From 6509375f1dbdd56d6ef6460ada76ce2a6381c530 Mon Sep 17 00:00:00 2001
From: Jamie Nguyen
Date: Wed, 11 Jul 2018 15:35:42 +0100
Subject: [PATCH] Restrict dc_relay_nets by default

---
 stretch/docker-entrypoint.sh | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/stretch/docker-entrypoint.sh b/stretch/docker-entrypoint.sh
index 51bc62f..c68c550 100755
--- a/stretch/docker-entrypoint.sh
+++ b/stretch/docker-entrypoint.sh
@@ -2,8 +2,15 @@ set -e
 CONFDIR=/etc/exim4
-# Set smarthost.
+# By default, send email directly to the recipient.
 DC_EXIMCONFIG_CONFIGTYPE="internet"
+
+ # By default, only hosts on the private network can use the smart host (ie,
+ # only other containers, not the whole internet); a thin layer of protection
+ # in case port 25 is accidentally exposed to the public internet.
+ DC_RELAY_NETS="10.0.0.0/8;172.16.0.0/12;192.168.0.0/16"
+
+ # Set smarthost.
 if [ "x$RELAY_HOST" != "x" ]; then
 DC_EXIMCONFIG_CONFIGTYPE="satellite"
 DC_SMARTHOST="$RELAY_HOST::${RELAY_PORT:-25}"
@@ -12,6 +19,11 @@ if [ "x$RELAY_HOST" != "x" ]; then
 fi
 fi
+# Set which hosts can use the smart host.
+if [ "x$RELAY_NETS" != "x" ]; then
+ DC_RELAY_NETS="$RELAY_NETS"
+fi
+
 # Write exim configuration.
 cat << EOF > "$CONFDIR/update-exim4.conf.conf"
 dc_eximconfig_configtype='$DC_EXIMCONFIG_CONFIGTYPE'
@@ -20,7 +32,7 @@ dc_local_interfaces=''
 dc_readhost=''
 dc_relay_domains=''
 dc_minimaldns='false'
-dc_relay_nets='0.0.0.0/0'
+dc_relay_nets='$DC_RELAY_NETS'
 dc_smarthost='${DC_SMARTHOST:-}'
 CFILEMODE='644'
 dc_use_split_config='false'
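Review bot: The comment above the new DC_RELAY_NETS default promises more than the three RFC1918 ranges deliver: they admit every host on whatever private LAN the Docker host sits on, not "only other containers", and (as far as can be inferred, not visible here) when a published port reaches the container through docker-proxy rather than iptables DNAT — connections from the host itself, or Docker Desktop — the client address exim sees is the bridge gateway, which falls inside 172.16.0.0/12, so an outside connection can still relay. Containers with IPv6 addresses are also not covered by the list, so they would be refused relaying if IPv6 networks are in use. I would make the comment honest about the limits, e.g. `# This admits the whole RFC1918 space (any host on the same private LAN, and the bridge gateway when traffic arrives via docker-proxy); it is a backstop, not a substitute for keeping port 25 unpublished.` The `if [ "x$RELAY_HOST" ...` block this hunk ends in continues past the hunk.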
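Review bot: RELAY_NETS is copied into DC_RELAY_NETS without any validation and is later written inside a single-quoted value in update-exim4.conf.conf (the last hunk), so a value containing a single quote corrupts the generated configuration instead of failing with a clear message, and a value such as `0.0.0.0/0` silently restores the open relay this commit is removing. A minimal guard that keeps the interface unchanged is `case "$RELAY_NETS" in *\'*) echo "RELAY_NETS must not contain a single quote" >&2; exit 1 ;; esac` placed before the assignment; I would also log a warning to stderr when the value is `0.0.0.0/0` so the open-relay choice is visible in the container logs rather than only in the written config.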