From 5a4cdf9c3060b6e93452031d43a0c0b7f8dd1b3b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Wed, 6 Dec 2023 12:27:38 +0100
Subject: [PATCH] Prevent local users from impersonating other local users
---
 site-cookbooks/kosmos_email/recipes/postfix.rb | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/site-cookbooks/kosmos_email/recipes/postfix.rb b/site-cookbooks/kosmos_email/recipes/postfix.rb
index 69b7b57..d8892bd 100644
--- a/site-cookbooks/kosmos_email/recipes/postfix.rb
+++ b/site-cookbooks/kosmos_email/recipes/postfix.rb
@@ -68,8 +68,9 @@ node.normal['postfix']['master'] = {
 "-o smtpd_tls_security_level=encrypt",
 "-o smtpd_tls_wrappermode=no",
 "-o smtpd_sasl_auth_enable=yes",
+ "-o smtpd_sender_restrictions=reject_sender_login_mismatch",
 "-o smtpd_relay_restrictions=permit_sasl_authenticated,reject",
- "-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject",
+ "-o smtpd_recipient_restrictions=permit_mynetworks,reject_sender_login_mismatch,permit_sasl_authenticated,reject",
 "-o smtpd_sasl_type=dovecot",
 "-o smtpd_sasl_path=private/auth",
 "-o smtpd_upstream_proxy_protocol=haproxy",
@@ -87,6 +88,7 @@ node.normal['postfix']['master'] = {
 "-o smtpd_tls_wrappermode=yes",
 "-o smtpd_sasl_auth_enable=yes",
 "-o smtpd_relay_restrictions=permit_sasl_authenticated,reject",
+ "-o smtpd_sender_restrictions=reject_sender_login_mismatch",
 "-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject",
 "-o smtpd_sasl_type=dovecot",
 "-o smtpd_sasl_path=private/auth",
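Review bot: `reject_sender_login_mismatch` only has something to compare the SASL login against when `smtpd_sender_login_maps` is configured, and no hunk in this patch sets it — the same applies to the smtps service in the second hunk; unless it is set elsewhere in the node's postfix attributes, the new `-o` line cannot do what the commit title promises, and the `ldap-username-aliases.cf` table added in the third hunk looks like the map it is meant to read, presumably via `smtpd_sender_login_maps = ldap:/etc/postfix/ldap-username-aliases.cf`. A comment next to the new line naming that dependency, e.g. `# requires smtpd_sender_login_maps (see ldap-username-aliases.cf)`, would keep the two halves of the change tied together. For this service the restriction is now listed twice, in `smtpd_sender_restrictions` and again inside `smtpd_recipient_restrictions`, while the smtps service gets only the sender-restriction form; with Postfix's default `smtpd_delay_reject` the sender restrictions are evaluated at RCPT TO anyway, so the copy in the recipient list could be dropped so both services read the same. Note also that `reject_sender_login_mismatch` covers unauthenticated clients too, so a host in `mynetworks` that submits through this port without SASL and uses a sender address that has an owner in the map will now be rejected at MAIL FROM — probably intended, but worth saying in the commit message. The `node.normal['postfix']['master']` hash these lines belong to starts and ends outside the hunk.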
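Review bot: The smtps service in this hunk gets `-o smtpd_sender_restrictions=reject_sender_login_mismatch` but its `smtpd_recipient_restrictions` keeps `permit_mynetworks,permit_sasl_authenticated,reject`, whereas the submission service in the previous hunk adds the check to both lists; the two services should agree on one form. Either append `reject_sender_login_mismatch` after `permit_mynetworks` here as well, or drop the duplicate from the submission service, since `smtpd_sender_restrictions` already enforces it on its own. The new line is also placed after `smtpd_relay_restrictions` here and before it in the previous hunk; keeping the `-o` lines in the same order across the two services makes the two blocks easier to compare. The enclosing `node.normal['postfix']['master']` hash starts and ends outside the hunk.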
@@ -133,6 +135,18 @@ template "/etc/postfix/ldap-aliases.cf" do
 notifies :restart, "service[postfix]", :delayed
 end
+template "/etc/postfix/ldap-username-aliases.cf" do
+ source "ldap-aliases.cf.erb"
+ mode 0600
+ variables server_host: "ldap.kosmos.local",
+ bind_dn: credentials['ldap_dn'],
+ bind_pw: credentials['ldap_dnpass'],
+ search_base: "ou=kosmos.org,cn=users,dc=kosmos,dc=org",
+ query_filter: "(&(objectClass=person)(cn=%u))",
+ result_attribute: "cn"
+ notifies :restart, "service[postfix]", :delayed
+end
+
 include_recipe 'postfix::server'
 service "postfix" do
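Review bot: The new `/etc/postfix/ldap-username-aliases.cf` resource is not referenced by any Postfix parameter in this patch; for the `reject_sender_login_mismatch` restriction added in the earlier hunks to consult it, something (presumably outside this diff) has to set `smtpd_sender_login_maps` to `ldap:/etc/postfix/ldap-username-aliases.cf`, and a one-line comment above the resource such as `# sender-login map: maps a sender address's local part to the owning account cn` would make that dependency visible. The `query_filter` `(&(objectClass=person)(cn=%u))` matches only the local part of the looked-up address (`%u` in ldap_table(5)), so `alice@any-domain` resolves to the same `cn` as `alice@kosmos.org`; if the shared `ldap-aliases.cf.erb` template exposes Postfix's `domain` setting, limiting the lookup to the local domain would make the owner mapping tighter. `mode 0600` with no `owner`/`group` will typically leave the file root-owned under chef-client, while the Postfix daemon that opens the LDAP table runs as the unprivileged postfix user and needs to read the bind password — worth confirming this matches how the existing `ldap-aliases.cf` resource is declared.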