add server config select list for unknown (dns) rejection

Author: jnorell

install/lib/installer_base.lib.php

@@ -1077,14 +1077,23 @@ public function configure_postfix($options = '') {
 		}
 
 		$reject_sender_login_mismatch = '';
-		if(isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) {
+		if (isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) {
 			$reject_sender_login_mismatch = ',reject_sender_login_mismatch,';
 		}
 
 		# placeholder includes comment char
 		$stress_adaptive_placeholder = '#{stress_adaptive}';
 		$stress_adaptive = (isset($server_ini_array['mail']['stress_adaptive']) && ($server_ini_array['mail']['stress_adaptive'] == 'y')) ? '' : $stress_adaptive_placeholder;
 
+		$reject_unknown_client_hostname='';
+		if (isset($server_ini_array['mail']['reject_unknown']) && ($server_ini_array['mail']['reject_unknown'] == 'client' || $server_ini_array['mail']['reject_unknown'] == 'client_helo')) {
+			$reject_unknown_client_hostname=',reject_unknown_client_hostname';
+		}
+		$reject_unknown_helo_hostname='';
+		if ((!isset($server_ini_array['mail']['reject_unknown'])) || $server_ini_array['mail']['reject_unknown'] == 'helo' || $server_ini_array['mail']['reject_unknown'] == 'client_helo') {
+			$reject_unknown_helo_hostname=',reject_unknown_helo_hostname';
+		}
+
 		unset($server_ini_array);
 
 		$tmp = str_replace('.','\.',$conf['hostname']);
@@ -1098,6 +1107,8 @@ public function configure_postfix($options = '') {
 			'{reject_slm}' => $reject_sender_login_mismatch,
 			'{myhostname}' => $tmp,
 			$stress_adaptive_placeholder => $stress_adaptive,
+			'{reject_unknown_client_hostname}' => $reject_unknown_client_hostname,
+			'{reject_unknown_helo_hostname}' => $reject_unknown_helo_hostname,
 		);
 
 		$postconf_tpl = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/debian_postfix.conf.master', 'tpl/debian_postfix.conf.master');
@@ -1684,14 +1695,12 @@ public function configure_rspamd() {
 			$options = explode(", ", exec("postconf -h smtpd_sender_restrictions"));
 			$new_options = array();
 			foreach ($options as $key => $value) {
-				if ($value == '') {
-					continue;
-				}
+				if (trim($value) == '') continue;
 				if (preg_match('/tag_as_(originating|foreign)\.re/', $value)) {
 					continue;
 				}
 				if (!preg_match('/reject_(authenticated_)?sender_login_mismatch/', $value)) {
-					$new_options[] = $value;
+					$new_options[] = trim($value);
 				}
 			}
 			if ($mail_config['reject_sender_login_mismatch'] == 'y') {

install/tpl/debian_postfix.conf.master

@@ -26,9 +26,9 @@ relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
 smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
 proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $smtpd_recipient_restrictions
 smtpd_helo_required = yes
-smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, reject_unknown_helo_hostname, permit
+smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, {reject_unknown_helo_hostname}, permit
 smtpd_sender_restrictions = {reject_slm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf
-smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
+smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit
 smtpd_etrn_restrictions = permit_mynetworks, reject
 smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
 smtpd_client_message_rate_limit = 100

install/tpl/fedora_postfix.conf.master

@@ -22,9 +22,9 @@ relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
 smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
 proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $smtpd_recipient_restrictions
 smtpd_helo_required = yes
-smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, reject_unknown_helo_hostname, permit
+smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, {reject_unknown_helo_hostname}, permit
 smtpd_sender_restrictions = {reject_slm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf
-smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
+smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit
 smtpd_etrn_restrictions = permit_mynetworks, reject
 smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
 smtpd_client_message_rate_limit = 100

install/tpl/gentoo_postfix.conf.master

@@ -21,9 +21,9 @@ relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
 smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
 proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $smtpd_recipient_restrictions
 smtpd_helo_required = yes
-smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, reject_unknown_helo_hostname, permit
+smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, {reject_unknown_helo_hostname}, permit
 smtpd_sender_restrictions = {reject_slm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf
-smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
+smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit
 smtpd_etrn_restrictions = permit_mynetworks, reject
 smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
 smtpd_client_message_rate_limit = 100

install/tpl/opensuse_postfix.conf.master

@@ -24,9 +24,9 @@ relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
 smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
 proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $smtpd_recipient_restrictions
 smtpd_helo_required = yes
-smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, reject_unknown_helo_hostname, permit
+smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, {reject_unknown_helo_hostname}, permit
 smtpd_sender_restrictions = {reject_slm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf
-smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
+smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit
 smtpd_etrn_restrictions = permit_mynetworks, reject
 smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
 smtpd_client_message_rate_limit = 100

