Fix for #38

The postfix configuration was a bit too permissive with `mynetworks`.

This commit:
- adds `reject` at the end of `*restrictions` list
- adds tests for this feature

integration-tests/basic-test/docker-compose.yml

@@ -25,7 +25,7 @@ services:
       - "../tester:/code"
     build:
       context: ../tester
-    command: "/"
+    command: "/" # relative path to /code
     environment:
       FROM: "demo@example.org"
       TO: "test@gmail.com"

integration-tests/deprecated/docker-compose.yml

@@ -26,7 +26,7 @@ services:
       - "../tester:/code"
     build:
       context: ../tester
-    command: "/"
+    command: "/" # relative path to /code
     environment:
       FROM: "demo@example.org"
       TO: "test@gmail.com"

integration-tests/generate-dkim-keys/docker-compose.yml

@@ -24,7 +24,7 @@ services:
       - "../tester:/code"
     build:
       context: ../tester
-    command: "/"
+    command: "/" # relative path to /code
     environment:
       FROM: "demo@example.org"
       TO: "test@gmail.com"

integration-tests/no-dkim-test/docker-compose.yml

@@ -26,7 +26,7 @@ services:
       - "../tester:/code"
     build:
       context: ../tester
-    command: "/"
+    command: "/" # relative path to /code
     environment:
       FROM: "demo@example.org"
       TO: "test@gmail.com"

integration-tests/non-allowed-networks/docker-compose.yml

@@ -0,0 +1,32 @@
+version: '3.7'
+services:
+  postfix_test_587:
+    hostname: "postfix"
+    image: "boky/postfix"
+    build:
+      context: ../..
+    restart: always
+    healthcheck:
+      test: [ "CMD", "sh", "-c", "netstat -an | fgrep 587 | fgrep -q LISTEN" ]
+      interval: 10s
+      timeout: 5s
+      start_period: 10s
+      retries: 2
+    environment:
+      FORCE_COLOR: "1"
+      ALLOWED_SENDER_DOMAINS: "example.org"
+      POSTFIX_mynetworks: "1.1.1.1/32"
+      POSTFIX_smtpd_end_of_data_restrictions: "check_client_access static:discard"
+      LOG_FORMAT: "json"
+  tests:
+    image: "boky/postfix-integration-test"
+    restart: "no"
+    volumes:
+      - ".:/code"
+    build:
+      context: ../tester
+    command: "/"
+    environment:
+      FROM: "demo@example.org"
+      TO: "test@gmail.com"
+      SKIP_INVALID_DOMAIN_SEND: "1"

integration-tests/non-allowed-networks/test.bats

@@ -0,0 +1,25 @@
+#!/usr/bin/env bats
+
+FROM=$1
+TO=$2
+
+if [ -z "$FROM" ]; then
+    FROM="demo@example.org"
+fi
+
+if [ -z "$TO" ]; then
+    TO="test@gmail.com"
+fi
+
+# Wait for postfix to startup
+wait-for-service -q tcp://postfix_test_587:587
+
+SMTP_DATA="-smtp postfix_test_587 -port 587"
+
+@test "Make sure postfix rejects the message from us" {
+	! mailsend \
+		-sub "Test email 1" $SMTP_DATA \
+			-from "$FROM" -to "$TO" \
+		body \
+			-msg "Hello world!\nThis is a simple test message!"
+}

scripts/common-run.sh

@@ -71,8 +71,12 @@ postfix_restrict_message_size() {
 postfix_reject_invalid_helos() {
 	do_postconf -e smtpd_delay_reject=yes
 	do_postconf -e smtpd_helo_required=yes
+	# Fast reject -- reject straight away when the client is connecting
+	do_postconf -e "smtpd_client_restrictions=permit_mynetworks,reject"
+	# Reject / accept on EHLO / HELO command
 	do_postconf -e "smtpd_helo_restrictions=permit_mynetworks,reject_invalid_helo_hostname,permit"
-	do_postconf -e "smtpd_sender_restrictions=permit_mynetworks"
+	# Delayed reject -- reject on MAIL FROM command. Not strictly neccessary to have both, but doesn't hurt
+	do_postconf -e "smtpd_sender_restrictions=permit_mynetworks,reject"
 }
 
 postfix_set_hostname() {

unit-tests/Dockerfile

@@ -13,5 +13,4 @@ RUN        apk add --no-cache bash bats && \
 
 WORKDIR    /code
 ENTRYPOINT ["/usr/bin/bats"]
-
 CMD        ["-v"]

unit-tests/dkim_auto_generate.bats

@@ -19,4 +19,4 @@ chown -R opendkim:opendkim /etc/opendkim
 
     su opendkim -s /bin/bash -c 'cat /etc/opendkim/keys/example.org.private' > /dev/null
     su opendkim -s /bin/bash -c 'cat /etc/opendkim/keys/example.org.txt' > /dev/null
-}
+}