From 807b01c97b420713b6f1f6f73d35f2a440eb24e0 Mon Sep 17 00:00:00 2001
From: Y
Date: Thu, 13 Sep 2018 08:33:22 +0200
Subject: [PATCH] exim+dovecot: let recipient-check work; fixes #6
---
roles/dmz_exim/tasks/main.yml | 11 ++++++-----
roles/dovecot/templates/dovecot.conf.j2 | 16 ++++++++--------
roles/nftables_back/templates/nftables.conf.j2 | 5 +++++
3 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/roles/dmz_exim/tasks/main.yml b/roles/dmz_exim/tasks/main.yml
index 1897fcd..ec21899 100644
--- a/roles/dmz_exim/tasks/main.yml
+++ b/roles/dmz_exim/tasks/main.yml
@@ -496,9 +496,10 @@
block: |
lmtp_user:
debug_print = "R: lmtp_user for $local_part@$domain"
- driver = accept
+ driver = manualroute
domains = +local_domains
transport = lmtp_transport
+ route_list = * {{SafeZone_IP}} byname
cannot_route_message = Unknown user
insertbefore: '^#localuser:'
notify:
@@ -510,10 +511,10 @@
marker: ' # {mark} LMTP transport'
block: |
lmtp_transport:
- driver = lmtp
- socket = /run/shared_sockets/lmtp
- user = exim
- current_directory = /var/spool/exim
+ driver = smtp
+ protocol = lmtp
+ rcpt_include_affixes
+ port = 24
insertbefore: '^# This transport is used'
notify:
- restart exim.service
diff --git a/roles/dovecot/templates/dovecot.conf.j2 b/roles/dovecot/templates/dovecot.conf.j2
index f606323..c92ff10 100644
--- a/roles/dovecot/templates/dovecot.conf.j2
+++ b/roles/dovecot/templates/dovecot.conf.j2
@@ -51,15 +51,15 @@ service imap-login {
}
}
service lmtp {
- unix_listener /run/shared_sockets/lmtp {
- mode = 0666
+ #unix_listener /run/shared_sockets/lmtp {
+ # mode = 0666
+ #}
+ # Create inet listener only if you can't use the above UNIX socket
+ # https://yalis.fr/git/yves/home-server/issues/6
+ inet_listener lmtp {
+ address = {{SafeZone_IP}}
+ port = 24
}
-# # Create inet listener only if you can't use the above UNIX socket
-# #inet_listener lmtp {
-# # Avoid making LMTP visible for the entire internet
-# #address =
-# #port =
-# #}
}
service imap {
}
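Review bot: With `driver = manualroute` and `route_list = * {{SafeZone_IP}} byname`, the `lmtp_user` router now routes every local part of `+local_domains` to the SafeZone host, so `cannot_route_message = Unknown user` can no longer fire for an unknown mailbox; that text is effectively dead unless the route itself fails. The rejection of unknown recipients presumably now happens at SMTP time through a recipient callout over the new LMTP transport, which is configured outside this hunk and should be stated here so the next reader does not assume the router still checks local parts. Suggest a line inside the block scalar just above `driver = manualroute`: `# manualroute accepts any local part; unknown users are rejected by the recipient callout, not by this router`. The enclosing blockinfile task starts before the hunk.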
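Review bot: The rewritten `lmtp_transport` (`driver = smtp`, `protocol = lmtp`, `port = 24`) sends message bodies to the SafeZone host in cleartext over TCP and sets no `hosts_require_tls` or authentication, where the previous version stayed on a local UNIX socket; the only control on who can reach the listener is now the nftables rule added in roles/nftables_back/templates/nftables.conf.j2. That may be acceptable on an internal segment, but the dependency belongs next to the transport: `# cleartext LMTP over the DMZ->SafeZone link; access is restricted by nftables, not by TLS/auth`. The enclosing blockinfile task starts before the hunk.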
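Review bot: The three commented-out `#unix_listener` lines on the new side are dead configuration that will be rendered into every deployed dovecot.conf, while the removed `# Avoid making LMTP visible for the entire internet` line was the one comment explaining why `address` must stay bound to a specific interface. Dovecot's LMTP listener does not authenticate the sender, so anything that can reach {{SafeZone_IP}}:24 can deliver straight into mailboxes without passing the DMZ Exim at all; the `address = {{SafeZone_IP}}` binding and the nftables rule are the whole defence. Suggest dropping the `#unix_listener` block and keeping a warning above `inet_listener lmtp {`: `# LMTP is unauthenticated: keep this bound to the SafeZone address and firewalled to the DMZ host only`.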
diff --git a/roles/nftables_back/templates/nftables.conf.j2 b/roles/nftables_back/templates/nftables.conf.j2
index dcdda2d..4d60287 100644
--- a/roles/nftables_back/templates/nftables.conf.j2
+++ b/roles/nftables_back/templates/nftables.conf.j2
@@ -72,6 +72,11 @@ table ip{{v}} Inet{{V}} {
# ssh
tcp dport 22 accept
+{% call(net) trust(DMZ_IP) %}
+
+ # lmtp
+ tcp dport 24 ip saddr {{net}} accept
+{% endcall %}
# portmapper
tcp dport 111 accept
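Review bot: `tcp dport 24 ip saddr {{net}} accept` hard-wires the IPv4 `ip` match while the enclosing table is declared as `table ip{{v}} Inet{{V}}`; if this template is also rendered with `v` set to 6, nft is likely to reject an `ip saddr` match inside an ip6-family table and the whole ruleset load would fail. If `trust()` can yield IPv6 networks, `tcp dport 24 ip{{v}} saddr {{net}} accept` keeps the match in step with the table family; if it is IPv4-only by design, a short comment saying so next to the rule would save the next reader the same question. I cannot see the `trust` macro or the loop that sets `v`, so this is inferred from the table header alone.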