bastion: fix delivering non contributors emails locally

Should fix: https://pagure.io/fedora-infrastructure/issue/12361 Basically postfix default is: local_recipient_maps = proxy:unix:passwd.byname $alias_maps so if the user is a local user or an alias, it's valid. However, sssd and ipa show all users (even ones with no access to that host). This means we were accepting and delivering (locally) emails for anyuser@fedoraproject.org. Setting this to just $alias_maps will just treat aliases as valid and ignore all the local users. This should be fine as we use aliases to send even to root or other system users. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-01-17 15:31:21 -08:00 · 2025-01-17 15:31:21 -08:00 · 759ee55f18
commit 759ee55f18
parent 96a5107afa
1 changed files with 7 additions and 0 deletions
--- a/roles/base/files/postfix/main.cf/main.cf.gateway
+++ b/roles/base/files/postfix/main.cf/main.cf.gateway
@ -783,3 +783,10 @@ sender_dependent_relayhost_maps = hash:/etc/postfix/bysender
 # http://www.postfix.org/BDAT_README.html
 # but does so in a way which is noisy with logs. Turn it off without logging.
 smtpd_discard_ehlo_keywords = chunking, silent-discard
+
+# We don't want to deliver to local users at all here
+# because sssd/ldap shows all existing users as users, but
+# we only want 'contributors' to have aliases.
+# Non contibutor's should have their mail rejected as not existing.
+# contributors we want to send to their aliases.
+local_recipient_maps = $alias_maps