From 02e8754d759918b6f6ac16e4a2e4b5b66fe82ce9 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Mon, 17 Feb 2020 10:56:38 +0100 Subject: [PATCH] minifirewall: Backport changes from minifirewall (properly open outgoing smtp(s)) --- CHANGELOG.md | 1 + minifirewall/templates/minifirewall.j2 | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b0a4f0bb..83739288 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -83,6 +83,7 @@ The **patch** part changes incrementally at each release. * certbot: Properly evaluate when apache is installed * evolinux-base: Don't make alert5.service executable as systemd will complain * webapps/evoadmin-web: Set default evoadmin_mail_tpl_force to True to fix a regression where the mail template would not get updated because the file is created before the role is first run. +* minifirewall: Backport changes from minifirewall (properly open outgoing smtp(s)) ### Security diff --git a/minifirewall/templates/minifirewall.j2 b/minifirewall/templates/minifirewall.j2 index 49852e42..8045ce60 100755 --- a/minifirewall/templates/minifirewall.j2 +++ b/minifirewall/templates/minifirewall.j2 @@ -7,7 +7,7 @@ # Copyright (c) 2007-2015 Evolix # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 +# as published by the Free Software Foundation; either version 3 # of the License. # Description 
@@ -262,14 +262,14 @@ for x in $SSHOK # SMTP authorizations for x in $SMTPOK do - $IPT -A INPUT -p tcp ! --syn --sport 25 --dport $PORTSUSER -j ACCEPT + $IPT -A INPUT -p tcp ! --syn --sport 25 --dport $PORTSUSER -s $x -j ACCEPT done # secure SMTP (TCP/465 et TCP/587) authorizations for x in $SMTPSECUREOK do - $IPT -A INPUT -p tcp ! --syn --sport 465 --dport $PORTSUSER -j ACCEPT - $IPT -A INPUT -p tcp ! --syn --sport 587 --dport $PORTSUSER -j ACCEPT + $IPT -A INPUT -p tcp ! --syn --sport 465 --dport $PORTSUSER -s $x -j ACCEPT + $IPT -A INPUT -p tcp ! --syn --sport 587 --dport $PORTSUSER -s $x -j ACCEPT done # NTP authorizations
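Review bot: the license header change in the first minifirewall.j2 hunk (`-# as published by the Free Software Foundation; either version 2` / `+# as published by the Free Software Foundation; either version 3`) is a relicensing of a file carrying an Evolix 2007-2015 copyright notice, and neither the commit subject nor the CHANGELOG line ("Backport changes from minifirewall (properly open outgoing smtp(s))") mentions it. Either split it into its own commit with a subject that says "switch minifirewall template to GPL v3", or state in the commit message that the header change is part of the upstream minifirewall backport, so that the license change is not buried under an SMTP fix.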
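Review bot: the CHANGELOG wording "properly open outgoing smtp(s)" understates what the SMTP hunk does; adding `-s $x` to `$IPT -A INPUT -p tcp ! --syn --sport 25 --dport $PORTSUSER -j ACCEPT` (and the 465/587 rules) is a tightening, not an opening. Before this change the `for x in $SMTPOK` and `for x in $SMTPSECUREOK` loops never used `$x`, so a single entry in either list accepted non-SYN return traffic from any SMTP server; after it, only return traffic from the hosts listed in SMTPOK/SMTPSECUREOK is accepted. Operators who relied on the old behaviour with a short or placeholder list will see outgoing mail to other relays break, so the CHANGELOG entry should say that reply traffic is now restricted to the listed hosts and that the lists need reviewing before upgrading.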