mailu: harden postfix relay restrictions

services/mailu/helmrelease.yaml

@@ -218,22 +218,26 @@ spec:
         hardware: rpi4
       overrides:
         postfix.cf: |
+          mynetworks = 127.0.0.0/8 [::1]/128 10.42.0.0/16 10.43.0.0/16 192.168.22.0/24
+          smtpd_delay_reject = yes
           smtpd_helo_required = yes
-          smtpd_helo_restrictions = reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname
+          smtpd_helo_restrictions = reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
           smtpd_sasl_auth_enable = yes
           smtpd_sasl_type = dovecot
           smtpd_sasl_path = private/auth
           smtpd_sasl_security_options = noanonymous
           smtpd_sasl_tls_security_options = noanonymous
-          smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining
+          smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject_unknown_client_hostname
           smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain
           smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
           smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain, reject_sender_login_mismatch, reject_authenticated_sender_login_mismatch
           smtpd_tls_auth_only = yes
           smtpd_forbid_unauth_pipelining = yes
+          smtpd_client_connection_count_limit = 20
           smtpd_client_connection_rate_limit = 30
           smtpd_client_message_rate_limit = 100
           smtpd_client_recipient_rate_limit = 200
+          smtpd_recipient_limit = 100
       podAnnotations:
         bstein.dev/restarted-at: "2026-01-06T00:00:00Z"
     redis: