From 08773232e04f2f8d260fb5404cd9fbcd84f96f8b Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sat, 8 Oct 2022 00:33:26 +0200
Subject: [PATCH] fix(postfix): Fix broken relay access

Currently, for some reason, postfix decides to drop all email that is
supposed to be relayed by default. This is obviously unwanted behaviour.
This patch takes the settings from the workaround.org project and applies
them to submission and submissions, which fixes the current issue.

However I still don't fully understand why.

References:
https://workaround.org/ispmail/bullseye/relay-outoing-email-through-postfix/
---
 charts/mok/Chart.yaml           |  2 +-
 charts/mok/README.md            |  4 ++--
 charts/mok/values.yaml          |  2 +-
 images/postfix/.release         |  2 +-
 images/postfix/config/main.cf   |  3 ++-
 images/postfix/config/master.cf | 15 ++++++++++++---
 6 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/charts/mok/Chart.yaml b/charts/mok/Chart.yaml
index 76128f726..858b97c5f 100644
--- a/charts/mok/Chart.yaml
+++ b/charts/mok/Chart.yaml
@@ -3,7 +3,7 @@ name: mok
 description: |
   Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that runs without a database server on Kubernetes, taking advantage of configmaps and secret.
 type: application
-version: 0.7.1
+version: 0.7.2
 sources:
   - https://de.postfix.org/ftpmirror/index.html
   - https://github.com/dovecot/core
diff --git a/charts/mok/README.md b/charts/mok/README.md
index 7971e50e3..e177905b6 100644
--- a/charts/mok/README.md
+++ b/charts/mok/README.md
@@ -1,6 +1,6 @@
 # mok
 
-![Version: 0.7.1](https://img.shields.io/badge/Version-0.7.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.7.2](https://img.shields.io/badge/Version-0.7.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that runs without a database server on Kubernetes, taking advantage of configmaps and secret.
 
@@ -56,7 +56,7 @@ Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that run
 | postfix.hostname | string | `nil` | explicitly set postfix hostname |
 | postfix.image.pullPolicy | string | `"IfNotPresent"` |  |
 | postfix.image.repository | string | `"quay.io/shivering-isles/postfix"` | postfix container image |
-| postfix.image.tag | string | `"0.4.1"` | Overrides the image tag whose default is "latest" |
+| postfix.image.tag | string | `"0.4.2"` | Overrides the image tag whose default is "latest" |
 | postfix.imagePullSecrets | list | `[]` |  |
 | postfix.nodeSelector | object | `{}` |  |
 | postfix.podAnnotations | object | `{}` |  |
diff --git a/charts/mok/values.yaml b/charts/mok/values.yaml
index 4e19505b2..8639ae59d 100644
--- a/charts/mok/values.yaml
+++ b/charts/mok/values.yaml
@@ -46,7 +46,7 @@ postfix:
     repository: quay.io/shivering-isles/postfix
     pullPolicy: IfNotPresent
     # -- Overrides the image tag whose default is "latest"
-    tag: "0.4.1"
+    tag: "0.4.2"
 
   imagePullSecrets: []
 
diff --git a/images/postfix/.release b/images/postfix/.release
index 802d813b7..332fb5fb6 100644
--- a/images/postfix/.release
+++ b/images/postfix/.release
@@ -1 +1 @@
-release=0.4.1
+release=0.4.2
diff --git a/images/postfix/config/main.cf b/images/postfix/config/main.cf
index 41664e218..108194c9b 100644
--- a/images/postfix/config/main.cf
+++ b/images/postfix/config/main.cf
@@ -123,8 +123,9 @@ smtpd_recipient_restrictions =
         reject_invalid_hostname,
         warn_if_reject reject_unauth_pipelining,
         permit_mynetworks,
-        reject_unverified_recipient,
         reject_unauth_destination,
+        reject_known_sender_login_mismatch,
+        reject_unverified_recipient,
         permit
 
 smtpd_sender_restrictions =
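Review bot: `reject_known_sender_login_mismatch` only has an effect when `smtpd_sender_login_maps` is set for the service evaluating it, and the only such setting visible in this patch is the `-o` override on the submission services, so on the port-25 path the new entry may be a no-op unless main.cf sets the map somewhere outside the hunk. The reordering itself is sound: evaluating `reject_unverified_recipient` after `reject_unauth_destination` means address-verification probes are only sent for recipients in domains this server actually accepts. Since the commit message says the reason is not understood, record it in the file next to the entry, e.g. `# verify recipients only after the relay decision, so probes go out only for domains we accept`. The `smtpd_recipient_restrictions =` stanza opens before the hunk.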
diff --git a/images/postfix/config/master.cf b/images/postfix/config/master.cf
index c0ea1bccb..1b1485339 100644
--- a/images/postfix/config/master.cf
+++ b/images/postfix/config/master.cf
@@ -8,7 +8,6 @@
 smtpd     pass  -       -       -       -       -       smtpd
     -o smtpd_tls_received_header=yes
     -o content_filter=
-    -o smtpd_upstream_proxy_protocol=haproxy
 dnsblog   unix  -       -       -       -       0       dnsblog
 tlsproxy  unix  -       -       -       -       0       tlsproxy
 #smtps     inet  n       -       -       -       -       smtpd
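Review bot: The removal of `-o smtpd_upstream_proxy_protocol=haproxy` from the `smtpd pass` service is not mentioned in the commit message, and it changes which client address the main.cf restrictions see. If the PROXY header is consumed by postscreen in front of this service (`postscreen_upstream_proxy_protocol`, not visible here), the removal is correct because postscreen already hands smtpd the real client address; if this line was the only consumer, smtpd now sees the proxy's own address and `permit_mynetworks` in `smtpd_recipient_restrictions` is evaluated against that address instead of the sender's. Either way the reason belongs in the commit message or in a comment next to the service, e.g. `# PROXY protocol is handled by postscreen; smtpd behind "pass" already receives the real client address`.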
@@ -116,8 +115,13 @@ submission inet  n       -       y       -       -       smtpd
     -o syslog_name=postfix/submission
     -o smtpd_tls_security_level=encrypt
     -o tls_preempt_cipherlist=yes
-    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+    -o smtpd_sasl_auth_enable=yes
+    -o smtpd_tls_auth_only=yes
+    -o smtpd_reject_unlisted_recipient=no
+    -o smtpd_recipient_restrictions=
+    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
     -o smtpd_sender_login_maps=lmdb:/srv/tmp/sender-login-maps
+    -o sender_dependent_relayhost_maps=lmdb:/srv/tmp/relayhosts
     -o cleanup_service_name=headers-cleanup
 
 submissions inet  n       -       y       -       -       smtpd
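Review bot: `-o smtpd_recipient_restrictions=` empties the list for the submission service, so the `reject_known_sender_login_mismatch` check that main.cf gains in this same patch no longer runs for authenticated clients, which is the one place a sender-login check matters; the retained `-o smtpd_sender_login_maps=lmdb:/srv/tmp/sender-login-maps` is then consulted by nothing unless main.cf's `smtpd_sender_restrictions` (cut off right after the main.cf hunk) carries such a check. As written, an authenticated user appears free to use any MAIL FROM. Keep the check in a list that is still evaluated on this service, e.g. `-o smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch`; the same applies to the `submissions` hunk below. Dropping `-o smtpd_client_restrictions=permit_sasl_authenticated,reject` also means unauthenticated clients are now refused at RCPT TO by `smtpd_relay_restrictions` rather than at connect, which is not a relay hole but deserves a line in the commit message. The `submission inet` line that opens this service is before the hunk.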
@@ -125,8 +129,13 @@ submissions inet  n       -       y       -       -       smtpd
     -o smtpd_tls_wrappermode=yes
     -o smtpd_tls_security_level=encrypt
     -o tls_preempt_cipherlist=yes
-    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+    -o smtpd_sasl_auth_enable=yes
+    -o smtpd_tls_auth_only=yes
+    -o smtpd_reject_unlisted_recipient=no
+    -o smtpd_recipient_restrictions=
+    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
     -o smtpd_sender_login_maps=lmdb:/srv/tmp/sender-login-maps
+    -o sender_dependent_relayhost_maps=lmdb:/srv/tmp/relayhosts
     -o cleanup_service_name=headers-cleanup
 
 dovecot   unix  -       n       n       -       -       pipe flags=DRhu
-- 
GitLab