bundles/postfix: add feature to block email recipients

2024-01-21 11:43:43 +01:00 · 2024-01-21 11:43:43 +01:00 · ee58509e93
commit ee58509e93
parent 57c76e5eba
3 changed files with 28 additions and 0 deletions
--- a/bundles/postfix/files/blocked_recipients
+++ b/bundles/postfix/files/blocked_recipients
@ -0,0 +1,3 @@
+% for address in sorted(blocked):
+${address} REJECT
+% endfor
--- a/bundles/postfix/files/main.cf
+++ b/bundles/postfix/files/main.cf
@ -48,6 +48,8 @@ smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated
 smtpd_helo_required = yes
 smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname
 smtpd_data_restrictions = reject_unauth_pipelining
+smtpd_recipient_restrictions = permit_mynetworks, check_recipient_access hash:/etc/postfix/blocked_recipients
+smtpd_relay_before_recipient_restrictions = yes

 # generated using mozilla ssl generator, using "old" configuration.
 # we need this to support CentOS 7 systems, sadly ...
--- a/bundles/postfix/items.py
+++ b/bundles/postfix/items.py
@ -39,6 +39,16 @@ files = {
            'action:postfix_newaliases',
        },
    },
+    '/etc/postfix/blocked_recipients': {
+        'content_type': 'mako',
+        'context': {
+            'blocked': node.metadata.get('postfix/blocked_recipients', set()),
+        },
+        'triggers': {
+            'action:postfix_postmap_blocked_recipients',
+            'svc_systemd:postfix:restart',
+        },
+    },
    '/etc/postfix/master.cf': {
        'content_type': 'mako',
        'triggers': {
@ -74,6 +84,19 @@ actions = {
        'needs': {
            my_package,
        },
+        'before': {
+            'svc_systemd:postfix',
+        },
+    },
+    'postfix_postmap_blocked_recipients': {
+        'command': 'postmap hash:/etc/postfix/blocked_recipients',
+        'triggered': True,
+        'needs': {
+            my_package,
+        },
+        'before': {
+            'svc_systemd:postfix',
+        },
    },
 }