bundles/postfix: add iptables config

2021-03-21 11:11:49 +01:00 · 2021-03-21 11:11:49 +01:00 · 5775001301
commit 5775001301
parent c9f008ad82
3 changed files with 27 additions and 11 deletions
--- a/bundles/postfix/files/main.cf
+++ b/bundles/postfix/files/main.cf
@ -6,7 +6,7 @@ compatibility_level = 2
 myhostname = ${node.metadata.get('postfix/myhostname', node.metadata['hostname'])}
 myorigin = /etc/mailname
 mydestination = $myhostname, localhost
-mynetworks = ${' '.join(sorted(node.metadata.get('postfix/mynetworks')))}
+mynetworks = 127.0.0.0/8 [::1]/128 [::ffff:127.0.0.0]/104 ${' '.join(sorted(node.metadata.get('postfix/mynetworks', set())))}
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_protocols = all
--- a/bundles/postfix/metadata.py
+++ b/bundles/postfix/metadata.py
@ -1,3 +1,5 @@
+from bundlewrap.metadata import atomic
+
 defaults = {
    'apt': {
        'packages': {
@ -16,13 +18,6 @@ defaults = {
            },
        },
    },
-    'postfix': {
-        'mynetworks': {
-            '127.0.0.0/8',
-            '[::ffff:127.0.0.0]/104',
-            '[::1]/128',
-        },
-    },
 }

 if node.has_bundle('postfixadmin'):
@ -72,3 +67,27 @@ def letsencrypt(metadata):
    return {
        'letsencrypt': result,
    }
+
+
+@metadata_reactor.provides(
+    'iptables/port_rules/25',
+    'iptables/port_rules/587',
+)
+def iptables(metadata):
+    if node.has_bundle('postfixadmin'):
+        default = set('*')
+    else:
+        default = metadata.get('postfix/mynetworks', set())
+
+    rules = {
+        '25': atomic(metadata.get('postfix/restrict-to', default)),
+    }
+
+    if node.has_bundle('postfixadmin'):
+        rules['587'] = atomic(metadata.get('postfix/restrict-to', default))
+
+    return {
+        'iptables': {
+            'port_rules': rules,
+        },
+    }
--- a/nodes/home/router.py
+++ b/nodes/home/router.py
@ -91,9 +91,6 @@ nodes['home.router'] = {
                'iptables -t nat -A PREROUTING -p tcp --dport 2022 -j DNAT --to 172.19.138.20:22',
                'iptables -A FORWARD -p tcp -d 172.19.138.20 --dport 22 -j ACCEPT',

-                # Allow mail from internal network
-                'iptables_both -A INPUT -s 172.19.138.0/24 -p tcp --dport 25 -j ACCEPT',
-
                # use MASQUERADE for tun0 (c3voc)
                'iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE',