Allow external emails to send

postfix/Dockerfile

@@ -13,11 +13,13 @@ RUN apt-get update && \
 COPY main.cf.template /etc/postfix/main.cf.template
 COPY sasl_passwd.template /etc/postfix/sasl_passwd.template
 COPY virtual_aliases.cf /etc/postfix/virtual_aliases.cf
+COPY sender_access /etc/postfix/sender_access
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 
-# Generate Postfix maps for virtual aliases
+# Generate Postfix maps for virtual aliases and sender access
 RUN postmap /etc/postfix/virtual_aliases.cf
+RUN postmap /etc/postfix/sender_access
 
 # Expose SMTP
 EXPOSE 25

postfix/entrypoint.sh

@@ -7,9 +7,13 @@ envsubst < /etc/postfix/main.cf.template > /etc/postfix/main.cf
 # Generate SASL password file from environment variables
 envsubst < /etc/postfix/sasl_passwd.template > /etc/postfix/sasl_passwd
 
-# Generate Postfix hash
+# Generate Postfix hash databases
 postmap /etc/postfix/sasl_passwd
 chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
 
+# Regenerate sender_access database (in case of updates)
+postmap /etc/postfix/sender_access
+chmod 644 /etc/postfix/sender_access /etc/postfix/sender_access.db
+
 # Start Postfix in foreground
 exec postfix start-fg

postfix/main.cf.template

@@ -3,6 +3,9 @@ myhostname = lists.sasalliance.org
 myorigin = sasalliance.org
 mydestination = $myhostname, localhost.$mydomain, localhost
 
+# Virtual alias domains - domains we handle via virtual_alias_maps
+virtual_alias_domains = lists.sasalliance.org
+
 # Relay through SES
 relayhost = [${SMTP_HOST}]:${SMTP_PORT}
 smtp_tls_security_level = encrypt
@@ -16,6 +19,17 @@ smtp_sasl_security_options = noanonymous
 # Virtual aliases (static for now)
 virtual_alias_maps = hash:/etc/postfix/virtual_aliases.cf
 
+# Sender restrictions - enforce whitelist
+smtpd_sender_restrictions = 
+    permit_mynetworks,
+    check_sender_access hash:/etc/postfix/sender_access,
+    reject
+
+# Recipient restrictions - accept mail for our domains
+smtpd_recipient_restrictions = 
+    permit_mynetworks,
+    reject_unauth_destination
+
 # Other recommended settings
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases

postfix/sender_access

@@ -0,0 +1,10 @@
+# Sender access control for mailing lists
+# Format: sender_address ACTION
+# Actions: OK (allow), REJECT (block with message), DISCARD (silently drop)
+
+# Allow all board members from sasalliance.org domain
+sasalliance.org    OK
+
+# Add other authorized senders as needed
+# user@external.com    OK
+# anotherdomain.com    OK