Adding functionality to restrict 'rcpt to' domains

2015-04-29 13:42:25 +02:00 · 2015-04-29 13:42:25 +02:00 · 2cbe7c42b4
commit 2cbe7c42b4
parent aebec52404
7 changed files with 80 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,10 @@ postfix Cookbook CHANGELOG
 ==========================
 This file is used to list changes made in each version of the postfix cookbook.

+v3.6.3 (2015-04-30)
+-------------------
+- Adding support for relay restrictions
+
 v3.6.2 (2014-10-31)
 -------------------
 - Fix FreeBSDisms
--- a/README.md
+++ b/README.md
@ -29,6 +29,7 @@ See `attributes/default.rb` for default values.
 * `node['postfix']['use_transport_maps']` - set to true if you want the cookbook to use/configure transport maps
 * `node['postfix']['use_access_maps']` - set to true if you want the cookbook to use/configure access maps
 * `node['postfix']['use_virtual_aliases']` - set to true if you want the cookbook to use/configure virtual alias maps
+* `node['postfix']['use_relay_restirictions_maps']` - set to true if you want the cookbook to use/configure a list of domains to which postfix will allow relay
 * `node['postfix']['aliases']` - hash of aliases to create with `recipe[postfix::aliases]`, see below under __Recipes__ for more information.
 * `node['postfix']['transports']` - hash of transports to create with `recipe[postfix::transports]`, see below under __Recipes__ for more information.
 * `node['postfix']['access']` - hash of access to create with `recipe[postfix::access]`, see below under __Recipes__ for more information.
@ -121,6 +122,10 @@ Manage `/etc/postfix/access` with this recipe.
 ### virtual_aliases
 Manage `/etc/postfix/virtual` with this recipe.

+### relay_restrictions
+Manage `/etc/postfix/relay_restriction` with this recipe
+The postfix option smtpd_relay_restrictions in main.cf will point to this hash map db.  
+

