
+    if node.has_bundle('postfixadmin'):
+        default = set('*')
+    else:
+        default = metadata.get('postfix/mynetworks', set())
+
+    rules = {
+        '25': atomic(metadata.get('postfix/restrict-to', default)),
+    }
+
+    if node.has_bundle('postfixadmin'):
+        rules['587'] = atomic(metadata.get('postfix/restrict-to', default))
+
+    return {
+        'iptables': {
+            'port_rules': rules,
+        },
+    }