puppet: Restrict postfix incoming addresses to postmaster and zulip.

This removes the possibility of local user enumeration via RCPT TO.

puppet/zulip/files/postfix/access

@@ -0,0 +1,9 @@
+# This is the list of email addresses that are accepted via SMTP;
+# these consist of only the addresses in `virtual`, as well as the
+# RFC822-specified postmaster.
+
+/\+.*@/         OK
+/\..*@/         OK
+/^mm/           OK
+
+/^postmaster@/  OK

puppet/zulip/files/postfix/virtual

@@ -1,3 +1,6 @@
-/\+.*@/ zulip@localhost
+# Changes to this list require a corresponding change to `access` as
-/\..*@/ zulip@localhost
+# well.
-/^mm/ zulip@localhost
+
+/\+.*@/  zulip@localhost
+/\..*@/  zulip@localhost
+/^mm/    zulip@localhost

puppet/zulip/manifests/postfix_localmail.pp

@@ -67,4 +67,12 @@ class zulip::postfix_localmail {
     ],
   }
 
+  file {'/etc/postfix/access':
+    ensure  => file,
+    mode    => '0644',
+    owner   => root,
+    group   => root,
+    source  => 'puppet:///modules/zulip/postfix/access',
+    require => Package[postfix],
+  }
 }

puppet/zulip/templates/postfix/main.cf.erb

@@ -16,6 +16,7 @@ smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
+smtpd_recipient_restrictions = check_recipient_access regexp:/etc/postfix/access, reject
 myhostname = <%= @fqdn %>
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases