From 6811e39f4b065bf2271b57d0dd5aa58db14e9b7e Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Thu, 28 Apr 2016 18:00:10 +0200
Subject: basic restrictions
---
 ymir.nix | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/ymir.nix b/ymir.nix
index 8b2e1b12..80f1f11f 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -335,6 +335,28 @@ in rec {
 smtpd_sasl_security_options = noanonymous, noplaintext
 smtpd_sasl_tls_security_options = noanonymous
 smtpd_tls_auth_only = yes
+
+ smtpd_delay_reject = yes
+ smtpd_helo_required = yes
+ smtpd_helo_restrictions =
+ permit_mynetworks,
+ reject_non_fqdn_helo_hostname,
+ reject_invalid_helo_hostname,
+ permit
+
+ smtpd_sender_restrictions =
+ permit_mynetworks,
+ reject_non_fqdn_sender,
+ reject_unknown_sender_domain,
+ permit
+
+ smtpd_recipient_restrictions =
+ reject_unauth_pipelining,
+ reject_non_fqdn_recipient,
+ reject_unknown_recipient_domain,
+ permit_mynetworks,
+ reject_unauth_destination,
+ permit
 '';
 extraMasterConf = ''
 uucp unix - n n - - pipe flags=Fqhu user=uucp argv=/var/setuid-wrappers/uux -z -a$sender - $nexthop!rmail ($recipient)
--
cgit v1.2.3
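Review bot: None of the three added restriction lists contains `permit_sasl_authenticated`, although the context lines just above configure SASL (`smtpd_sasl_security_options`, `smtpd_tls_auth_only = yes`). As written, an authenticated client outside `mynetworks` falls through to `reject_unauth_destination` in `smtpd_recipient_restrictions` and cannot relay, and it is also subject to `reject_non_fqdn_helo_hostname`, which mail clients commonly fail. If authenticated submission is meant to pass through this smtpd instance, add `permit_sasl_authenticated,` directly after `permit_mynetworks,` in each list; if it is instead handled by a separate service with `-o` overrides in `extraMasterConf`, a comment saying so would help, since that string and the start of `extraConfig` lie outside the hunk. In any reordering, keep `reject_unauth_destination` ahead of the final `permit`, because that entry is what stops this list from permitting relay to arbitrary destinations.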