 http://wiki.chef.io/display/chef/Templates#Templates-TemplateLocationSpecificity

@ -268,6 +273,21 @@ override_attributes(
 )
 ```

+To use relay restrictions override the relay restrictions attribute in this format:
+
+```ruby
+override_attributes(
+  "postfix" => {
+    "use_relay_restirictions_maps" => true,
+    "relay_restrictions" => {
+      "chef.io" => "OK",
+      ".chef.io" => "OK",
+      "example.com" => "OK"
+    }
+  }
+)
+```
+
 License & Authors
 -----------------
 - Author:: Joshua Timberman <joshua@chef.io>
--- a/attributes/default.rb
+++ b/attributes/default.rb
@ -25,6 +25,7 @@ default['postfix']['use_transport_maps'] = false
 default['postfix']['use_access_maps'] = false
 default['postfix']['use_virtual_aliases'] = false
 default['postfix']['use_virtual_aliases_domains'] = false
+default['postfix']['use_relay_restirictions_maps'] = false
 default['postfix']['transports'] = {}
 default['postfix']['access'] = {}
 default['postfix']['virtual_aliases'] = {}
@ -47,6 +48,7 @@ when 'smartos'
  default['postfix']['access_db'] = '/opt/local/etc/postfix/access'
  default['postfix']['virtual_alias_db'] = '/opt/local/etc/postfix/virtual'
  default['postfix']['virtual_alias_domains_db'] = '/opt/local/etc/postfix/virtual_domains'
+  default['postfix']['relay_restrictions_db'] = '/opt/local/etc/postfix/relay_restrictions'
 when 'freebsd'
  default['postfix']['conf_dir'] = '/usr/local/etc/postfix'
  default['postfix']['aliases_db'] = '/etc/aliases'
@ -54,6 +56,7 @@ when 'freebsd'
  default['postfix']['access_db'] = '/usr/local/etc/postfix/access'
  default['postfix']['virtual_alias_db'] = '/usr/local/etc/postfix/virtual'
  default['postfix']['virtual_alias_domains_db'] = '/usr/local/etc/postfix/virtual_domains'
+  default['postfix']['relay_restrictions_db'] = '/etc/postfix/relay_restrictions'
 when 'omnios'
  default['postfix']['conf_dir'] = '/opt/omni/etc/postfix'
  default['postfix']['aliases_db'] = '/opt/omni/etc/postfix/aliases'
@ -61,6 +64,7 @@ when 'omnios'
  default['postfix']['access_db'] = '/opt/omni/etc/postfix/access'
  default['postfix']['virtual_alias_db'] = '/etc/omni/etc/postfix/virtual'
  default['postfix']['virtual_alias_domains_db'] = '/etc/omni/etc/postfix/virtual_domains'
+  default['postfix']['relay_restrictions_db'] = '/opt/omni/etc/postfix/relay_restrictions'
  default['postfix']['uid'] = 11
 else
  default['postfix']['conf_dir'] = '/etc/postfix'
@ -69,6 +73,7 @@ else
  default['postfix']['access_db'] = '/etc/postfix/access'
  default['postfix']['virtual_alias_db'] = '/etc/postfix/virtual'
  default['postfix']['virtual_alias_domains_db'] = '/etc/postfix/virtual_domains'
+  default['postfix']['relay_restrictions_db'] = '/etc/postfix/relay_restrictions'
 end

 # Non-default main.cf attributes
@ -136,3 +141,8 @@ when 'freebsd'
 else
  default['postfix']['aliases'] = {}
 end
+
+if node['postfix']['use_relay_restirictions_maps']
+  default['postfix']['main']['smtpd_relay_restrictions'] = "hash:#{node['postfix']['relay_restrictions_db']}, reject"
+end
+
--- a/metadata.rb
+++ b/metadata.rb
@ -4,7 +4,7 @@ description 'Installs and configures postfix for client or outbound relayhost, o
 maintainer 'Chef Software, Inc.'
 maintainer_email 'cookbooks@chef.io'
 license 'Apache 2.0'
-version '3.6.2'
+version '3.6.3'
 recipe 'postfix', 'Installs and configures postfix'
 recipe 'postfix::sasl_auth', 'Set up postfix to auth to a server with sasl'
 recipe 'postfix::aliases', 'Manages /etc/aliases'
--- a/recipes/default.rb
+++ b/recipes/default.rb
@ -43,3 +43,8 @@ end
 if node['postfix']['use_virtual_aliases_domains']
  include_recipe 'postfix::virtual_aliases_domains'
 end
+
+if node['postfix']['use_relay_restirictions_maps']
+  include_recipe 'postfix::relay_restrictions'
+end
+
--- a/recipes/relay_restrictions.rb
+++ b/recipes/relay_restrictions.rb
@ -0,0 +1,29 @@
+# encoding: utf-8
+# Copyright:: Copyright (c) 2012, Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe 'postfix::_common'
+
+execute 'update-postfix-relay-restrictions' do
+  command "postmap #{node['postfix']['relay_restrictions_db']}"
+  environment PATH: "#{ENV['PATH']}:/opt/omni/bin:/opt/omni/sbin" if platform_family?('omnios')
+  action :nothing
+end
+
+template node['postfix']['relay_restrictions_db'] do
+  source 'relay_restrictions.erb'
+  notifies :run, 'execute[update-postfix-relay-restrictions]'
+end
+
--- a/templates/default/relay_restrictions.erb
+++ b/templates/default/relay_restrictions.erb
@ -0,0 +1,11 @@
+#
+# This file is generated by Chef for <%= node['fqdn'] %>
+#
+# Local changes will be overwritten
+#
+# Attribute name is the domain name, Attribute value is either OK or REJECT
+
+<% node['postfix']['relay_restrictions'].each do |name, value| %>
+<%= name %> <%= value %>
+<% end unless node['postfix']['relay_restrictions'].nil? %>
+*			REJECT