2 files changed, 11 insertions, 8 deletions

diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index e5dc1c7b..2d8f3db5 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -37,13 +37,14 @@ class site_postfix::mx {
     root_mail_recipient => $root_mail_recipient,
     smtp_listen         => 'all',
     mastercf_tail       =>
-    "smtps     inet  n       -       -       -       -       smtpd\n
-    -o smtpd_tls_wrappermode=yes\n
-    -o smtpd_tls_security_level=encrypt\n
-    submission inet n        -       n       -       -       smtpd\n
-    -o smtpd_tls_security_level=encrypt\n
-    -o smtpd_recipient_restrictions=\$submission_recipient_restrictions",
-    require             => [ X509::Key[$cert_name], X509::Cert[$cert_name],
-                             User['vmail'] ]
+    "smtps     inet  n       -       -       -       -       smtpd
+  -o smtpd_tls_wrappermode=yes
+  -o smtpd_tls_security_level=encrypt
+submission inet n        -       n       -       -       smtpd
+  -o smtpd_tls_security_level=encrypt
+  -o smtpd_recipient_restrictions=\$submission_recipient_restrictions
+  -o smtpd_helo_restrictions=\$submission_helo_restrictions",
+    require             => [
+      X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ]
   }
 }
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
index b1536d64..0f1500a4 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -24,6 +24,8 @@ class site_postfix::mx::smtpd_checks {
       value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
     'submission_recipient_restrictions':
       value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit';
+    'submission_helo_restrictions':
+      value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit';
     'smtpd_sender_restrictions':
       value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit';
     }