Restrict dc_relay_nets by default

stretch/docker-entrypoint.sh

@@ -2,8 +2,15 @@
 set -e
 CONFDIR=/etc/exim4
 
-# Set smarthost.
+# By default, send email directly to the recipient.
 DC_EXIMCONFIG_CONFIGTYPE="internet"
+
+# By default, only hosts on the private network can use the smart host (ie,
+# only other containers, not the whole internet); a thin layer of protection
+# in case port 25 is accidentally exposed to the public internet.
+DC_RELAY_NETS="10.0.0.0/8;172.16.0.0/12;192.168.0.0/16"
+
+# Set smarthost.
 if [ "x$RELAY_HOST" != "x" ]; then
     DC_EXIMCONFIG_CONFIGTYPE="satellite"
     DC_SMARTHOST="$RELAY_HOST::${RELAY_PORT:-25}"
@@ -12,6 +19,11 @@ if [ "x$RELAY_HOST" != "x" ]; then
     fi
 fi
 
+# Set which hosts can use the smart host.
+if [ "x$RELAY_NETS" != "x" ]; then
+    DC_RELAY_NETS="$RELAY_NETS"
+fi
+
 # Write exim configuration.
 cat << EOF > "$CONFDIR/update-exim4.conf.conf"
 dc_eximconfig_configtype='$DC_EXIMCONFIG_CONFIGTYPE'
@@ -20,7 +32,7 @@ dc_local_interfaces=''
 dc_readhost=''
 dc_relay_domains=''
 dc_minimaldns='false'
-dc_relay_nets='0.0.0.0/0'
+dc_relay_nets='$DC_RELAY_NETS'
 dc_smarthost='${DC_SMARTHOST:-}'
 CFILEMODE='644'
 dc_use_split_config='false'