bundles/postfix: add feature to block email recipients

bundles/postfix/files/blocked_recipients

@@ -0,0 +1,3 @@
+% for address in sorted(blocked):
+${address} REJECT
+% endfor

bundles/postfix/files/main.cf

@@ -48,6 +48,8 @@ smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated
 smtpd_helo_required = yes
 smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname
 smtpd_data_restrictions = reject_unauth_pipelining
+smtpd_recipient_restrictions = permit_mynetworks, check_recipient_access hash:/etc/postfix/blocked_recipients
+smtpd_relay_before_recipient_restrictions = yes
 
 # generated using mozilla ssl generator, using "old" configuration.
 # we need this to support CentOS 7 systems, sadly ...

bundles/postfix/items.py

@@ -39,6 +39,16 @@ files = {
             'action:postfix_newaliases',
         },
     },
+    '/etc/postfix/blocked_recipients': {
+        'content_type': 'mako',
+        'context': {
+            'blocked': node.metadata.get('postfix/blocked_recipients', set()),
+        },
+        'triggers': {
+            'action:postfix_postmap_blocked_recipients',
+            'svc_systemd:postfix:restart',
+        },
+    },
     '/etc/postfix/master.cf': {
         'content_type': 'mako',
         'triggers': {
@@ -74,6 +84,19 @@ actions = {
         'needs': {
             my_package,
         },
+        'before': {
+            'svc_systemd:postfix',
+        },
+    },
+    'postfix_postmap_blocked_recipients': {
+        'command': 'postmap hash:/etc/postfix/blocked_recipients',
+        'triggered': True,
+        'needs': {
+            my_package,
+        },
+        'before': {
+            'svc_systemd:postfix',
+        },
     },
 }