From 00e1682ec876ab09a00e116a38f5694bdcefb9c2 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Mon, 23 Feb 2026 20:29:45 +0000
Subject: [PATCH] [ci skip] mailserver: add Postfix rate limiting

Add connection and message rate limits to protect against brute-force attacks on SMTP/IMAP ports. 10 connections and 30 messages per minute per client IP.
---
 stacks/platform/modules/mailserver/variables.tf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/stacks/platform/modules/mailserver/variables.tf b/stacks/platform/modules/mailserver/variables.tf
index b50a12d0..acca4d3a 100644
--- a/stacks/platform/modules/mailserver/variables.tf
+++ b/stacks/platform/modules/mailserver/variables.tf
@@ -18,6 +18,11 @@
 header_size_limit = 4096000
 smtpd_tls_loglevel = 1
 #smtpd_tls_ciphers = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:!aNULL:!SEED:!CAMELLIA:!RSA+AES:!SHA1
 #tls_medium_cipherlist = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:!aNULL:!SEED:!CAMELLIA:!RSA+AES:!SHA1
+
+# Rate limiting (brute-force protection)
+smtpd_client_connection_rate_limit = 10
+smtpd_client_message_rate_limit = 30
+anvil_rate_time_unit = 60s
 EOT
 }
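Review bot: The three settings added under `# Rate limiting (brute-force protection)` are Postfix smtpd (anvil) parameters and therefore constrain SMTP only, so the commit message's claim of protection for IMAP ports is not delivered by this hunk and would need a Dovecot-side or external control. They also count every connection and message per client IP rather than failed logins, which throttles a legitimate sender that opens more than 10 connections a minute while leaving credential guessing below that rate untouched, and by default clients in `$mynetworks` are exempt through `smtpd_client_event_limit_exceptions`. If the deployed Postfix is 3.1 or later, `smtpd_client_auth_rate_limit` is the parameter that targets authentication attempts specifically; at minimum the comment should be narrowed to `# Rate limiting (SMTP only; per-client connection/message rate, not failed-auth count)`. The heredoc and the Terraform variable it belongs to start outside the hunk, so where this text is rendered cannot be confirmed from here.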