diff --git a/bundles/postfix/files/blocked_recipients b/bundles/postfix/files/blocked_recipients
new file mode 100644
index 0000000..736e9d4
--- /dev/null
+++ b/bundles/postfix/files/blocked_recipients
@@ -0,0 +1,3 @@
+% for address in sorted(blocked):
+${address} REJECT
+% endfor
diff --git a/bundles/postfix/files/main.cf b/bundles/postfix/files/main.cf
index bb647fc..cb7f95c 100644
--- a/bundles/postfix/files/main.cf
+++ b/bundles/postfix/files/main.cf
@@ -48,6 +48,8 @@ smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated
 smtpd_helo_required = yes
 smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname
 smtpd_data_restrictions = reject_unauth_pipelining
+smtpd_recipient_restrictions = permit_mynetworks, check_recipient_access hash:/etc/postfix/blocked_recipients
+smtpd_relay_before_recipient_restrictions = yes
 # generated using mozilla ssl generator, using "old" configuration.
 # we need this to support CentOS 7 systems, sadly ...
diff --git a/bundles/postfix/items.py b/bundles/postfix/items.py
index 43f4ae9..d1bf0c2 100644
--- a/bundles/postfix/items.py
+++ b/bundles/postfix/items.py
@@ -39,6 +39,16 @@ files = {
 'action:postfix_newaliases',
 },
 },
+ '/etc/postfix/blocked_recipients': {
+ 'content_type': 'mako',
+ 'context': {
+ 'blocked': node.metadata.get('postfix/blocked_recipients', set()),
+ },
+ 'triggers': {
+ 'action:postfix_postmap_blocked_recipients',
+ 'svc_systemd:postfix:restart',
+ },
+ },
 '/etc/postfix/master.cf': {
 'content_type': 'mako',
 'triggers': {
@@ -74,6 +84,19 @@ actions = {
 'needs': {
 my_package,
 },
+ 'before': {
+ 'svc_systemd:postfix',
+ },
+ },
+ 'postfix_postmap_blocked_recipients': {
+ 'command': 'postmap hash:/etc/postfix/blocked_recipients',
+ 'triggered': True,
+ 'needs': {
+ my_package,
+ },
+ 'before': {
+ 'svc_systemd:postfix',
+ },
 },
 }
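Review bot: Each `${address}` in the new blocked_recipients template is written into the access map exactly as it appears in node metadata, so an entry containing whitespace or a line break would change what postmap reads as the lookup key and the action. Nothing visible here, or where the `'blocked'` context is built in the items.py hunk, validates the values. A check in items.py that rejects any entry which is not a single whitespace-free token would make a malformed entry fail the apply instead of silently altering the table. A template comment such as `## one address or domain per entry, no whitespace` would document the expected format.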
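Review bot: In the added `smtpd_recipient_restrictions` line of main.cf, `permit_mynetworks` is evaluated before `check_recipient_access`, so clients in `mynetworks` are never checked against the block list, while every other client is. If the list is meant to apply to all senders, the lookup should come first: `smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/blocked_recipients, permit_mynetworks`. If the exemption is intended, a comment above the line should say so. Separately, `smtpd_relay_before_recipient_restrictions` was introduced in Postfix 3.6 and the context comment below mentions CentOS 7 hosts; older releases will presumably only warn about the unknown parameter and keep their own evaluation order, which is worth confirming.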
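Review bot: The new `/etc/postfix/blocked_recipients` file item triggers `svc_systemd:postfix:restart` on every change to the block list, which interrupts mail handling for what is only a lookup-table update. Postfix normally picks up a rebuilt `hash:` table once `postmap` has run, so the `action:postfix_postmap_blocked_recipients` trigger alone should be enough, or `svc_systemd:postfix:reload` if an explicit signal is wanted. This should be confirmed on the oldest Postfix version the bundle supports. The `files` dict starts and ends outside this hunk.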
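Review bot: `postfix_postmap_blocked_recipients` is `'triggered': True`, so the `.db` table that main.cf now references is built only when the source file item changes. Nothing visible rebuilds it when the source file is already correct but the `.db` is missing or stale, for example after an interrupted first apply. A missing table would likely make recipient checks fail with temporary errors, so this is an availability risk. One option, if it fits how the bundle is used, is to drop `'triggered': True` and guard the action instead with `'unless': 'test /etc/postfix/blocked_recipients.db -nt /etc/postfix/blocked_recipients',`. The `actions` dict and the preceding action, which also gains `'before'`, start outside this hunk.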