fix(postfix): Fix broken relay access

Currently for some reason postfix decided to drop all email that are supposed to be relayed by default. This is obviously unwanted behaviour. This patch takes the settings from the workaround.org project, applies them to submission and submissions, which fixes the current issue. However I still don't fully understand why. References: https://workaround.org/ispmail/bullseye/relay-outoing-email-through-postfix/

fix(postfix): Fix broken relay access
08773232 · Sheogorath · 4b863ce8 · 08773232 · 08773232 · 08773232
Verified Commit 08773232 authored 2 years ago by Sheogorath
--- a/charts/mok/Chart.yaml
+++ b/charts/mok/Chart.yaml
@@ -3,7 +3,7 @@ name: mok
 description: |
  Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that runs without a database server on Kubernetes, taking advantage of configmaps and secret.
 type: application
-version: 0.7.1
+version: 0.7.2
 sources:
  - https://de.postfix.org/ftpmirror/index.html
  - https://github.com/dovecot/core

--- a/charts/mok/README.md
+++ b/charts/mok/README.md
 # mok
-![Version: 0.7.1](https://img.shields.io/badge/Version-0.7.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.7.2](https://img.shields.io/badge/Version-0.7.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that runs without a database server on Kubernetes, taking advantage of configmaps and secret.
@@ -56,7 +56,7 @@ Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that run
 | postfix.hostname | string | `nil` | explicitly set postfix hostname |
 | postfix.image.pullPolicy | string | `"IfNotPresent"` |  |
 | postfix.image.repository | string | `"quay.io/shivering-isles/postfix"` | postfix container image |
-| postfix.image.tag | string | `"0.4.1"` | Overrides the image tag whose default is "latest" |
+| postfix.image.tag | string | `"0.4.2"` | Overrides the image tag whose default is "latest" |
 | postfix.imagePullSecrets | list | `[]` |  |
 | postfix.nodeSelector | object | `{}` |  |
 | postfix.podAnnotations | object | `{}` |  |

--- a/charts/mok/values.yaml
+++ b/charts/mok/values.yaml
@@ -46,7 +46,7 @@ postfix:
    repository: quay.io/shivering-isles/postfix
    pullPolicy: IfNotPresent
    # -- Overrides the image tag whose default is "latest"
-    tag: "0.4.1"
+    tag: "0.4.2"
  imagePullSecrets: []

--- a/images/postfix/.release
+++ b/images/postfix/.release
-release=0.4.1
+release=0.4.2
--- a/images/postfix/config/main.cf
+++ b/images/postfix/config/main.cf
@@ -123,8 +123,9 @@ smtpd_recipient_restrictions =
        reject_invalid_hostname,
        warn_if_reject reject_unauth_pipelining,
        permit_mynetworks,
-        reject_unverified_recipient,
        reject_unauth_destination,
+        reject_known_sender_login_mismatch,
+        reject_unverified_recipient,
        permit
 smtpd_sender_restrictions =

--- a/images/postfix/config/master.cf
+++ b/images/postfix/config/master.cf
@@ -8,7 +8,6 @@
 smtpd     pass  -       -       -       -       -       smtpd
    -o smtpd_tls_received_header=yes
    -o content_filter=
-    -o smtpd_upstream_proxy_protocol=haproxy
 dnsblog   unix  -       -       -       -       0       dnsblog
 tlsproxy  unix  -       -       -       -       0       tlsproxy
 #smtps     inet  n       -       -       -       -       smtpd
@@ -116,8 +115,13 @@ submission inet  n       -       y       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o tls_preempt_cipherlist=yes
-    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+    -o smtpd_sasl_auth_enable=yes
+    -o smtpd_tls_auth_only=yes
+    -o smtpd_reject_unlisted_recipient=no
+    -o smtpd_recipient_restrictions=
+    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sender_login_maps=lmdb:/srv/tmp/sender-login-maps
+    -o sender_dependent_relayhost_maps=lmdb:/srv/tmp/relayhosts
    -o cleanup_service_name=headers-cleanup
 submissions inet  n       -       y       -       -       smtpd
@@ -125,8 +129,13 @@ submissions inet  n       -       y       -       -       smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_tls_security_level=encrypt
    -o tls_preempt_cipherlist=yes
-    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+    -o smtpd_sasl_auth_enable=yes
+    -o smtpd_tls_auth_only=yes
+    -o smtpd_reject_unlisted_recipient=no
+    -o smtpd_recipient_restrictions=
+    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sender_login_maps=lmdb:/srv/tmp/sender-login-maps
+    -o sender_dependent_relayhost_maps=lmdb:/srv/tmp/relayhosts
    -o cleanup_service_name=headers-cleanup
 dovecot   unix  -       n       n       -       -       pipe flags=DRhu