From: Christoph Heiss
To: pmg-devel@lists.proxmox.com
Date: Mon, 20 Mar 2023 11:35:45 +0100
Message-Id: <20230320103548.382757-2-c.heiss@proxmox.com>
In-Reply-To: <20230320103548.382757-1-c.heiss@proxmox.com>
References: <20230320103548.382757-1-c.heiss@proxmox.com>
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pmg-devel] [PATCH v2 pmg-api 1/4] fix #2437: config: Add new tls_inbound_domains postfix map X-BeenThere: pmg-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Mail Gateway development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 20 Mar 2023 10:36:32 -0000 Add a new configuration file /etc/pmg/tls_inbound_domains, which is a postfix map containing all domains having `reject_plaintext_session` action set. This is the only allowed action value and enforced while parsing. This map is then used for `smtpd_sender_restriction` in the main.cf template. Signed-off-by: Christoph Heiss --- Changes v1 -> v2: * Rename `tls_inbound_policy` to `tls_inbound_domains` * Move API endpoint implementation to separate patch * Add `tls_inbound_domains` to cluster sync src/PMG/Cluster.pm | 1 + src/PMG/Config.pm | 56 ++++++++++++++++++++++++++++++++++++++++ src/templates/main.cf.in | 1 + 3 files changed, 58 insertions(+) diff --git a/src/PMG/Cluster.pm b/src/PMG/Cluster.pm index 31384b2..7622a88 100644 --- a/src/PMG/Cluster.pm +++ b/src/PMG/Cluster.pm @@ -464,6 +464,7 @@ sub sync_config_from_master { 'mynetworks', 'transport', 'tls_policy', + 'tls_inbound_domains', 'fetchmailrc', ]; diff --git a/src/PMG/Config.pm b/src/PMG/Config.pm index 699a622..08ba1f5 100755 --- a/src/PMG/Config.pm +++ b/src/PMG/Config.pm 
@@ -1160,6 +1160,61 @@ sub postmap_tls_policy { PMG::Utils::run_postmap($tls_policy_map_filename); } +sub read_tls_inbound_domains { + my ($filename, $fh) = @_; + + return {} if !defined($fh); + + my $domains = {}; + + while (defined(my $line = <$fh>)) { + chomp $line; + next if $line =~ m/^\s*$/; + next if $line =~ m/^#(.*)\s*$/; + + my $parse_error = sub { + my ($err) = @_; + die "parse error in '$filename': $line - $err"; + }; + + if ($line =~ m/^(\S+) reject_plaintext_session$/) { + my $domain = $1; + + eval { pmg_verify_transport_domain($domain) }; + if (my $err = $@) { + $parse_error->($err); + next; + } + + $domains->{$domain} = 1; + } else { + $parse_error->('wrong format'); + } + } + + return $domains; +} + +sub write_tls_inbound_domains { + my ($filename, $fh, $domains) = @_; + + return if !$domains; + + foreach my $domain (sort keys %$domains) { + PVE::Tools::safe_print($filename, $fh, "$domain reject_plaintext_session\n"); + } +} + +my $tls_inbound_domains_map_filename = "/etc/pmg/tls_inbound_domains"; +PVE::INotify::register_file('tls_inbound_domains', $tls_inbound_domains_map_filename, + \&read_tls_inbound_domains, + \&write_tls_inbound_domains, + undef, always_call_parser => 1); + +sub postmap_tls_inbound_domains { + PMG::Utils::run_postmap($tls_inbound_domains_map_filename); +} + my $transport_map_filename = "/etc/pmg/transport"; sub postmap_pmg_transport { @@ -1696,6 +1751,7 @@ sub rewrite_config_postfix { postmap_pmg_domains(); postmap_pmg_transport(); postmap_tls_policy(); + postmap_tls_inbound_domains(); rewrite_postfix_whitelist($rulecache) if $rulecache; diff --git a/src/templates/main.cf.in b/src/templates/main.cf.in index 190c913..1f4fa91 100644 --- a/src/templates/main.cf.in +++ b/src/templates/main.cf.in 
@@ -79,6 +79,7 @@ smtpd_sender_restrictions = reject_non_fqdn_sender check_client_access cidr:/etc/postfix/clientaccess check_sender_access regexp:/etc/postfix/senderaccess + check_sender_access hash:/etc/pmg/tls_inbound_domains check_recipient_access regexp:/etc/postfix/rcptaccess [%- IF pmg.mail.rejectunknown %] reject_unknown_client_hostname[% END %] [%- IF pmg.mail.rejectunknownsender %] reject_unknown_sender_domain[% END %] -- 2.39.2
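Review bot: in the `src/PMG/Config.pm` hunk at `@@ -1160,6 +1160,61 @@`, the `next;` after `$parse_error->($err);` in `read_tls_inbound_domains` is unreachable, because `$parse_error` always calls `die`; either drop the `next`, or, if a single malformed entry should not make the whole map unreadable, have the closure `warn` and return instead of dying and keep the `next`. As written, one bad line aborts parsing and no domain from the file is loaded, so decide explicitly which behaviour is wanted and document it above the sub. Smaller points in the same sub: the comment check `m/^#(.*)\s*$/` captures a group that is never used and can simply be `m/^#/`; `$parse_error` is re-created on every loop iteration and can be defined once before the `while`; and the format regex `m/^(\S+) reject_plaintext_session$/` accepts exactly one space, so a hand-edited file using a tab or two spaces is rejected with "wrong format", while `\s+` would still match everything `write_tls_inbound_domains` produces.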
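Review bot: in the `src/templates/main.cf.in` hunk, the new `check_sender_access hash:/etc/pmg/tls_inbound_domains` entry is placed after `check_client_access cidr:/etc/postfix/clientaccess` and `check_sender_access regexp:/etc/postfix/senderaccess`. An OK result from either of those earlier maps ends evaluation of `smtpd_sender_restrictions` before the `reject_plaintext_session` lookup runs, so a whitelisted client network or sender pattern can still deliver mail for a listed domain over an unencrypted session. If the TLS requirement is meant to hold regardless of whitelisting, move the hash lookup ahead of those two entries and say so in the commit message. Also worth checking on a fresh install: `postmap_tls_inbound_domains` calls postmap on `/etc/pmg/tls_inbound_domains` unconditionally, and main.cf now references the hash map unconditionally as well, so confirm the file (and its `.db`) is created by the first `rewrite_config_postfix` run before Postfix reloads with this template.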