From 1264fffb4b41f9e46a2afb724a97bcdb1613fb81 Mon Sep 17 00:00:00 2001 From: "github@kiekerjan.isdronken.nl" Date: Wed, 28 Apr 2021 09:23:27 +0200 Subject: [PATCH] Add root@primary host alias --- management/mailconfig.py | 3 +++ setup/additionals.sh | 2 +- setup/mail-postfix.sh | 13 +++++++++++-- 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/management/mailconfig.py b/management/mailconfig.py index 47faad5f..59ed3c0b 100755 --- a/management/mailconfig.py +++ b/management/mailconfig.py @@ -524,6 +524,9 @@ def get_required_aliases(env): # The hostmaster alias is exposed in the DNS SOA for each zone. aliases.add("hostmaster@" + env['PRIMARY_HOSTNAME']) + + # Setup root alias + aliases.add("root@" + env['PRIMARY_HOSTNAME']) # Get a list of domains we serve mail for, except ones for which the only # email on that domain are the required aliases or a catch-all/domain-forwarder. diff --git a/setup/additionals.sh b/setup/additionals.sh index 35e92797..57d2eaad 100644 --- a/setup/additionals.sh +++ b/setup/additionals.sh @@ -24,4 +24,4 @@ hide_output systemctl restart systemd-journald.service # Create forward for root emails cat > /root/.forward << EOF; administrator@$PRIMARY_HOSTNAME -EOF \ No newline at end of file +EOF diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh index 0a66cb0f..2ed8ff0d 100755 --- a/setup/mail-postfix.sh +++ b/setup/mail-postfix.sh @@ -137,6 +137,14 @@ tools/editconf.py /etc/postfix/main.cf \ tls_preempt_cipherlist=no \ smtpd_tls_received_header=yes +# Add block_root_external to block mail send to root@PRIMARY_HOSTNAME. This mail address is only supposed to be used for local +# mail delivery (cron etc) +cat > /etc/postfix/block_root_external << EOF; +root@$PRIMARY_HOSTNAME REJECT +EOF + +postmap /etc/postfix/block_root_external + # Prevent non-authenticated users from sending mail that requires being # relayed elsewhere. We don't want to be an "open relay". On outbound # mail, require one of: @@ -144,9 +152,10 @@ tools/editconf.py /etc/postfix/main.cf \ # * `permit_sasl_authenticated`: Authenticated users (i.e. on port 587). # * `permit_mynetworks`: Mail that originates locally. # * `reject_unauth_destination`: No one else. (Permits mail whose destination is local and rejects other mail.) +# * `block_root_external`: Block mail addressed at root@PRIMARY_HOSTNAME. Root mail is only to receive mails locally send to root. +# permit_mynetworks will allow delivery of mail for root originating locally. tools/editconf.py /etc/postfix/main.cf \ - smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination - + smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,hash:/etc/postfix/block_root_external # ### DANE