From e2b7dfc8e8c2bef60245efefe64f79724b218a90 Mon Sep 17 00:00:00 2001
From: Jesse Norell <jesse@kci.net>
Date: Tue, 12 Jan 2021 17:26:32 -0700
Subject: [PATCH] whitelist senders before reject_sender_login_mismatch

---
 install/tpl/debian_postfix.conf.master   | 2 +-
 install/tpl/fedora_postfix.conf.master   | 2 +-
 install/tpl/gentoo_postfix.conf.master   | 2 +-
 install/tpl/opensuse_postfix.conf.master | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/install/tpl/debian_postfix.conf.master b/install/tpl/debian_postfix.conf.master
index a6a48e0e02..03077cbe7d 100644
--- a/install/tpl/debian_postfix.conf.master
+++ b/install/tpl/debian_postfix.conf.master
@@ -27,7 +27,7 @@ smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_ma
 proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions
 smtpd_helo_required = yes
 smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, {reject_unknown_helo_hostname}, permit
-smtpd_sender_restrictions =  {reject_aslm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks{reject_slm}, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf
+smtpd_sender_restrictions = {reject_aslm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf{reject_slm}, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re
 smtpd_reject_unlisted_sender = yes
 smtpd_client_restrictions = check_client_access proxy:mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated{rbl_list}, reject_unauth_pipelining {reject_unknown_client_hostname}, permit
 smtpd_etrn_restrictions = permit_mynetworks, reject
diff --git a/install/tpl/fedora_postfix.conf.master b/install/tpl/fedora_postfix.conf.master
index 3cd8357a66..fb284e4885 100644
--- a/install/tpl/fedora_postfix.conf.master
+++ b/install/tpl/fedora_postfix.conf.master
@@ -23,7 +23,7 @@ smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_ma
 proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions
 smtpd_helo_required = yes
 smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, {reject_unknown_helo_hostname}, permit
-smtpd_sender_restrictions =  {reject_aslm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks{reject_slm}, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf
+smtpd_sender_restrictions = {reject_aslm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf{reject_slm}, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re
 smtpd_reject_unlisted_sender = yes
 smtpd_client_restrictions = check_client_access proxy:mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated{rbl_list}, reject_unauth_pipelining {reject_unknown_client_hostname}, permit
 smtpd_etrn_restrictions = permit_mynetworks, reject
diff --git a/install/tpl/gentoo_postfix.conf.master b/install/tpl/gentoo_postfix.conf.master
index f4a1d4025c..8a50cce3cd 100644
--- a/install/tpl/gentoo_postfix.conf.master
+++ b/install/tpl/gentoo_postfix.conf.master
@@ -22,7 +22,7 @@ smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_ma
 proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions
 smtpd_helo_required = yes
 smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, {reject_unknown_helo_hostname}, permit
-smtpd_sender_restrictions =  {reject_aslm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks{reject_slm}, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf
+smtpd_sender_restrictions = {reject_aslm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf{reject_slm}, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re
 smtpd_reject_unlisted_sender = yes
 smtpd_client_restrictions = check_client_access proxy:mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated{rbl_list}, reject_unauth_pipelining {reject_unknown_client_hostname}, permit
 smtpd_etrn_restrictions = permit_mynetworks, reject
diff --git a/install/tpl/opensuse_postfix.conf.master b/install/tpl/opensuse_postfix.conf.master
index 7d3669853a..8186c2ad8a 100644
--- a/install/tpl/opensuse_postfix.conf.master
+++ b/install/tpl/opensuse_postfix.conf.master
@@ -25,7 +25,7 @@ smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_ma
 proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions
 smtpd_helo_required = yes
 smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, {reject_unknown_helo_hostname}, permit
-smtpd_sender_restrictions =  {reject_aslm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks{reject_slm}, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf
+smtpd_sender_restrictions = {reject_aslm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf{reject_slm}, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re
 smtpd_reject_unlisted_sender = yes
 smtpd_client_restrictions = check_client_access proxy:mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated{rbl_list}, reject_unauth_pipelining {reject_unknown_client_hostname}, permit
 smtpd_etrn_restrictions = permit_mynetworks, reject
-- 
GitLab