From 3aa462bd2402c81ac85720ca9337d45acbf04ff3 Mon Sep 17 00:00:00 2001
From: varac
Date: Tue, 28 Apr 2015 14:28:21 +0200
Subject: Reject inbound mail to local system users that don't appear in /ect/aliases #6829

We began to recieve spam for vmail@DOMAIN. So we want to block inbound mail to local system users. However, users in the /etc/aliases file are still accepted on inbound mail - see https://leap.se/code/issues/6909 for a follow up.

Change-Id: I03d3014984c4bd27f90147125fb037b68716624d
---
 puppet/modules/site_postfix/manifests/mx.pp | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 81f10b77..49692d24 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -1,3 +1,6 @@
+#
+# configure mx node
+#
 class site_postfix::mx {
 $domain_hash = hiera('domain')
@@ -35,6 +38,12 @@ class site_postfix::mx {
 # because the satellites need to have a different value
 'smtp_tls_security_level':
 value => 'may';
+ # reject inbound mail to system users
+ # see https://leap.se/code/issues/6829
+ # this blocks *only* mails to system users, that don't appear in the
+ # alias map
+ 'local_recipient_maps':
+ value => '$alias_maps';
 }
 include site_postfix::mx::smtpd_checks
-- 
cgit v1.2.3
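Review bot: The single-quoted `'$alias_maps'` on the new `'local_recipient_maps'` entry in the second hunk is load-bearing, and the added comment does not say so. Puppet leaves the string literal so that Postfix expands it; if it were ever double-quoted, Puppet would most likely interpolate an unset variable and write an empty `local_recipient_maps`, which Postfix treats as recipient checking switched off, so the setting would fail open instead of rejecting. I would add a line such as `# single quotes on purpose: postfix, not puppet, expands $alias_maps (an empty value disables the check)`. The check also only applies to domains handled by local delivery, which this hunk does not show, so it is worth confirming the effective values with `postconf local_recipient_maps mydestination` on an mx node. The enclosing resource block starts above the hunk.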