Prevent local users from impersonating other local users

site-cookbooks/kosmos_email/recipes/postfix.rb

@@ -68,8 +68,9 @@ node.normal['postfix']['master'] = {
       "-o smtpd_tls_security_level=encrypt",
       "-o smtpd_tls_wrappermode=no",
       "-o smtpd_sasl_auth_enable=yes",
+      "-o smtpd_sender_restrictions=reject_sender_login_mismatch",
       "-o smtpd_relay_restrictions=permit_sasl_authenticated,reject",
-      "-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject",
+      "-o smtpd_recipient_restrictions=permit_mynetworks,reject_sender_login_mismatch,permit_sasl_authenticated,reject",
       "-o smtpd_sasl_type=dovecot",
       "-o smtpd_sasl_path=private/auth",
       "-o smtpd_upstream_proxy_protocol=haproxy",
@@ -87,6 +88,7 @@ node.normal['postfix']['master'] = {
       "-o smtpd_tls_wrappermode=yes",
       "-o smtpd_sasl_auth_enable=yes",
       "-o smtpd_relay_restrictions=permit_sasl_authenticated,reject",
+      "-o smtpd_sender_restrictions=reject_sender_login_mismatch",
       "-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject",
       "-o smtpd_sasl_type=dovecot",
       "-o smtpd_sasl_path=private/auth",
@@ -133,6 +135,18 @@ template "/etc/postfix/ldap-aliases.cf" do
   notifies :restart, "service[postfix]", :delayed
 end
 
+template "/etc/postfix/ldap-username-aliases.cf" do
+  source    "ldap-aliases.cf.erb"
+  mode      0600
+  variables server_host: "ldap.kosmos.local",
+            bind_dn: credentials['ldap_dn'],
+            bind_pw: credentials['ldap_dnpass'],
+            search_base: "ou=kosmos.org,cn=users,dc=kosmos,dc=org",
+            query_filter: "(&(objectClass=person)(cn=%u))",
+            result_attribute: "cn"
+  notifies :restart, "service[postfix]", :delayed
+end
+
 include_recipe 'postfix::server'
 
 service "postfix" do