From fa83c74d4e135984a5deca3a827893e8bc4d2ae0 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Fri, 24 Oct 2014 17:48:39 +0100
Subject: [PATCH] Only allow external SMTP connections on the mail server
---
 cookbooks/exim/recipes/default.rb | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/cookbooks/exim/recipes/default.rb b/cookbooks/exim/recipes/default.rb
index 1e333b42c..b92bc31f4 100644
--- a/cookbooks/exim/recipes/default.rb
+++ b/cookbooks/exim/recipes/default.rb
@@ -126,7 +126,7 @@ end
 munin_plugin "exim_mailqueue"
 munin_plugin "exim_mailstats"

-if not relay_to_domains.empty? or not node[:exim][:local_domains].empty?
+if node[:exim][:smarthost_name]
 node[:exim][:daemon_smtp_ports].each do |port|
 firewall_rule "accept-inbound-smtp-#{port}" do
 action :accept
@@ -137,6 +137,17 @@ if not relay_to_domains.empty? or not node[:exim][:local_domains].empty?
 source_ports "1024:"
 end
 end
+else
+ node[:exim][:daemon_smtp_ports].each do |port|
+ firewall_rule "accept-inbound-smtp-#{port}" do
+ action :accept
+ source "bm:mail.openstreetmap.org"
+ dest "fw"
+ proto "tcp:syn"
+ dest_ports port
+ source_ports "1024:"
+ end
+ end
 end

 if node[:exim][:smarthost_via]
-- 
2.43.2
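Review bot: The new condition `if node[:exim][:smarthost_name]` tests only for nil or false, and in Ruby an empty string is truthy, so a node whose attribute is set to `""` would take the first branch, which presumably accepts SMTP from a wider source than the mail server. The attribute's default is not visible in this hunk, so this may never occur in practice; if it can, `if !node[:exim][:smarthost_name].to_s.empty?` keeps such nodes on the restricted branch. The `firewall_rule` block opened here continues past the end of the hunk, and its `source` line is not shown.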
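Review bot: The new `else` branch installs an `accept-inbound-smtp-#{port}` rule on every node without `smarthost_name`, including nodes where both `relay_to_domains` and `node[:exim][:local_domains]` are empty, which got no inbound SMTP rule before this change. If those nodes are not meant to receive mail from the mail server, keeping the old guard on this branch, `elsif !relay_to_domains.empty? || !node[:exim][:local_domains].empty?`, would leave their SMTP ports closed (this assumes `relay_to_domains` is still defined above the hunk). The `source` is also given as a host name, so the rule presumably depends on what that name resolves to when the firewall rules are built. A short comment saying so, or an address taken from node attributes, would make that dependency explicit.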