From 34684dc4e1fed6c7e13dc2ada3020c4c4359c10a Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sun, 17 Dec 2023 19:23:18 +0100
Subject: [PATCH] feat(MoK): Restrict incoming emails for owned domains

This patch configures Postfix to reject incoming email whose envelope sender is in one of its own
domains. This is an effort to fight phishing emails that spoof my own domain,
claiming to be from postmaster or the like.

References:
https://superuser.com/questions/964958/make-postfix-reject-incoming-email-spoofed-as-from-my-own-domain
---
 charts/mok/Chart.yaml                             |  2 +-
 charts/mok/README.md                              |  2 +-
 charts/mok/templates/postfix-config.yaml          |  2 +-
 charts/mok/templates/secret.yaml                  | 15 +++++++++++++++
 .../mok/tests/__snapshot__/domains_test.yaml.snap |  4 ++++
 .../mok/tests/__snapshot__/dovecot_test.yaml.snap |  3 ++-
 .../mok/tests/__snapshot__/postfix_test.yaml.snap |  7 ++++---
 .../mok/tests/__snapshot__/relay_test.yaml.snap   |  1 +
 charts/mok/tests/dovecot_test.yaml                |  4 ++--
 charts/mok/tests/postfix_test.yaml                |  4 ++--
 10 files changed, 33 insertions(+), 11 deletions(-)

diff --git a/charts/mok/Chart.yaml b/charts/mok/Chart.yaml
index cf23cbfbb..2db9d72ff 100644
--- a/charts/mok/Chart.yaml
+++ b/charts/mok/Chart.yaml
@@ -3,7 +3,7 @@ name: mok
 description: |
   Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that runs without a database server on Kubernetes, taking advantage of configmaps and secret.
 type: application
-version: 0.10.9
+version: 0.11.0
 sources:
   - https://de.postfix.org/ftpmirror/index.html
   - https://github.com/dovecot/core
diff --git a/charts/mok/README.md b/charts/mok/README.md
index d843f9422..9dab7bc73 100644
--- a/charts/mok/README.md
+++ b/charts/mok/README.md
@@ -1,6 +1,6 @@
 # mok
 
-![Version: 0.10.9](https://img.shields.io/badge/Version-0.10.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.11.0](https://img.shields.io/badge/Version-0.11.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that runs without a database server on Kubernetes, taking advantage of configmaps and secret.
 
diff --git a/charts/mok/templates/postfix-config.yaml b/charts/mok/templates/postfix-config.yaml
index 32d2db47f..fabf83b41 100644
--- a/charts/mok/templates/postfix-config.yaml
+++ b/charts/mok/templates/postfix-config.yaml
@@ -304,7 +304,7 @@ data:
     #        check_recipient_access pgsql:/srv/tmp/recipient-access.cf
     #        check_client_access cidr:/srv/config/access_client,
     #        check_helo_access btree:/srv/config/access_helo,
-    #        check_sender_access btree:/srv/config/access_sender,
+            check_sender_access lmdb:/srv/tmp/access_sender,
             reject_non_fqdn_sender,
             reject_non_fqdn_recipient,
             reject_unknown_sender_domain,
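Review bot: Enabling `check_sender_access` with a blanket REJECT for every owned domain also rejects the server's own users unless this restriction list is only used on the unauthenticated port 25 listener or `permit_sasl_authenticated` precedes it; the head of the list is outside this hunk, so that ordering cannot be confirmed here. The check only inspects the envelope MAIL FROM, so a phishing message with a foreign envelope sender and a spoofed `From:` header for one of these domains still passes; the chart's existing `header_checks` map (or DMARC enforcement) is where that case has to be handled. It would also reject legitimate mail that carries an owned domain as envelope sender from third-party services (newsletters, SaaS senders), which the commit message does not mention. Suggested comment above the enabled line: `# Reject MAIL FROM in our own domains on the inbound path only; authenticated submission must be permitted before this check or own users are blocked too`.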
diff --git a/charts/mok/templates/secret.yaml b/charts/mok/templates/secret.yaml
index b710d88e2..f88f18546 100644
--- a/charts/mok/templates/secret.yaml
+++ b/charts/mok/templates/secret.yaml
@@ -32,6 +32,21 @@ stringData:
     {{- end }}
     {{- end }}
     {{- end }}
+  access_sender: |
+    {{- $domainList := list }}
+    {{- range $domain,$config := .Values.domains }}
+    {{- $domainList = (append $domainList $domain | uniq) }}
+    {{- range $config.users }}
+    {{- $username := .name }}
+    {{- range .aliases }}
+    {{- $domainList = (append $domainList  (regexFind "@.*" .) | uniq) }}
+    {{- end }}
+    {{- end }}
+    {{- end }}
+
+    {{- range $domainList }}
+    {{ trimPrefix "@" . }} REJECT
+    {{- end }}
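Review bot: `$domainList` mixes bare domains from `.Values.domains` with `@`-prefixed domains from `regexFind "@.*"`, so `uniq` cannot collapse a domain that appears in both sources and the rendered map may contain the same key twice; postmap presumably tolerates this with a duplicate-entry warning, but the intent of `uniq` is defeated. Strip the prefix at append time instead: `{{- $domainList = (append $domainList (trimPrefix "@" (regexFind "@.*" .)) | uniq) }}` and then emit `{{ . }} REJECT` in the output loop. The `$username := .name` assignment is never read and can be dropped. An alias without an `@` would append an empty string and render a line consisting only of ` REJECT`; if such aliases are possible, guard the append with an `if` on the regex result.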
   domains: |
     {{- $domainList := list }}
     {{- range $domain,$config := .Values.domains }}
diff --git a/charts/mok/tests/__snapshot__/domains_test.yaml.snap b/charts/mok/tests/__snapshot__/domains_test.yaml.snap
index 3b58bb924..4909af5a2 100644
--- a/charts/mok/tests/__snapshot__/domains_test.yaml.snap
+++ b/charts/mok/tests/__snapshot__/domains_test.yaml.snap
@@ -26,6 +26,10 @@ keeps stays the same:
         helm.sh/chart: mok-1.2.3
       name: RELEASE-NAME-mok-postfix-maps
     stringData:
+      access_sender: |
+        example.com REJECT
+        example.net REJECT
+        example.info REJECT
       aliases: |
         steve@example.net john@example.com
         @example.info john@example.com
diff --git a/charts/mok/tests/__snapshot__/dovecot_test.yaml.snap b/charts/mok/tests/__snapshot__/dovecot_test.yaml.snap
index e23581c40..dedef7148 100644
--- a/charts/mok/tests/__snapshot__/dovecot_test.yaml.snap
+++ b/charts/mok/tests/__snapshot__/dovecot_test.yaml.snap
@@ -79,7 +79,7 @@ should match snapshot:
       template:
         metadata:
           annotations:
-            checksum/config: 8169e727a431edd14dee881a9db5779aa38f2dad6008da57bf280862cfed621c
+            checksum/config: 4a9a25e04ee01efbca95ac61fbbeb7adc3623a3494e86cd91f2b0cabc281f936
           labels:
             app.kubernetes.io/component: dovecot
             app.kubernetes.io/instance: RELEASE-NAME
@@ -192,6 +192,7 @@ should match snapshot:
         helm.sh/chart: mok-1.2.3
       name: RELEASE-NAME-mok-postfix-maps
     stringData:
+      access_sender: ""
       aliases: ""
       domains: ""
       header_checks: |
diff --git a/charts/mok/tests/__snapshot__/postfix_test.yaml.snap b/charts/mok/tests/__snapshot__/postfix_test.yaml.snap
index deaf86867..11c748d04 100644
--- a/charts/mok/tests/__snapshot__/postfix_test.yaml.snap
+++ b/charts/mok/tests/__snapshot__/postfix_test.yaml.snap
@@ -113,7 +113,7 @@ should match snapshot:
         #        check_recipient_access pgsql:/srv/tmp/recipient-access.cf
         #        check_client_access cidr:/srv/config/access_client,
         #        check_helo_access btree:/srv/config/access_helo,
-        #        check_sender_access btree:/srv/config/access_sender,
+                check_sender_access lmdb:/srv/tmp/access_sender,
                 reject_non_fqdn_sender,
                 reject_non_fqdn_recipient,
                 reject_unknown_sender_domain,
@@ -418,8 +418,8 @@ should match snapshot:
       template:
         metadata:
           annotations:
-            checksum/config: 7957f3df6d998c42c57e91d61ff347f0fcc9d0f89b3d09b5716f60c019b7528c
-            checksum/secret: 8169e727a431edd14dee881a9db5779aa38f2dad6008da57bf280862cfed621c
+            checksum/config: ae779e82df8eab92d5ed337c3cae34b82ea65cc7e11637e47b3f91cf130e8de9
+            checksum/secret: 4a9a25e04ee01efbca95ac61fbbeb7adc3623a3494e86cd91f2b0cabc281f936
           labels:
             app.kubernetes.io/component: postfix
             app.kubernetes.io/instance: RELEASE-NAME
@@ -663,6 +663,7 @@ should match snapshot:
         helm.sh/chart: mok-1.2.3
       name: RELEASE-NAME-mok-postfix-maps
     stringData:
+      access_sender: ""
       aliases: ""
       domains: ""
       header_checks: |
diff --git a/charts/mok/tests/__snapshot__/relay_test.yaml.snap b/charts/mok/tests/__snapshot__/relay_test.yaml.snap
index 339525ec5..dd9f02e9b 100644
--- a/charts/mok/tests/__snapshot__/relay_test.yaml.snap
+++ b/charts/mok/tests/__snapshot__/relay_test.yaml.snap
@@ -25,6 +25,7 @@ keeps stays the same:
         helm.sh/chart: mok-1.2.3
       name: RELEASE-NAME-mok-postfix-maps
     stringData:
+      access_sender: ""
       aliases: ""
       domains: ""
       header_checks: |
diff --git a/charts/mok/tests/dovecot_test.yaml b/charts/mok/tests/dovecot_test.yaml
index 4c3c75825..7b4f890d8 100644
--- a/charts/mok/tests/dovecot_test.yaml
+++ b/charts/mok/tests/dovecot_test.yaml
@@ -97,7 +97,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.metadata.annotations["checksum/config"]
-          value: 8169e727a431edd14dee881a9db5779aa38f2dad6008da57bf280862cfed621c
+          value: 4a9a25e04ee01efbca95ac61fbbeb7adc3623a3494e86cd91f2b0cabc281f936
         documentIndex: 2
         template: dovecot.yaml
   - it: has a changing config hash for auto-reload
@@ -114,7 +114,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.metadata.annotations["checksum/config"]
-          value: 6ee744494b7b05190228983d6f941dbf677e8211991a887c2995597942e7eedf
+          value: 62bd4dba04cb98321727fed0c6f6885e1144139422581895130e64ecad6f6ab2
         documentIndex: 2
         template: dovecot.yaml
   - it: scales with replicaCount
diff --git a/charts/mok/tests/postfix_test.yaml b/charts/mok/tests/postfix_test.yaml
index a78420284..4fada3b54 100644
--- a/charts/mok/tests/postfix_test.yaml
+++ b/charts/mok/tests/postfix_test.yaml
@@ -84,7 +84,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.metadata.annotations["checksum/secret"]
-          value: 8169e727a431edd14dee881a9db5779aa38f2dad6008da57bf280862cfed621c
+          value: 4a9a25e04ee01efbca95ac61fbbeb7adc3623a3494e86cd91f2b0cabc281f936
         documentIndex: 1
         template: postfix.yaml
   - it: has a changing config hash for auto-reload
@@ -101,7 +101,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.metadata.annotations["checksum/secret"]
-          value: 6ee744494b7b05190228983d6f941dbf677e8211991a887c2995597942e7eedf
+          value: 62bd4dba04cb98321727fed0c6f6885e1144139422581895130e64ecad6f6ab2
         documentIndex: 1
         template: postfix.yaml
   - it: has a PDB by default if the replica count is > 1
-- 
GitLab