From 7d64f0d1d91b42615a848bd767decabafa467d57 Mon Sep 17 00:00:00 2001
From: Brad Stein <Brad.Stein@gmail.com>
Date: Tue, 6 Jan 2026 09:03:28 -0300
Subject: [PATCH] mailu: harden relay restrictions

---
 services/mailu/helmrelease.yaml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/services/mailu/helmrelease.yaml b/services/mailu/helmrelease.yaml
index 32e3068..e591e64 100644
--- a/services/mailu/helmrelease.yaml
+++ b/services/mailu/helmrelease.yaml
@@ -219,6 +219,11 @@ spec:
       overrides:
         postfix.cf: |
           smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
+          smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain, reject_sender_login_mismatch, reject_authenticated_sender_login_mismatch
+          smtpd_tls_auth_only = yes
+          smtpd_client_connection_rate_limit = 30
+          smtpd_client_message_rate_limit = 100
+          smtpd_client_recipient_rate_limit = 200
       podAnnotations:
         bstein.dev/restarted-at: "2026-01-06T00:00:00Z"
     redis: