From 5394a505b954facece39ab0016441b3f41f13260 Mon Sep 17 00:00:00 2001
From: 17Halbe
Date: Wed, 7 Feb 2018 21:33:07 +0100
Subject: [PATCH] Restrict access (Closes #452, #816)

new setup.sh function, new tests, new script
---
 setup.sh | 12 ++++--
 target/bin/restrict-access | 56 +++++++++++++++++++++++++++
 target/postfix/main.cf | 5 +--
 test/config/postfix-receive-access.cf | 1 +
 test/config/postfix-send-access.cf | 1 +
 test/tests.bats | 23 ++++++++++-
 6 files changed, 90 insertions(+), 8 deletions(-)
 create mode 100755 target/bin/restrict-access
 create mode 100644 test/config/postfix-receive-access.cf
 create mode 100644 test/config/postfix-send-access.cf

diff --git a/setup.sh b/setup.sh
index 6269e9ec..6b279202 100755
--- a/setup.sh
+++ b/setup.sh
@@ -42,9 +42,10 @@ SUBCOMMANDS:
 email:
- $0 email add
- $0 email update
+ $0 email add []
+ $0 email update []
 $0 email del
+ $0 email restrict []
 $0 email list
 alias:
@@ -60,7 +61,7 @@ SUBCOMMANDS:
 debug:
 $0 debug fetchmail
- $0 debug fail2ban
+ $0 debug fail2ban [ ]
 $0 debug show-mail-logs
 $0 debug inspect
 $0 debug login
@@ -117,7 +118,6 @@ case $1 in
 email)
 shift
 case $1 in
-
 add)
 shift
 _docker_image addmailuser $@
@@ -130,6 +130,10 @@ case $1 in
 shift
 _docker_image delmailuser $@
 ;;
+ restrict)
+ shift
+ _docker_image restrict-access $@
+ ;;
 list)
 _docker_image listmailuser
 ;;
diff --git a/target/bin/restrict-access b/target/bin/restrict-access
new file mode 100755
index 00000000..7b693bd4
--- /dev/null
+++ b/target/bin/restrict-access
@@ -0,0 +1,56 @@
+#! /bin/bash
+
+MODE="$1"
+USER="$3"
+
+usage() {
+ echo "Usage: $0 []"
+}
+
+raise() {
+ echo "$@" 1>&2
+ exit 1
+}
+
+escape() {
+ echo "${1//./\\.}"
+}
+[ -z "$MODE" ] && raise "missing parameters: []"
+
+case $2 in
+ send)
+ DATABASE="/tmp/docker-mailserver/postfix-send-access.cf"
+ ;;
+ receive)
+ DATABASE="/tmp/docker-mailserver/postfix-receive-access.cf"
+ ;;
+ *)
+ usage; raise "missing parameters. Specify \"send\" or \"receive\"";
+ ;;
+esac
+
+if [ -z "$USER" ] && [ "$MODE" != list ]; then
+ read -p "User(user@domain.com): " USER
+ echo
+ [ -z "$USER" ] && raise "User must not be empty"
+fi
+
+
+case $MODE in
+ add)
+ grep -qi "^$(escape "$USER")" $DATABASE 2>/dev/null &&
+ raise "User \"$USER\" already denied to $2 mails"
+ echo -e "$USER \t\t REJECT" >>$DATABASE
+ ;;
+ del)
+ sed -ie "/^$(escape "$USER")/d" $DATABASE 2>/dev/null ||
+ raise "User \"$USER\" not found."
+ ;;
+ list)
+ grep "REJECT" $DATABASE 2>/dev/null ||
+ echo "Everyone is allowed to $2 mails."
+ ;;
+ *)
+ usage; raise "missing mode. Specify \"add\", \"del\" or \"list\"";
+ ;;
+esac
\ No newline at end of file
diff --git a/target/postfix/main.cf b/target/postfix/main.cf
index b9fc7d7f..01b7823a 100644
--- a/target/postfix/main.cf
+++ b/target/postfix/main.cf
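Review bot: The address taken from `$3` (or from `read`) is interpolated into the grep pattern in the `add` branch and into the sed address in the `del` branch with only `.` escaped by `escape`, so regex metacharacters such as `[`, `*` or `\` and a `/` (which terminates the sed address) reach the pattern unescaped, and the same unvalidated string is then appended to a Postfix access map where a value containing whitespace produces a malformed entry. The `add` check `^$(escape "$USER")` is also only prefix-anchored, so adding `user@example.org` is refused when `user@example.org.uk` is already present, and in `del` the `|| raise` never fires for a missing entry because sed exits 0 when no line matches; on GNU sed `-ie` additionally leaves a backup file with an `e` suffix next to the database. I would validate the address once before either branch and match on the key followed by whitespace, as below (the `I` address flag is a GNU sed extension, which the Debian-based image provides).
```shell
# … unchanged: MODE/USER, usage, raise, escape, DATABASE selection, interactive read …

# The address ends up inside a grep/sed pattern and in a Postfix access map
# line, so accept only a plain user@domain token before using it anywhere.
if [ "$MODE" != list ]; then
  [[ "$USER" =~ ^[[:alnum:]._%+-]+@[[:alnum:].-]+$ ]] ||
    raise "Invalid address \"$USER\" (expected user@domain)"
fi

case $MODE in
  add)
    # Require whitespace after the key so user@example.org does not
    # match an existing user@example.org.uk entry.
    grep -qi "^$(escape "$USER")[[:space:]]" "$DATABASE" 2>/dev/null &&
      raise "User \"$USER\" already denied to $2 mails"
    echo -e "$USER \t\t REJECT" >>"$DATABASE"
    ;;
  del)
    # sed exits 0 when no line matches, so check for the entry first;
    # plain -i avoids the "e"-suffixed backup that -ie leaves behind.
    grep -qi "^$(escape "$USER")[[:space:]]" "$DATABASE" 2>/dev/null ||
      raise "User \"$USER\" not found."
    sed -i "/^$(escape "$USER")[[:space:]]/Id" "$DATABASE"
    ;;
  # … unchanged: list and default branches …
esac
```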
@@ -44,10 +44,9 @@ smtpd_helo_required = yes
 smtpd_delay_reject = yes
 smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
-smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf,
- reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
+smtpd_recipient_restrictions = check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
 smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining
-smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch
+smtpd_sender_restrictions = check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf, permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch
 disable_vrfy_command = yes
 # Postscreen settings to drop zombies/open relays/spam early
diff --git a/test/config/postfix-receive-access.cf b/test/config/postfix-receive-access.cf
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/test/config/postfix-receive-access.cf
@@ -0,0 +1 @@
+
diff --git a/test/config/postfix-send-access.cf b/test/config/postfix-send-access.cf
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/test/config/postfix-send-access.cf
@@ -0,0 +1 @@
+
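Review bot: The new `check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf` and `check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf` entries point at files that nothing on the runtime path guarantees exist: the empty files are only added under test/config, and restrict-access creates a file only on the first `add` for that direction. Postfix treats an access table it cannot open as a temporary lookup failure rather than a no-match, so a missing file would defer every sender or recipient check on an otherwise working server; the container startup should create both files empty when absent, or the requirement should be documented next to these lines. A short comment in main.cf would also help future readers: the access checks are deliberately placed before `permit_sasl_authenticated` and `permit_mynetworks` so the deny list applies to authenticated and local clients too, and a texthash table is read when an smtpd process opens it, so a newly added entry appears to take effect only for subsequently started smtpd processes (worth confirming against the Postfix version in the image).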
diff --git a/test/tests.bats b/test/tests.bats
index 53099a4f..1d7b009c 100644
--- a/test/tests.bats
+++ b/test/tests.bats
@@ -146,7 +146,7 @@ load 'test_helper/bats-assert/load'
 run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/permit_sasl_authenticated.*policyd-spf,$//g' /etc/postfix/main.cf"
 run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/reject_unauth_pipelining.*reject_unknown_recipient_domain,$//g' /etc/postfix/main.cf"
 run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/reject_rbl_client.*inet:127\.0\.0\.1:10023$//g' /etc/postfix/main.cf"
- run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/smtpd_recipient_restrictions = /smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10023/g' /etc/postfix/main.cf"
+ run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/smtpd_recipient_restrictions =/smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10023/g' /etc/postfix/main.cf"
 run docker exec mail_with_postgrey /bin/sh -c "/etc/init.d/postfix reload"
 run docker exec mail_with_postgrey /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/postgrey.txt"
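Review bot: Dropping the trailing space from the `smtpd_recipient_restrictions =` pattern makes this substitution succeed, but the three `sed` lines above it are anchored with `$` on the old two-line layout of the restriction list, and with `smtpd_recipient_restrictions` now collapsed onto a single line in main.cf they appear no longer to match anything. If so, the postgrey test now runs with the full restriction list (including the new `check_recipient_access` table) prepended by the policy service rather than with the stripped-down list it was written for; that may still pass, but it is worth confirming the intent and either updating or deleting those three lines in the same commit. A one-line comment above the block stating which main.cf layout these substitutions expect would prevent the next silent drift.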
@@ -1122,6 +1122,27 @@ load 'test_helper/bats-assert/load'
 [ -z "$value" ]
 }
+@test "checking setup.sh: setup.sh email restrict" {
+ run ./setup.sh -c mail email restrict
+ assert_failure
+ run ./setup.sh -c mail email restrict add
+ assert_failure
+ ./setup.sh -c mail email restrict add send lorem@impsum.org
+ run ./setup.sh -c mail email restrict list send
+ assert_output --regexp "^lorem@impsum.org.*REJECT"
+
+ run ./setup.sh -c mail email restrict del send lorem@impsum.org
+ assert_success
+ run ./setup.sh -c mail email restrict list send
+ assert_output --partial "Everyone is allowed"
+
+ ./setup.sh -c mail email restrict add receive rec_lorem@impsum.org
+ run ./setup.sh -c mail email restrict list receive
+ assert_output --regexp "^rec_lorem@impsum.org.*REJECT"
+ run ./setup.sh -c mail email restrict del receive rec_lorem@impsum.org
+ assert_success
+}
+
 # alias
 @test "checking setup.sh: setup.sh alias list" {
 echo "test@example.org test@forward.com" > ./config/postfix-virtual.cf
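Review bot: The new test covers only the CLI round trip through `./setup.sh` against the files in ./config; nothing asserts that Postfix actually rejects mail from `lorem@impsum.org` or to `rec_lorem@impsum.org`, which is the behavior the main.cf `check_sender_access`/`check_recipient_access` wiring is meant to deliver, so a broken table path would pass this test unnoticed. A delivery-level check (send through the running container from a restricted sender and assert the reject in the mail log, in the style of the other tests in this file) would pin that. The duplicate guard in restrict-access is also untested; after the first add, `run ./setup.sh -c mail email restrict add send lorem@impsum.org` followed by `assert_failure` would cover it. Note that the `del` steps go through the script's `sed -ie`, which on GNU sed leaves a backup file with an `e` suffix in test/config that this test does not clean up.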