interface/web/admin/form/server_config.tform.php

@@ -456,11 +456,13 @@
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
 			'default' => '/home/vmail/',
-			'validators' => array(	0 => array('type' => 'NOTEMPTY',
-										'errmsg' => 'homedir_path_error_empty'),
-									1 => array ( 	'type' => 'REGEX',
-										'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{5,128}$/',
-										'errmsg'=> 'homedir_path_error_regex'),
+			'validators' => array(	0 => array ( 'type' => 'NOTEMPTY',
+						           'errmsg' => 'homedir_path_error_empty'
+						    ),
+						1 => array ( 'type' => 'REGEX',
+						            'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{5,128}$/',
+							    'errmsg'=> 'homedir_path_error_regex'
+						    ),
 			),
 			'value' => '',
 			'width' => '40',
@@ -638,6 +640,17 @@
 			'default' => 'n',
 			'value' => array(0 => 'n', 1 => 'y')
 		),
+		'reject_unknown' => array(
+			'datatype' => 'VARCHAR',
+			'formtype' => 'SELECT',
+			'default' => 'helo',
+			'value' => array(
+				'helo' => 'reject_unknown_helo_txt',
+				'client' => 'reject_unknown_client_txt',
+				'client_helo' => 'reject_unknown_client_helo_txt',
+				'none' => 'disabled_txt',
+			)
+		),
 		'mailbox_size_limit' => array(
 			'datatype' => 'INTEGER',
 			'formtype' => 'TEXT',

interface/web/admin/lib/lang/ar_server_config.lng

@@ -40,6 +40,11 @@ $wb['relayhost_txt'] = 'Relayhost';
 $wb['relayhost_user_txt'] = 'Relayhost User';
 $wb['relayhost_password_txt'] = 'Relayhost Password';
 $wb['reject_sender_login_mismatch_txt'] = 'Reject sender and login mismatch';
+$wb['reject_unknown_txt'] = 'Reject unknown hostnames';
+$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks.  Not checked for authenticated users.';
+$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames';
+$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames';
+$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames';
 $wb['mailbox_size_limit_txt'] = 'Mailbox Size Limit';
 $wb['message_size_limit_txt'] = 'Message Size Limit';
 $wb['ip_address_txt'] = 'IP Address';

interface/web/admin/lib/lang/bg_server_config.lng

@@ -38,6 +38,11 @@ $wb['relayhost_txt'] = 'Relayhost';
 $wb['relayhost_user_txt'] = 'Relayhost User';
 $wb['relayhost_password_txt'] = 'Relayhost Password';
 $wb['reject_sender_login_mismatch_txt'] = 'Reject sender and login mismatch';
+$wb['reject_unknown_txt'] = 'Reject unknown hostnames';
+$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks.  Not checked for authenticated users.';
+$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames';
+$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames';
+$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames';
 $wb['mailbox_size_limit_txt'] = 'Mailbox Size Limit';
 $wb['message_size_limit_txt'] = 'Message Size Limit';
 $wb['ip_address_txt'] = 'IP адрес';

interface/web/admin/lib/lang/br_server_config.lng

@@ -51,6 +51,11 @@ $wb['relayhost_txt'] = 'Servidor de retransmissão';
 $wb['relayhost_user_txt'] = 'Usuário de retransmissão';
 $wb['relayhost_password_txt'] = 'Senha do usuário de retransmissão';
 $wb['reject_sender_login_mismatch_txt'] = 'Rejeitar acesso com erro de usuário e/ou senha';
+$wb['reject_unknown_txt'] = 'Reject unknown hostnames';
+$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks.  Not checked for authenticated users.';
+$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames';
+$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames';
+$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames';
 $wb['mailbox_size_limit_txt'] = 'Limite do tamanho da conta de e-mail';
 $wb['message_size_limit_txt'] = 'Limite do tamanho da mensagem';
 $wb['ip_address_txt'] = 'Endereço IP';

interface/web/admin/lib/lang/ca_server_config.lng

@@ -51,6 +51,11 @@ $wb['relayhost_txt'] = 'Relayhost';
 $wb['relayhost_user_txt'] = 'Relayhost User';
 $wb['relayhost_password_txt'] = 'Relayhost Password';
 $wb['reject_sender_login_mismatch_txt'] = 'Reject sender and login mismatch';
+$wb['reject_unknown_txt'] = 'Reject unknown hostnames';
+$wb['tooltip_reject_unknown_txt'] = 'Requires hostnames to pass DNS checks.  Not checked for authenticated users.';
+$wb['reject_unknown_helo_txt'] = 'Reject unknown helo hostnames';
+$wb['reject_unknown_client_txt'] = 'Reject unknown client hostnames';
+$wb['reject_unknown_client_helo_txt'] = 'Reject unknown helo and client hostnames';
 $wb['mailbox_size_limit_txt'] = 'Mailbox Size Limit';
 $wb['message_size_limit_txt'] = 'Message Size Limit';
 $wb['ip_address_txt'] = 'IP Address';