From: Tom Hughes
Date: Fri, 24 Oct 2014 16:48:39 +0000 (+0100)
Subject: Only allow external SMTP connections on the mail server
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/fa83c74d4e135984a5deca3a827893e8bc4d2ae0
Only allow external SMTP connections on the mail server
---
diff --git a/cookbooks/exim/recipes/default.rb b/cookbooks/exim/recipes/default.rb
index 1e333b42c..b92bc31f4 100644
--- a/cookbooks/exim/recipes/default.rb
+++ b/cookbooks/exim/recipes/default.rb
@@ -126,7 +126,7 @@ end
 munin_plugin "exim_mailqueue"
 munin_plugin "exim_mailstats"
 
-if not relay_to_domains.empty? or not node[:exim][:local_domains].empty?
+if node[:exim][:smarthost_name]
 node[:exim][:daemon_smtp_ports].each do |port|
 firewall_rule "accept-inbound-smtp-#{port}" do
 action :accept
@@ -137,6 +137,17 @@ if not relay_to_domains.empty? or not node[:exim][:local_domains].empty?
 source_ports "1024:"
 end
 end
+else
+ node[:exim][:daemon_smtp_ports].each do |port|
+ firewall_rule "accept-inbound-smtp-#{port}" do
+ action :accept
+ source "bm:mail.openstreetmap.org"
+ dest "fw"
+ proto "tcp:syn"
+ dest_ports port
+ source_ports "1024:"
+ end
+ end
 end
 
 if node[:exim][:smarthost_via]
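Review bot: The new gate `if node[:exim][:smarthost_name]` picks the externally reachable branch on bare truthiness, and in Ruby an empty string is truthy, so a node whose attribute is set to `""` would be treated as the mail server. The `source` line of that branch lies between the two hunks and is not visible here, so how wide the rule is needs confirming there. Because a mistake here fails open, I would make the test explicit, e.g. `if !node[:exim][:smarthost_name].to_s.empty?`, and put a comment above it such as `# smarthost_name marks the mail server; all other nodes accept SMTP from it only` (wording to be confirmed against the role definitions). The `if` block opened here closes in the next hunk.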
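Review bot: The added `else` branch installs an accept rule on every node that runs this recipe, whereas the removed condition opened SMTP only when `relay_to_domains` or `node[:exim][:local_domains]` was non-empty. If nodes with no domains are not meant to receive mail, keeping that test on this branch holds to least privilege: `elsif !relay_to_domains.empty? || !node[:exim][:local_domains].empty?`. The source `"bm:mail.openstreetmap.org"` is also a hard-coded host name; if the firewall resolves names when rules are built (not visible here), the rule depends on DNS at that moment, so an attribute or a fixed address would be easier to audit. The two loops appear to differ only in `source`, so a single loop with the source chosen beforehand would keep the rules from drifting apart.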