From ab8466efab85b97c26a8a7a6076f1de2688aa40e Mon Sep 17 00:00:00 2001
From: Jesse Norell
Date: Tue, 9 Feb 2016 12:11:16 -0700
Subject: [PATCH 01/19] reject non-fqdn sender addresses
---
 install/tpl/gentoo_postfix.conf.master | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/tpl/gentoo_postfix.conf.master b/install/tpl/gentoo_postfix.conf.master
index 52b48f9274..b5ef8d1ac2 100644
--- a/install/tpl/gentoo_postfix.conf.master
+++ b/install/tpl/gentoo_postfix.conf.master
@@ -21,7 +21,7 @@ relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
 smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
 proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $smtpd_recipient_restrictions
 smtpd_helo_required = yes
-smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo
+smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, reject_non_fqdn_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo
 smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf, check_sender_access regexp:{config_dir}/tag_as_foreign.re
 smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
 smtpd_client_message_rate_limit = 100
-- GitLab
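Review bot: The new `smtpd_helo_restrictions` line replaces `reject_non_fqdn_helo_hostname` with `reject_non_fqdn_hostname`, the pre-2.3 Postfix spelling of the same HELO check, and it adds no sender check even though the subject reads "reject non-fqdn sender addresses". If rejecting non-FQDN envelope senders was the goal, that is `reject_non_fqdn_sender` in `smtpd_sender_restrictions`; the HELO rule is better left as `reject_non_fqdn_helo_hostname` so the gentoo template stays in line with the other distribution templates on this page. The added `reject_unknown_helo_hostname` turns away unauthenticated outside clients whose HELO name has no DNS record, which will also hit some misconfigured but legitimate senders, so the commit message should say that this is intended.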
From a71e8fdc4f3c1a52a5a0ac704a4286dc4ebfc253 Mon Sep 17 00:00:00 2001
From: Jesse Norell
Date: Tue, 9 Feb 2016 16:32:52 -0700
Subject: [PATCH 02/19] add smtpd_data_restrictions
---
 install/tpl/debian_postfix.conf.master | 1 +
 install/tpl/fedora_postfix.conf.master | 1 +
 install/tpl/gentoo_postfix.conf.master | 1 +
 install/tpl/opensuse_postfix.conf.master | 1 +
 4 files changed, 4 insertions(+)
diff --git a/install/tpl/debian_postfix.conf.master b/install/tpl/debian_postfix.conf.master
index 8e3fa50f22..9a623c264e 100644
--- a/install/tpl/debian_postfix.conf.master
+++ b/install/tpl/debian_postfix.conf.master
@@ -29,6 +29,7 @@ smtpd_helo_required = yes
 smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo
 smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf, check_sender_access regexp:{config_dir}/tag_as_foreign.re
 smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
+smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
 smtpd_client_message_rate_limit = 100
 maildrop_destination_concurrency_limit = 1
 maildrop_destination_recipient_limit = 1
diff --git a/install/tpl/fedora_postfix.conf.master b/install/tpl/fedora_postfix.conf.master
index ffe831286c..0260327579 100644
--- a/install/tpl/fedora_postfix.conf.master
+++ b/install/tpl/fedora_postfix.conf.master
@@ -25,6 +25,7 @@ smtpd_helo_required = yes
 smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo
 smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf, check_sender_access regexp:{config_dir}/tag_as_foreign.re
 smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
+smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
 smtpd_client_message_rate_limit = 100
 maildrop_destination_concurrency_limit = 1
 maildrop_destination_recipient_limit = 1
diff --git a/install/tpl/gentoo_postfix.conf.master b/install/tpl/gentoo_postfix.conf.master
index b5ef8d1ac2..a589bb0dac 100644
--- a/install/tpl/gentoo_postfix.conf.master
+++ b/install/tpl/gentoo_postfix.conf.master
@@ -24,6 +24,7 @@ smtpd_helo_required = yes
 smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, reject_non_fqdn_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo
 smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf, check_sender_access regexp:{config_dir}/tag_as_foreign.re
 smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
+smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
 smtpd_client_message_rate_limit = 100
 maildrop_destination_concurrency_limit = 1
 maildrop_destination_recipient_limit = 1
diff --git a/install/tpl/opensuse_postfix.conf.master b/install/tpl/opensuse_postfix.conf.master
index 545dcb1080..4eea85154a 100644
--- a/install/tpl/opensuse_postfix.conf.master
+++ b/install/tpl/opensuse_postfix.conf.master
@@ -27,6 +27,7 @@ smtpd_helo_required = yes
 smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo
 smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf, check_sender_access regexp:{config_dir}/tag_as_foreign.re
 smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
+smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
 smtpd_client_message_rate_limit = 100
 maildrop_destination_concurrency_limit = 1
 maildrop_destination_recipient_limit = 1
-- GitLab
From 001d9fc63a6897393bf39c0c6a894d16ceb21279 Mon Sep 17 00:00:00 2001
From: Jesse Norell
Date: Tue, 9 Feb 2016 16:49:50 -0700
Subject: [PATCH 03/19] add smtpd_etrn_restrictions
---
 install/tpl/debian_postfix.conf.master | 1 +
 install/tpl/fedora_postfix.conf.master | 1 +
 install/tpl/gentoo_postfix.conf.master | 1 +
 install/tpl/opensuse_postfix.conf.master | 1 +
 4 files changed, 4 insertions(+)
diff --git a/install/tpl/debian_postfix.conf.master b/install/tpl/debian_postfix.conf.master
index 9a623c264e..8a1b0fc4fc 100644
--- a/install/tpl/debian_postfix.conf.master
+++ b/install/tpl/debian_postfix.conf.master
@@ -29,6 +29,7 @@ smtpd_helo_required = yes
 smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo
 smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf, check_sender_access regexp:{config_dir}/tag_as_foreign.re
 smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
+smtpd_etrn_restrictions = permit_mynetworks, reject
 smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
 smtpd_client_message_rate_limit = 100
 maildrop_destination_concurrency_limit = 1
diff --git a/install/tpl/fedora_postfix.conf.master b/install/tpl/fedora_postfix.conf.master
index 0260327579..b3e79478d2 100644
--- a/install/tpl/fedora_postfix.conf.master
+++ b/install/tpl/fedora_postfix.conf.master
@@ -25,6 +25,7 @@ smtpd_helo_required = yes
 smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo
 smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf, check_sender_access regexp:{config_dir}/tag_as_foreign.re
 smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
+smtpd_etrn_restrictions = permit_mynetworks, reject
 smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
 smtpd_client_message_rate_limit = 100
 maildrop_destination_concurrency_limit = 1
diff --git a/install/tpl/gentoo_postfix.conf.master b/install/tpl/gentoo_postfix.conf.master
index a589bb0dac..0dde56c4a1 100644
--- a/install/tpl/gentoo_postfix.conf.master
+++ b/install/tpl/gentoo_postfix.conf.master
@@ -24,6 +24,7 @@ smtpd_helo_required = yes
 smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, reject_non_fqdn_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo
 smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf, check_sender_access regexp:{config_dir}/tag_as_foreign.re
 smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
+smtpd_etrn_restrictions = permit_mynetworks, reject
 smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
 smtpd_client_message_rate_limit = 100
 maildrop_destination_concurrency_limit = 1
diff --git a/install/tpl/opensuse_postfix.conf.master b/install/tpl/opensuse_postfix.conf.master
index 4eea85154a..08ed58d861 100644
--- a/install/tpl/opensuse_postfix.conf.master
+++ b/install/tpl/opensuse_postfix.conf.master
@@ -27,6 +27,7 @@ smtpd_helo_required = yes smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf, check_sender_access regexp:{config_dir}/tag_as_foreign.re smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf +smtpd_etrn_restrictions = permit_mynetworks, reject smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit smtpd_client_message_rate_limit = 100 maildrop_destination_concurrency_limit = 1 -- GitLab From 16a2fa67b7f7c37f9869420d334af614cb065e4e Mon Sep 17 00:00:00 2001 From: Jesse Norell Date: Wed, 10 Feb 2016 17:23:10 -0700 Subject: [PATCH 04/19] add postfix version check, smtpd_relay_restrictions and stress adaptive behavior add postfix version check add stress adaptive behavior (syntax changes with postfix version 3.0) add smtpd_relay_restrictions (postfix version 2.10) --- install/lib/installer_base.lib.php | 25 +++++++++++++++++++++++++ install/tpl/postfix_2-10.conf.master | 5 +++++ install/tpl/postfix_2-5.conf.master | 11 +++++++++++ install/tpl/postfix_3-0.conf.master | 11 +++++++++++ 4 files changed, 52 insertions(+) create mode 100644 install/tpl/postfix_2-10.conf.master create mode 100644 install/tpl/postfix_2-5.conf.master create mode 100644 install/tpl/postfix_3-0.conf.master diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 6a4d771e16..e95c3e3e9c 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php 
@@ -967,6 +967,11 @@ class installer_base { $this->error("The postfix configuration directory '$config_dir' does not exist."); } + //* Get postfix version + exec('postfix -d mail_version 2>&1', $out); + $postfix_version = preg_replace('/.*=\s*/', '', $out[0]); + unset($out); + //* mysql-virtual_domains.cf $this->process_postfix_config('mysql-virtual_domains.cf'); @@ -1093,6 +1098,26 @@ class installer_base { $postconf_tpl = strtr($postconf_tpl, $postconf_placeholders); $postconf_commands = array_filter(explode("\n", $postconf_tpl)); // read and remove empty lines + //* Merge version-specific postfix config + if(version_compare($postfix_version , '2.5', '>=')) { + $configfile = 'postfix_2-5.conf'; + $content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master'); + $content = strtr($content, $postconf_placeholders); + $postconf_commands = array_merge($postconf_commands, array_filter(explode("\n", $content))); + } + if(version_compare($postfix_version , '2.10', '>=')) { + $configfile = 'postfix_2-10.conf'; + $content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master'); + $content = strtr($content, $postconf_placeholders); + $postconf_commands = array_merge($postconf_commands, array_filter(explode("\n", $content))); + } + if(version_compare($postfix_version , '3.0', '>=')) { + $configfile = 'postfix_3-0.conf'; + $content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master'); + $content = strtr($content, $postconf_placeholders); + $postconf_commands = array_merge($postconf_commands, array_filter(explode("\n", $content))); + } + //* These postconf commands will be executed on installation only if($this->is_update == false) { $postconf_commands = array_merge($postconf_commands, array( 
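Review bot: The version probe in the first hunk reads `$out[0]` without checking that `exec()` succeeded or produced any output, and because stderr is folded in with `2>&1` an error message is parsed as if it were the version string. `version_compare()` will then most likely evaluate false for every threshold, so the version-specific templates (including `smtpd_relay_restrictions`) are silently skipped and a failed probe is indistinguishable from an old Postfix. Pass a third argument to `exec()` for the exit status and warn before falling back, e.g. `if($rc !== 0 || empty($out[0])) { /* log and skip version-specific config */ }`. The enclosing method starts and ends outside the hunk.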
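Review bot: The three merge blocks in the second hunk keep every non-empty template line, and the `postfix_*.conf.master` templates added by this patch contain `#` comment lines, so those comments are appended to `$postconf_commands`. The loop that executes the commands lies outside the hunk; unless it already skips lines starting with `#`, each comment would be handed to postconf as though it were a setting. The blocks also differ only in the version and file name, so a table-driven loop that drops comment lines is shorter and cannot drift out of sync.

```php
//* Merge version-specific postfix config
$versioned_templates = array(
	'2.5'  => 'postfix_2-5.conf',
	'2.10' => 'postfix_2-10.conf',
	'3.0'  => 'postfix_3-0.conf',
);
foreach($versioned_templates as $min_version => $configfile) {
	if(!version_compare($postfix_version, $min_version, '>=')) continue;
	$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master');
	$content = strtr($content, $postconf_placeholders);
	foreach(explode("\n", $content) as $line) {
		$line = trim($line);
		// only "name = value" entries may reach postconf; drop blanks and '#' comments
		if($line === '' || $line[0] === '#') continue;
		$postconf_commands[] = $line;
	}
}
// … unchanged: install-only postconf commands …
```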
diff --git a/install/tpl/postfix_2-10.conf.master b/install/tpl/postfix_2-10.conf.master new file mode 100644 index 0000000000..d77f37e0a0 --- /dev/null +++ b/install/tpl/postfix_2-10.conf.master @@ -0,0 +1,5 @@ +# Postfix configuration for version 2.10 and up +smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination + +# This is supported in version 2.9, but lets not create another conf file for it +address_verify_sender_ttl = 15686s diff --git a/install/tpl/postfix_2-5.conf.master b/install/tpl/postfix_2-5.conf.master new file mode 100644 index 0000000000..398dc6393c --- /dev/null +++ b/install/tpl/postfix_2-5.conf.master @@ -0,0 +1,11 @@ +# Postfix configuration for version 2.5 and up +in_flow_delay = ${stress?3}${stress:1}s +smtp_connect_timeout = ${stress?10}${stress:30}s +smtp_helo_timeout = ${stress?10}${stress:60}s +smtp_mail_timeout = ${stress?10}${stress:60}s +smtpd_error_sleep_time = ${stress?1}${stress:2}s +smtpd_hard_error_limit = ${stress?1}${stress:10} +smtpd_recipient_overshoot_limit = ${stress?60}${stress:600} +smtpd_soft_error_limit = ${stress?2}${stress:5} +smtpd_timeout = ${stress?10}${stress:60}s + diff --git a/install/tpl/postfix_3-0.conf.master b/install/tpl/postfix_3-0.conf.master new file mode 100644 index 0000000000..a185eb6dad --- /dev/null +++ b/install/tpl/postfix_3-0.conf.master @@ -0,0 +1,11 @@ +# Postfix configuration for version 3.0 and up +in_flow_delay = ${stress?{3}:{1}}s +smtp_connect_timeout = ${stress?{10}:{30}}s +smtp_helo_timeout = ${stress?{10}:{60}}s +smtp_mail_timeout = ${stress?{10}:{60}}s +smtpd_error_sleep_time = ${stress?{1}:{2}}s +smtpd_hard_error_limit = ${stress?{1}:{10}} +smtpd_recipient_overshoot_limit = ${stress?{60}:{600}} +smtpd_soft_error_limit = ${stress?{2}:{5}} +smtpd_timeout = ${stress?{10}:{60}}s + -- GitLab From 72d53293935112766d369ae791cc4ace5abe9c4e Mon Sep 17 00:00:00 2001 
From: Jesse Norell Date: Wed, 10 Feb 2016 17:45:03 -0700 Subject: [PATCH 05/19] fix postfix command typo --- install/lib/installer_base.lib.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index e95c3e3e9c..ab49b6753e 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php @@ -968,7 +968,7 @@ class installer_base { } //* Get postfix version - exec('postfix -d mail_version 2>&1', $out); + exec('postconf -d mail_version 2>&1', $out); $postfix_version = preg_replace('/.*=\s*/', '', $out[0]); unset($out); -- GitLab From 2d9413d5d3c89ab92019dc86f3ef351eb6598955 Mon Sep 17 00:00:00 2001 From: Jesse Norell Date: Thu, 24 Mar 2016 17:35:30 -0600 Subject: [PATCH 06/19] put changes to smtpd_*_restrictions after mynetworks --- install/tpl/debian_postfix.conf.master | 6 +++--- install/tpl/fedora_postfix.conf.master | 6 +++--- install/tpl/gentoo_postfix.conf.master | 6 +++--- install/tpl/opensuse_postfix.conf.master | 6 +++--- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/install/tpl/debian_postfix.conf.master b/install/tpl/debian_postfix.conf.master index 8a1b0fc4fc..7bfafca723 100644 --- a/install/tpl/debian_postfix.conf.master +++ b/install/tpl/debian_postfix.conf.master 
@@ -26,11 +26,11 @@ relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $smtpd_recipient_restrictions smtpd_helo_required = yes -smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo -smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf, check_sender_access regexp:{config_dir}/tag_as_foreign.re +smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, reject_unknown_helo_hostname, permit +smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf smtpd_etrn_restrictions = permit_mynetworks, reject -smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit +smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, 
reject_multi_recipient_bounce, permit smtpd_client_message_rate_limit = 100 maildrop_destination_concurrency_limit = 1 maildrop_destination_recipient_limit = 1 diff --git a/install/tpl/fedora_postfix.conf.master b/install/tpl/fedora_postfix.conf.master index b3e79478d2..6b2b5bb5e1 100644 --- a/install/tpl/fedora_postfix.conf.master +++ b/install/tpl/fedora_postfix.conf.master 
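Review bot: In the new `smtpd_helo_restrictions`, `reject_invalid_helo_hostname` is placed before `permit_mynetworks` and `permit_sasl_authenticated` now follows the `helo_access` lookup, so local and authenticated clients are no longer exempt from the HELO syntax check, which contradicts the subject "put changes to smtpd_*_restrictions after mynetworks". Mail clients and devices that announce a malformed HELO name would be refused even after a successful login on any listener that inherits this setting; if that is intended it should be stated in the commit message, otherwise keep `permit_mynetworks, permit_sasl_authenticated` ahead of the reject rules. The trailing `permit` appears redundant, since a restriction list that reaches its end without a match does not reject. The same lines are changed identically in the fedora, gentoo and opensuse hunks of this patch.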
@@ -22,11 +22,11 @@ relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $smtpd_recipient_restrictions smtpd_helo_required = yes -smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo -smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf, check_sender_access regexp:{config_dir}/tag_as_foreign.re +smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, reject_unknown_helo_hostname, permit +smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf smtpd_etrn_restrictions = permit_mynetworks, reject -smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit +smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, 
reject_multi_recipient_bounce, permit smtpd_client_message_rate_limit = 100 maildrop_destination_concurrency_limit = 1 maildrop_destination_recipient_limit = 1 diff --git a/install/tpl/gentoo_postfix.conf.master b/install/tpl/gentoo_postfix.conf.master index 0dde56c4a1..2119f1a395 100644 --- a/install/tpl/gentoo_postfix.conf.master +++ b/install/tpl/gentoo_postfix.conf.master 
@@ -21,11 +21,11 @@ relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $smtpd_recipient_restrictions smtpd_helo_required = yes -smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, reject_non_fqdn_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo -smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf, check_sender_access regexp:{config_dir}/tag_as_foreign.re +smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, reject_unknown_helo_hostname, permit +smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf smtpd_etrn_restrictions = permit_mynetworks, reject -smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit +smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, 
reject_multi_recipient_bounce, permit smtpd_client_message_rate_limit = 100 maildrop_destination_concurrency_limit = 1 maildrop_destination_recipient_limit = 1 diff --git a/install/tpl/opensuse_postfix.conf.master b/install/tpl/opensuse_postfix.conf.master index 08ed58d861..6891969d8c 100644 --- a/install/tpl/opensuse_postfix.conf.master +++ b/install/tpl/opensuse_postfix.conf.master 
@@ -24,11 +24,11 @@ relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $smtpd_recipient_restrictions smtpd_helo_required = yes -smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo -smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf, check_sender_access regexp:{config_dir}/tag_as_foreign.re +smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, reject_unknown_helo_hostname, permit +smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf smtpd_etrn_restrictions = permit_mynetworks, reject -smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit +smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, 
reject_multi_recipient_bounce, permit smtpd_client_message_rate_limit = 100 maildrop_destination_concurrency_limit = 1 maildrop_destination_recipient_limit = 1 -- GitLab From 142db5f29849a95220f79bc19b97e82aa0b2db73 Mon Sep 17 00:00:00 2001 From: Jesse Norell Date: Thu, 24 Mar 2016 17:41:29 -0600 Subject: [PATCH 07/19] comment stress adaptive changes as examples --- install/tpl/postfix_2-5.conf.master | 20 +++++++++++--------- install/tpl/postfix_3-0.conf.master | 20 +++++++++++--------- 2 files changed, 22 insertions(+), 18 deletions(-) diff --git a/install/tpl/postfix_2-5.conf.master b/install/tpl/postfix_2-5.conf.master index 398dc6393c..f58ba0bf9b 100644 --- a/install/tpl/postfix_2-5.conf.master +++ b/install/tpl/postfix_2-5.conf.master @@ -1,11 +1,13 @@ # Postfix configuration for version 2.5 and up -in_flow_delay = ${stress?3}${stress:1}s -smtp_connect_timeout = ${stress?10}${stress:30}s -smtp_helo_timeout = ${stress?10}${stress:60}s -smtp_mail_timeout = ${stress?10}${stress:60}s -smtpd_error_sleep_time = ${stress?1}${stress:2}s -smtpd_hard_error_limit = ${stress?1}${stress:10} -smtpd_recipient_overshoot_limit = ${stress?60}${stress:600} -smtpd_soft_error_limit = ${stress?2}${stress:5} -smtpd_timeout = ${stress?10}${stress:60}s + +# These will make postfix adapt more to load spikes +#in_flow_delay = ${stress?3}${stress:1}s +#smtp_connect_timeout = ${stress?10}${stress:30}s +#smtp_helo_timeout = ${stress?10}${stress:60}s +#smtp_mail_timeout = ${stress?10}${stress:60}s +#smtpd_error_sleep_time = ${stress?1}${stress:2}s +#smtpd_hard_error_limit = ${stress?1}${stress:10} +#smtpd_recipient_overshoot_limit = ${stress?60}${stress:600} +#smtpd_soft_error_limit = ${stress?2}${stress:5} +#smtpd_timeout = ${stress?10}${stress:60}s diff --git a/install/tpl/postfix_3-0.conf.master b/install/tpl/postfix_3-0.conf.master index a185eb6dad..e1ce3913c4 100644 --- a/install/tpl/postfix_3-0.conf.master +++ b/install/tpl/postfix_3-0.conf.master 
@@ -1,11 +1,13 @@ # Postfix configuration for version 3.0 and up -in_flow_delay = ${stress?{3}:{1}}s -smtp_connect_timeout = ${stress?{10}:{30}}s -smtp_helo_timeout = ${stress?{10}:{60}}s -smtp_mail_timeout = ${stress?{10}:{60}}s -smtpd_error_sleep_time = ${stress?{1}:{2}}s -smtpd_hard_error_limit = ${stress?{1}:{10}} -smtpd_recipient_overshoot_limit = ${stress?{60}:{600}} -smtpd_soft_error_limit = ${stress?{2}:{5}} -smtpd_timeout = ${stress?{10}:{60}}s + +# These will make postfix adapt more to load spikes +# in_flow_delay = ${stress?{3}:{1}}s +# smtp_connect_timeout = ${stress?{10}:{30}}s +# smtp_helo_timeout = ${stress?{10}:{60}}s +# smtp_mail_timeout = ${stress?{10}:{60}}s +# smtpd_error_sleep_time = ${stress?{1}:{2}}s +# smtpd_hard_error_limit = ${stress?{1}:{10}} +# smtpd_recipient_overshoot_limit = ${stress?{60}:{600}} +# smtpd_soft_error_limit = ${stress?{2}:{5}} +# smtpd_timeout = ${stress?{10}:{60}}s -- GitLab From 2135d143ca02112ed6677b498e5ba150a06824ef Mon Sep 17 00:00:00 2001 From: Jesse Norell Date: Tue, 28 Apr 2020 12:49:19 -0600 Subject: [PATCH 08/19] postfix_server_plugin.inc.php should set reject_sender_login_mismatch --- server/plugins-available/postfix_server_plugin.inc.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/server/plugins-available/postfix_server_plugin.inc.php b/server/plugins-available/postfix_server_plugin.inc.php index 5a0b222a24..46369d2ed1 100644 --- a/server/plugins-available/postfix_server_plugin.inc.php +++ b/server/plugins-available/postfix_server_plugin.inc.php 
@@ -220,6 +220,8 @@ class postfix_server_plugin { exec("postconf -e 'smtpd_recipient_restrictions = ".implode(", ", $new_options)."'"); if($mail_config['content_filter'] != $old_ini_data['mail']['content_filter']) { + $rslm= ($mail_config['reject_sender_login_mismatch']) ? ", reject_sender_login_mismatch" : ""; + if($mail_config['content_filter'] == 'rspamd'){ exec("postconf -X 'receive_override_options'"); exec("postconf -X 'content_filter'"); @@ -230,7 +232,7 @@ class postfix_server_plugin { exec("postconf -e 'milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}'"); exec("postconf -e 'milter_default_action = accept'"); - exec("postconf -e 'smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, permit_mynetworks, permit_sasl_authenticated'"); + exec("postconf -e 'smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf ${rslm}, permit_mynetworks, permit_sasl_authenticated'"); $new_options = array(); $options = preg_split("/,\s*/", exec("postconf -h smtpd_recipient_restrictions")); -- GitLab From cde635c13a28dc81806e0348181766a80c13802e Mon Sep 17 00:00:00 2001 From: Jesse Norell Date: Tue, 28 Apr 2020 14:15:40 -0600 Subject: [PATCH 09/19] reject_sender_login_mismatch (not reject_authenticated_sender_login_mismatch) --- install/dist/lib/fedora.lib.php | 2 +- install/dist/lib/gentoo.lib.php | 2 +- install/dist/lib/opensuse.lib.php | 2 +- install/lib/installer_base.lib.php | 2 +- server/plugins-available/postfix_server_plugin.inc.php | 4 ++-- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/install/dist/lib/fedora.lib.php b/install/dist/lib/fedora.lib.php index c188ac93a5..27962691f5 100644 --- a/install/dist/lib/fedora.lib.php +++ b/install/dist/lib/fedora.lib.php 
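Review bot: `$rslm` in the first hunk is set from the truthiness of `$mail_config['reject_sender_login_mismatch']`, while the installer code elsewhere on this page tests the same setting with `== 'y'`, which suggests it holds 'y' or 'n'; the string 'n' is truthy in PHP, so the restriction would be written even when the option is switched off. Compare explicitly: `$rslm = ($mail_config['reject_sender_login_mismatch'] == 'y') ? ', reject_sender_login_mismatch' : '';`. In the second hunk ` ${rslm},` leaves a stray space before the comma and uses the `${var}` interpolation form that newer PHP versions deprecate; writing `{$rslm}` directly after `.cf` avoids both. Both hunks sit inside a method whose start and end are outside the diff.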
@@ -154,7 +154,7 @@ class installer_dist extends installer_base { $reject_sender_login_mismatch = ''; if(isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) { - $reject_sender_login_mismatch = ', reject_authenticated_sender_login_mismatch'; + $reject_sender_login_mismatch = ', reject_sender_login_mismatch'; } unset($server_ini_array); diff --git a/install/dist/lib/gentoo.lib.php b/install/dist/lib/gentoo.lib.php index 324fe06e9a..0e8238d57e 100644 --- a/install/dist/lib/gentoo.lib.php +++ b/install/dist/lib/gentoo.lib.php @@ -103,7 +103,7 @@ class installer extends installer_base $reject_sender_login_mismatch = ''; if(isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) { - $reject_sender_login_mismatch = ', reject_authenticated_sender_login_mismatch'; + $reject_sender_login_mismatch = ', reject_sender_login_mismatch'; } unset($server_ini_array); diff --git a/install/dist/lib/opensuse.lib.php b/install/dist/lib/opensuse.lib.php index da31ad6b57..21be53d975 100644 --- a/install/dist/lib/opensuse.lib.php +++ b/install/dist/lib/opensuse.lib.php @@ -165,7 +165,7 @@ class installer_dist extends installer_base { $reject_sender_login_mismatch = ''; if(isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) { - $reject_sender_login_mismatch = ', reject_authenticated_sender_login_mismatch'; + $reject_sender_login_mismatch = ', reject_sender_login_mismatch'; } unset($server_ini_array); diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index ab49b6753e..c7c63e1dab 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php 
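Review bot: Replacing `reject_authenticated_sender_login_mismatch` with `reject_sender_login_mismatch` widens what is rejected, and neither the code nor the commit subject records that. Per the Postfix documentation the new restriction also refuses clients that are not SASL-authenticated when `smtpd_sender_login_maps` lists an owner for the MAIL FROM address. In the gentoo template shown earlier in this series `{reject_slm}` sits before `permit_mynetworks`, so unauthenticated senders inside mynetworks that use a mapped address (a local web application, for example) would presumably be refused after an update. A comment above the assignment such as `// also rejects unauthenticated clients using an address owned in smtpd_sender_login_maps` would make that visible. The same applies to the gentoo.lib.php, opensuse.lib.php and installer_base.lib.php hunks of this commit.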
@@ -1078,7 +1078,7 @@ class installer_base { $reject_sender_login_mismatch = ''; if(isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) { - $reject_sender_login_mismatch = ', reject_authenticated_sender_login_mismatch'; + $reject_sender_login_mismatch = ', reject_sender_login_mismatch'; } unset($server_ini_array); diff --git a/server/plugins-available/postfix_server_plugin.inc.php b/server/plugins-available/postfix_server_plugin.inc.php index 46369d2ed1..4795226d35 100644 --- a/server/plugins-available/postfix_server_plugin.inc.php +++ b/server/plugins-available/postfix_server_plugin.inc.php @@ -146,7 +146,7 @@ class postfix_server_plugin { $options = preg_split("/,\s*/", exec("postconf -h smtpd_sender_restrictions")); $new_options = array(); foreach ($options as $key => $value) { - if (!preg_match('/reject_authenticated_sender_login_mismatch/', $value)) { + if (!preg_match('/reject_(authenticated_)?sender_login_mismatch/', $value)) { $new_options[] = $value; } } @@ -155,7 +155,7 @@ class postfix_server_plugin { reset($new_options); $i = 0; // insert after check_sender_access but before permit_... while (isset($new_options[$i]) && substr($new_options[$i], 0, 19) == 'check_sender_access') ++$i; - array_splice($new_options, $i, 0, array('reject_authenticated_sender_login_mismatch')); + array_splice($new_options, $i, 0, array('reject_sender_login_mismatch')); } $app->system->exec_safe("postconf -e ?", 'smtpd_sender_restrictions = '.implode(", ", $new_options)); exec('postfix reload'); -- GitLab From df75da91e28610160a40a330506a867facd62e38 Mon Sep 17 00:00:00 2001 From: Jesse Norell Date: Mon, 8 Jun 2020 12:57:01 -0600 Subject: [PATCH 10/19] keep quota related settings grouped together --- interface/web/admin/form/server_config.tform.php | 12 ++++++------ .../web/admin/templates/server_config_mail_edit.htm | 8 ++++---- 2 files changed, 10 insertions(+), 10 deletions(-) 
diff --git a/interface/web/admin/form/server_config.tform.php b/interface/web/admin/form/server_config.tform.php index 680a52c574..9ae7745656 100644 --- a/interface/web/admin/form/server_config.tform.php +++ b/interface/web/admin/form/server_config.tform.php @@ -654,12 +654,6 @@ $form["tabs"]['mail'] = array( 'width' => '10', 'maxlength' => '15' ), - 'mailbox_quota_stats' => array ( - 'datatype' => 'VARCHAR', - 'formtype' => 'CHECKBOX', - 'default' => 'y', - 'value' => array(0 => 'n', 1 => 'y') - ), 'realtime_blackhole_list' => array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', @@ -672,6 +666,12 @@ $form["tabs"]['mail'] = array( 'width' => '40', 'maxlength' => '255' ), + 'mailbox_quota_stats' => array ( + 'datatype' => 'VARCHAR', + 'formtype' => 'CHECKBOX', + 'default' => 'y', + 'value' => array(0 => 'n', 1 => 'y') + ), 'overquota_notify_admin' => array( 'datatype' => 'VARCHAR', 'formtype' => 'CHECKBOX', diff --git a/interface/web/admin/templates/server_config_mail_edit.htm b/interface/web/admin/templates/server_config_mail_edit.htm index 6ba37104ef..de98c4af78 100644 --- a/interface/web/admin/templates/server_config_mail_edit.htm +++ b/interface/web/admin/templates/server_config_mail_edit.htm @@ -99,6 +99,10 @@
 MB
+
+ +
 {tmpl_var name='realtime_blackhole_list_note_txt'} +
@@ -106,10 +110,6 @@
- -
 {tmpl_var name='realtime_blackhole_list_note_txt'} -
-
{tmpl_var name='overquota_notify_admin'} -- GitLab From a32f99aa7cf1c187346eded43098b8d72acdccd3 Mon Sep 17 00:00:00 2001 From: Jesse Norell Date: Tue, 9 Jun 2020 10:33:43 -0600 Subject: [PATCH 11/19] add server config checkbox for postfix stress adaptive behavior --- install/dist/lib/fedora.lib.php | 6 +++ install/dist/lib/gentoo.lib.php | 6 +++ install/dist/lib/opensuse.lib.php | 6 +++ install/lib/installer_base.lib.php | 6 +++ install/tpl/postfix_2-5.conf.master | 18 +++---- install/tpl/postfix_3-0.conf.master | 18 +++---- .../web/admin/form/server_config.tform.php | 6 +++ .../web/admin/lib/lang/ar_server_config.lng | 2 + .../web/admin/lib/lang/bg_server_config.lng | 2 + .../web/admin/lib/lang/br_server_config.lng | 2 + .../web/admin/lib/lang/ca_server_config.lng | 2 + .../web/admin/lib/lang/cz_server_config.lng | 2 + .../web/admin/lib/lang/de_server_config.lng | 2 + .../web/admin/lib/lang/dk_server_config.lng | 2 + .../web/admin/lib/lang/el_server_config.lng | 2 + .../web/admin/lib/lang/en_server_config.lng | 2 + .../web/admin/lib/lang/es_server_config.lng | 2 + .../web/admin/lib/lang/fi_server_config.lng | 2 + .../web/admin/lib/lang/fr_server_config.lng | 2 + .../web/admin/lib/lang/hr_server_config.lng | 2 + .../web/admin/lib/lang/hu_server_config.lng | 2 + .../web/admin/lib/lang/id_server_config.lng | 2 + .../web/admin/lib/lang/it_server_config.lng | 2 + .../web/admin/lib/lang/ja_server_config.lng | 2 + .../web/admin/lib/lang/nl_server_config.lng | 2 + .../web/admin/lib/lang/pl_server_config.lng | 2 + .../web/admin/lib/lang/pt_server_config.lng | 2 + .../web/admin/lib/lang/ro_server_config.lng | 2 + .../web/admin/lib/lang/ru_server_config.lng | 2 + .../web/admin/lib/lang/se_server_config.lng | 2 + .../web/admin/lib/lang/sk_server_config.lng | 2 + .../web/admin/lib/lang/tr_server_config.lng | 2 + .../templates/server_config_mail_edit.htm | 6 +++ .../postfix_server_plugin.inc.php | 50 ++++++++++++++++--- 34 files changed, 147 insertions(+), 25 deletions(-) 
diff --git a/install/dist/lib/fedora.lib.php b/install/dist/lib/fedora.lib.php index 27962691f5..76d6ccae02 100644 --- a/install/dist/lib/fedora.lib.php +++ b/install/dist/lib/fedora.lib.php @@ -156,6 +156,11 @@ class installer_dist extends installer_base { if(isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) { $reject_sender_login_mismatch = ', reject_sender_login_mismatch'; } + + # placeholder includes comment char + $stress_adaptive_placeholder = '#{stress_adaptive} '; + $stress_adaptive = (isset($server_ini_array['mail']['stress_adaptive']) && ($server_ini_array['mail']['stress_adaptive'] == 'y')) ? '' : $stress_adaptive_placeholder; + unset($server_ini_array); $postconf_placeholders = array('{config_dir}' => $config_dir, @@ -165,6 +170,7 @@ class installer_dist extends installer_base { '{rbl_list}' => $rbl_list, '{greylisting}' => $greylisting, '{reject_slm}' => $reject_sender_login_mismatch, + $stress_adaptive_placeholder => $stress_adaptive, ); $postconf_tpl = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/fedora_postfix.conf.master', 'tpl/fedora_postfix.conf.master'); diff --git a/install/dist/lib/gentoo.lib.php b/install/dist/lib/gentoo.lib.php index 0e8238d57e..638de69735 100644 --- a/install/dist/lib/gentoo.lib.php +++ b/install/dist/lib/gentoo.lib.php 
@@ -105,6 +105,11 @@ class installer extends installer_base if(isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) { $reject_sender_login_mismatch = ', reject_sender_login_mismatch'; } + + # placeholder includes comment char + $stress_adaptive_placeholder = '#{stress_adaptive} '; + $stress_adaptive = (isset($server_ini_array['mail']['stress_adaptive']) && ($server_ini_array['mail']['stress_adaptive'] == 'y')) ? '' : $stress_adaptive_placeholder; + unset($server_ini_array); $postconf_placeholders = array('{config_dir}' => $config_dir, @@ -114,6 +119,7 @@ class installer extends installer_base '{rbl_list}' => $rbl_list, '{greylisting}' => $greylisting, '{reject_slm}' => $reject_sender_login_mismatch, + $stress_adaptive_placeholder => $stress_adaptive, ); $postconf_tpl = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/gentoo_postfix.conf.master', 'tpl/gentoo_postfix.conf.master'); diff --git a/install/dist/lib/opensuse.lib.php b/install/dist/lib/opensuse.lib.php index 21be53d975..de77dcd9d4 100644 --- a/install/dist/lib/opensuse.lib.php +++ b/install/dist/lib/opensuse.lib.php @@ -167,6 +167,11 @@ class installer_dist extends installer_base { if(isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) { $reject_sender_login_mismatch = ', reject_sender_login_mismatch'; } + + # placeholder includes comment char + $stress_adaptive_placeholder = '#{stress_adaptive} '; + $stress_adaptive = (isset($server_ini_array['mail']['stress_adaptive']) && ($server_ini_array['mail']['stress_adaptive'] == 'y')) ? '' : $stress_adaptive_placeholder; + unset($server_ini_array); $postconf_placeholders = array('{config_dir}' => $config_dir, 
@@ -176,6 +181,7 @@ class installer_dist extends installer_base { '{rbl_list}' => $rbl_list, '{greylisting}' => $greylisting, '{reject_slm}' => $reject_sender_login_mismatch, + $stress_adaptive_placeholder => $stress_adaptive, ); $postconf_tpl = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/opensuse_postfix.conf.master', 'tpl/opensuse_postfix.conf.master'); diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index c7c63e1dab..b2da1d59de 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php @@ -1080,6 +1080,11 @@ class installer_base { if(isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) { $reject_sender_login_mismatch = ', reject_sender_login_mismatch'; } + + # placeholder includes comment char + $stress_adaptive_placeholder = '#{stress_adaptive}'; + $stress_adaptive = (isset($server_ini_array['mail']['stress_adaptive']) && ($server_ini_array['mail']['stress_adaptive'] == 'y')) ? '' : $stress_adaptive_placeholder; + unset($server_ini_array); $tmp = str_replace('.','\.',$conf['hostname']); @@ -1092,6 +1097,7 @@ class installer_base { '{greylisting}' => $greylisting, '{reject_slm}' => $reject_sender_login_mismatch, '{myhostname}' => $tmp, + $stress_adaptive_placeholder => $stress_adaptive, ); $postconf_tpl = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/debian_postfix.conf.master', 'tpl/debian_postfix.conf.master'); diff --git a/install/tpl/postfix_2-5.conf.master b/install/tpl/postfix_2-5.conf.master index f58ba0bf9b..132c80822e 100644 --- a/install/tpl/postfix_2-5.conf.master +++ b/install/tpl/postfix_2-5.conf.master 
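Review bot: In the installer_base.lib.php hunk the placeholder is `'#{stress_adaptive}'` without the trailing space that fedora.lib.php, gentoo.lib.php and opensuse.lib.php use (`'#{stress_adaptive} '`), while both templates write `#{stress_adaptive} in_flow_delay = ...` with a space after the token. With the option enabled this installer therefore leaves every stress-adaptive setting with a leading space. How the template lines are consumed is not visible here, but if they reach main.cf unchanged Postfix reads a line starting with whitespace as a continuation of the previous line, so the settings would not take effect as written. Use the same string as the other installers: `$stress_adaptive_placeholder = '#{stress_adaptive} ';`.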
@@ -1,13 +1,13 @@ # Postfix configuration for version 2.5 and up # These will make postfix adapt more to load spikes -#in_flow_delay = ${stress?3}${stress:1}s -#smtp_connect_timeout = ${stress?10}${stress:30}s -#smtp_helo_timeout = ${stress?10}${stress:60}s -#smtp_mail_timeout = ${stress?10}${stress:60}s -#smtpd_error_sleep_time = ${stress?1}${stress:2}s -#smtpd_hard_error_limit = ${stress?1}${stress:10} -#smtpd_recipient_overshoot_limit = ${stress?60}${stress:600} -#smtpd_soft_error_limit = ${stress?2}${stress:5} -#smtpd_timeout = ${stress?10}${stress:60}s +#{stress_adaptive} in_flow_delay = ${stress?3}${stress:1}s +#{stress_adaptive} smtp_connect_timeout = ${stress?10}${stress:30}s +#{stress_adaptive} smtp_helo_timeout = ${stress?10}${stress:60}s +#{stress_adaptive} smtp_mail_timeout = ${stress?10}${stress:60}s +#{stress_adaptive} smtpd_error_sleep_time = ${stress?1}${stress:2}s +#{stress_adaptive} smtpd_hard_error_limit = ${stress?1}${stress:10} +#{stress_adaptive} smtpd_recipient_overshoot_limit = ${stress?60}${stress:600} +#{stress_adaptive} smtpd_soft_error_limit = ${stress?2}${stress:5} +#{stress_adaptive} smtpd_timeout = ${stress?10}${stress:60}s diff --git a/install/tpl/postfix_3-0.conf.master b/install/tpl/postfix_3-0.conf.master index e1ce3913c4..aa205679ad 100644 --- a/install/tpl/postfix_3-0.conf.master +++ b/install/tpl/postfix_3-0.conf.master 
@@ -1,13 +1,13 @@ # Postfix configuration for version 3.0 and up # These will make postfix adapt more to load spikes -# in_flow_delay = ${stress?{3}:{1}}s -# smtp_connect_timeout = ${stress?{10}:{30}}s -# smtp_helo_timeout = ${stress?{10}:{60}}s -# smtp_mail_timeout = ${stress?{10}:{60}}s -# smtpd_error_sleep_time = ${stress?{1}:{2}}s -# smtpd_hard_error_limit = ${stress?{1}:{10}} -# smtpd_recipient_overshoot_limit = ${stress?{60}:{600}} -# smtpd_soft_error_limit = ${stress?{2}:{5}} -# smtpd_timeout = ${stress?{10}:{60}}s +#{stress_adaptive} in_flow_delay = ${stress?{3}:{1}}s +#{stress_adaptive} smtp_connect_timeout = ${stress?{10}:{30}}s +#{stress_adaptive} smtp_helo_timeout = ${stress?{10}:{60}}s +#{stress_adaptive} smtp_mail_timeout = ${stress?{10}:{60}}s +#{stress_adaptive} smtpd_error_sleep_time = ${stress?{1}:{2}}s +#{stress_adaptive} smtpd_hard_error_limit = ${stress?{1}:{10}} +#{stress_adaptive} smtpd_recipient_overshoot_limit = ${stress?{60}:{600}} +#{stress_adaptive} smtpd_soft_error_limit = ${stress?{2}:{5}} +#{stress_adaptive} smtpd_timeout = ${stress?{10}:{60}}s diff --git a/interface/web/admin/form/server_config.tform.php b/interface/web/admin/form/server_config.tform.php index 9ae7745656..3d8d7a3f29 100644 --- a/interface/web/admin/form/server_config.tform.php +++ b/interface/web/admin/form/server_config.tform.php @@ -666,6 +666,12 @@ $form["tabs"]['mail'] = array( 'width' => '40', 'maxlength' => '255' ), + 'stress_adaptive' => array ( + 'datatype' => 'VARCHAR', + 'formtype' => 'CHECKBOX', + 'default' => 'y', + 'value' => array(0 => 'n', 1 => 'y') + ), 'mailbox_quota_stats' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'CHECKBOX', diff --git a/interface/web/admin/lib/lang/ar_server_config.lng b/interface/web/admin/lib/lang/ar_server_config.lng index 2daeadecc8..cf3e6da095 100644 --- a/interface/web/admin/lib/lang/ar_server_config.lng +++ b/interface/web/admin/lib/lang/ar_server_config.lng 
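Review bot: The new `stress_adaptive` form field in server_config.tform.php defaults to `'y'`, whereas the installers in this commit enable the settings only when `$server_ini_array['mail']['stress_adaptive']` is set and equal to 'y', and the templates previously shipped these lines commented out. For a server whose stored config has no such key, the form would presumably show the box ticked while the generated Postfix config still has the settings disabled. The first save would then switch on the shorter timeouts and lower error limits under load without the administrator having chosen that. Consider `'default' => 'n',` so the UI matches the installed state, or state the intended default in the commit message.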
@@ -172,6 +172,8 @@ $wb['backup_mode_userzip'] = 'Backup web files owned by web user as zip';
 $wb['backup_mode_rootgz'] = 'Backup all files in web directory as root user';
 $wb['realtime_blackhole_list_txt'] = 'Real-time Blackhole List';
 $wb['realtime_blackhole_list_note_txt'] = '(Separate RBL\'s with commas)';
+$wb['stress_adaptive_txt'] = 'Adapt to temporary load spikes';
+$wb['tooltip_stress_adaptive_txt'] = 'Enables Postfix stress-adaptive behavior.';
 $wb['ssl_settings_txt'] = 'SSL Settings';
 $wb['permissions_txt'] = 'Permissions';
 $wb['php_settings_txt'] = 'PHP Settings';
diff --git a/interface/web/admin/lib/lang/bg_server_config.lng b/interface/web/admin/lib/lang/bg_server_config.lng
index 7bf8b2c73c..20202b8202 100644
--- a/interface/web/admin/lib/lang/bg_server_config.lng
+++ b/interface/web/admin/lib/lang/bg_server_config.lng
@@ -170,6 +170,8 @@ $wb['backup_mode_userzip'] = 'Backup web files owned by web user as zip';
 $wb['backup_mode_rootgz'] = 'Backup all files in web directory as root user';
 $wb['realtime_blackhole_list_txt'] = 'Real-time Blackhole List';
 $wb['realtime_blackhole_list_note_txt'] = '(Separate RBL\'s with commas)';
+$wb['stress_adaptive_txt'] = 'Adapt to temporary load spikes';
+$wb['tooltip_stress_adaptive_txt'] = 'Enables Postfix stress-adaptive behavior.';
 $wb['ssl_settings_txt'] = 'SSL Settings';
 $wb['permissions_txt'] = 'Permissions';
 $wb['php_settings_txt'] = 'PHP Settings';
diff --git a/interface/web/admin/lib/lang/br_server_config.lng b/interface/web/admin/lib/lang/br_server_config.lng
index 48ed0395b7..e44a5a3485 100644
--- a/interface/web/admin/lib/lang/br_server_config.lng
+++ b/interface/web/admin/lib/lang/br_server_config.lng
@@ -179,6 +179,8 @@ $wb['connect_userid_to_webid_txt'] = 'Conectar o UID do usuário no sistema para
 $wb['connect_userid_to_webid_start_txt'] = 'Conexão do ID inicial do usuário com o webID';
 $wb['realtime_blackhole_list_txt'] = 'Lista RBL em tempo real';
 $wb['realtime_blackhole_list_note_txt'] = '(separar as RBLs com vírgulas)';
+$wb['stress_adaptive_txt'] = 'Adapt to temporary load spikes';
+$wb['tooltip_stress_adaptive_txt'] = 'Enables Postfix stress-adaptive behavior.';
 $wb['ssl_settings_txt'] = 'Configurações SSL';
 $wb['permissions_txt'] = 'Permissões';
 $wb['php_settings_txt'] = 'Configurações php';
diff --git a/interface/web/admin/lib/lang/ca_server_config.lng b/interface/web/admin/lib/lang/ca_server_config.lng
index 89c426fc52..56d40c1424 100644
--- a/interface/web/admin/lib/lang/ca_server_config.lng
+++ b/interface/web/admin/lib/lang/ca_server_config.lng
@@ -175,6 +175,8 @@ $wb['connect_userid_to_webid_txt'] = 'Connect Linux userid to webid';
 $wb['connect_userid_to_webid_start_txt'] = 'Start ID for userid/webid connect';
 $wb['realtime_blackhole_list_txt'] = 'Real-time Blackhole List';
 $wb['realtime_blackhole_list_note_txt'] = '(Separate RBL\'s with commas)';
+$wb['stress_adaptive_txt'] = 'Adapt to temporary load spikes';
+$wb['tooltip_stress_adaptive_txt'] = 'Enables Postfix stress-adaptive behavior.';
 $wb['ssl_settings_txt'] = 'SSL Settings';
 $wb['permissions_txt'] = 'Permissions';
 $wb['php_settings_txt'] = 'PHP Settings';
diff --git a/interface/web/admin/lib/lang/cz_server_config.lng b/interface/web/admin/lib/lang/cz_server_config.lng
index f52af24a87..92826822f5 100644
--- a/interface/web/admin/lib/lang/cz_server_config.lng
+++ b/interface/web/admin/lib/lang/cz_server_config.lng
@@ -163,6 +163,8 @@ $wb['backup_mode_userzip'] = 'Zálohování všech souborů v adresáři web jak
 $wb['backup_mode_rootgz'] = 'Zálohování všech souborů v adresáři web jako uživatel root';
 $wb['realtime_blackhole_list_txt'] = 'Real-time Blackhole List';
 $wb['realtime_blackhole_list_note_txt'] = '(jednotlivé RBL databáze oddělujte čárkou)';
+$wb['stress_adaptive_txt'] = 'Adapt to temporary load spikes';
+$wb['tooltip_stress_adaptive_txt'] = 'Enables Postfix stress-adaptive behavior.';
 $wb['ssl_settings_txt'] = 'SSL Nastavení';
 $wb['permissions_txt'] = 'Nastavit oprávnění';
 $wb['php_settings_txt'] = 'PHP Nastavení';
diff --git a/interface/web/admin/lib/lang/de_server_config.lng b/interface/web/admin/lib/lang/de_server_config.lng
index 0746e6bfdf..c49adf2396 100644
--- a/interface/web/admin/lib/lang/de_server_config.lng
+++ b/interface/web/admin/lib/lang/de_server_config.lng
@@ -174,6 +174,8 @@ $wb['connect_userid_to_webid_txt'] = 'Linux Userid mit webid verknüpfen';
 $wb['connect_userid_to_webid_start_txt'] = 'Start ID für userid/webid Verknüpfung';
 $wb['realtime_blackhole_list_txt'] = 'Realtime Blackhole Liste';
 $wb['realtime_blackhole_list_note_txt'] = '(Mehrere Realtime Blackhole Listen mit Kommas trennen)';
+$wb['stress_adaptive_txt'] = 'Adapt to temporary load spikes';
+$wb['tooltip_stress_adaptive_txt'] = 'Enables Postfix stress-adaptive behavior.';
 $wb['ssl_settings_txt'] = 'SSL Einstellungen';
 $wb['permissions_txt'] = 'Berechtigungen';
 $wb['php_settings_txt'] = 'PHP Einstellungen';
diff --git a/interface/web/admin/lib/lang/dk_server_config.lng b/interface/web/admin/lib/lang/dk_server_config.lng
index 772d46080f..5e5106af49 100644
--- a/interface/web/admin/lib/lang/dk_server_config.lng
+++ b/interface/web/admin/lib/lang/dk_server_config.lng
@@ -166,6 +166,8 @@ $wb['connect_userid_to_webid_txt'] = 'Forbinde Linux brugerid til webid';
 $wb['connect_userid_to_webid_start_txt'] = 'Start ID for brugerid/webid forbinde';
 $wb['realtime_blackhole_list_txt'] = 'Real-time Blackhole List';
 $wb['realtime_blackhole_list_note_txt'] = '(Adskille RBL\'er med kommaer)';
+$wb['stress_adaptive_txt'] = 'Adapt to temporary load spikes';
+$wb['tooltip_stress_adaptive_txt'] = 'Enables Postfix stress-adaptive behavior.';
 $wb['ssl_settings_txt'] = 'SSL Indstillinger';
 $wb['permissions_txt'] = 'Tilladelser';
 $wb['php_settings_txt'] = 'PHP Indstillinger';
diff --git a/interface/web/admin/lib/lang/el_server_config.lng b/interface/web/admin/lib/lang/el_server_config.lng
index 808cd63afe..6f88bc0712 100644
--- a/interface/web/admin/lib/lang/el_server_config.lng
+++ b/interface/web/admin/lib/lang/el_server_config.lng
@@ -172,6 +172,8 @@ $wb['backup_mode_userzip'] = 'Backup web files owned by web user as zip';
 $wb['backup_mode_rootgz'] = 'Backup all files in web directory as root user';
 $wb['realtime_blackhole_list_txt'] = 'Real-time Blackhole List';
 $wb['realtime_blackhole_list_note_txt'] = '(Separate RBL\'s with commas)';
+$wb['stress_adaptive_txt'] = 'Adapt to temporary load spikes';
+$wb['tooltip_stress_adaptive_txt'] = 'Enables Postfix stress-adaptive behavior.';
 $wb['ssl_settings_txt'] = 'SSL Settings';
 $wb['permissions_txt'] = 'Permissions';
 $wb['php_settings_txt'] = 'PHP Settings';
diff --git a/interface/web/admin/lib/lang/en_server_config.lng b/interface/web/admin/lib/lang/en_server_config.lng
index ff7e39c705..a5560b8515 100644
--- a/interface/web/admin/lib/lang/en_server_config.lng
+++ b/interface/web/admin/lib/lang/en_server_config.lng
@@ -180,6 +180,8 @@ $wb["connect_userid_to_webid_txt"] = 'Connect Linux userid to webid';
 $wb["connect_userid_to_webid_start_txt"] = 'Start ID for userid/webid connect';
 $wb["realtime_blackhole_list_txt"] = 'Real-time Blackhole List';
 $wb["realtime_blackhole_list_note_txt"] = '(Separate RBL\'s with commas)';
+$wb['stress_adaptive_txt'] = 'Adapt to temporary load spikes';
+$wb['tooltip_stress_adaptive_txt'] = 'Enables Postfix stress-adaptive behavior.';
 $wb["ssl_settings_txt"] = 'SSL Settings';
 $wb["permissions_txt"] = 'Permissions';
 $wb["php_settings_txt"] = 'PHP Settings';
diff --git a/interface/web/admin/lib/lang/es_server_config.lng b/interface/web/admin/lib/lang/es_server_config.lng
index 9cf590a619..373b7ae0fb 100644
--- a/interface/web/admin/lib/lang/es_server_config.lng
+++ b/interface/web/admin/lib/lang/es_server_config.lng
@@ -230,6 +232,8 @@ $wb['pop3_imap_daemon_txt'] = 'Servicio POP3/IMAP';
 $wb['rbl_error_regex'] = 'Por favor especifique nombres de host RBL válidos.';
 $wb['realtime_blackhole_list_note_txt'] = '(Separe las listas RBL con una coma)';
 $wb['realtime_blackhole_list_txt'] = 'Lista de filtrado en tiempo real';
+$wb['stress_adaptive_txt'] = 'Adapt to temporary load spikes';
+$wb['tooltip_stress_adaptive_txt'] = 'Enables Postfix stress-adaptive behavior.';
 $wb['reject_sender_login_mismatch_txt'] = 'Rechazar remitente e inicio de sesión diferentes';
 $wb['relayhost_password_txt'] = 'Contraseña del servidor de retransmisión';
 $wb['relayhost_txt'] = 'Servidor de retransmisión';
diff --git a/interface/web/admin/lib/lang/fi_server_config.lng b/interface/web/admin/lib/lang/fi_server_config.lng
index 654a63a501..9d743dbcfd 100644
--- a/interface/web/admin/lib/lang/fi_server_config.lng
+++ b/interface/web/admin/lib/lang/fi_server_config.lng
@@ -172,6 +172,8 @@ $wb['backup_mode_userzip'] = 'Backup web files owned by web user as zip';
 $wb['backup_mode_rootgz'] = 'Backup all files in web directory as root user';
 $wb['realtime_blackhole_list_txt'] = 'Real-time Blackhole List';
 $wb['realtime_blackhole_list_note_txt'] = '(Separate RBL\'s with commas)';
+$wb['stress_adaptive_txt'] = 'Adapt to temporary load spikes';
+$wb['tooltip_stress_adaptive_txt'] = 'Enables Postfix stress-adaptive behavior.';
 $wb['ssl_settings_txt'] = 'SSL Settings';
 $wb['permissions_txt'] = 'Permissions';
 $wb['php_settings_txt'] = 'PHP Settings';
diff --git a/interface/web/admin/lib/lang/fr_server_config.lng b/interface/web/admin/lib/lang/fr_server_config.lng
index 8ba5123460..0a06d2344e 100644
--- a/interface/web/admin/lib/lang/fr_server_config.lng
+++ b/interface/web/admin/lib/lang/fr_server_config.lng
@@ -165,6 +165,8 @@ $wb['backup_mode_userzip'] = 'Backup web files owned by web user as zip';
 $wb['backup_mode_rootgz'] = 'Backup all files in web directory as root user';
 $wb['realtime_blackhole_list_txt'] = 'Real-time Blackhole List';
 $wb['realtime_blackhole_list_note_txt'] = '(Separate RBL’s with commas)';
+$wb['stress_adaptive_txt'] = 'Adapt to temporary load spikes';
+$wb['tooltip_stress_adaptive_txt'] = 'Enables Postfix stress-adaptive behavior.';
 $wb['ssl_settings_txt'] = 'SSL Settings';
 $wb['permissions_txt'] = 'Permissions';
 $wb['php_settings_txt'] = 'PHP Settings';
diff --git a/interface/web/admin/lib/lang/hr_server_config.lng b/interface/web/admin/lib/lang/hr_server_config.lng
index 6dd61c1b92..161ea5efb6 100644
--- a/interface/web/admin/lib/lang/hr_server_config.lng
+++ b/interface/web/admin/lib/lang/hr_server_config.lng
@@ -172,6 +172,8 @@ $wb['backup_mode_userzip'] = 'Backup web files owned by web user as zip';
 $wb['backup_mode_rootgz'] = 'Backup all files in web directory as root user';
 $wb['realtime_blackhole_list_txt'] = 'Real-time Blackhole List';
 $wb['realtime_blackhole_list_note_txt'] = '(Separate RBL\'s with commas)';
+$wb['stress_adaptive_txt'] = 'Adapt to temporary load spikes';
+$wb['tooltip_stress_adaptive_txt'] = 'Enables Postfix stress-adaptive behavior.';
 $wb['ssl_settings_txt'] = 'SSL postavke';
 $wb['permissions_txt'] = 'Dozvole';
 $wb['php_settings_txt'] = 'PHP postavke';
diff --git a/interface/web/admin/lib/lang/hu_server_config.lng b/interface/web/admin/lib/lang/hu_server_config.lng
index a62b7c3834..b3e44761c5 100644
--- a/interface/web/admin/lib/lang/hu_server_config.lng
+++ b/interface/web/admin/lib/lang/hu_server_config.lng
@@ -172,6 +172,8 @@ $wb['backup_mode_userzip'] = 'Backup web files owned by web user as zip';
 $wb['backup_mode_rootgz'] = 'Backup all files in web directory as root user';
 $wb['realtime_blackhole_list_txt'] = 'Real-time Blackhole List';
 $wb['realtime_blackhole_list_note_txt'] = '(Separate RBL\'s with commas)';
+$wb['stress_adaptive_txt'] = 'Adapt to temporary load spikes';
+$wb['tooltip_stress_adaptive_txt'] = 'Enables Postfix stress-adaptive behavior.';
 $wb['ssl_settings_txt'] = 'SSL Settings';
 $wb['permissions_txt'] = 'Permissions';
 $wb['php_settings_txt'] = 'PHP Settings';
diff --git a/interface/web/admin/lib/lang/id_server_config.lng b/interface/web/admin/lib/lang/id_server_config.lng
index 7d1a85626f..e6a09d9c06 100644
--- a/interface/web/admin/lib/lang/id_server_config.lng
+++ b/interface/web/admin/lib/lang/id_server_config.lng
@@ -172,6 +172,8 @@ $wb['backup_mode_userzip'] = 'Backup web files owned by web user as zip';
 $wb['backup_mode_rootgz'] = 'Backup all files in web directory as root user';
 $wb['realtime_blackhole_list_txt'] = 'Real-time Blackhole List';
 $wb['realtime_blackhole_list_note_txt'] = '(Separate RBL\'s with commas)';
+$wb['stress_adaptive_txt'] = 'Adapt to temporary load spikes';
+$wb['tooltip_stress_adaptive_txt'] = 'Enables Postfix stress-adaptive behavior.';
 $wb['ssl_settings_txt'] = 'SSL Settings';
 $wb['permissions_txt'] = 'Permissions';
 $wb['php_settings_txt'] = 'PHP Settings';
diff --git a/interface/web/admin/lib/lang/it_server_config.lng b/interface/web/admin/lib/lang/it_server_config.lng
index 9db4bb523a..d98cee7db7 100644
--- a/interface/web/admin/lib/lang/it_server_config.lng
+++ b/interface/web/admin/lib/lang/it_server_config.lng
@@ -165,6 +165,8 @@ $wb['backup_mode_userzip'] = 'Backup files siti web come utente web in formato z
 $wb['backup_mode_rootgz'] = 'Backup di tutti i files nella cartella sito come utente root';
 $wb['realtime_blackhole_list_txt'] = 'Lista Real-Time Blackhole';
 $wb['realtime_blackhole_list_note_txt'] = '(Separare RBL con le virgole)';
+$wb['stress_adaptive_txt'] = 'Adapt to temporary load spikes';
+$wb['tooltip_stress_adaptive_txt'] = 'Enables Postfix stress-adaptive behavior.';
 $wb['ssl_settings_txt'] = 'Impostazioni SSL';
 $wb['permissions_txt'] = 'Permessi';
 $wb['php_settings_txt'] = 'Impostazioni PHP';
diff --git a/interface/web/admin/lib/lang/ja_server_config.lng b/interface/web/admin/lib/lang/ja_server_config.lng
index 9956c4ea94..392a4d48ee 100644
--- a/interface/web/admin/lib/lang/ja_server_config.lng
+++ b/interface/web/admin/lib/lang/ja_server_config.lng
@@ -172,6 +172,8 @@ $wb['backup_mode_userzip'] = 'Backup web files owned by web user as zip';
 $wb['backup_mode_rootgz'] = 'Backup all files in web directory as root user';
 $wb['realtime_blackhole_list_txt'] = 'Real-time Blackhole List';
 $wb['realtime_blackhole_list_note_txt'] = '(Separate RBL\'s with commas)';
+$wb['stress_adaptive_txt'] = 'Adapt to temporary load spikes';
+$wb['tooltip_stress_adaptive_txt'] = 'Enables Postfix stress-adaptive behavior.';
 $wb['ssl_settings_txt'] = 'SSL Settings';
 $wb['permissions_txt'] = 'Permissions';
 $wb['php_settings_txt'] = 'PHP Settings';
diff --git a/interface/web/admin/lib/lang/nl_server_config.lng b/interface/web/admin/lib/lang/nl_server_config.lng
index a904e4e3d6..b3be619110 100644
--- a/interface/web/admin/lib/lang/nl_server_config.lng
+++ b/interface/web/admin/lib/lang/nl_server_config.lng
@@ -172,6 +172,8 @@ $wb['backup_mode_userzip'] = 'Backup web files owned by web user as zip';
 $wb['backup_mode_rootgz'] = 'Backup all files in web directory as root user';
 $wb['realtime_blackhole_list_txt'] = 'Real-time Blackhole List';
 $wb['realtime_blackhole_list_note_txt'] = '(Separate RBL\'s with commas)';
+$wb['stress_adaptive_txt'] = 'Adapt to temporary load spikes';
+$wb['tooltip_stress_adaptive_txt'] = 'Enables Postfix stress-adaptive behavior.';
 $wb['ssl_settings_txt'] = 'SSL Settings';
 $wb['permissions_txt'] = 'Permissions';
 $wb['php_settings_txt'] = 'PHP Settings';
diff --git a/interface/web/admin/lib/lang/pl_server_config.lng b/interface/web/admin/lib/lang/pl_server_config.lng
index d85c337d64..0072eeeea5 100644
--- a/interface/web/admin/lib/lang/pl_server_config.lng
+++ b/interface/web/admin/lib/lang/pl_server_config.lng
@@ -172,6 +172,8 @@ $wb['backup_mode_userzip'] = 'Pliki kopii z prawami użytkownika jako zip';
 $wb['backup_mode_rootgz'] = 'Twórz kopie wszystkich plików w katalogu web jako root';
 $wb['realtime_blackhole_list_txt'] = 'Real-time Blackhole List';
 $wb['realtime_blackhole_list_note_txt'] = '(oddziel RBL-e przecinkami)';
+$wb['stress_adaptive_txt'] = 'Adapt to temporary load spikes';
+$wb['tooltip_stress_adaptive_txt'] = 'Enables Postfix stress-adaptive behavior.';
 $wb['ssl_settings_txt'] = 'Ustawienia SSL';
 $wb['permissions_txt'] = 'Uprawnienia';
 $wb['php_settings_txt'] = 'Ustawienia PHP';
diff --git a/interface/web/admin/lib/lang/pt_server_config.lng b/interface/web/admin/lib/lang/pt_server_config.lng
index e2051d0fff..391bb582ff 100644
--- a/interface/web/admin/lib/lang/pt_server_config.lng
+++ b/interface/web/admin/lib/lang/pt_server_config.lng
@@ -172,6 +172,8 @@ $wb['backup_mode_userzip'] = 'Backup web files owned by web user as zip';
 $wb['backup_mode_rootgz'] = 'Backup all files in web directory as root user';
 $wb['realtime_blackhole_list_txt'] = 'Real-time Blackhole List';
 $wb['realtime_blackhole_list_note_txt'] = '(Separate RBL\'s with commas)';
+$wb['stress_adaptive_txt'] = 'Adapt to temporary load spikes';
+$wb['tooltip_stress_adaptive_txt'] = 'Enables Postfix stress-adaptive behavior.';
 $wb['ssl_settings_txt'] = 'SSL Settings';
 $wb['permissions_txt'] = 'Permissions';
 $wb['php_settings_txt'] = 'PHP Settings';
diff --git a/interface/web/admin/lib/lang/ro_server_config.lng b/interface/web/admin/lib/lang/ro_server_config.lng
index 33b430de83..d41248a6f7 100644
--- a/interface/web/admin/lib/lang/ro_server_config.lng
+++ b/interface/web/admin/lib/lang/ro_server_config.lng
@@ -172,6 +172,8 @@ $wb['backup_mode_userzip'] = 'Backup web files owned by web user as zip';
 $wb['backup_mode_rootgz'] = 'Backup all files in web directory as root user';
 $wb['realtime_blackhole_list_txt'] = 'Real-time Blackhole List';
 $wb['realtime_blackhole_list_note_txt'] = '(Separate RBL\'s with commas)';
+$wb['stress_adaptive_txt'] = 'Adapt to temporary load spikes';
+$wb['tooltip_stress_adaptive_txt'] = 'Enables Postfix stress-adaptive behavior.';
 $wb['ssl_settings_txt'] = 'SSL Settings';
 $wb['permissions_txt'] = 'Permissions';
 $wb['php_settings_txt'] = 'PHP Settings';
diff --git a/interface/web/admin/lib/lang/ru_server_config.lng b/interface/web/admin/lib/lang/ru_server_config.lng
index 07aa94b967..b75c616eb5 100644
--- a/interface/web/admin/lib/lang/ru_server_config.lng
+++ b/interface/web/admin/lib/lang/ru_server_config.lng
@@ -172,6 +172,8 @@ $wb['backup_mode_userzip'] = 'Делать резервные копии web ф
 $wb['backup_mode_rootgz'] = 'Делать резервные копии всех файлов в веб-каталог как корневой пользователь';
 $wb['realtime_blackhole_list_txt'] = 'Real-time Blackhole List';
 $wb['realtime_blackhole_list_note_txt'] = '(Разделяйте RBL запятыми)';
+$wb['stress_adaptive_txt'] = 'Adapt to temporary load spikes';
+$wb['tooltip_stress_adaptive_txt'] = 'Enables Postfix stress-adaptive behavior.';
 $wb['ssl_settings_txt'] = 'Настройки SSL';
 $wb['permissions_txt'] = 'Разрешения';
 $wb['php_settings_txt'] = 'Параметры PHP';
diff --git a/interface/web/admin/lib/lang/se_server_config.lng b/interface/web/admin/lib/lang/se_server_config.lng
index a8ece108ca..d5bf5b2329 100644
--- a/interface/web/admin/lib/lang/se_server_config.lng
+++ b/interface/web/admin/lib/lang/se_server_config.lng
@@ -172,6 +172,8 @@ $wb['backup_mode_userzip'] = 'Backup web files owned by web user as zip';
 $wb['backup_mode_rootgz'] = 'Backup all files in web directory as root user';
 $wb['realtime_blackhole_list_txt'] = 'Real-time Blackhole List';
 $wb['realtime_blackhole_list_note_txt'] = '(Separate RBL\'s with commas)';
+$wb['stress_adaptive_txt'] = 'Adapt to temporary load spikes';
+$wb['tooltip_stress_adaptive_txt'] = 'Enables Postfix stress-adaptive behavior.';
 $wb['ssl_settings_txt'] = 'SSL Settings';
 $wb['permissions_txt'] = 'Permissions';
 $wb['php_settings_txt'] = 'PHP Settings';
diff --git a/interface/web/admin/lib/lang/sk_server_config.lng b/interface/web/admin/lib/lang/sk_server_config.lng
index d8ca8233b3..2246ad70e7 100644
--- a/interface/web/admin/lib/lang/sk_server_config.lng
+++ b/interface/web/admin/lib/lang/sk_server_config.lng
@@ -172,6 +172,8 @@ $wb['backup_mode_userzip'] = 'Backup web files owned by web user as zip';
 $wb['backup_mode_rootgz'] = 'Backup all files in web directory as root user';
 $wb['realtime_blackhole_list_txt'] = 'Real-time Blackhole List';
 $wb['realtime_blackhole_list_note_txt'] = '(Separate RBL\'s with commas)';
+$wb['stress_adaptive_txt'] = 'Adapt to temporary load spikes';
+$wb['tooltip_stress_adaptive_txt'] = 'Enables Postfix stress-adaptive behavior.';
 $wb['ssl_settings_txt'] = 'SSL Settings';
 $wb['permissions_txt'] = 'Permissions';
 $wb['php_settings_txt'] = 'PHP Settings';
diff --git a/interface/web/admin/lib/lang/tr_server_config.lng b/interface/web/admin/lib/lang/tr_server_config.lng
index 497116a00d..f4c2cfcd92 100644
--- a/interface/web/admin/lib/lang/tr_server_config.lng
+++ b/interface/web/admin/lib/lang/tr_server_config.lng
@@ -179,6 +179,8 @@ $wb['connect_userid_to_webid_txt'] = 'Linux kullanıcıkodu webkoduna bağlansı
 $wb['connect_userid_to_webid_start_txt'] = 'Bağlanacak kullanıcıkodu/webkodu için başlangıç kodu';
 $wb['realtime_blackhole_list_txt'] = 'Gerçek Zamanlı Karadelik Listesi (RBL)';
 $wb['realtime_blackhole_list_note_txt'] = '(RBL adlarını virgül ile ayırarak yazın)';
+$wb['stress_adaptive_txt'] = 'Adapt to temporary load spikes';
+$wb['tooltip_stress_adaptive_txt'] = 'Enables Postfix stress-adaptive behavior.';
 $wb['ssl_settings_txt'] = 'SSL Ayarları';
 $wb['permissions_txt'] = 'İzinler';
 $wb['php_settings_txt'] = 'PHP Ayarları';
diff --git a/interface/web/admin/templates/server_config_mail_edit.htm b/interface/web/admin/templates/server_config_mail_edit.htm
index de98c4af78..b7f7c2c6bf 100644
--- a/interface/web/admin/templates/server_config_mail_edit.htm
+++ b/interface/web/admin/templates/server_config_mail_edit.htm
@@ -103,6 +103,12 @@
 {tmpl_var name='realtime_blackhole_list_note_txt'}
+
+ + +
diff --git a/server/plugins-available/postfix_server_plugin.inc.php b/server/plugins-available/postfix_server_plugin.inc.php index 4795226d35..7f47b61ff4 100644 --- a/server/plugins-available/postfix_server_plugin.inc.php +++ b/server/plugins-available/postfix_server_plugin.inc.php @@ -70,6 +70,7 @@ class postfix_server_plugin { // The purpose of this plugin is to rewrite the main.cf file function update($event_name, $data) { global $app, $conf; + $postfix_restart = false; // get the config $app->uses("getconf,system"); @@ -105,7 +106,7 @@ class postfix_server_plugin { exec("postconf -e 'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd'"); exec("postconf -e 'smtp_sasl_security_options ='"); exec('postmap /etc/postfix/sasl_passwd'); - exec($conf['init_scripts'] . '/' . 'postfix restart'); + $postfix_restart=true; } if($mail_config['realtime_blackhole_list'] != $old_ini_data['mail']['realtime_blackhole_list']) { @@ -139,9 +140,8 @@ class postfix_server_plugin { } } $app->system->exec_safe("postconf -e ?", 'smtpd_recipient_restrictions = '.implode(", ", $new_options)); - exec('postfix reload'); } - + if($mail_config['reject_sender_login_mismatch'] != $old_ini_data['mail']['reject_sender_login_mismatch']) { $options = preg_split("/,\s*/", exec("postconf -h smtpd_sender_restrictions")); $new_options = array(); @@ -150,7 +150,7 @@ class postfix_server_plugin { $new_options[] = $value; } } - + if ($mail_config['reject_sender_login_mismatch'] == 'y') { reset($new_options); $i = 0; // insert after check_sender_access but before permit_... 
@@ -158,8 +158,44 @@ class postfix_server_plugin { array_splice($new_options, $i, 0, array('reject_sender_login_mismatch')); } $app->system->exec_safe("postconf -e ?", 'smtpd_sender_restrictions = '.implode(", ", $new_options)); - exec('postfix reload'); - } + } + + if($mail_config['stress_adaptive']) { + if ($mail_config['stress_adaptive'] == 'y') { + + if(version_compare($postfix_version , '3.0', '>=')) { + $app->system->exec_safe("postconf -e ?", 'in_flow_delay = ${stress?{3}:{1}}s'); + $app->system->exec_safe("postconf -e ?", 'smtp_connect_timeout = ${stress?{10}:{30}}s'); + $app->system->exec_safe("postconf -e ?", 'smtp_helo_timeout = ${stress?{10}:{60}}s'); + $app->system->exec_safe("postconf -e ?", 'smtp_mail_timeout = ${stress?{10}:{60}}s'); + $app->system->exec_safe("postconf -e ?", 'smtpd_error_sleep_time = ${stress?{1}:{2}}s'); + $app->system->exec_safe("postconf -e ?", 'smtpd_hard_error_limit = ${stress?{1}:{10}}'); + $app->system->exec_safe("postconf -e ?", 'smtpd_recipient_overshoot_limit = ${stress?{60}:{600}}'); + $app->system->exec_safe("postconf -e ?", 'smtpd_soft_error_limit = ${stress?{2}:{5}}'); + $app->system->exec_safe("postconf -e ?", 'smtpd_timeout = ${stress?{10}:{60}}s'); + } elseif (version_compare($postfix_version , '2.5', '>=')) { + $app->system->exec_safe("postconf -e ?", 'in_flow_delay = ${stress?3}${stress:1}s'); + $app->system->exec_safe("postconf -e ?", 'smtp_connect_timeout = ${stress?10}${stress:30}s'); + $app->system->exec_safe("postconf -e ?", 'smtp_helo_timeout = ${stress?10}${stress:60}s'); + $app->system->exec_safe("postconf -e ?", 'smtp_mail_timeout = ${stress?10}${stress:60}s'); + $app->system->exec_safe("postconf -e ?", 'smtpd_error_sleep_time = ${stress?1}${stress:2}s'); + $app->system->exec_safe("postconf -e ?", 'smtpd_hard_error_limit = ${stress?1}${stress:10}'); + $app->system->exec_safe("postconf -e ?", 'smtpd_recipient_overshoot_limit = ${stress?60}${stress:600}'); + $app->system->exec_safe("postconf -e ?", 
'smtpd_soft_error_limit = ${stress?2}${stress:5}'); + $app->system->exec_safe("postconf -e ?", 'smtpd_timeout = ${stress?10}${stress:60}s'); + } + } else { // mail_config['reject_sender_login_mismatch'] == 'n' + exec("postconf -X 'in_flow_delay'"); + exec("postconf -X 'smtp_connect_timeout'"); + exec("postconf -X 'smtp_helo_timeout'"); + exec("postconf -X 'smtp_mail_timeout'"); + exec("postconf -X 'smtpd_error_sleep_time'"); + exec("postconf -X 'smtpd_hard_error_limit'"); + exec("postconf -X 'smtpd_recipient_overshoot_limit'"); + exec("postconf -X 'smtpd_soft_error_limit'"); + exec("postconf -X 'smtpd_timeout'"); + } + } if($app->system->is_installed('dovecot')) { $virtual_transport = 'dovecot'; @@ -292,6 +328,6 @@ class postfix_server_plugin { exec("postconf -e 'mailbox_size_limit = ".intval($mail_config['mailbox_size_limit']*1024*1024)."'"); exec("postconf -e 'message_size_limit = ".intval($mail_config['message_size_limit']*1024*1024)."'"); - $app->services->restartServiceDelayed('postfix', 'reload'); + $app->services->restartServiceDelayed('postfix', ($postfix_restart ? 'restart' : 'reload')); } } // end class -- GitLab From 08d936a2628ce5a62f3eeb82a2c3de18eebd4513 Mon Sep 17 00:00:00 2001 From: Jesse Norell Date: Tue, 9 Jun 2020 13:16:57 -0600 Subject: [PATCH 12/19] configure_rspamd() should set reject_sender_login_mismatch --- install/lib/installer_base.lib.php | 24 +++++++++++++++++-- install/tpl/debian_postfix.conf.master | 2 +- install/tpl/fedora_postfix.conf.master | 2 +- install/tpl/gentoo_postfix.conf.master | 2 +- install/tpl/opensuse_postfix.conf.master | 2 +- .../postfix_server_plugin.inc.php | 17 +++++++------ 6 files changed, 34 insertions(+), 15 deletions(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index b2da1d59de..afd330c92c 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php 
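Review bot: The `else` branch of the new stress_adaptive block carries the comment `// mail_config['reject_sender_login_mismatch'] == 'n'`, copied from the block above it; it should read something like `// stress_adaptive disabled: remove the overrides so Postfix uses its built-in defaults`. `$postfix_version` is used in both `version_compare()` calls but is not assigned in any visible hunk of `update()`, whose body starts outside this hunk; if it is unset at this point neither branch runs and enabling the option silently changes nothing, so confirm it is populated earlier. Unlike the neighbouring blocks, this one is not guarded by a comparison with `$old_ini_data`, so the nine `postconf` calls run on every config update rather than only when the setting changes.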
@@ -1078,7 +1078,7 @@ class installer_base { $reject_sender_login_mismatch = ''; if(isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) { - $reject_sender_login_mismatch = ', reject_sender_login_mismatch'; + $reject_sender_login_mismatch = ',reject_sender_login_mismatch,'; } # placeholder includes comment char @@ -1678,7 +1678,27 @@ class installer_base { exec("postconf -e 'milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}'"); exec("postconf -e 'milter_default_action = accept'"); - exec("postconf -e 'smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, permit_mynetworks, permit_sasl_authenticated'"); + if(! isset($mail_config['reject_sender_login_mismatch'])) { + $mail_config['reject_sender_login_mismatch'] = 'n'; + } + $options = explode(", ", exec("postconf -h smtpd_sender_restrictions")); + $new_options = array(); + foreach ($options as $key => $value) { + if ($value == '') { + continue; + } + if (preg_match('/tag_as_(originating|foreign)\.re/', $value)) { + continue; + } + if (!preg_match('/reject_(authenticated_)?sender_login_mismatch/', $value)) { + $new_options[] = $value; + } + } + if ($mail_config['reject_sender_login_mismatch'] == 'y') { + reset($new_options); + array_splice($new_options, 0, 0, array('reject_sender_login_mismatch')); + } + exec("postconf -e 'smtpd_sender_restrictions = ".implode(", ", $new_options)."'"); $options = preg_split("/,\s*/", exec("postconf -h smtpd_recipient_restrictions")); diff --git a/install/tpl/debian_postfix.conf.master b/install/tpl/debian_postfix.conf.master index 7bfafca723..ce6f3b1553 100644 --- a/install/tpl/debian_postfix.conf.master +++ b/install/tpl/debian_postfix.conf.master 
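Review bot: In the configure_rspamd hunk the rebuilt `smtpd_sender_restrictions` value is pasted into a single-quoted shell string, and `$new_options` comes from `postconf -h` output, so any quote or shell metacharacter already present in main.cf ends up in the command line. The server plugin in this same series passes the equivalent value through `$app->system->exec_safe("postconf -e ?", …)`; here the value should at least be quoted, e.g. `exec('postconf -e '.escapeshellarg('smtpd_sender_restrictions = '.implode(', ', $new_options)));`. The added `if(! isset($mail_config['reject_sender_login_mismatch']))` falls back to 'n', which strips the restriction from the list; whether `$mail_config` is loaded earlier in the function is not visible in this hunk and is worth confirming, because an unset array would remove `reject_sender_login_mismatch` on every run.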
@@ -27,7 +27,7 @@ smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_ma
 proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $smtpd_recipient_restrictions
 smtpd_helo_required = yes
 smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, reject_unknown_helo_hostname, permit
-smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf
+smtpd_sender_restrictions = {reject_slm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf
 smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
 smtpd_etrn_restrictions = permit_mynetworks, reject
 smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
diff --git a/install/tpl/fedora_postfix.conf.master b/install/tpl/fedora_postfix.conf.master
index 6b2b5bb5e1..ec88a572ff 100644
--- a/install/tpl/fedora_postfix.conf.master
+++ b/install/tpl/fedora_postfix.conf.master
@@ -23,7 +23,7 @@ smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_ma
 proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $smtpd_recipient_restrictions
 smtpd_helo_required = yes
 smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, reject_unknown_helo_hostname, permit
-smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf
+smtpd_sender_restrictions = {reject_slm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf
 smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
 smtpd_etrn_restrictions = permit_mynetworks, reject
 smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
diff --git a/install/tpl/gentoo_postfix.conf.master b/install/tpl/gentoo_postfix.conf.master
index 2119f1a395..d369dbc89e 100644
--- a/install/tpl/gentoo_postfix.conf.master
+++ b/install/tpl/gentoo_postfix.conf.master
@@ -22,7 +22,7 @@ smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_ma
 proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $smtpd_recipient_restrictions
 smtpd_helo_required = yes
 smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, reject_unknown_helo_hostname, permit
-smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf
+smtpd_sender_restrictions = {reject_slm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf
 smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
 smtpd_etrn_restrictions = permit_mynetworks, reject
 smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
diff --git a/install/tpl/opensuse_postfix.conf.master b/install/tpl/opensuse_postfix.conf.master
index 6891969d8c..2c43cd9791 100644
--- a/install/tpl/opensuse_postfix.conf.master
+++ b/install/tpl/opensuse_postfix.conf.master
@@ -25,7 +25,7 @@ smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_ma
 proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $smtpd_recipient_restrictions
 smtpd_helo_required = yes
 smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, reject_unknown_helo_hostname, permit
-smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf
+smtpd_sender_restrictions = {reject_slm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf
 smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
 smtpd_etrn_restrictions = permit_mynetworks, reject
 smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
diff --git a/server/plugins-available/postfix_server_plugin.inc.php b/server/plugins-available/postfix_server_plugin.inc.php
index 7f47b61ff4..0400f68827 100644
--- a/server/plugins-available/postfix_server_plugin.inc.php
+++ b/server/plugins-available/postfix_server_plugin.inc.php
@@ -152,10 +152,8 @@ class postfix_server_plugin { } if ($mail_config['reject_sender_login_mismatch'] == 'y') { - reset($new_options); $i = 0; - // insert after check_sender_access but before permit_... - while (isset($new_options[$i]) && substr($new_options[$i], 0, 19) == 'check_sender_access') ++$i; - array_splice($new_options, $i, 0, array('reject_sender_login_mismatch')); + reset($new_options); + array_splice($new_options, 0, 0, array('reject_sender_login_mismatch')); } $app->system->exec_safe("postconf -e ?", 'smtpd_sender_restrictions = '.implode(", ", $new_options)); } @@ -256,7 +254,7 @@ class postfix_server_plugin { exec("postconf -e 'smtpd_recipient_restrictions = ".implode(", ", $new_options)."'"); if($mail_config['content_filter'] != $old_ini_data['mail']['content_filter']) { - $rslm= ($mail_config['reject_sender_login_mismatch']) ? ", reject_sender_login_mismatch" : ""; + $rslm = ($mail_config['reject_sender_login_mismatch'] == 'y') ? "reject_sender_login_mismatch," : ""; if($mail_config['content_filter'] == 'rspamd'){ exec("postconf -X 'receive_override_options'"); @@ -267,8 +265,8 @@ class postfix_server_plugin { exec("postconf -e 'milter_protocol = 6'"); exec("postconf -e 'milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}'"); exec("postconf -e 'milter_default_action = accept'"); - - exec("postconf -e 'smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf ${rslm}, permit_mynetworks, permit_sasl_authenticated'"); + + exec("postconf -e 'smtpd_sender_restrictions = ${rslm} permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf'"); $new_options = array(); $options = preg_split("/,\s*/", exec("postconf -h smtpd_recipient_restrictions")); 
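Review bot: In the rspamd branch the new `exec("postconf -e 'smtpd_sender_restrictions = ${rslm} permit_mynetworks, …'")` line replaces the whole restriction list with a hard-coded string, so anything an administrator added to `smtpd_sender_restrictions`, and any config directory other than `/etc/postfix`, is lost when the content filter is switched; the amavis branch further down does the same and already carries a `fixme`. A comment here such as `// replaces the whole list; local additions to smtpd_sender_restrictions are not preserved` would make that explicit. `"${rslm}"` interpolation is deprecated as of PHP 8.2, and `{$rslm}` is the equivalent form. In the first hunk on this line, `reset($new_options);` has no effect on the `array_splice()` that follows and can be dropped.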
@@ -304,8 +302,9 @@ class postfix_server_plugin { exec("postconf -e 'receive_override_options = no_address_mappings'"); exec("postconf -e 'content_filter = " . ($configure_lmtp ? "lmtp" : "amavis" ) . ":[127.0.0.1]:10024'"); - - exec("postconf -e 'smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, check_sender_access regexp:/etc/postfix/tag_as_foreign.re'"); + + // fixme: should read this from conf templates + exec("postconf -e 'smtpd_sender_restrictions = ${rslm} check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:/etc/postfix/tag_as_foreign.re, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf'"); } } -- GitLab From 6d2d410b15774bf2d1d2e39c9471346a87e02787 Mon Sep 17 00:00:00 2001 
From: Jesse Norell Date: Wed, 10 Jun 2020 11:38:02 -0600 Subject: [PATCH 13/19] add server config select list for unknown (dns) rejection --- install/lib/installer_base.lib.php | 19 +++-- install/tpl/debian_postfix.conf.master | 4 +- install/tpl/fedora_postfix.conf.master | 4 +- install/tpl/gentoo_postfix.conf.master | 4 +- install/tpl/opensuse_postfix.conf.master | 4 +- .../web/admin/form/server_config.tform.php | 23 +++-- .../web/admin/lib/lang/ar_server_config.lng | 5 ++ .../web/admin/lib/lang/bg_server_config.lng | 5 ++ .../web/admin/lib/lang/br_server_config.lng | 5 ++ .../web/admin/lib/lang/ca_server_config.lng | 5 ++ .../web/admin/lib/lang/cz_server_config.lng | 5 ++ .../web/admin/lib/lang/de_server_config.lng | 5 ++ .../web/admin/lib/lang/dk_server_config.lng | 5 ++ .../web/admin/lib/lang/el_server_config.lng | 5 ++ .../web/admin/lib/lang/en_server_config.lng | 10 +++ .../web/admin/lib/lang/es_server_config.lng | 5 ++ .../web/admin/lib/lang/fi_server_config.lng | 5 ++ .../web/admin/lib/lang/fr_server_config.lng | 5 ++ .../web/admin/lib/lang/hr_server_config.lng | 5 ++ .../web/admin/lib/lang/hu_server_config.lng | 5 ++ .../web/admin/lib/lang/id_server_config.lng | 5 ++ .../web/admin/lib/lang/it_server_config.lng | 5 ++ .../web/admin/lib/lang/ja_server_config.lng | 5 ++ .../web/admin/lib/lang/nl_server_config.lng | 5 ++ .../web/admin/lib/lang/pl_server_config.lng | 5 ++ .../web/admin/lib/lang/pt_server_config.lng | 5 ++ .../web/admin/lib/lang/ro_server_config.lng | 5 ++ .../web/admin/lib/lang/ru_server_config.lng | 5 ++ .../web/admin/lib/lang/se_server_config.lng | 5 ++ .../web/admin/lib/lang/sk_server_config.lng | 5 ++ .../web/admin/lib/lang/tr_server_config.lng | 5 ++ .../templates/server_config_mail_edit.htm | 8 ++ .../postfix_server_plugin.inc.php | 84 +++++++++++++++++-- 33 files changed, 256 insertions(+), 24 deletions(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index afd330c92c..4c7ee2b772 100644 
--- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php @@ -1077,7 +1077,7 @@ class installer_base { } $reject_sender_login_mismatch = ''; - if(isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) { + if (isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) { $reject_sender_login_mismatch = ',reject_sender_login_mismatch,'; } @@ -1085,6 +1085,15 @@ class installer_base { $stress_adaptive_placeholder = '#{stress_adaptive}'; $stress_adaptive = (isset($server_ini_array['mail']['stress_adaptive']) && ($server_ini_array['mail']['stress_adaptive'] == 'y')) ? '' : $stress_adaptive_placeholder; + $reject_unknown_client_hostname=''; + if (isset($server_ini_array['mail']['reject_unknown']) && ($server_ini_array['mail']['reject_unknown'] == 'client' || $server_ini_array['mail']['reject_unknown'] == 'client_helo')) { + $reject_unknown_client_hostname=',reject_unknown_client_hostname'; + } + $reject_unknown_helo_hostname=''; + if ((!isset($server_ini_array['mail']['reject_unknown'])) || $server_ini_array['mail']['reject_unknown'] == 'helo' || $server_ini_array['mail']['reject_unknown'] == 'client_helo') { + $reject_unknown_helo_hostname=',reject_unknown_helo_hostname'; + } + unset($server_ini_array); $tmp = str_replace('.','\.',$conf['hostname']); @@ -1098,6 +1107,8 @@ class installer_base { '{reject_slm}' => $reject_sender_login_mismatch, '{myhostname}' => $tmp, $stress_adaptive_placeholder => $stress_adaptive, + '{reject_unknown_client_hostname}' => $reject_unknown_client_hostname, + '{reject_unknown_helo_hostname}' => $reject_unknown_helo_hostname, ); $postconf_tpl = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/debian_postfix.conf.master', 'tpl/debian_postfix.conf.master'); 
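Review bot: The two new `reject_unknown` conditions treat a missing key as 'helo', but any other unrecognised value (an empty string, a typo in the stored config) matches neither test, so both `reject_unknown_client_hostname` and `reject_unknown_helo_hostname` silently drop out of the generated main.cf. A comment above the block listing the accepted values, e.g. `// reject_unknown: 'client', 'helo', 'client_helo'; any other value disables both checks`, would document that, and an `in_array()` check that falls back to the 'helo' default would keep the previous behaviour for bad input. The accepted values are inferred from these comparisons only; the form definition is not part of this hunk.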
@@ -1684,14 +1695,12 @@ class installer_base { $options = explode(", ", exec("postconf -h smtpd_sender_restrictions")); $new_options = array(); foreach ($options as $key => $value) { - if ($value == '') { - continue; - } + if (trim($value) == '') continue; if (preg_match('/tag_as_(originating|foreign)\.re/', $value)) { continue; } if (!preg_match('/reject_(authenticated_)?sender_login_mismatch/', $value)) { - $new_options[] = $value; + $new_options[] = trim($value); } } if ($mail_config['reject_sender_login_mismatch'] == 'y') { diff --git a/install/tpl/debian_postfix.conf.master b/install/tpl/debian_postfix.conf.master index ce6f3b1553..5ce4671691 100644 --- a/install/tpl/debian_postfix.conf.master +++ b/install/tpl/debian_postfix.conf.master 
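Review bot: The list is still split with `explode(", ", …)`, so the added `trim()` only helps entries that were already separated by comma-plus-space; an entry such as `a,reject_sender_login_mismatch` stays one element, is matched by the regex and is dropped as a whole, taking `a` with it. The recipient-restriction code a few lines further down in the same function uses `preg_split("/,\s*/", …)`; using the same here, `$options = preg_split("/,\s*/", exec("postconf -h smtpd_sender_restrictions"));`, keeps the two parsers consistent. The enclosing function starts and ends outside the hunk.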
@@ -26,9 +26,9 @@ relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
 smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
 proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $smtpd_recipient_restrictions
 smtpd_helo_required = yes
-smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, reject_unknown_helo_hostname, permit
+smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, {reject_unknown_helo_hostname}, permit
 smtpd_sender_restrictions = {reject_slm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf
-smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
+smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit
 smtpd_etrn_restrictions = permit_mynetworks, reject
 smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
 smtpd_client_message_rate_limit = 100
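Review bot: The two new placeholders are wired in with different separators: the helo line has `blacklist_helo, {reject_unknown_helo_hostname}, permit` while the client line has `reject_unauth_pipelining {reject_unknown_client_hostname}, permit`, yet the installer sets both values with a leading comma (`',reject_unknown_helo_hostname'`). The helo line therefore renders as `…blacklist_helo, ,reject_unknown_helo_hostname, permit`, or `…blacklist_helo, , permit` when the option is off. Postfix appears to tolerate the empty element, but code in this series that re-parses restriction lists with `explode(", ", …)` or `preg_split("/,\s*/", …)` would see an empty or comma-prefixed entry; writing the helo line as `…blacklist_helo {reject_unknown_helo_hostname}, permit` matches the client line. The fedora and gentoo hunks that follow contain the same two lines.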
diff --git a/install/tpl/fedora_postfix.conf.master b/install/tpl/fedora_postfix.conf.master
index ec88a572ff..d3f1eef6f3 100644
--- a/install/tpl/fedora_postfix.conf.master
+++ b/install/tpl/fedora_postfix.conf.master
@@ -22,9 +22,9 @@ relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
 smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
 proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $smtpd_recipient_restrictions
 smtpd_helo_required = yes
-smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, reject_unknown_helo_hostname, permit
+smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, {reject_unknown_helo_hostname}, permit
 smtpd_sender_restrictions = {reject_slm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf
-smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
+smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit
 smtpd_etrn_restrictions = permit_mynetworks, reject
 smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
 smtpd_client_message_rate_limit = 100
diff --git a/install/tpl/gentoo_postfix.conf.master b/install/tpl/gentoo_postfix.conf.master
index d369dbc89e..9f57085209 100644
--- a/install/tpl/gentoo_postfix.conf.master
+++ b/install/tpl/gentoo_postfix.conf.master
@@ -21,9 +21,9 @@ relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
 smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
 proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $smtpd_recipient_restrictions
 smtpd_helo_required = yes
-smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, reject_unknown_helo_hostname, permit
+smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, {reject_unknown_helo_hostname}, permit
 smtpd_sender_restrictions = {reject_slm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf
-smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
+smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit
 smtpd_etrn_restrictions = permit_mynetworks, reject
 smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
 smtpd_client_message_rate_limit = 100
diff --git a/install/tpl/opensuse_postfix.conf.master b/install/tpl/opensuse_postfix.conf.master
index 2c43cd9791..c98342c201 100644
--- a/install/tpl/opensuse_postfix.conf.master
+++ b/install/tpl/opensuse_postfix.conf.master
@@ -24,9 +24,9 @@ relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
 smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
 proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $smtpd_recipient_restrictions
 smtpd_helo_required = yes
-smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, reject_unknown_helo_hostname, permit
+smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, {reject_unknown_helo_hostname}, permit
 smtpd_sender_restrictions = {reject_slm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf
-smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
+smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit
 smtpd_etrn_restrictions = permit_mynetworks, reject
 smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
 smtpd_client_message_rate_limit = 100
diff --git a/interface/web/admin/form/server_config.tform.php b/interface/web/admin/form/server_config.tform.php
index 3d8d7a3f29..bc2f05840b 100644
--- a/interface/web/admin/form/server_config.tform.php
+++ b/interface/web/admin/form/server_config.tform.php
@@ -456,11 +456,13 @@ $form["tabs"]['mail'] = array(
 'datatype' => 'VARCHAR',
 'formtype' => 'TEXT',
 'default' => '/home/vmail/',
- 'validators' => array( 0 => array('type' => 'NOTEMPTY',
- 'errmsg' => 'homedir_path_error_empty'),
- 1 => array ( 'type' => 'REGEX',
- 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{5,128}$/',
- 'errmsg'=> 'homedir_path_error_regex'),
+ 'validators' => array( 0 => array ( 'type' => 'NOTEMPTY',
+ 'errmsg' => 'homedir_path_error_empty'
+ ),
+ 1 => array ( 'type' => 'REGEX',
+ 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{5,128}$/',
+ 'errmsg'=> 'homedir_path_error_regex'
+ ),
 ),
 'value' => '',
 'width' => '40',
@@ -638,6 +640,17 @@ $form["tabs"]['mail'] = array(
 'default' => 'n',
 'value' => array(0 => 'n', 1 => 'y')
 ),
+ 'reject_unknown' => array(
+ 'datatype' => 'VARCHAR',
+ 'formtype' => 'SELECT',
+ 'default' => 'helo',
+ 'value' => array(
+ 'helo' => 'reject_unknown_helo_txt',
+ 'client' => 'reject_unknown_client_txt',
+ 'client_helo' => 'reject_unknown_client_helo_txt',
+ 'none' => 'disabled_txt',
+ )
+ ),
 'mailbox_size_limit' => array(
 'datatype' => 'INTEGER',
 'formtype' => 'TEXT',
diff --git a/interface/web/admin/lib/lang/ar_server_config.lng b/interface/web/admin/lib/lang/ar_server_config.lng
index cf3e6da095..ed8e236071 100644
--- a/interface/web/admin/lib/lang/ar_server_config.lng
+++ b/interface/web/admin/lib/lang/ar_server_config.lng
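Review bot: The new `reject_unknown` field in the second hunk of server_config.tform.php lists four allowed keys but has no `validators` entry, unlike the path field whose validators the first hunk re-indents. Whether the form layer already limits a SELECT submission to the keys of `value` is not visible here; if it does not, any posted string is stored and then drives which `reject_unknown_*` restrictions end up in the Postfix configuration. I would add a REGEX validator with `'regex' => '/^(helo|client|client_helo|none)$/'` and its own `errmsg` key (placeholder name: `reject_unknown_error_regex`). The enclosing `$form["tabs"]['mail']` array starts and ends outside both hunks.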
@@ -40,6 +40,11 @@ $wb['relayhost_txt'] = 'Relayhost'; $wb['relayhost_user_txt'] = 'Relayhost User'; $wb['relayhost_password_txt'] = 'Relayhost Password'; $wb['reject_sender_login_mismatch_txt'] = 'Reject sender and login mismatch'; +$wb['reject_unknown_txt'] = 'Reject unknown hostnames'; +$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks. Not checked for authenticated users.'; +$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames'; +$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames'; +$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames'; $wb['mailbox_size_limit_txt'] = 'Mailbox Size Limit'; $wb['message_size_limit_txt'] = 'Message Size Limit'; $wb['ip_address_txt'] = 'IP Address'; diff --git a/interface/web/admin/lib/lang/bg_server_config.lng b/interface/web/admin/lib/lang/bg_server_config.lng index 20202b8202..71e5bfd5c6 100644 --- a/interface/web/admin/lib/lang/bg_server_config.lng +++ b/interface/web/admin/lib/lang/bg_server_config.lng @@ -38,6 +38,11 @@ $wb['relayhost_txt'] = 'Relayhost'; $wb['relayhost_user_txt'] = 'Relayhost User'; $wb['relayhost_password_txt'] = 'Relayhost Password'; $wb['reject_sender_login_mismatch_txt'] = 'Reject sender and login mismatch'; +$wb['reject_unknown_txt'] = 'Reject unknown hostnames'; +$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks. Not checked for authenticated users.'; +$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames'; +$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames'; +$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames'; $wb['mailbox_size_limit_txt'] = 'Mailbox Size Limit'; $wb['message_size_limit_txt'] = 'Message Size Limit'; $wb['ip_address_txt'] = 'IP адрес'; diff --git a/interface/web/admin/lib/lang/br_server_config.lng b/interface/web/admin/lib/lang/br_server_config.lng index e44a5a3485..e7b59e3cdb 100644 
--- a/interface/web/admin/lib/lang/br_server_config.lng +++ b/interface/web/admin/lib/lang/br_server_config.lng @@ -51,6 +51,11 @@ $wb['relayhost_txt'] = 'Servidor de retransmissão'; $wb['relayhost_user_txt'] = 'Usuário de retransmissão'; $wb['relayhost_password_txt'] = 'Senha do usuário de retransmissão'; $wb['reject_sender_login_mismatch_txt'] = 'Rejeitar acesso com erro de usuário e/ou senha'; +$wb['reject_unknown_txt'] = 'Reject unknown hostnames'; +$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks. Not checked for authenticated users.'; +$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames'; +$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames'; +$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames'; $wb['mailbox_size_limit_txt'] = 'Limite do tamanho da conta de e-mail'; $wb['message_size_limit_txt'] = 'Limite do tamanho da mensagem'; $wb['ip_address_txt'] = 'Endereço IP'; diff --git a/interface/web/admin/lib/lang/ca_server_config.lng b/interface/web/admin/lib/lang/ca_server_config.lng index 56d40c1424..effc175e85 100644 --- a/interface/web/admin/lib/lang/ca_server_config.lng +++ b/interface/web/admin/lib/lang/ca_server_config.lng 
@@ -51,6 +51,11 @@ $wb['relayhost_txt'] = 'Relayhost'; $wb['relayhost_user_txt'] = 'Relayhost User'; $wb['relayhost_password_txt'] = 'Relayhost Password'; $wb['reject_sender_login_mismatch_txt'] = 'Reject sender and login mismatch'; +$wb['reject_unknown_txt'] = 'Reject unknown hostnames'; +$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks. Not checked for authenticated users.'; +$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames'; +$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames'; +$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames'; $wb['mailbox_size_limit_txt'] = 'Mailbox Size Limit'; $wb['message_size_limit_txt'] = 'Message Size Limit'; $wb['ip_address_txt'] = 'IP Address'; diff --git a/interface/web/admin/lib/lang/cz_server_config.lng b/interface/web/admin/lib/lang/cz_server_config.lng index 92826822f5..6e4f4c7faa 100644 --- a/interface/web/admin/lib/lang/cz_server_config.lng +++ b/interface/web/admin/lib/lang/cz_server_config.lng @@ -256,6 +256,11 @@ $wb['mailbox_virtual_uidgid_maps_error_nosingleserver'] = 'Uid cannot be mapped $wb['mailbox_virtual_uidgid_maps_error_nodovecot'] = 'Uid-mapping can only be used with dovecot.'; $wb['mailbox_virtual_uidgid_maps_error_alreadyusers'] = 'Uid-mapping cannot be changed if there are already mail users.'; $wb['reject_sender_login_mismatch_txt'] = 'Reject sender and login mismatch'; +$wb['reject_unknown_txt'] = 'Reject unknown hostnames'; +$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks. Not checked for authenticated users.'; +$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames'; +$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames'; +$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames'; $wb['do_not_try_rescue_mongodb_txt'] = 'Zakázat MongoDB monitorování'; $wb['v6_prefix_txt'] = 'IPv6 Prefix'; $wb['vhost_rewrite_v6_txt'] = 'Rewrite IPv6 on Mirror'; 
diff --git a/interface/web/admin/lib/lang/de_server_config.lng b/interface/web/admin/lib/lang/de_server_config.lng index c49adf2396..9a236d92e1 100644 --- a/interface/web/admin/lib/lang/de_server_config.lng +++ b/interface/web/admin/lib/lang/de_server_config.lng @@ -40,6 +40,11 @@ $wb['relayhost_txt'] = 'Relayhost'; $wb['relayhost_user_txt'] = 'Relayhost Benutzer'; $wb['relayhost_password_txt'] = 'Relayhost Passwort'; $wb['reject_sender_login_mismatch_txt'] = 'Zurückweisen von Mails, wenn Sender nicht gleich Login'; +$wb['reject_unknown_txt'] = 'Reject unknown hostnames'; +$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks. Not checked for authenticated users.'; +$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames'; +$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames'; +$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames'; $wb['mailbox_size_limit_txt'] = 'E-Mailkonto Beschränkung'; $wb['message_size_limit_txt'] = 'E-Mailgrößen Beschränkung'; $wb['ip_address_txt'] = 'IP Adresse'; diff --git a/interface/web/admin/lib/lang/dk_server_config.lng b/interface/web/admin/lib/lang/dk_server_config.lng index 5e5106af49..41eaa1fe75 100644 --- a/interface/web/admin/lib/lang/dk_server_config.lng +++ b/interface/web/admin/lib/lang/dk_server_config.lng 
@@ -258,6 +258,11 @@ $wb['mailbox_virtual_uidgid_maps_error_nosingleserver'] = 'Uid cannot be mapped $wb['mailbox_virtual_uidgid_maps_error_nodovecot'] = 'Uid-mapping can only be used with dovecot.'; $wb['mailbox_virtual_uidgid_maps_error_alreadyusers'] = 'Uid-mapping cannot be changed if there are already mail users.'; $wb['reject_sender_login_mismatch_txt'] = 'Reject sender and login mismatch'; +$wb['reject_unknown_txt'] = 'Reject unknown hostnames'; +$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks. Not checked for authenticated users.'; +$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames'; +$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames'; +$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames'; $wb['backup_time_txt'] = 'Backup time'; $wb['do_not_try_rescue_mongodb_txt'] = 'Disable MongoDB monitoring'; $wb['v6_prefix_txt'] = 'IPv6 Prefix'; diff --git a/interface/web/admin/lib/lang/el_server_config.lng b/interface/web/admin/lib/lang/el_server_config.lng index 6f88bc0712..491aa69cb6 100644 --- a/interface/web/admin/lib/lang/el_server_config.lng +++ b/interface/web/admin/lib/lang/el_server_config.lng @@ -40,6 +40,11 @@ $wb['relayhost_txt'] = 'Relayhost'; $wb['relayhost_user_txt'] = 'Χρήστης Relayhost'; $wb['relayhost_password_txt'] = 'Συνθηματικό Relayhost'; $wb['reject_sender_login_mismatch_txt'] = 'Reject sender and login mismatch'; +$wb['reject_unknown_txt'] = 'Reject unknown hostnames'; +$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks. Not checked for authenticated users.'; +$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames'; +$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames'; +$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames'; $wb['mailbox_size_limit_txt'] = 'Όριο χώρου θυρίδας'; $wb['message_size_limit_txt'] = 'Μήνυμα ορίου χώρου'; $wb['ip_address_txt'] = 'Διεύθυνση IP'; 
diff --git a/interface/web/admin/lib/lang/en_server_config.lng b/interface/web/admin/lib/lang/en_server_config.lng index a5560b8515..4858ed2eb8 100644 --- a/interface/web/admin/lib/lang/en_server_config.lng +++ b/interface/web/admin/lib/lang/en_server_config.lng @@ -52,6 +52,16 @@ $wb["relayhost_txt"] = 'Relayhost'; $wb["relayhost_user_txt"] = 'Relayhost User'; $wb["relayhost_password_txt"] = 'Relayhost Password'; $wb['reject_sender_login_mismatch_txt'] = 'Reject sender and login mismatch'; +$wb['reject_unknown_txt'] = 'Reject unknown hostnames'; +$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks. Not checked for authenticated users.'; +$wb['reject_unknown_txt'] = 'Reject unknown hostnames'; +$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks. Not checked for authenticated users.'; +$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames'; +$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames'; +$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames'; +$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames'; +$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames'; +$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames'; $wb["mailbox_size_limit_txt"] = 'Mailbox Size Limit'; $wb["message_size_limit_txt"] = 'Message Size Limit'; $wb["ip_address_txt"] = 'IP Address'; diff --git a/interface/web/admin/lib/lang/es_server_config.lng b/interface/web/admin/lib/lang/es_server_config.lng index 373b7ae0fb..866871de9a 100644 --- a/interface/web/admin/lib/lang/es_server_config.lng +++ b/interface/web/admin/lib/lang/es_server_config.lng 
@@ -233,6 +233,11 @@ $wb['realtime_blackhole_list_txt'] = 'Lista de filtrado en tiempo real'; $wb['stress_adaptive_txt'] = 'Adapt to temporary load spikes'; $wb['tooltip_stress_adaptive_txt'] = 'Enables Postfix stress-adaptive behavior.'; $wb['reject_sender_login_mismatch_txt'] = 'Rechazar remitente e inicio de sesión diferentes'; +$wb['reject_unknown_txt'] = 'Reject unknown hostnames'; +$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks. Not checked for authenticated users.'; +$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames'; +$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames'; +$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames'; $wb['relayhost_password_txt'] = 'Contraseña del servidor de retransmisión'; $wb['relayhost_txt'] = 'Servidor de retransmisión'; $wb['relayhost_user_txt'] = 'Usuario del servidor de retransmisión'; diff --git a/interface/web/admin/lib/lang/fi_server_config.lng b/interface/web/admin/lib/lang/fi_server_config.lng index 9d743dbcfd..61edf1e602 100644 --- a/interface/web/admin/lib/lang/fi_server_config.lng +++ b/interface/web/admin/lib/lang/fi_server_config.lng 
@@ -38,6 +38,11 @@ $wb['relayhost_txt'] = 'Edelleenlähetyspalvelin'; $wb['relayhost_user_txt'] = 'Edelleenlähetyspalvelimen käyttäjätunnus'; $wb['relayhost_password_txt'] = 'Edelleenlähetyspalvelimen salasana'; $wb['reject_sender_login_mismatch_txt'] = 'Reject sender and login mismatch'; +$wb['reject_unknown_txt'] = 'Reject unknown hostnames'; +$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks. Not checked for authenticated users.'; +$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames'; +$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames'; +$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames'; $wb['mailbox_size_limit_txt'] = 'Postilaatikon koko'; $wb['message_size_limit_txt'] = 'Viestien enimmäiskoko'; $wb['ip_address_txt'] = 'IP-osoite'; diff --git a/interface/web/admin/lib/lang/fr_server_config.lng b/interface/web/admin/lib/lang/fr_server_config.lng index 0a06d2344e..657a4e1b54 100644 --- a/interface/web/admin/lib/lang/fr_server_config.lng +++ b/interface/web/admin/lib/lang/fr_server_config.lng 
@@ -258,6 +258,11 @@ $wb['mailbox_virtual_uidgid_maps_error_nosingleserver'] = 'Uid cannot be mapped $wb['mailbox_virtual_uidgid_maps_error_nodovecot'] = 'Uid-mapping can only be used with dovecot.'; $wb['mailbox_virtual_uidgid_maps_error_alreadyusers'] = 'Uid-mapping cannot be changed if there are already mail users.'; $wb['reject_sender_login_mismatch_txt'] = 'Reject sender and login mismatch'; +$wb['reject_unknown_txt'] = 'Reject unknown hostnames'; +$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks. Not checked for authenticated users.'; +$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames'; +$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames'; +$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames'; $wb['do_not_try_rescue_mongodb_txt'] = 'Disable MongoDB monitoring'; $wb['v6_prefix_txt'] = 'IPv6 Prefix'; $wb['vhost_rewrite_v6_txt'] = 'Rewrite IPv6 on Mirror'; diff --git a/interface/web/admin/lib/lang/hr_server_config.lng b/interface/web/admin/lib/lang/hr_server_config.lng index 161ea5efb6..c7be0b3df0 100644 --- a/interface/web/admin/lib/lang/hr_server_config.lng +++ b/interface/web/admin/lib/lang/hr_server_config.lng 
@@ -39,6 +39,11 @@ $wb['relayhost_txt'] = 'Relayhost'; $wb['relayhost_user_txt'] = 'Relayhost korisnik'; $wb['relayhost_password_txt'] = 'Relayhost šifra'; $wb['reject_sender_login_mismatch_txt'] = 'Reject sender and login mismatch'; +$wb['reject_unknown_txt'] = 'Reject unknown hostnames'; +$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks. Not checked for authenticated users.'; +$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames'; +$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames'; +$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames'; $wb['mailbox_size_limit_txt'] = 'Dozvoljena veličina mailboxa'; $wb['message_size_limit_txt'] = 'Dozvoljena veličina emaila'; $wb['ip_address_txt'] = 'IP adresa'; diff --git a/interface/web/admin/lib/lang/hu_server_config.lng b/interface/web/admin/lib/lang/hu_server_config.lng index b3e44761c5..979eacb0e8 100644 --- a/interface/web/admin/lib/lang/hu_server_config.lng +++ b/interface/web/admin/lib/lang/hu_server_config.lng @@ -38,6 +38,11 @@ $wb['relayhost_txt'] = 'Relayhost'; $wb['relayhost_user_txt'] = 'Relayhost User'; $wb['relayhost_password_txt'] = 'Relayhost Password'; $wb['reject_sender_login_mismatch_txt'] = 'Reject sender and login mismatch'; +$wb['reject_unknown_txt'] = 'Reject unknown hostnames'; +$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks. Not checked for authenticated users.'; +$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames'; +$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames'; +$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames'; $wb['mailbox_size_limit_txt'] = 'Mailbox Size Limit'; $wb['message_size_limit_txt'] = 'Message Size Limit'; $wb['ip_address_txt'] = 'IP Address'; diff --git a/interface/web/admin/lib/lang/id_server_config.lng b/interface/web/admin/lib/lang/id_server_config.lng index e6a09d9c06..7179486469 100644 
--- a/interface/web/admin/lib/lang/id_server_config.lng +++ b/interface/web/admin/lib/lang/id_server_config.lng @@ -40,6 +40,11 @@ $wb['relayhost_txt'] = 'Relayhost'; $wb['relayhost_user_txt'] = 'Pengguna Relayhost'; $wb['relayhost_password_txt'] = 'Kata Sandi Relayhost'; $wb['reject_sender_login_mismatch_txt'] = 'Reject sender and login mismatch'; +$wb['reject_unknown_txt'] = 'Reject unknown hostnames'; +$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks. Not checked for authenticated users.'; +$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames'; +$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames'; +$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames'; $wb['mailbox_size_limit_txt'] = 'Batasan Ukuran Mailbox'; $wb['message_size_limit_txt'] = 'Batasan Ukuran Pesan'; $wb['ip_address_txt'] = 'Alamat IP'; diff --git a/interface/web/admin/lib/lang/it_server_config.lng b/interface/web/admin/lib/lang/it_server_config.lng index d98cee7db7..9aa049a488 100644 --- a/interface/web/admin/lib/lang/it_server_config.lng +++ b/interface/web/admin/lib/lang/it_server_config.lng 
@@ -258,6 +258,11 @@ $wb['mailbox_virtual_uidgid_maps_error_nosingleserver'] = 'Uid cannot be mapped $wb['mailbox_virtual_uidgid_maps_error_nodovecot'] = 'Uid-mapping can only be used with dovecot.'; $wb['mailbox_virtual_uidgid_maps_error_alreadyusers'] = 'Uid-mapping cannot be changed if there are already mail users.'; $wb['reject_sender_login_mismatch_txt'] = 'Reject sender and login mismatch'; +$wb['reject_unknown_txt'] = 'Reject unknown hostnames'; +$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks. Not checked for authenticated users.'; +$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames'; +$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames'; +$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames'; $wb['do_not_try_rescue_mongodb_txt'] = 'Disable MongoDB monitoring'; $wb['v6_prefix_txt'] = 'IPv6 Prefix'; $wb['vhost_rewrite_v6_txt'] = 'Rewrite IPv6 on Mirror'; diff --git a/interface/web/admin/lib/lang/ja_server_config.lng b/interface/web/admin/lib/lang/ja_server_config.lng index 392a4d48ee..3de4d2ca1a 100644 --- a/interface/web/admin/lib/lang/ja_server_config.lng +++ b/interface/web/admin/lib/lang/ja_server_config.lng @@ -40,6 +40,11 @@ $wb['relayhost_txt'] = 'リレーホスト'; $wb['relayhost_user_txt'] = 'リレーホストユーザー'; $wb['relayhost_password_txt'] = 'リレーホストパスワード'; $wb['reject_sender_login_mismatch_txt'] = 'Reject sender and login mismatch'; +$wb['reject_unknown_txt'] = 'Reject unknown hostnames'; +$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks. Not checked for authenticated users.'; +$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames'; +$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames'; +$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames'; $wb['mailbox_size_limit_txt'] = 'メールボックスのサイズ'; $wb['message_size_limit_txt'] = 'メッセージの最大サイズ'; $wb['ip_address_txt'] = 'IPアドレス'; 
diff --git a/interface/web/admin/lib/lang/nl_server_config.lng b/interface/web/admin/lib/lang/nl_server_config.lng index b3be619110..7e3edc4398 100644 --- a/interface/web/admin/lib/lang/nl_server_config.lng +++ b/interface/web/admin/lib/lang/nl_server_config.lng @@ -40,6 +40,11 @@ $wb['relayhost_txt'] = 'Relayhost'; $wb['relayhost_user_txt'] = 'Relayhost gebruiker'; $wb['relayhost_password_txt'] = 'Relayhost wachtwoord'; $wb['reject_sender_login_mismatch_txt'] = 'Reject sender and login mismatch'; +$wb['reject_unknown_txt'] = 'Reject unknown hostnames'; +$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks. Not checked for authenticated users.'; +$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames'; +$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames'; +$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames'; $wb['mailbox_size_limit_txt'] = 'Mailbox grootte limiet'; $wb['message_size_limit_txt'] = 'Message grootte limiet'; $wb['ip_address_txt'] = 'IP adres'; diff --git a/interface/web/admin/lib/lang/pl_server_config.lng b/interface/web/admin/lib/lang/pl_server_config.lng index 0072eeeea5..294ed44ee7 100644 --- a/interface/web/admin/lib/lang/pl_server_config.lng +++ b/interface/web/admin/lib/lang/pl_server_config.lng 
@@ -40,6 +40,11 @@ $wb['relayhost_txt'] = 'Adres Relayhost'; $wb['relayhost_user_txt'] = 'Użytkownik Relayhost'; $wb['relayhost_password_txt'] = 'Hasło Relayhost'; $wb['reject_sender_login_mismatch_txt'] = 'Reject sender and login mismatch'; +$wb['reject_unknown_txt'] = 'Reject unknown hostnames'; +$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks. Not checked for authenticated users.'; +$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames'; +$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames'; +$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames'; $wb['mailbox_size_limit_txt'] = 'Maksymalna wielkość skrzynki pocztowej'; $wb['message_size_limit_txt'] = 'Maksymalna wielkość wiadomości'; $wb['ip_address_txt'] = 'Adres IP'; diff --git a/interface/web/admin/lib/lang/pt_server_config.lng b/interface/web/admin/lib/lang/pt_server_config.lng index 391bb582ff..8b9d78d151 100644 --- a/interface/web/admin/lib/lang/pt_server_config.lng +++ b/interface/web/admin/lib/lang/pt_server_config.lng @@ -39,6 +39,11 @@ $wb['relayhost_txt'] = 'Host Relay'; $wb['relayhost_user_txt'] = 'Utilizador do Host Relay'; $wb['relayhost_password_txt'] = 'Senha do Host Relay'; $wb['reject_sender_login_mismatch_txt'] = 'Reject sender and login mismatch'; +$wb['reject_unknown_txt'] = 'Reject unknown hostnames'; +$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks. Not checked for authenticated users.'; +$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames'; +$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames'; +$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames'; $wb['mailbox_size_limit_txt'] = 'Tamanho máximo da Caixa Postal'; $wb['message_size_limit_txt'] = 'Tamanho máximo de mensagem'; $wb['ip_address_txt'] = 'Endereço IP'; 
diff --git a/interface/web/admin/lib/lang/ro_server_config.lng b/interface/web/admin/lib/lang/ro_server_config.lng index d41248a6f7..a1ce64839f 100644 --- a/interface/web/admin/lib/lang/ro_server_config.lng +++ b/interface/web/admin/lib/lang/ro_server_config.lng @@ -39,6 +39,11 @@ $wb['relayhost_txt'] = 'Relayhost'; $wb['relayhost_user_txt'] = 'Relayhost User'; $wb['relayhost_password_txt'] = 'Relayhost Password'; $wb['reject_sender_login_mismatch_txt'] = 'Reject sender and login mismatch'; +$wb['reject_unknown_txt'] = 'Reject unknown hostnames'; +$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks. Not checked for authenticated users.'; +$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames'; +$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames'; +$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames'; $wb['mailbox_size_limit_txt'] = 'Mailbox Size Limit'; $wb['message_size_limit_txt'] = 'Message Size Limit'; $wb['ip_address_txt'] = 'IP Address'; diff --git a/interface/web/admin/lib/lang/ru_server_config.lng b/interface/web/admin/lib/lang/ru_server_config.lng index b75c616eb5..8583ccd434 100644 --- a/interface/web/admin/lib/lang/ru_server_config.lng +++ b/interface/web/admin/lib/lang/ru_server_config.lng 
@@ -37,6 +37,11 @@ $wb['relayhost_txt'] = 'Relay-хост';
 $wb['relayhost_user_txt'] = 'Логин Relay-хоста';
 $wb['relayhost_password_txt'] = 'Пароль Relay-хоста';
 $wb['reject_sender_login_mismatch_txt'] = 'Отклонить при несовпадении отправителя и логина';
+$wb['reject_unknown_txt'] = 'Reject unknown hostnames';
+$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks. Not checked for authenticated users.';
+$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames';
+$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames';
+$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames';
 $wb['mailbox_size_limit_txt'] = 'Лимит объема почтового ящика';
 $wb['message_size_limit_txt'] = 'Лимит размера сообщения';
 $wb['ip_address_txt'] = 'IP-адрес';
diff --git a/interface/web/admin/lib/lang/se_server_config.lng b/interface/web/admin/lib/lang/se_server_config.lng
index d5bf5b2329..ff44861126 100644
--- a/interface/web/admin/lib/lang/se_server_config.lng
+++ b/interface/web/admin/lib/lang/se_server_config.lng
@@ -38,6 +38,11 @@ $wb['relayhost_txt'] = 'Relayhost';
 $wb['relayhost_user_txt'] = 'Relayhost User';
 $wb['relayhost_password_txt'] = 'Relayhost Password';
 $wb['reject_sender_login_mismatch_txt'] = 'Reject sender and login mismatch';
+$wb['reject_unknown_txt'] = 'Reject unknown hostnames';
+$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks. Not checked for authenticated users.';
+$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames';
+$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames';
+$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames';
 $wb['mailbox_size_limit_txt'] = 'Mailbox Size Limit';
 $wb['message_size_limit_txt'] = 'Message Size Limit';
 $wb['ip_address_txt'] = 'IP Address';
diff --git a/interface/web/admin/lib/lang/sk_server_config.lng b/interface/web/admin/lib/lang/sk_server_config.lng
index 2246ad70e7..1efac9e6e6 100644
--- a/interface/web/admin/lib/lang/sk_server_config.lng
+++ b/interface/web/admin/lib/lang/sk_server_config.lng
@@ -40,6 +40,11 @@ $wb['relayhost_txt'] = 'Relayhost';
 $wb['relayhost_user_txt'] = 'Relayhost uživateľ';
 $wb['relayhost_password_txt'] = 'Relayhost heslo';
 $wb['reject_sender_login_mismatch_txt'] = 'Reject sender and login mismatch';
+$wb['reject_unknown_txt'] = 'Reject unknown hostnames';
+$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks. Not checked for authenticated users.';
+$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames';
+$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames';
+$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames';
 $wb['mailbox_size_limit_txt'] = 'Limit ve?kosti poštovej schránky';
 $wb['message_size_limit_txt'] = 'Limit ve?kosti správy';
 $wb['ip_address_txt'] = 'IP Adresa';
diff --git a/interface/web/admin/lib/lang/tr_server_config.lng b/interface/web/admin/lib/lang/tr_server_config.lng
index f4c2cfcd92..25380413fa 100644
--- a/interface/web/admin/lib/lang/tr_server_config.lng
+++ b/interface/web/admin/lib/lang/tr_server_config.lng
@@ -51,6 +51,11 @@ $wb['relayhost_txt'] = 'Aktarım Sunucusu';
 $wb['relayhost_user_txt'] = 'Aktarım Sunucu Kullanıcı Adı';
 $wb['relayhost_password_txt'] = 'Aktarım Sunucu Parolası';
 $wb['reject_sender_login_mismatch_txt'] = 'Gönderen ile Oturum Açmış Kullanıcı Eşleşmiyorsa Reddedilsin';
+$wb['reject_unknown_txt'] = 'Reject unknown hostnames';
+$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks. Not checked for authenticated users.';
+$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames';
+$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames';
+$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames';
 $wb['mailbox_size_limit_txt'] = 'E-posta Kutusu Boyutu Sınırı';
 $wb['message_size_limit_txt'] = 'İleti Boyutu Sınırı';
 $wb['ip_address_txt'] = 'IP Adresi';
diff --git a/interface/web/admin/templates/server_config_mail_edit.htm b/interface/web/admin/templates/server_config_mail_edit.htm
index b7f7c2c6bf..1e63cecca8 100644
--- a/interface/web/admin/templates/server_config_mail_edit.htm
+++ b/interface/web/admin/templates/server_config_mail_edit.htm
@@ -103,6 +103,14 @@
 {tmpl_var name='realtime_blackhole_list_note_txt'}
+
+ + +
diff --git a/server/plugins-available/postfix_server_plugin.inc.php b/server/plugins-available/postfix_server_plugin.inc.php index 0400f68827..e3e731fb1b 100644 --- a/server/plugins-available/postfix_server_plugin.inc.php +++ b/server/plugins-available/postfix_server_plugin.inc.php @@ -121,7 +121,7 @@ class postfix_server_plugin { $value = trim($value); if ($value == '') continue; if (!preg_match('/reject_rbl_client/', $value)) { - $new_options[] = $value; + $new_options[] = trim($value); } else { if(is_array($rbl_hosts) && !empty($rbl_hosts) && !$rbl_updated){ $rbl_updated = true; @@ -142,12 +142,13 @@ class postfix_server_plugin { $app->system->exec_safe("postconf -e ?", 'smtpd_recipient_restrictions = '.implode(", ", $new_options)); } - if($mail_config['reject_sender_login_mismatch'] != $old_ini_data['mail']['reject_sender_login_mismatch']) { + if ($mail_config['reject_sender_login_mismatch'] != $old_ini_data['mail']['reject_sender_login_mismatch']) { $options = preg_split("/,\s*/", exec("postconf -h smtpd_sender_restrictions")); $new_options = array(); foreach ($options as $key => $value) { + if (trim($value) == '') continue; if (!preg_match('/reject_(authenticated_)?sender_login_mismatch/', $value)) { - $new_options[] = $value; + $new_options[] = trim($value); } } 
@@ -158,10 +159,81 @@ class postfix_server_plugin { $app->system->exec_safe("postconf -e ?", 'smtpd_sender_restrictions = '.implode(", ", $new_options)); } - if($mail_config['stress_adaptive']) { - if ($mail_config['stress_adaptive'] == 'y') { + if ($mail_config['reject_unknown']) { + if (($mail_config['reject_unknown'] === 'client') || ($mail_config['reject_unknown'] === 'client_helo')) { + $options = explode(", ", exec("postconf -h smtpd_client_restrictions")); + $new_options = array(); + foreach ($options as $key => $value) { + if (trim($value) == '') continue; + if (!preg_match('/reject_unknown(_client)?_hostname/', $value)) { + $new_options[] = trim($value); + } + } + + reset($new_options); $i = 0; + // insert before explicit permit, or append + for ($i = 0; isset($new_options[$i]); $i++) { + if ($new_options[$i] == 'permit') { + array_splice($new_options, $i, 0, array('reject_unknown_client_hostname')); + break; + } + } + if ($i == count($new_options)) { + $new_options[] = array('reject_unknown_client_hostname'); + } + + $app->system->exec_safe("postconf -e ?", 'smtpd_client_restrictions = '.implode(", ", $new_options)); + } else { + $options = explode(", ", exec("postconf -h smtpd_client_restrictions")); + $new_options = array(); + foreach ($options as $key => $value) { + if (trim($value) == '') continue; + if (!preg_match('/reject_unknown(_client)?_hostname/', $value)) { + $new_options[] = trim($value); + } + } + $app->system->exec_safe("postconf -e ?", 'smtpd_client_restrictions = '.implode(", ", $new_options)); + } - if(version_compare($postfix_version , '3.0', '>=')) { + if (($mail_config['reject_unknown'] === 'helo') || ($mail_config['reject_unknown'] === 'client_helo')) { + $options = explode(", ", exec("postconf -h smtpd_helo_restrictions")); + $new_options = array(); + foreach ($options as $key => $value) { + if (trim($value) == '') continue; + if (!preg_match('/reject_unknown(_helo)?_hostname/', $value)) { + $new_options[] = trim($value); + } + } + 
+ reset($new_options); $i = 0; + // insert before explicit permit, or append + for ($i = 0; isset($new_options[$i]); $i++) { + if ($new_options[$i] == 'permit') { + array_splice($new_options, $i, 0, array('reject_unknown_helo_hostname')); + break; + } + } + if ($i == count($new_options)) { + $new_options[] = array('reject_unknown_helo_hostname'); + } + + $app->system->exec_safe("postconf -e ?", 'smtpd_helo_restrictions = '.implode(", ", $new_options)); + } else { + $options = explode(", ", exec("postconf -h smtpd_helo_restrictions")); + $new_options = array(); + foreach ($options as $key => $value) { + if (trim($value) == '') continue; + if (!preg_match('/reject_unknown(_helo)?_hostname/', $value)) { + $new_options[] = trim($value); + } + } + $app->system->exec_safe("postconf -e ?", 'smtpd_helo_restrictions = '.implode(", ", $new_options)); + } + } + + if ($mail_config['stress_adaptive']) { + if ($mail_config['stress_adaptive'] == 'y') { + if (version_compare($postfix_version , '3.0', '>=')) { $app->system->exec_safe("postconf -e ?", 'in_flow_delay = ${stress?{3}:{1}}s'); $app->system->exec_safe("postconf -e ?", 'smtp_connect_timeout = ${stress?{10}:{30}}s'); $app->system->exec_safe("postconf -e ?", 'smtp_helo_timeout = ${stress?{10}:{60}}s'); -- GitLab From a49bb335aafb6b1edc76201e470cd0a1142b9178 Mon Sep 17 00:00:00 2001 
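Review bot: The append fallback in both the client and helo branches pushes an array instead of a string: `$new_options[] = array('reject_unknown_client_hostname');` and the matching `reject_unknown_helo_hostname` line. When the current restriction list has no explicit `permit`, `implode(", ", $new_options)` renders that element as the literal text `Array`, so `postconf -e` stores a restriction name Postfix does not know and the DNS check the admin enabled is never applied; Postfix is likely to treat the unknown name as a configuration error for incoming sessions. The two lines should read `$new_options[] = 'reject_unknown_client_hostname';` and `$new_options[] = 'reject_unknown_helo_hostname';`. These branches also split with `explode(", ", ...)` where the neighbouring code in this file uses `preg_split("/,\s*/", ...)`, so a list written without a space after the comma would not be split into entries. The enclosing method starts and ends outside this hunk.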
From: Jesse Norell Date: Wed, 10 Jun 2020 12:30:23 -0600 Subject: [PATCH 14/19] fix priveliges typo --- interface/lib/classes/remoting_lib.inc.php | 2 +- interface/web/admin/server_config_edit.php | 4 ++-- interface/web/admin/system_config_edit.php | 4 ++-- interface/web/mail/mail_blacklist_del.php | 2 +- interface/web/mail/mail_blacklist_edit.php | 6 +++--- interface/web/mail/mail_blacklist_list.php | 2 +- interface/web/mail/mail_whitelist_del.php | 2 +- interface/web/mail/mail_whitelist_edit.php | 6 +++--- interface/web/mail/mail_whitelist_list.php | 2 +- interface/web/mail/spamfilter_config_edit.php | 4 ++-- server/plugins-available/mysql_clientdb_plugin.inc.php | 2 +- 11 files changed, 18 insertions(+), 18 deletions(-) diff --git a/interface/lib/classes/remoting_lib.inc.php b/interface/lib/classes/remoting_lib.inc.php index 6f310284dc..6436e6e792 100644 --- a/interface/lib/classes/remoting_lib.inc.php +++ b/interface/lib/classes/remoting_lib.inc.php @@ -131,7 +131,7 @@ class remoting_lib extends tform_base { $this->sys_userid = $user['userid']; $this->sys_default_group = $user['default_group']; $this->sys_groups = $user['groups']; - // we have to force admin priveliges for the remoting API as some function calls might fail otherwise. + // we have to force admin privileges for the remoting API as some function calls might fail otherwise. if($client_login == false) $_SESSION["s"]["user"]["typ"] = 'admin'; } diff --git a/interface/web/admin/server_config_edit.php b/interface/web/admin/server_config_edit.php index 5214d14037..339ac2f2f5 100644 --- a/interface/web/admin/server_config_edit.php +++ b/interface/web/admin/server_config_edit.php 
@@ -79,7 +79,7 @@ class page_action extends tform_actions { function onShowEdit() { global $app, $conf; - if($_SESSION["s"]["user"]["typ"] != 'admin') die('This function needs admin priveliges'); + if($_SESSION["s"]["user"]["typ"] != 'admin') die('This function needs admin privileges'); if($app->tform->errorMessage == '') { $app->uses('ini_parser,getconf'); @@ -115,7 +115,7 @@ class page_action extends tform_actions { function onUpdateSave($sql) { global $app, $conf; - if($_SESSION["s"]["user"]["typ"] != 'admin') die('This function needs admin priveliges'); + if($_SESSION["s"]["user"]["typ"] != 'admin') die('This function needs admin privileges'); $app->uses('ini_parser,getconf'); if($conf['demo_mode'] != true) { diff --git a/interface/web/admin/system_config_edit.php b/interface/web/admin/system_config_edit.php index 9b3102e60e..941f6e0bbe 100644 --- a/interface/web/admin/system_config_edit.php +++ b/interface/web/admin/system_config_edit.php @@ -56,7 +56,7 @@ class page_action extends tform_actions { function onShowEdit() { global $app, $conf; - if($_SESSION["s"]["user"]["typ"] != 'admin') die('This function needs admin priveliges'); + if($_SESSION["s"]["user"]["typ"] != 'admin') die('This function needs admin privileges'); if($app->tform->errorMessage == '') { $app->uses('ini_parser,getconf'); @@ -133,7 +133,7 @@ class page_action extends tform_actions { function onUpdateSave($sql) { global $app, $conf; - if($_SESSION["s"]["user"]["typ"] != 'admin') die('This function needs admin priveliges'); + if($_SESSION["s"]["user"]["typ"] != 'admin') die('This function needs admin privileges'); $app->uses('ini_parser,getconf'); $section = $app->tform->getCurrentTab(); diff --git a/interface/web/mail/mail_blacklist_del.php b/interface/web/mail/mail_blacklist_del.php index d3bbc5d5d5..aa671c4887 100644 --- a/interface/web/mail/mail_blacklist_del.php +++ b/interface/web/mail/mail_blacklist_del.php 
@@ -43,7 +43,7 @@ require_once '../../lib/config.inc.php'; require_once '../../lib/app.inc.php'; -if($_SESSION["s"]["user"]["typ"] != 'admin') $app->error('This function needs admin priveliges'); +if($_SESSION["s"]["user"]["typ"] != 'admin') $app->error('This function needs admin privileges'); //* Check permissions for module $app->auth->check_module_permissions('mail'); diff --git a/interface/web/mail/mail_blacklist_edit.php b/interface/web/mail/mail_blacklist_edit.php index e2f284a34e..b86729b919 100644 --- a/interface/web/mail/mail_blacklist_edit.php +++ b/interface/web/mail/mail_blacklist_edit.php @@ -53,7 +53,7 @@ class page_action extends tform_actions { function onShowNew() { global $app, $conf; - if($_SESSION["s"]["user"]["typ"] != 'admin') die('This function needs admin priveliges'); + if($_SESSION["s"]["user"]["typ"] != 'admin') die('This function needs admin privileges'); parent::onShowNew(); } @@ -61,7 +61,7 @@ class page_action extends tform_actions { function onBeforeUpdate() { global $app, $conf; - if($_SESSION["s"]["user"]["typ"] != 'admin') die('This function needs admin priveliges'); + if($_SESSION["s"]["user"]["typ"] != 'admin') die('This function needs admin privileges'); //* Check if the server has been changed // We do this only for the admin or reseller users, as normal clients can not change the server ID anyway @@ -79,7 +79,7 @@ class page_action extends tform_actions { function onSubmit() { global $app, $conf; - if($_SESSION["s"]["user"]["typ"] != 'admin') die('This function needs admin priveliges'); + if($_SESSION["s"]["user"]["typ"] != 'admin') die('This function needs admin privileges'); if(substr($this->dataRecord['source'], 0, 1) === '@') $this->dataRecord['source'] = substr($this->dataRecord['source'], 1); diff --git a/interface/web/mail/mail_blacklist_list.php b/interface/web/mail/mail_blacklist_list.php index 2bdc1e93b8..ecb24d867c 100644 --- a/interface/web/mail/mail_blacklist_list.php 
+++ b/interface/web/mail/mail_blacklist_list.php @@ -12,7 +12,7 @@ $list_def_file = "list/mail_blacklist.list.php"; * End Form configuration ******************************************/ -if($_SESSION["s"]["user"]["typ"] != 'admin') $app->error('This function needs admin priveliges'); +if($_SESSION["s"]["user"]["typ"] != 'admin') $app->error('This function needs admin privileges'); //* Check permissions for module $app->auth->check_module_permissions('mail'); diff --git a/interface/web/mail/mail_whitelist_del.php b/interface/web/mail/mail_whitelist_del.php index 2294f44868..06ce88550b 100644 --- a/interface/web/mail/mail_whitelist_del.php +++ b/interface/web/mail/mail_whitelist_del.php @@ -42,7 +42,7 @@ $tform_def_file = "form/mail_whitelist.tform.php"; require_once '../../lib/config.inc.php'; require_once '../../lib/app.inc.php'; -if($_SESSION["s"]["user"]["typ"] != 'admin') $app->error('This function needs admin priveliges'); +if($_SESSION["s"]["user"]["typ"] != 'admin') $app->error('This function needs admin privileges'); //* Check permissions for module $app->auth->check_module_permissions('mail'); diff --git a/interface/web/mail/mail_whitelist_edit.php b/interface/web/mail/mail_whitelist_edit.php index 2cf56b1ec4..35fa825ec7 100644 --- a/interface/web/mail/mail_whitelist_edit.php +++ b/interface/web/mail/mail_whitelist_edit.php @@ -53,7 +53,7 @@ class page_action extends tform_actions { function onShowNew() { global $app, $conf; - if($_SESSION["s"]["user"]["typ"] != 'admin') die('This function needs admin priveliges'); + if($_SESSION["s"]["user"]["typ"] != 'admin') die('This function needs admin privileges'); parent::onShowNew(); } 
@@ -61,7 +61,7 @@ class page_action extends tform_actions { function onBeforeUpdate() { global $app, $conf; - if($_SESSION["s"]["user"]["typ"] != 'admin') die('This function needs admin priveliges'); + if($_SESSION["s"]["user"]["typ"] != 'admin') die('This function needs admin privileges'); //* Check if the server has been changed // We do this only for the admin or reseller users, as normal clients can not change the server ID anyway @@ -77,7 +77,7 @@ class page_action extends tform_actions { function onSubmit() { global $app, $conf; - if($_SESSION["s"]["user"]["typ"] != 'admin') die('This function needs admin priveliges'); + if($_SESSION["s"]["user"]["typ"] != 'admin') die('This function needs admin privileges'); if(substr($this->dataRecord['source'], 0, 1) === '@') $this->dataRecord['source'] = substr($this->dataRecord['source'], 1); diff --git a/interface/web/mail/mail_whitelist_list.php b/interface/web/mail/mail_whitelist_list.php index 1a09b6b165..73877797b4 100644 --- a/interface/web/mail/mail_whitelist_list.php +++ b/interface/web/mail/mail_whitelist_list.php @@ -12,7 +12,7 @@ $list_def_file = "list/mail_whitelist.list.php"; * End Form configuration ******************************************/ -if($_SESSION["s"]["user"]["typ"] != 'admin') $app->error('This function needs admin priveliges'); +if($_SESSION["s"]["user"]["typ"] != 'admin') $app->error('This function needs admin privileges'); //* Check permissions for module $app->auth->check_module_permissions('mail'); diff --git a/interface/web/mail/spamfilter_config_edit.php b/interface/web/mail/spamfilter_config_edit.php index 5b3062ab77..9314feeccc 100644 --- a/interface/web/mail/spamfilter_config_edit.php +++ b/interface/web/mail/spamfilter_config_edit.php 
@@ -53,7 +53,7 @@ class page_action extends tform_actions { function onShowEdit() { global $app, $conf; - if($_SESSION["s"]["user"]["typ"] != 'admin') die('This function needs admin priveliges'); + if($_SESSION["s"]["user"]["typ"] != 'admin') die('This function needs admin privileges'); if($app->tform->errorMessage == '') { $app->uses('ini_parser,getconf'); @@ -73,7 +73,7 @@ class page_action extends tform_actions { function onUpdateSave($sql) { global $app; - if($_SESSION["s"]["user"]["typ"] != 'admin') die('This function needs admin priveliges'); + if($_SESSION["s"]["user"]["typ"] != 'admin') die('This function needs admin privileges'); $app->uses('ini_parser,getconf'); $section = $app->tform->getCurrentTab(); diff --git a/server/plugins-available/mysql_clientdb_plugin.inc.php b/server/plugins-available/mysql_clientdb_plugin.inc.php index 72f602f9da..e1fba6e180 100644 --- a/server/plugins-available/mysql_clientdb_plugin.inc.php +++ b/server/plugins-available/mysql_clientdb_plugin.inc.php @@ -529,7 +529,7 @@ class mysql_clientdb_plugin { //* Remote access option has changed. if($data['new']['remote_access'] != $data['old']['remote_access']) { - //* set new priveliges + //* set new privileges if($data['new']['remote_access'] == 'y') { if($db_user) { if($db_user['database_user'] == 'root'){ -- GitLab From 0cd9a9310cb71369f69a1522a8d6d6451c8dca39 Mon Sep 17 00:00:00 2001 From: Jesse Norell Date: Wed, 10 Jun 2020 15:39:20 -0600 Subject: [PATCH 15/19] use postfix proxymap server for all mysql lookup tables. fixes #5472 --- install/tpl/debian_postfix.conf.master | 14 +++++++------- install/tpl/fedora_postfix.conf.master | 14 +++++++------- install/tpl/gentoo_postfix.conf.master | 14 +++++++------- install/tpl/opensuse_postfix.conf.master | 14 +++++++------- .../postfix_server_plugin.inc.php | 4 ++-- 5 files changed, 30 insertions(+), 30 deletions(-) 
diff --git a/install/tpl/debian_postfix.conf.master b/install/tpl/debian_postfix.conf.master index 5ce4671691..156716dd62 100644 --- a/install/tpl/debian_postfix.conf.master +++ b/install/tpl/debian_postfix.conf.master @@ -5,8 +5,8 @@ virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:{co virtual_mailbox_domains = proxy:mysql:{config_dir}/mysql-virtual_domains.cf virtual_mailbox_maps = proxy:mysql:{config_dir}/mysql-virtual_mailboxes.cf virtual_mailbox_base = {vmail_mailbox_base} -virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf -virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf +virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf +virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf sender_bcc_maps = proxy:mysql:{config_dir}/mysql-virtual_outgoing_bcc.cf inet_protocols=all inet_interfaces = all 
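Review bot: The two changed lines keep a hard-coded `/etc/postfix/` path, `virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf` and the `virtual_gid_maps` line below it, while every other map in this template is built from `{config_dir}`. If `{config_dir}` is ever substituted with something other than `/etc/postfix` (not visible here), these two lookups would point at files that are not there and delivery would fail on uid/gid resolution. Since the lines are being touched anyway, consider `virtual_uid_maps = proxy:mysql:{config_dir}/mysql-virtual_uids.cf` and `virtual_gid_maps = proxy:mysql:{config_dir}/mysql-virtual_gids.cf`. The same pair appears in the fedora, gentoo and opensuse templates changed by this commit.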
@@ -21,14 +21,14 @@ smtpd_tls_security_level = may smtpd_tls_cert_file = {config_dir}/smtpd.cert smtpd_tls_key_file = {config_dir}/smtpd.key transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:{config_dir}/mysql-virtual_transports.cf -relay_domains = mysql:{config_dir}/mysql-virtual_relaydomains.cf -relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf +relay_domains = proxy:mysql:{config_dir}/mysql-virtual_relaydomains.cf +relay_recipient_maps = proxy:mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf -proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $smtpd_recipient_restrictions +proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, {reject_unknown_helo_hostname}, permit -smtpd_sender_restrictions = {reject_slm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, 
check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf -smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit +smtpd_sender_restrictions = {reject_slm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf +smtpd_client_restrictions = check_client_access proxy:mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit smtpd_etrn_restrictions = permit_mynetworks, reject smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit smtpd_client_message_rate_limit = 100 diff --git a/install/tpl/fedora_postfix.conf.master b/install/tpl/fedora_postfix.conf.master index d3f1eef6f3..9a14e7412c 100644 --- a/install/tpl/fedora_postfix.conf.master +++ b/install/tpl/fedora_postfix.conf.master @@ -3,8 +3,8 @@ virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:{co virtual_mailbox_domains = proxy:mysql:{config_dir}/mysql-virtual_domains.cf virtual_mailbox_maps = proxy:mysql:{config_dir}/mysql-virtual_mailboxes.cf virtual_mailbox_base = {vmail_mailbox_base} -virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf -virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf +virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf +virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf sender_bcc_maps = proxy:mysql:{config_dir}/mysql-virtual_outgoing_bcc.cf smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes 
@@ -17,14 +17,14 @@ smtpd_tls_security_level = may smtpd_tls_cert_file = {config_dir}/smtpd.cert smtpd_tls_key_file = {config_dir}/smtpd.key transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:{config_dir}/mysql-virtual_transports.cf -relay_domains = mysql:{config_dir}/mysql-virtual_relaydomains.cf -relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf +relay_domains = proxy:mysql:{config_dir}/mysql-virtual_relaydomains.cf +relay_recipient_maps = proxy:mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf -proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $smtpd_recipient_restrictions +proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, {reject_unknown_helo_hostname}, permit -smtpd_sender_restrictions = {reject_slm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, 
check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf -smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit +smtpd_sender_restrictions = {reject_slm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf +smtpd_client_restrictions = check_client_access proxy:mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit smtpd_etrn_restrictions = permit_mynetworks, reject smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit smtpd_client_message_rate_limit = 100 diff --git a/install/tpl/gentoo_postfix.conf.master b/install/tpl/gentoo_postfix.conf.master index 9f57085209..e18d8cf33c 100644 --- a/install/tpl/gentoo_postfix.conf.master +++ b/install/tpl/gentoo_postfix.conf.master @@ -3,8 +3,8 @@ virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:{co virtual_mailbox_domains = proxy:mysql:{config_dir}/mysql-virtual_domains.cf virtual_mailbox_maps = proxy:mysql:{config_dir}/mysql-virtual_mailboxes.cf virtual_mailbox_base = {vmail_mailbox_base} -virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf -virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf +virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf +virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes smtpd_sasl_authenticated_header = yes 
@@ -16,14 +16,14 @@ smtpd_tls_security_level = may smtpd_tls_cert_file = {config_dir}/smtpd.cert smtpd_tls_key_file = {config_dir}/smtpd.key transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:{config_dir}/mysql-virtual_transports.cf -relay_domains = mysql:{config_dir}/mysql-virtual_relaydomains.cf -relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf +relay_domains = proxy:mysql:{config_dir}/mysql-virtual_relaydomains.cf +relay_recipient_maps = proxy:mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf -proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $smtpd_recipient_restrictions +proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, {reject_unknown_helo_hostname}, permit -smtpd_sender_restrictions = {reject_slm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access 
mysql:{config_dir}/mysql-virtual_sender.cf -smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit +smtpd_sender_restrictions = {reject_slm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf +smtpd_client_restrictions = check_client_access proxy:mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit smtpd_etrn_restrictions = permit_mynetworks, reject smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit smtpd_client_message_rate_limit = 100 diff --git a/install/tpl/opensuse_postfix.conf.master b/install/tpl/opensuse_postfix.conf.master index c98342c201..454f678daf 100644 --- a/install/tpl/opensuse_postfix.conf.master +++ b/install/tpl/opensuse_postfix.conf.master @@ -5,8 +5,8 @@ virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:{co virtual_mailbox_domains = proxy:mysql:{config_dir}/mysql-virtual_domains.cf virtual_mailbox_maps = proxy:mysql:{config_dir}/mysql-virtual_mailboxes.cf virtual_mailbox_base = {vmail_mailbox_base} -virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf -virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf +virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf +virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf sender_bcc_maps = proxy:mysql:{config_dir}/mysql-virtual_outgoing_bcc.cf smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes 
@@ -19,14 +19,14 @@ smtpd_tls_security_level = may smtpd_tls_cert_file = {config_dir}/smtpd.cert smtpd_tls_key_file = {config_dir}/smtpd.key transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:{config_dir}/mysql-virtual_transports.cf -relay_domains = mysql:{config_dir}/mysql-virtual_relaydomains.cf -relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf +relay_domains = proxy:mysql:{config_dir}/mysql-virtual_relaydomains.cf +relay_recipient_maps = proxy:mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf -proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $smtpd_recipient_restrictions +proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, {reject_unknown_helo_hostname}, permit -smtpd_sender_restrictions = {reject_slm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, 
check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf -smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit +smtpd_sender_restrictions = {reject_slm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf +smtpd_client_restrictions = check_client_access proxy:mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit smtpd_etrn_restrictions = permit_mynetworks, reject smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit smtpd_client_message_rate_limit = 100 diff --git a/server/plugins-available/postfix_server_plugin.inc.php b/server/plugins-available/postfix_server_plugin.inc.php index e3e731fb1b..cb0566e505 100644 --- a/server/plugins-available/postfix_server_plugin.inc.php +++ b/server/plugins-available/postfix_server_plugin.inc.php 
@@ -338,7 +338,7 @@ class postfix_server_plugin { exec("postconf -e 'milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}'"); exec("postconf -e 'milter_default_action = accept'"); - exec("postconf -e 'smtpd_sender_restrictions = ${rslm} permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf'"); + exec("postconf -e 'smtpd_sender_restrictions = ${rslm} permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf'"); $new_options = array(); $options = preg_split("/,\s*/", exec("postconf -h smtpd_recipient_restrictions")); @@ -376,7 +376,7 @@ class postfix_server_plugin { exec("postconf -e 'content_filter = " . ($configure_lmtp ? "lmtp" : "amavis" ) . ":[127.0.0.1]:10024'"); // fixme: should read this from conf templates - exec("postconf -e 'smtpd_sender_restrictions = ${rslm} check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:/etc/postfix/tag_as_foreign.re, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf'"); + exec("postconf -e 'smtpd_sender_restrictions = ${rslm} check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:/etc/postfix/tag_as_foreign.re, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf'"); } } -- GitLab From 1c7afd4d94d1adef13f381ae37cfc2fa37940297 Mon Sep 17 00:00:00 2001 
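Review bot: Both rewritten `exec("postconf -e 'smtpd_sender_restrictions = …")` lines now write a `proxy:mysql:` table at runtime, but proxymap only serves tables reachable through `proxy_read_maps`. The templates in this commit add `$smtpd_sender_restrictions` to that list, yet nothing in these two hunks makes sure a server whose main.cf predates the change has it. If the update path does not rewrite `proxy_read_maps` (not visible here), sender lookups would fail with an unapproved-table error once the content filter is switched. At minimum, state the dependency next to each call, e.g. `// requires $smtpd_sender_restrictions in proxy_read_maps (set by the install templates)`. The enclosing method starts and ends outside both hunks.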
From: Jesse Norell Date: Wed, 17 Jun 2020 16:21:03 -0600 Subject: [PATCH 16/19] reject_sender_login_mismatch after permit_mynetworks --- install/dist/lib/fedora.lib.php | 3 + install/dist/lib/gentoo.lib.php | 3 + install/dist/lib/opensuse.lib.php | 3 + install/lib/installer_base.lib.php | 29 ++++++--- install/tpl/debian_postfix.conf.master | 2 +- install/tpl/fedora_postfix.conf.master | 2 +- install/tpl/gentoo_postfix.conf.master | 2 +- install/tpl/opensuse_postfix.conf.master | 2 +- .../postfix_server_plugin.inc.php | 65 +++++++++++-------- 9 files changed, 70 insertions(+), 41 deletions(-) diff --git a/install/dist/lib/fedora.lib.php b/install/dist/lib/fedora.lib.php index 76d6ccae02..2d31b89bbd 100644 --- a/install/dist/lib/fedora.lib.php +++ b/install/dist/lib/fedora.lib.php @@ -153,8 +153,10 @@ class installer_dist extends installer_base { } $reject_sender_login_mismatch = ''; + $reject_authenticated_sender_login_mismatch = ''; if(isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) { $reject_sender_login_mismatch = ', reject_sender_login_mismatch'; + $reject_authenticated_sender_login_mismatch = 'reject_authenticated_sender_login_mismatch, '; } # placeholder includes comment char @@ -170,6 +172,7 @@ class installer_dist extends installer_base { '{rbl_list}' => $rbl_list, '{greylisting}' => $greylisting, '{reject_slm}' => $reject_sender_login_mismatch, + '{reject_aslm}' => $reject_authenticated_sender_login_mismatch, $stress_adaptive_placeholder => $stress_adaptive, ); diff --git a/install/dist/lib/gentoo.lib.php b/install/dist/lib/gentoo.lib.php index 638de69735..342a583fac 100644 --- a/install/dist/lib/gentoo.lib.php +++ b/install/dist/lib/gentoo.lib.php 
@@ -102,8 +102,10 @@ class installer extends installer_base } $reject_sender_login_mismatch = ''; + $reject_authenticated_sender_login_mismatch = ''; if(isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) { $reject_sender_login_mismatch = ', reject_sender_login_mismatch'; + $reject_authenticated_sender_login_mismatch = 'reject_authenticated_sender_login_mismatch, '; } # placeholder includes comment char @@ -119,6 +121,7 @@ class installer extends installer_base '{rbl_list}' => $rbl_list, '{greylisting}' => $greylisting, '{reject_slm}' => $reject_sender_login_mismatch, + '{reject_aslm}' => $reject_authenticated_sender_login_mismatch, $stress_adaptive_placeholder => $stress_adaptive, ); diff --git a/install/dist/lib/opensuse.lib.php b/install/dist/lib/opensuse.lib.php index de77dcd9d4..07dd5cc690 100644 --- a/install/dist/lib/opensuse.lib.php +++ b/install/dist/lib/opensuse.lib.php @@ -164,8 +164,10 @@ class installer_dist extends installer_base { } $reject_sender_login_mismatch = ''; + $reject_authenticated_sender_login_mismatch = ''; if(isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) { $reject_sender_login_mismatch = ', reject_sender_login_mismatch'; + $reject_authenticated_sender_login_mismatch = 'reject_authenticated_sender_login_mismatch, '; } # placeholder includes comment char @@ -181,6 +183,7 @@ class installer_dist extends installer_base { '{rbl_list}' => $rbl_list, '{greylisting}' => $greylisting, '{reject_slm}' => $reject_sender_login_mismatch, + '{reject_aslm}' => $reject_authenticated_sender_login_mismatch, $stress_adaptive_placeholder => $stress_adaptive, ); diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 4c7ee2b772..12b86fae1e 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php 
@@ -1077,8 +1077,10 @@ class installer_base { } $reject_sender_login_mismatch = ''; + $reject_authenticated_sender_login_mismatch = ''; if (isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) { $reject_sender_login_mismatch = ',reject_sender_login_mismatch,'; + $reject_authenticated_sender_login_mismatch = 'reject_authenticated_sender_login_mismatch, '; } # placeholder includes comment char @@ -1095,8 +1097,8 @@ class installer_base { } unset($server_ini_array); - - $tmp = str_replace('.','\.',$conf['hostname']); + + $myhostname = str_replace('.','\.',$conf['hostname']); $postconf_placeholders = array('{config_dir}' => $config_dir, '{vmail_mailbox_base}' => $cf['vmail_mailbox_base'], @@ -1105,7 +1107,8 @@ class installer_base { '{rbl_list}' => $rbl_list, '{greylisting}' => $greylisting, '{reject_slm}' => $reject_sender_login_mismatch, - '{myhostname}' => $tmp, + '{reject_aslm}' => $reject_authenticated_sender_login_mismatch, + '{myhostname}' => $myhostname, $stress_adaptive_placeholder => $stress_adaptive, '{reject_unknown_client_hostname}' => $reject_unknown_client_hostname, '{reject_unknown_helo_hostname}' => $reject_unknown_helo_hostname, 
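Review bot: The context line `$reject_sender_login_mismatch = ',reject_sender_login_mismatch,';` no longer fits the template position this commit introduces: `permit_mynetworks{reject_slm}, permit_sasl_authenticated` expands to `permit_mynetworks,reject_sender_login_mismatch,, permit_sasl_authenticated`, with a doubled comma. The fedora, gentoo and opensuse installer classes in the same commit use `', reject_sender_login_mismatch'`, which expands cleanly. Postfix probably tolerates the empty element, but the base installer should match: `$reject_sender_login_mismatch = ', reject_sender_login_mismatch';`. The enclosing method starts and ends outside the hunk.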
@@ -1692,24 +1695,30 @@ class installer_base { if(! isset($mail_config['reject_sender_login_mismatch'])) { $mail_config['reject_sender_login_mismatch'] = 'n'; } - $options = explode(", ", exec("postconf -h smtpd_sender_restrictions")); + $options = explode(",", exec("postconf -h smtpd_sender_restrictions")); $new_options = array(); foreach ($options as $key => $value) { - if (trim($value) == '') continue; + if (($value = trim($value)) == '') continue; if (preg_match('/tag_as_(originating|foreign)\.re/', $value)) { continue; } - if (!preg_match('/reject_(authenticated_)?sender_login_mismatch/', $value)) { - $new_options[] = trim($value); + if (preg_match('/reject_(authenticated_)?sender_login_mismatch/', $value)) { + continue; } + $new_options[] = $value; } if ($mail_config['reject_sender_login_mismatch'] == 'y') { - reset($new_options); - array_splice($new_options, 0, 0, array('reject_sender_login_mismatch')); + array_splice($new_options, 0, 0, array('reject_authenticated_sender_login_mismatch')); + + for ($i = 0; isset($new_options[$i]); $i++) { + if ($new_options[$i] == 'permit_mynetworks') { + array_splice($new_options, $i+1, 0, array('reject_sender_login_mismatch')); + break; + } + } } exec("postconf -e 'smtpd_sender_restrictions = ".implode(", ", $new_options)."'"); - $options = preg_split("/,\s*/", exec("postconf -h smtpd_recipient_restrictions")); $new_options = array(); foreach ($options as $value) { diff --git a/install/tpl/debian_postfix.conf.master b/install/tpl/debian_postfix.conf.master index 156716dd62..05d95fa9b6 100644 --- a/install/tpl/debian_postfix.conf.master +++ b/install/tpl/debian_postfix.conf.master 
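Review bot: When the existing `smtpd_sender_restrictions` contains no `permit_mynetworks` entry, the new `for` loop never inserts `reject_sender_login_mismatch`, so with the option set to 'y' only the authenticated-sender check is applied; the removed code always placed it at the front. Falling back to the front keeps the check in force: `$pos = array_search('permit_mynetworks', $new_options);` followed by `array_splice($new_options, $pos === false ? 0 : $pos + 1, 0, array('reject_sender_login_mismatch'));`. The same loop is added in the `@@ -146,31 +146,39 @@` hunk of postfix_server_plugin.inc.php and needs the same fallback. The enclosing function starts and ends outside the hunk.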
@@ -27,7 +27,7 @@ smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_ma proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, {reject_unknown_helo_hostname}, permit -smtpd_sender_restrictions = {reject_slm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf +smtpd_sender_restrictions = {reject_aslm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks{reject_slm}, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf smtpd_client_restrictions = check_client_access proxy:mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit smtpd_etrn_restrictions = permit_mynetworks, reject smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit diff --git a/install/tpl/fedora_postfix.conf.master b/install/tpl/fedora_postfix.conf.master index 9a14e7412c..5330b69c16 100644 
--- a/install/tpl/fedora_postfix.conf.master +++ b/install/tpl/fedora_postfix.conf.master @@ -23,7 +23,7 @@ smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_ma proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, {reject_unknown_helo_hostname}, permit -smtpd_sender_restrictions = {reject_slm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf +smtpd_sender_restrictions = {reject_aslm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks{reject_slm}, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf smtpd_client_restrictions = check_client_access proxy:mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit smtpd_etrn_restrictions = permit_mynetworks, reject smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit 
diff --git a/install/tpl/gentoo_postfix.conf.master b/install/tpl/gentoo_postfix.conf.master
index e18d8cf33c..8210f809a6 100644
--- a/install/tpl/gentoo_postfix.conf.master
+++ b/install/tpl/gentoo_postfix.conf.master
@@ -22,7 +22,7 @@ smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_ma proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, {reject_unknown_helo_hostname}, permit -smtpd_sender_restrictions = {reject_slm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf +smtpd_sender_restrictions = {reject_aslm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks{reject_slm}, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf smtpd_client_restrictions = check_client_access proxy:mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit smtpd_etrn_restrictions = permit_mynetworks, reject smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit diff --git a/install/tpl/opensuse_postfix.conf.master b/install/tpl/opensuse_postfix.conf.master index 454f678daf..60873e9400 100644 
--- a/install/tpl/opensuse_postfix.conf.master +++ b/install/tpl/opensuse_postfix.conf.master @@ -25,7 +25,7 @@ smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_ma proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, {reject_unknown_helo_hostname}, permit -smtpd_sender_restrictions = {reject_slm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf +smtpd_sender_restrictions = {reject_aslm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks{reject_slm}, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf smtpd_client_restrictions = check_client_access proxy:mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit smtpd_etrn_restrictions = permit_mynetworks, reject smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit 
diff --git a/server/plugins-available/postfix_server_plugin.inc.php b/server/plugins-available/postfix_server_plugin.inc.php index cb0566e505..24c50f422d 100644 --- a/server/plugins-available/postfix_server_plugin.inc.php +++ b/server/plugins-available/postfix_server_plugin.inc.php @@ -121,7 +121,7 @@ class postfix_server_plugin { $value = trim($value); if ($value == '') continue; if (!preg_match('/reject_rbl_client/', $value)) { - $new_options[] = trim($value); + $new_options[] = $value; } else { if(is_array($rbl_hosts) && !empty($rbl_hosts) && !$rbl_updated){ $rbl_updated = true; 
@@ -146,31 +146,39 @@ class postfix_server_plugin { $options = preg_split("/,\s*/", exec("postconf -h smtpd_sender_restrictions")); $new_options = array(); foreach ($options as $key => $value) { - if (trim($value) == '') continue; - if (!preg_match('/reject_(authenticated_)?sender_login_mismatch/', $value)) { - $new_options[] = trim($value); + if (($value = trim($value)) == '') continue; + if (preg_match('/reject_(authenticated_)?sender_login_mismatch/', $value)) { + continue; } + $new_options[] = $value; } if ($mail_config['reject_sender_login_mismatch'] == 'y') { - reset($new_options); - array_splice($new_options, 0, 0, array('reject_sender_login_mismatch')); + array_splice($new_options, 0, 0, array('reject_authenticated_sender_login_mismatch')); + + for ($i = 0; isset($new_options[$i]); $i++) { + if ($new_options[$i] == 'permit_mynetworks') { + array_splice($new_options, $i+1, 0, array('reject_sender_login_mismatch')); + break; + } + } } + $app->system->exec_safe("postconf -e ?", 'smtpd_sender_restrictions = '.implode(", ", $new_options)); } if ($mail_config['reject_unknown']) { if (($mail_config['reject_unknown'] === 'client') || ($mail_config['reject_unknown'] === 'client_helo')) { - $options = explode(", ", exec("postconf -h smtpd_client_restrictions")); + $options = explode(",", exec("postconf -h smtpd_client_restrictions")); $new_options = array(); foreach ($options as $key => $value) { - if (trim($value) == '') continue; - if (!preg_match('/reject_unknown(_client)?_hostname/', $value)) { - $new_options[] = trim($value); + if (($value = trim($value)) == '') continue; + if (preg_match('/reject_unknown(_client)?_hostname/', $value)) { + continue; } + $new_options[] = $value; } - reset($new_options); $i = 0; // insert before explicit permit, or append for ($i = 0; isset($new_options[$i]); $i++) { if ($new_options[$i] == 'permit') { 
@@ -184,28 +192,29 @@ class postfix_server_plugin { $app->system->exec_safe("postconf -e ?", 'smtpd_client_restrictions = '.implode(", ", $new_options)); } else { - $options = explode(", ", exec("postconf -h smtpd_client_restrictions")); + $options = explode(",", exec("postconf -h smtpd_client_restrictions")); $new_options = array(); foreach ($options as $key => $value) { - if (trim($value) == '') continue; - if (!preg_match('/reject_unknown(_client)?_hostname/', $value)) { - $new_options[] = trim($value); + if (($value = trim($value)) == '') continue; + if (preg_match('/reject_unknown(_client)?_hostname/', $value)) { + continue; } + $new_options[] = $value; } $app->system->exec_safe("postconf -e ?", 'smtpd_client_restrictions = '.implode(", ", $new_options)); } if (($mail_config['reject_unknown'] === 'helo') || ($mail_config['reject_unknown'] === 'client_helo')) { - $options = explode(", ", exec("postconf -h smtpd_helo_restrictions")); + $options = explode(",", exec("postconf -h smtpd_helo_restrictions")); $new_options = array(); foreach ($options as $key => $value) { - if (trim($value) == '') continue; - if (!preg_match('/reject_unknown(_helo)?_hostname/', $value)) { - $new_options[] = trim($value); + if (($value = trim($value)) == '') continue; + if (preg_match('/reject_unknown(_helo)?_hostname/', $value)) { + continue; } + $new_options[] = $value; } - reset($new_options); $i = 0; // insert before explicit permit, or append for ($i = 0; isset($new_options[$i]); $i++) { if ($new_options[$i] == 'permit') { 
@@ -219,13 +228,14 @@ class postfix_server_plugin { $app->system->exec_safe("postconf -e ?", 'smtpd_helo_restrictions = '.implode(", ", $new_options)); } else { - $options = explode(", ", exec("postconf -h smtpd_helo_restrictions")); + $options = explode(",", exec("postconf -h smtpd_helo_restrictions")); $new_options = array(); foreach ($options as $key => $value) { - if (trim($value) == '') continue; - if (!preg_match('/reject_unknown(_helo)?_hostname/', $value)) { - $new_options[] = trim($value); + if (($value = trim($value)) == '') continue; + if (preg_match('/reject_unknown(_helo)?_hostname/', $value)) { + continue; } + $new_options[] = $value; } $app->system->exec_safe("postconf -e ?", 'smtpd_helo_restrictions = '.implode(", ", $new_options)); } @@ -254,7 +264,7 @@ class postfix_server_plugin { $app->system->exec_safe("postconf -e ?", 'smtpd_soft_error_limit = ${stress?2}${stress:5}'); $app->system->exec_safe("postconf -e ?", 'smtpd_timeout = ${stress?10}${stress:60}s'); } - } else { // mail_config['reject_sender_login_mismatch'] == 'n' + } else { // mail_config['stress_adaptive'] == 'n' exec("postconf -X 'in_flow_delay'"); exec("postconf -X 'smtp_connect_timeout'"); exec("postconf -X 'smtp_helo_timeout'"); @@ -327,6 +337,7 @@ class postfix_server_plugin { if($mail_config['content_filter'] != $old_ini_data['mail']['content_filter']) { $rslm = ($mail_config['reject_sender_login_mismatch'] == 'y') ? "reject_sender_login_mismatch," : ""; + $raslm = ($mail_config['reject_sender_login_mismatch'] == 'y') ? "reject_authenticated_sender_login_mismatch," : ""; if($mail_config['content_filter'] == 'rspamd'){ exec("postconf -X 'receive_override_options'"); 
@@ -338,7 +349,7 @@ class postfix_server_plugin { exec("postconf -e 'milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}'"); exec("postconf -e 'milter_default_action = accept'"); - exec("postconf -e 'smtpd_sender_restrictions = ${rslm} permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf'"); + exec("postconf -e 'smtpd_sender_restrictions = ${raslm} permit_mynetworks, ${rslm} permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf'"); $new_options = array(); $options = preg_split("/,\s*/", exec("postconf -h smtpd_recipient_restrictions")); @@ -376,7 +387,7 @@ class postfix_server_plugin { exec("postconf -e 'content_filter = " . ($configure_lmtp ? "lmtp" : "amavis" ) . ":[127.0.0.1]:10024'"); // fixme: should read this from conf templates - exec("postconf -e 'smtpd_sender_restrictions = ${rslm} check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:/etc/postfix/tag_as_foreign.re, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf'"); + exec("postconf -e 'smtpd_sender_restrictions = ${raslm} check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, ${rslm} permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:/etc/postfix/tag_as_foreign.re, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf'"); } } -- GitLab From 72fbc875e0846405c4113859c1656ef0c009daf6 Mon Sep 17 00:00:00 2001 From: Jesse Norell Date: Mon, 13 Jul 2020 17:19:13 -0600 Subject: [PATCH 17/19] enable_original_recipient = no for postfix > 3.2 --- install/lib/installer_base.lib.php | 9 +++++++-- install/tpl/postfix_3-3.conf.master | 4 ++++ 2 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 install/tpl/postfix_3-3.conf.master 
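Review bot: The two rewritten `smtpd_sender_restrictions` lines still build the shell command with raw `exec()` and `${raslm}` / `${rslm}` interpolation, while the restriction updates earlier in this plugin go through `$app->system->exec_safe("postconf -e ?", …)`. The interpolated values are constants, so this is a consistency point rather than an injection, but the `${var}` string form is deprecated as of PHP 8.2 and the single-quoted shell argument is easy to break on a later edit. Suggested form for both calls: `$app->system->exec_safe("postconf -e ?", "smtpd_sender_restrictions = {$raslm} permit_mynetworks, {$rslm} permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf");`, with the amavis variant keeping its two `tag_as_*` entries. Both calls also overwrite the whole list with a hard-coded `/etc/postfix` path, which the existing fixme already acknowledges.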
diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 12b86fae1e..d80c1872bf 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php @@ -1137,6 +1137,12 @@ class installer_base { $content = strtr($content, $postconf_placeholders); $postconf_commands = array_merge($postconf_commands, array_filter(explode("\n", $content))); } + if(version_compare($postfix_version , '3.3', '>=')) { + $configfile = 'postfix_3-3.conf'; + $content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master'); + $content = strtr($content, $postconf_placeholders); + $postconf_commands = array_merge($postconf_commands, array_filter(explode("\n", $content))); + } //* These postconf commands will be executed on installation only if($this->is_update == false) { @@ -1453,7 +1459,6 @@ class installer_base { $postconf_commands[] = "enable_original_recipient = yes"; } } - #exec("postconf -e 'smtpd_recipient_restrictions = ".implode(", ", $new_options)."'"); $postconf_commands[] = "smtpd_recipient_restrictions = ".implode(", ", $new_options); // Executing the postconf commands @@ -1675,7 +1680,7 @@ class installer_base { public function configure_rspamd() { global $conf; - + //* These postconf commands will be executed on installation and update $server_ini_rec = $this->db->queryOneRecord("SELECT config FROM ?? WHERE server_id = ?", $conf["mysql"]["database"] . '.server', $conf['server_id']); $server_ini_array = ini_to_array(stripslashes($server_ini_rec['config'])); diff --git a/install/tpl/postfix_3-3.conf.master b/install/tpl/postfix_3-3.conf.master new file mode 100644 index 0000000000..01b3e7f590 --- /dev/null +++ b/install/tpl/postfix_3-3.conf.master @@ -0,0 +1,4 @@ +# Postfix configuration for version 3.3 and up + +# 3.2 and earlier should not have this set when using reject_unverified_recipient +enable_original_recipient = no -- GitLab 
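Review bot: The new `postfix_3-3.conf` block queues `enable_original_recipient = no`, but the context of the next hunk in this file shows `$postconf_commands[] = "enable_original_recipient = yes";` being appended later to the same command list. The condition guarding that line is outside the hunk; if both run on Postfix 3.3 or later, the later `yes` silently wins. Please state the intended precedence at the new block, e.g. `// default for postfix >= 3.3; a later command in this list may set it back to yes`, or skip the template when the later branch applies. The block also repeats the three template-loading lines directly above it, which could be folded into one loop over the config file names.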
From 3d74fe27ef979953be79aebb643560d64ca15304 Mon Sep 17 00:00:00 2001 From: Jesse Norell Date: Wed, 15 Jul 2020 10:55:29 -0600 Subject: [PATCH 18/19] fix issues from MR 1053 review --- install/lib/installer_base.lib.php | 7 +++--- .../postfix_server_plugin.inc.php | 25 +++++++++++-------- 2 files changed, 19 insertions(+), 13 deletions(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index d80c1872bf..fc27da8df3 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php @@ -1450,7 +1450,7 @@ class installer_base { if ($configure_lmtp) { for ($i = 0; isset($new_options[$i]); $i++) { if ($new_options[$i] == 'reject_unlisted_recipient') { - array_splice($new_options, $i+1, 0, array("check_recipient_access proxy:mysql:${config_dir}/mysql-verify_recipients.cf")); + array_splice($new_options, $i+1, 0, array("check_recipient_access proxy:mysql:${quoted_config_dir}/mysql-verify_recipients.cf")); break; } } @@ -1700,10 +1700,11 @@ class installer_base { if(! isset($mail_config['reject_sender_login_mismatch'])) { $mail_config['reject_sender_login_mismatch'] = 'n'; } - $options = explode(",", exec("postconf -h smtpd_sender_restrictions")); + $options = preg_split("/,\s*/", exec("postconf -h smtpd_sender_restrictions")); $new_options = array(); foreach ($options as $key => $value) { - if (($value = trim($value)) == '') continue; + $value = trim($value); + if ($value == '') continue; if (preg_match('/tag_as_(originating|foreign)\.re/', $value)) { continue; } diff --git a/server/plugins-available/postfix_server_plugin.inc.php b/server/plugins-available/postfix_server_plugin.inc.php index 24c50f422d..2d6f063cd8 100644 --- a/server/plugins-available/postfix_server_plugin.inc.php +++ b/server/plugins-available/postfix_server_plugin.inc.php 
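Review bot: In the `@@ -1450,7 +1450,7 @@` hunk, the string spliced into `$new_options` is written to Postfix verbatim, so it should carry the plain directory rather than `${quoted_config_dir}`. That variable is defined outside the hunk; if it is a regex-escaped copy of `$config_dir`, as the name suggests, any escaped character in the path would end up in main.cf. Keep `${config_dir}` for the inserted value and reserve the quoted form for pattern matching: `array_splice($new_options, $i+1, 0, array("check_recipient_access proxy:mysql:${config_dir}/mysql-verify_recipients.cf"));`. The same substitution is made with `${quoted_postfix_config_dir}` in the `@@ -324,7 +329,7 @@` hunk of postfix_server_plugin.inc.php.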
@@ -146,7 +146,8 @@ class postfix_server_plugin { $options = preg_split("/,\s*/", exec("postconf -h smtpd_sender_restrictions")); $new_options = array(); foreach ($options as $key => $value) { - if (($value = trim($value)) == '') continue; + $value = trim($value); + if ($value == '') continue; if (preg_match('/reject_(authenticated_)?sender_login_mismatch/', $value)) { continue; } @@ -169,10 +170,11 @@ class postfix_server_plugin { if ($mail_config['reject_unknown']) { if (($mail_config['reject_unknown'] === 'client') || ($mail_config['reject_unknown'] === 'client_helo')) { - $options = explode(",", exec("postconf -h smtpd_client_restrictions")); + $options = preg_split("/,\s*/", exec("postconf -h smtpd_client_restrictions")); $new_options = array(); foreach ($options as $key => $value) { - if (($value = trim($value)) == '') continue; + $value = trim($value); + if ($value == '') continue; if (preg_match('/reject_unknown(_client)?_hostname/', $value)) { continue; } @@ -192,10 +194,11 @@ class postfix_server_plugin { $app->system->exec_safe("postconf -e ?", 'smtpd_client_restrictions = '.implode(", ", $new_options)); } else { - $options = explode(",", exec("postconf -h smtpd_client_restrictions")); + $options = preg_split("/,\s*/", exec("postconf -h smtpd_client_restrictions")); $new_options = array(); foreach ($options as $key => $value) { - if (($value = trim($value)) == '') continue; + $value = trim($value); + if ($value == '') continue; if (preg_match('/reject_unknown(_client)?_hostname/', $value)) { continue; } 
@@ -205,10 +208,11 @@ class postfix_server_plugin { } if (($mail_config['reject_unknown'] === 'helo') || ($mail_config['reject_unknown'] === 'client_helo')) { - $options = explode(",", exec("postconf -h smtpd_helo_restrictions")); + $options = preg_split("/,\s*/", exec("postconf -h smtpd_helo_restrictions")); $new_options = array(); foreach ($options as $key => $value) { - if (($value = trim($value)) == '') continue; + $value = trim($value); + if ($value == '') continue; if (preg_match('/reject_unknown(_helo)?_hostname/', $value)) { continue; } @@ -228,10 +232,11 @@ class postfix_server_plugin { $app->system->exec_safe("postconf -e ?", 'smtpd_helo_restrictions = '.implode(", ", $new_options)); } else { - $options = explode(",", exec("postconf -h smtpd_helo_restrictions")); + $options = preg_split("/,\s*/", exec("postconf -h smtpd_helo_restrictions")); $new_options = array(); foreach ($options as $key => $value) { - if (($value = trim($value)) == '') continue; + $value = trim($value); + if ($value == '') continue; if (preg_match('/reject_unknown(_helo)?_hostname/', $value)) { continue; } @@ -324,7 +329,7 @@ class postfix_server_plugin { if (defined($configure_lmtp) && $configure_lmtp) { for ($i = 0; isset($new_options[$i]); $i++) { if ($new_options[$i] == 'reject_unlisted_recipient') { - array_splice($new_options, $i+1, 0, array("check_recipient_access proxy:mysql:${postfix_config_dir}/mysql-verify_recipients.cf")); + array_splice($new_options, $i+1, 0, array("check_recipient_access proxy:mysql:${quoted_postfix_config_dir}/mysql-verify_recipients.cf")); break; } } -- GitLab From b5c621ff0bd24b1c979b1a8eb3de588d8d43a35e Mon Sep 17 00:00:00 2001 
From: Jesse Norell Date: Wed, 15 Jul 2020 11:51:10 -0600 Subject: [PATCH 19/19] client whitelist bypasses rbl lookup. fixes #5667 --- install/tpl/debian_postfix.conf.master | 4 ++-- install/tpl/fedora_postfix.conf.master | 4 ++-- install/tpl/gentoo_postfix.conf.master | 4 ++-- install/tpl/opensuse_postfix.conf.master | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/install/tpl/debian_postfix.conf.master b/install/tpl/debian_postfix.conf.master index 05d95fa9b6..07128357e4 100644 --- a/install/tpl/debian_postfix.conf.master +++ b/install/tpl/debian_postfix.conf.master @@ -15,7 +15,7 @@ broken_sasl_auth_clients = yes smtpd_sasl_authenticated_header = yes smtpd_restriction_classes = greylisting greylisting = check_policy_service inet:127.0.0.1:10023 -smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, check_recipient_access proxy:mysql:{config_dir}/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:{config_dir}/mysql-virtual_recipient.cf{rbl_list}{greylisting}, check_policy_service unix:private/quota-status +smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, check_recipient_access proxy:mysql:{config_dir}/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:{config_dir}/mysql-virtual_recipient.cf{greylisting}, check_policy_service unix:private/quota-status smtpd_use_tls = yes smtpd_tls_security_level = may smtpd_tls_cert_file = {config_dir}/smtpd.cert 
@@ -28,7 +28,7 @@ proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virt
 smtpd_helo_required = yes
 smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, {reject_unknown_helo_hostname}, permit
 smtpd_sender_restrictions = {reject_aslm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks{reject_slm}, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf
-smtpd_client_restrictions = check_client_access proxy:mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit
+smtpd_client_restrictions = check_client_access proxy:mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks{rbl_list}, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit
 smtpd_etrn_restrictions = permit_mynetworks, reject
 smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
 smtpd_client_message_rate_limit = 100
diff --git a/install/tpl/fedora_postfix.conf.master b/install/tpl/fedora_postfix.conf.master
index 5330b69c16..a580f6a042 100644
--- a/install/tpl/fedora_postfix.conf.master
+++ b/install/tpl/fedora_postfix.conf.master
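Review bot: In `smtpd_client_restrictions` of the debian template the `{rbl_list}` placeholder now sits between `permit_mynetworks` and `permit_sasl_authenticated`, so whatever it expands to is evaluated before authenticated clients are permitted. Assuming it expands to DNSBL rejections, a user who authenticates from a listed address (dynamic or residential ranges commonly are) would be rejected despite valid credentials. The old placement after `permit_sasl_authenticated` in `smtpd_recipient_restrictions` did not do that. Moving the placeholder one entry later, `permit_mynetworks, permit_sasl_authenticated{rbl_list}, reject_unauth_pipelining`, keeps the `check_client_access` whitelist ahead of the lookup while leaving authenticated submission unaffected. The same line is changed in the fedora, gentoo and opensuse templates later in this patch.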
@@ -11,7 +11,7 @@ broken_sasl_auth_clients = yes
 smtpd_sasl_authenticated_header = yes
 smtpd_restriction_classes = greylisting
 greylisting = check_policy_service inet:127.0.0.1:10023
-smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, check_recipient_access proxy:mysql:{config_dir}/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:{config_dir}/mysql-virtual_recipient.cf{rbl_list}{greylisting}, check_policy_service unix:private/quota-status
+smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, check_recipient_access proxy:mysql:{config_dir}/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:{config_dir}/mysql-virtual_recipient.cf{greylisting}, check_policy_service unix:private/quota-status
 smtpd_use_tls = yes
 smtpd_tls_security_level = may
 smtpd_tls_cert_file = {config_dir}/smtpd.cert
@@ -24,7 +24,7 @@ proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virt
 smtpd_helo_required = yes
 smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, {reject_unknown_helo_hostname}, permit
 smtpd_sender_restrictions = {reject_aslm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks{reject_slm}, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf
-smtpd_client_restrictions = check_client_access proxy:mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit
+smtpd_client_restrictions = check_client_access proxy:mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks{rbl_list}, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit
 smtpd_etrn_restrictions = permit_mynetworks, reject
 smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
 smtpd_client_message_rate_limit = 100
diff --git a/install/tpl/gentoo_postfix.conf.master b/install/tpl/gentoo_postfix.conf.master
index 8210f809a6..d0ed3d69f7 100644
--- a/install/tpl/gentoo_postfix.conf.master
+++ b/install/tpl/gentoo_postfix.conf.master
@@ -10,7 +10,7 @@ broken_sasl_auth_clients = yes
 smtpd_sasl_authenticated_header = yes
 smtpd_restriction_classes = greylisting
 greylisting = check_policy_service inet:127.0.0.1:10023
-smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, check_recipient_access proxy:mysql:{config_dir}/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:{config_dir}/mysql-virtual_recipient.cf{rbl_list}{greylisting}, check_policy_service unix:private/quota-status
+smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, check_recipient_access proxy:mysql:{config_dir}/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:{config_dir}/mysql-virtual_recipient.cf{greylisting}, check_policy_service unix:private/quota-status
 smtpd_use_tls = yes
 smtpd_tls_security_level = may
 smtpd_tls_cert_file = {config_dir}/smtpd.cert
@@ -23,7 +23,7 @@ proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virt
 smtpd_helo_required = yes
 smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, {reject_unknown_helo_hostname}, permit
 smtpd_sender_restrictions = {reject_aslm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks{reject_slm}, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf
-smtpd_client_restrictions = check_client_access proxy:mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit
+smtpd_client_restrictions = check_client_access proxy:mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks{rbl_list}, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit
 smtpd_etrn_restrictions = permit_mynetworks, reject
 smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
 smtpd_client_message_rate_limit = 100
diff --git a/install/tpl/opensuse_postfix.conf.master b/install/tpl/opensuse_postfix.conf.master
index 60873e9400..9065e9fa03 100644
--- a/install/tpl/opensuse_postfix.conf.master
+++ b/install/tpl/opensuse_postfix.conf.master
@@ -13,7 +13,7 @@ broken_sasl_auth_clients = yes
 smtpd_sasl_authenticated_header = yes
 smtpd_restriction_classes = greylisting
 greylisting = check_policy_service inet:127.0.0.1:10023
-smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, check_recipient_access proxy:mysql:{config_dir}/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:{config_dir}/mysql-virtual_recipient.cf{rbl_list}{greylisting}, check_policy_service unix:private/quota-status
+smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, check_recipient_access proxy:mysql:{config_dir}/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:{config_dir}/mysql-virtual_recipient.cf{greylisting}, check_policy_service unix:private/quota-status
 smtpd_use_tls = yes
 smtpd_tls_security_level = may
 smtpd_tls_cert_file = {config_dir}/smtpd.cert
@@ -26,7 +26,7 @@ proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virt
 smtpd_helo_required = yes
 smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, {reject_unknown_helo_hostname}, permit
 smtpd_sender_restrictions = {reject_aslm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks{reject_slm}, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf
-smtpd_client_restrictions = check_client_access proxy:mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit
+smtpd_client_restrictions = check_client_access proxy:mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks{rbl_list}, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit
 smtpd_etrn_restrictions = permit_mynetworks, reject
 smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
 smtpd_client_message_rate_limit = 100
-- GitLab