From 759ee55f184c8dd8b84d2a4bd1ea40d0fa5e6e47 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 17 Jan 2025 15:31:21 -0800 Subject: [PATCH] bastion: fix delivering non contributors emails locally Should fix: https://pagure.io/fedora-infrastructure/issue/12361 Basically postfix default is: local_recipient_maps = proxy:unix:passwd.byname $alias_maps so if the user is a local user or an alias, it's valid. However, sssd and ipa show all users (even ones with no access to that host). This means we were accepting and delivering (locally) emails for anyuser@fedoraproject.org. Setting this to just $alias_maps will just treat aliases as valid and ignore all the local users. This should be fine as we use aliases to send even to root or other system users. Signed-off-by: Kevin Fenzi --- roles/base/files/postfix/main.cf/main.cf.gateway | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/roles/base/files/postfix/main.cf/main.cf.gateway b/roles/base/files/postfix/main.cf/main.cf.gateway index f7e4c77c91..3f640723fb 100644 --- a/roles/base/files/postfix/main.cf/main.cf.gateway +++ b/roles/base/files/postfix/main.cf/main.cf.gateway @@ -783,3 +783,10 @@ sender_dependent_relayhost_maps = hash:/etc/postfix/bysender # http://www.postfix.org/BDAT_README.html # but does so in a way which is noisy with logs. Turn it off without logging. smtpd_discard_ehlo_keywords = chunking, silent-discard + +# We don't want to deliver to local users at all here +# because sssd/ldap shows all existing users as users, but +# we only want 'contributors' to have aliases. +# Non contibutor's should have their mail rejected as not existing. +# contributors we want to send to their aliases. +local_recipient_maps = $alias_maps
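Review bot: The comment block added above `local_recipient_maps = $alias_maps` leaves out the dependency the commit message relies on: once only `$alias_maps` counts as a valid local recipient, any address without an alias entry is treated as nonexistent, including root and other system users. The commit message says those are already reached through aliases. Please state that in the comment so that a later change removing or renaming an alias is understood to cut off that mailbox. The wording could also be tightened. "Non contibutor's" should read "Non-contributors", and the first line talks about not delivering to local users, while the commit message describes the change as which recipients are treated as valid. Something like "Only addresses present in $alias_maps are valid local recipients; system users must have an alias" would match what the setting does.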