authorvarac <varacanero@zeromail.org>2016-02-02 14:41:17 +0100
committervarac <varacanero@zeromail.org>2016-02-02 23:34:48 +0100
commit49c8a0c2a5ff413430b4bf7cc90f39f28c936b3e (patch)
tree99bef2e4c903f25da78ab6c8d14bacb166c4dbef /puppet/modules/site_postfix/manifests/mx
parentc7c807146ec081fd4bc15fe65c00bcf2f519368a (diff)
[bug] Add smtpd_relay_restrictions to postfix conf
smtpd_relay_restrictions was added in postfix 2.10 (jessie has 2.11 atm). Without this, relaying of outbound mail is rejected. From http://www.postfix.org/SMTPD_ACCESS_README.html: NOTE: Postfix versions before 2.10 did not have smtpd_relay_restrictions. They combined the mail relay and spam blocking policies, under smtpd_recipient_restrictions. This could lead to unexpected results. For example, a permissive spam blocking policy could unexpectedly result in a permissive mail relay policy. An example of this is documented under "Dangerous use of smtpd_recipient_restrictions". smtpd_relay_restrictions defaults to 'permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination' and is configured here to check for a valid client cert. See http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions - Resolves: #7856
Diffstat (limited to 'puppet/modules/site_postfix/manifests/mx')
-rw-r--r--puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp4
1 files changed, 4 insertions, 0 deletions
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
index 0ea452ee..291d7ee4 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -1,3 +1,5 @@
+# smtpd checks for incoming mail on smtp port 25 and
+# mail sent via the bitmask client using smtps port 465
class site_postfix::mx::smtpd_checks {
postfix::config {
@@ -23,6 +25,8 @@ class site_postfix::mx::smtpd_checks {
# disable a user by removing their valid client cert (#3634)
'smtps_recipient_restrictions':
value => 'permit_tls_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
+ 'smtps_relay_restrictions':
+ value => 'permit_mynetworks, permit_tls_clientcerts, defer_unauth_destination';
'smtps_helo_restrictions':
value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit';
'smtpd_sender_restrictions':
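Review bot: `smtps_relay_restrictions` is not a built-in Postfix parameter, so the added entry only takes effect if the smtps service definition in master.cf passes it on, presumably as `-o smtpd_relay_restrictions=$smtps_relay_restrictions`; that override is not visible here (the diff is limited to manifests/mx), so it should be confirmed, otherwise the 465 listener keeps the default relay policy. Separately, `permit_mynetworks` is evaluated before `permit_tls_clientcerts`, so any host inside `mynetworks` can relay on the smtps port without presenting a client certificate, which sidesteps the "disable a user by removing their valid client cert" control described in the comment above `smtps_recipient_restrictions`. If that is intended, the new entry deserves a comment like its neighbours, e.g. `# relay only for mynetworks and clients with a valid cert; everything else is deferred`; if not, dropping `permit_mynetworks` from this list keeps the cert as the only relay credential. The class body continues outside the hunk.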