diff --git a/Dockerfile b/Dockerfile
index 5e12689d..34bce662 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -201,7 +201,7 @@ RUN echo 'Reason_Message = Message {rejectdefer} due to: {spf}.' >>/etc/postfix-
 COPY target/fetchmail/fetchmailrc /etc/fetchmailrc_general
 COPY target/getmail/getmailrc /etc/getmailrc_general
-COPY target/postfix/main.cf target/postfix/master.cf /etc/postfix/
+COPY target/postfix/main.cf target/postfix/master.cf target/postfix/esmtp_access /etc/postfix/
 # DH parameters for DHE cipher suites, ffdhe4096 is the official standard 4096-bit DH params now part of TLS 1.3
 # This file is for TLS <1.3 handshakes that rely on DHE cipher suites
diff --git a/mailserver.env b/mailserver.env
index 1a57ceca..120aaaa6 100644
--- a/mailserver.env
+++ b/mailserver.env
@@ -332,6 +332,17 @@ REPORT_SENDER=
 LOGROTATE_INTERVAL=weekly
+# Choose how Postfix handles DSN (Delivery Status Notification) requests
+# empty => Regardless of its origin, a DSN request is always fulfilled.
+# 1 => It can only be requested by authenticated users.
+# 2 => DSN is completely disabled. (not recommended)
+#
+# Note: If this option is left empty and you are using DMARC (reject, quarantine),
+# add an SPF record for the FQDN, since the email won't be signd with DKIM and will
+# be sent from mail.example.com instead of example.com.
+#
+POSTFIX_DSN=
+
 # If enabled, employs `reject_unknown_client_hostname` to sender restrictions in Postfix's configuration.
 #
 # - **0** => Disabled
diff --git a/target/postfix/esmtp_access b/target/postfix/esmtp_access
new file mode 100644
index 00000000..83edaebc
--- /dev/null
+++ b/target/postfix/esmtp_access
@@ -0,0 +1,2 @@
+0.0.0.0/0 silent-discard, dsn
+::/0 silent-discard, dsn
diff --git a/target/scripts/startup/setup.d/postfix.sh b/target/scripts/startup/setup.d/postfix.sh
index 0d7cb1ae..c79f0346 100644
--- a/target/scripts/startup/setup.d/postfix.sh
+++ b/target/scripts/startup/setup.d/postfix.sh
@@ -57,6 +57,15 @@ EOF
 __postfix__log 'trace' "Configuring virtual mailbox size limit to '${POSTFIX_MAILBOX_SIZE_LIMIT}'"
 postconf "virtual_mailbox_limit = ${POSTFIX_MAILBOX_SIZE_LIMIT}"
+ if [[ ${POSTFIX_DSN} -eq 1 ]]; then
+ __postfix__log 'trace' 'Disabling DSN for unauthenticated users'
+ sedfile -i -E '/^submissions?\>/a\ -o smtpd_discard_ehlo_keyword_address_maps=' /etc/postfix/master.cf
+ postconf 'smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/esmtp_access'
+ elif [[ ${POSTFIX_DSN} -eq 2 ]]; then
+ __postfix__log 'trace' 'Disabling DSN completely'
+ postconf 'smtpd_discard_ehlo_keywords = silent-discard, dsn'
+ fi
+
 if [[ ${POSTFIX_REJECT_UNKNOWN_CLIENT_HOSTNAME} -eq 1 ]]; then
 __postfix__log 'trace' 'Enabling reject_unknown_client_hostname to dms_smtpd_sender_restrictions'
 sedfile -i -E \
diff --git a/target/scripts/startup/variables-stack.sh b/target/scripts/startup/variables-stack.sh
index 3b575f50..7dc8712d 100644
--- a/target/scripts/startup/variables-stack.sh
+++ b/target/scripts/startup/variables-stack.sh
@@ -115,6 +115,7 @@ function __environment_variables_general_setup() {
 VARS[DOVECOT_MAILBOX_FORMAT]="${DOVECOT_MAILBOX_FORMAT:=maildir}"
 VARS[DOVECOT_TLS]="${DOVECOT_TLS:=no}"
+ VARS[POSTFIX_DSN]="${POSTFIX_DSN:=0}"
 VARS[POSTFIX_DAGENT]="${POSTFIX_DAGENT:=}"
 VARS[POSTFIX_INET_PROTOCOLS]="${POSTFIX_INET_PROTOCOLS:=all}"
 VARS[POSTFIX_MAILBOX_SIZE_LIMIT]="${POSTFIX_MAILBOX_SIZE_LIMIT:=0}"
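Review bot: The new `POSTFIX_DSN` branch in target/scripts/startup/setup.d/postfix.sh has no fallback for unexpected values. `[[ ${POSTFIX_DSN} -eq 1 ]]` evaluates its operand arithmetically, so a non-numeric setting such as `yes` is read as a variable name and typically compares as 0, which leaves DSN offered to every client without any log line. Because the most permissive mode is what a typo falls back to, I would add a final branch such as `elif [[ ${POSTFIX_DSN} != 0 ]]; then __postfix__log 'warn' "Unknown POSTFIX_DSN value '${POSTFIX_DSN}', DSN stays enabled for all clients"`, or match the literal strings with a `case`. A comment above the `sedfile` line would also help: the empty `-o smtpd_discard_ehlo_keyword_address_maps=` override is what keeps DSN available on the submission services, and it only takes effect if the master.cf service names match `^submissions?\>`. The enclosing function starts and ends outside the hunk.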
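Review bot: The default `${POSTFIX_DSN:=0}` added in target/scripts/startup/variables-stack.sh does not match the option's description in mailserver.env, which lists only `empty`, `1` and `2` and never mentions `0`. Both values reach the same branch today, but the documented values should include the real default, for example `# - **0** => DSN requests are always fulfilled, regardless of origin`, written in the list style the neighbouring options use. Since this default leaves DSN available to unauthenticated senders, the comment could also state why `1` is not the default. The same comment block has the typo `signd`.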