| author | varac <varacanero@zeromail.org> | 2016-02-02 14:41:17 +0100 | 
|---|---|---|
| committer | varac <varacanero@zeromail.org> | 2016-02-02 23:34:48 +0100 | 
| commit | 49c8a0c2a5ff413430b4bf7cc90f39f28c936b3e (patch) | |
| tree | 99bef2e4c903f25da78ab6c8d14bacb166c4dbef /puppet | |
| parent | c7c807146ec081fd4bc15fe65c00bcf2f519368a (diff) | |
[bug] Add smtpd_relay_restrictions to postfix conf
smtpd_relay_restrictions was added in postfix 2.10 (jessie
has 2.11 at the moment). Without it, outbound mail submitted
through the smtps service is rejected instead of being relayed.
from http://www.postfix.org/SMTPD_ACCESS_README.html:
    NOTE: Postfix versions before 2.10 did not have
    smtpd_relay_restrictions. They combined the mail relay and spam blocking
    policies, under smtpd_recipient_restrictions. This could lead to
    unexpected results. For example, a permissive spam blocking policy could
    unexpectedly result in a permissive mail relay policy. An example of
    this is documented under "Dangerous use of
    smtpd_recipient_restrictions".
smtpd_relay_restrictions defaults to
'permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination'
and is configured here to check for a valid client cert.
see http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions
- Resolves: #7856
Diffstat (limited to 'puppet')
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx.pp | 29 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 4 | 
2 files changed, 24 insertions, 9 deletions
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index cd493807..02b9fbdd 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -93,20 +93,31 @@ class site_postfix::mx {
   # greater verbosity for debugging, take out for production
   #include site_postfix::debug
-  class { 'postfix':
-    preseed             => true,
-    root_mail_recipient => $root_mail_recipient,
-    smtp_listen         => 'all',
-    mastercf_tail       =>
-    "smtps     inet  n       -       -       -       -       smtpd
+  case $::operatingsystemrelease {
+    /^7.*/: {
+      $smtpd_relay_restrictions=''
+    }
+    default:  {
+      $smtpd_relay_restrictions="  -o smtpd_relay_restrictions=\$smtps_relay_restrictions\n"
+    }
+  }
+
+  $mastercf_tail = "
+smtps     inet  n       -       -       -       -       smtpd
   -o smtpd_tls_wrappermode=yes
   -o smtpd_tls_security_level=encrypt
-  -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions
+${smtpd_relay_restrictions}  -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions
   -o smtpd_helo_restrictions=\$smtps_helo_restrictions
   -o smtpd_client_restrictions=
   -o cleanup_service_name=clean_smtps
-clean_smtps	  unix	n	-	n	-	0	cleanup
-  -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers",
+clean_smtps   unix  n - n - 0 cleanup
+  -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers"
+
+  class { 'postfix':
+    preseed             => true,
+    root_mail_recipient => $root_mail_recipient,
+    smtp_listen         => 'all',
+    mastercf_tail       => $mastercf_tail,
     require             => [
       Class['Site_config::X509::Key'],
       Class['Site_config::X509::Cert'],
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
index 0ea452ee..291d7ee4 100644
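Review bot: The `/^7.*/` arm of the new `case $::operatingsystemrelease` carries no comment saying why Debian 7 is treated differently, and the regex matches any distribution whose release string starts with 7, not just wheezy; the reason (wheezy ships Postfix 2.9, which predates `smtpd_relay_restrictions`) lives only in the commit message. A comment above the case such as `# Debian 7 (wheezy) ships Postfix 2.9, which does not know smtpd_relay_restrictions (added in 2.10); on that release the smtps relay policy falls back to smtps_recipient_restrictions, so keep reject_unauth_destination there` would make the security dependency visible to the next maintainer; a codename or Postfix-version fact would be a more precise key than the release number, if one is available in this module. As a point of style, the two assignments are written `$smtpd_relay_restrictions=''` without spaces around `=` and `default:  {` has a double space, unlike the `=>` alignment used in the rest of the hunk.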
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -1,3 +1,5 @@
+# smtpd checks for incoming mail on smtp port 25 and
+# mail sent via the bitmask client using smtps port 465
 class site_postfix::mx::smtpd_checks {
   postfix::config {
@@ -23,6 +25,8 @@ class site_postfix::mx::smtpd_checks {
     # disable a user by removing their valid client cert (#3634)
     'smtps_recipient_restrictions':
       value => 'permit_tls_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
+    'smtps_relay_restrictions':
+      value => 'permit_mynetworks, permit_tls_clientcerts, defer_unauth_destination';
     'smtps_helo_restrictions':
       value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit';
     'smtpd_sender_restrictions':
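Review bot: The new `smtps_relay_restrictions` value ends in `defer_unauth_destination` while the `smtps_recipient_restrictions` line just above it uses `reject_unauth_destination`, so on Postfix 2.10+ an unauthenticated relay attempt on the smtps service now gets a 4xx temporary failure from the relay stage (and the sender keeps retrying) instead of the 5xx the recipient stage would have given; if the 5xx behaviour is the intended one, `value => 'permit_mynetworks, permit_tls_clientcerts, reject_unauth_destination';` keeps the two stages consistent. Since relaying now hinges entirely on `permit_tls_clientcerts`, it is worth stating next to it that this check only fires when the server asks for a client certificate (`smtpd_tls_ask_ccert = yes`) and the verified certificate's fingerprint is listed in `relay_clientcerts`; neither setting is visible in this hunk, so presumably they are configured elsewhere in the module. A comment such as `# relay policy for the smtps (465) client submission port: only hosts in mynetworks or clients presenting a listed client cert may relay (Postfix >= 2.10)` would document that.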
