feat: Add support for defining an allowlist for recipients #136
PyroDevil wants to merge 1 commit into juanluisbaptiste:master from
As this Postfix relay server doesn't require authentication to send emails, devices that aren't fully trusted could spam emails using this relay. And this could result in the IP address of the mail server being blacklisted.

To prevent this server being used to send spam messages, this patch implements an allowlist for recipients via the `RECIPIENT_ALLOWLIST` environment variable. This variable can contain a list of recipient addresses or domains separated by spaces or commas.

Signed-off-by: Pyro Devil <p.devil@randman.org>
Oh, I didn't notice that #130 exists. I should have looked into PRs first I guess.
@juanluisbaptiste, I solved this a bit differently, I named it 'recipients' because it can be full email addresses as well as domains, and the logic is a bit simpler, IMO. So if you are preferring this I can reopen it again. But I am fine with either #130 or this PR.
| add_config_value "transport_maps" "lmdb://etc/postfix/transport" | ||
| IFS=', ' read -r -a recipient_allowlist_array <<< "${RECIPIENT_ALLOWLIST}" | ||
| for allowed_recipient in "${recipient_allowlist_array[@]}"; do | ||
| printf "%s :\n" "$allowed_recipient" >> /etc/postfix/transport |
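Review bot: The loop writes each `$allowed_recipient` to /etc/postfix/transport unchecked, so a `*` in `RECIPIENT_ALLOWLIST` becomes the transport table's wildcard key and matches every recipient, and an input such as `a@example.org,,b@example.org` yields an empty array element whose line starts with a space, which Postfix reads as a continuation of the previous entry. Skip empty elements and reject `*` or anything that is not an address or domain before the `printf`. The `>>` also appends to a file that these lines never truncate, so each run of the script adds the same entries again.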
Haven't tested it yet, but this code I think will have the same problem as with issue #130, it will add duplicate lines to the configuration on restart.
I force pushed a fix shortly after I closed this PR, which prevents me from opening this PR now.
But this is an easy fix. I just added a `rm -f /etc/postfix/transport` before writing the first line:
https://github.com/PyroDevil/docker-postfix/blob/feat-destination-allowlist/run.sh#L130
As this Postfix relay server doesn't require authentication to send emails, devices that aren't fully trusted could spam emails using this relay. And this could result in the IP address of the mail server being blacklisted.
To prevent this server being used to send spam messages, this patch implements an allowlist for recipients via the `RECIPIENT_ALLOWLIST` environment variable. This variable can contain a list of recipient addresses or domains separated by spaces or commas.
Description of the change
This adds a `RECIPIENT_ALLOWLIST` environment variable, which allows to restrict allowed recipients to a certain allowlist.
Generally I use this postfix relay to allow devices, that either don't support TLS1.3 or for other reasons cannot send emails directly on my mail server.
However I also don't want to just allow any device to use my mail server to send anyone emails. I want to limit the allowed recipients or domains. This allows more control over what is allowed, thus it prevents rogue devices from sending spam, or accidentally sending/leaking emails to people outside of the organization.
How Has This Been Tested?
I tested sending emails to allowed recipients and not allowed recipients, and the result was as expected.
Types of Changes
Checklist:
`.env.example` file accordingly.
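As an added example (not code from this PR or the project), one way to turn the space- or comma-separated `RECIPIENT_ALLOWLIST` value described above into transport-table lines without the duplicate-lines-on-restart problem raised in the review: entries are validated and de-duplicated, and the file is rewritten from scratch on every start. The function names and the validation rules are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the PR's code. Function names and validation rules are
# assumptions; the "<pattern> :" line format is the one the patch writes.

# render_transport LIST
# Prints one "<pattern> :" line per valid, unique entry of LIST on stdout.
# Rejected entries are reported on stderr. Runs in a subshell, so "set -f"
# and the variables below do not leak into the caller.
render_transport() (
    set -f                                   # keep a literal "*" as a token
    # Commas become spaces; word splitting then drops empty fields, so
    # "a,,b" cannot produce a blank (continuation) line in the table.
    set -- $(printf '%s' "$1" | tr ',' ' ')
    seen=' '
    for entry in "$@"; do
        # Postfix folds lookup keys to lower case for indexed maps.
        entry=$(printf '%s' "$entry" | tr '[:upper:]' '[:lower:]')
        case "$entry" in
            '*'|*[!a-z0-9@._+-]*|@*|*@|*@*@*)
                # "*" is the transport table's match-everything key.
                printf 'skipping invalid entry: %s\n' "$entry" >&2
                continue ;;
        esac
        case "$seen" in *" $entry "*) continue ;; esac   # duplicate
        seen="$seen$entry "
        printf '%s :\n' "$entry"
    done
)

# write_transport LIST FILE
# Rebuilds FILE through a temp file in the same directory, so a container
# restart replaces the table instead of appending to it.
write_transport() {
    tmp="$2.tmp.$$"
    render_transport "$1" > "$tmp" && mv -f "$tmp" "$2"
}
```

After the file is written, an lmdb map still has to be compiled with `postmap` before Postfix uses it.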