From 72fbddab131af72c2b2c4eec7beb548b777de879 Mon Sep 17 00:00:00 2001
From: Jesse Norell <jesse@kci.net>
Date: Fri, 15 Jan 2021 16:32:21 -0700
Subject: [PATCH] postfix server plugin: reject_unlisted_senders in
 smtpd_sender_restrictions

---
 server/plugins-available/postfix_server_plugin.inc.php | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/server/plugins-available/postfix_server_plugin.inc.php b/server/plugins-available/postfix_server_plugin.inc.php
index b3e453be55..1818373637 100644
--- a/server/plugins-available/postfix_server_plugin.inc.php
+++ b/server/plugins-available/postfix_server_plugin.inc.php
@@ -161,9 +161,10 @@ class postfix_server_plugin {
 			if ($mail_config['reject_sender_login_mismatch'] == 'y') {
 				array_splice($new_options, 0, 0, array('reject_authenticated_sender_login_mismatch'));
 
+				// insert before permit_sasl_authenticated
 				for ($i = 0; isset($new_options[$i]); $i++) {
-					if ($new_options[$i] == 'permit_mynetworks') {
-						array_splice($new_options, $i+1, 0, array('reject_sender_login_mismatch'));
+					if ($new_options[$i] == 'permit_sasl_authenticated') {
+						array_splice($new_options, $i, 0, array('reject_sender_login_mismatch'));
 						break;
 					}
 				}
@@ -358,7 +359,8 @@ class postfix_server_plugin {
 				exec("postconf -e 'milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}'");
 				exec("postconf -e 'milter_default_action = accept'");
 
-				exec("postconf -e 'smtpd_sender_restrictions = ${raslm} permit_mynetworks, ${rslm} permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf'");
+				exec("postconf -e 'smtpd_sender_restrictions = ${raslm} permit_mynetworks, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf, ${rslm} permit_sasl_authenticated, reject_non_fqdn_sender, reject_unlisted_sender'");
+
 
 				$new_options = array();
 				$options = preg_split("/,\s*/", exec("postconf -h smtpd_recipient_restrictions"));
@@ -397,7 +399,7 @@ class postfix_server_plugin {
 				exec("postconf -e 'content_filter = " . ($configure_lmtp ? "lmtp" : "amavis" ) . ":[127.0.0.1]:10024'");
 
 				// fixme: should read this from conf templates
-				exec("postconf -e 'smtpd_sender_restrictions = ${raslm} check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, ${rslm} permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:/etc/postfix/tag_as_foreign.re, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf'");
+				exec("postconf -e 'smtpd_sender_restrictions = ${raslm} check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf, ${rslm} permit_sasl_authenticated, reject_non_fqdn_sender, reject_unlisted_sender, check_sender_access regexp:/etc/postfix/tag_as_foreign.re'");
 			}
 		}
 
-- 
GitLab