mirror of https://github.com/Mailu/Mailu.git synced 2025-01-26 03:52:50 +02:00

Re-enable sender access check to prevent source spoofing

kaiyou 2018-10-07 01:52:01 +02:00
parent f3f0b98755
commit fc99eb7b34
3 changed files with 14 additions and 0 deletions


@ -40,3 +40,15 @@ def postfix_transport(email):
localpart, domain = email.split('@', 1) if '@' in email else (None, email)
relay = models.Relay.query.get(domain) or flask.abort(404)
return flask.jsonify("smtp:[{}]".format(relay.smtp))
@internal.route("/postfix/sender/<sender>")
def postfix_sender(sender):
""" Simply reject any sender that pretends to be from a local domain
"""
localpart, domain_name = sender.split('@', 1) if '@' in sender else (None, sender)
domain = models.Domain.query.get(domain_name)
alternative = models.Alternative.query.get(domain_name)
if domain or alternative:
return flask.jsonify("REJECT")
return flask.abort(404)
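Review bot: `postfix_sender` answers `REJECT` for any key whose domain part is a local or alternative domain, but its docstring does not state the contract the Postfix side depends on. It should say that a 404 means "no match, continue with the next restriction" and that the view has no knowledge of the client, so it is only safe behind an earlier permit for trusted clients. `domain_name` goes to `query.get()` exactly as received, so unless the key is already lower-cased before it reaches this view (not visible in the hunk) a sender such as `user@EXAMPLE.COM` may miss the row; `domain_name = domain_name.lower()` before the two queries would remove that dependency. As smaller cleanups, `localpart` is never used, and `flask.abort(404)` raises, so the `return` in front of it is redundant.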


@ -87,6 +87,7 @@ smtpd_helo_required = yes
smtpd_client_restrictions =
permit_mynetworks,
check_sender_access ${podop}sender,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
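Review bot: `check_sender_access ${podop}sender` is placed in `smtpd_client_restrictions`, where a sender address is available only because `smtpd_delay_reject` defaults to `yes`. If that setting is ever disabled, the lookup would presumably be evaluated before MAIL FROM and the spoofing check would stop matching without any error. A comment above the `smtpd_client_restrictions` block would record the dependency, e.g. `# sender check relies on smtpd_delay_reject = yes; applies to clients not covered by permit_mynetworks`, or the check could move to `smtpd_sender_restrictions`. It covers the envelope sender only, so a message with a foreign envelope sender and a local `From:` header is not caught here and still needs header or DMARC checks elsewhere. The restriction list continues beyond the end of the hunk.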


@ -17,6 +17,7 @@ def start_podop():
("alias", "url", "http://admin/internal/postfix/alias/§"),
("domain", "url", "http://admin/internal/postfix/domain/§"),
("mailbox", "url", "http://admin/internal/postfix/mailbox/§"),
("sender", "url", "http://admin/internal/postfix/sender/§")
])
convert = lambda src, dst: open(dst, "w").write(jinja2.Template(open(src).read()).render(**os.environ))