From 775037b6223718d5f02f4638b70734887a4210c6 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Wed, 21 Oct 2020 19:29:56 +0200
Subject: [PATCH] Support reject_sender_login_mismatch and smtpd_sender_login_maps
---
 defaults/main.yml | 7 +++++++
 templates/main.cf.j2 | 21 +++++++++++++++++++--
 2 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index d99d468..19454c3 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -88,6 +88,13 @@ postfix_smtpd_mx_client_restrictions:
 - reject_unknown_recipient_domain
 - reject_unlisted_recipient
 
+#############################################################################
+# SMTP sender restrictions
+#############################################################################
+postfix_smtpd_sender_restrictions: True
+postfix_reject_sender_login_mismatch: False
+postfix_smtpd_sender_login_maps: []
+postfix_smtpd_additional_sender_restrictions: []
 #############################################################################
 # SMTP submission server: accepts authenticated clients
 #############################################################################
diff --git a/templates/main.cf.j2 b/templates/main.cf.j2
index 6a017ff..f496e6f 100644
--- a/templates/main.cf.j2
+++ b/templates/main.cf.j2
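Review bot: The four new defaults in defaults/main.yml carry no comments, and nothing tells a reader that `postfix_reject_sender_login_mismatch` is only useful together with a non-empty `postfix_smtpd_sender_login_maps`. I would add a comment above the list such as `# Postfix lookup tables (type:name) mapping sender addresses to the SASL logins that own them; needed when postfix_reject_sender_login_mismatch is True`. A second comment should note that `postfix_smtpd_sender_restrictions` now gates the whole `smtpd_sender_restrictions` block in templates/main.cf.j2, so setting it to False also drops the existing `reject_unknown_sender_domain` and `reject_non_fqdn_sender` checks.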
@@ -616,16 +616,33 @@ broken_sasl_auth_clients = yes
 # Block clients that speak too early.
 smtpd_data_restrictions = reject_unauth_pipelining
 {% endif %}
+{% if postfix_reject_sender_login_mismatch %}
+smtpd_sender_login_maps
+{% for login_map in postfix_smtpd_sender_login_maps %}
+ {{ login_map }}
+{% endfor %}
+
+{% endif %}
+
 {% if postfix_smtpd_reject_unknown_helo_hostname %}
 # Don't talk to mail systems that don't know their own hostname. Use with care: it breaks most dialup setups
 smtpd_helo_restrictions = reject_unknown_helo_hostname
 {% endif %}
-{% if postfix_reject_unknown_sender_domain %}
-# Don't accept mail from domains that don't exist.
+{% if postfix_smtpd_sender_restrictions %}
+# Do not accept everything
 smtpd_sender_restrictions =
+{% if postfix_reject_unknown_sender_domain %}
 reject_unknown_sender_domain
 reject_non_fqdn_sender
 {% endif %}
+{% if postfix_reject_sender_login_mismatch %}
+ reject_sender_login_mismatch
+{% endif %}
+{% for rule in postfix_smtpd_additional_sender_restrictions %}
+ {{ rule }}
+{% endfor %}
+{% endif %}
+
 {% if postfix_submission_server %}
 # Relay control: local clients and
 # authenticated clients may specify any destination domain.
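Review bot: The added `smtpd_sender_login_maps` line has no `=`, unlike `smtpd_sender_restrictions =` further down, so the rendered main.cf holds no valid `name = value` assignment and the tables from `postfix_smtpd_sender_login_maps` are presumably never loaded. `reject_sender_login_mismatch` depends on those maps, so sender-ownership enforcement for authenticated clients would likely not take effect even with the flag on; the line should read `smtpd_sender_login_maps =`. I would also guard the block with `{% if postfix_reject_sender_login_mismatch and postfix_smtpd_sender_login_maps %}`, or fail the play, so the flag cannot be enabled with the default empty list. Running `postconf -n smtpd_sender_login_maps` on a rendered host shows what Postfix actually parsed.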