Restrict mail relaying [+Docs]

This patch adds tasks that check for postfix and set restrictions for mail
relaying.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I8c0ae38f2264fae20fe9055fde47e9abbb355767

defaults/main.yml

@@ -564,6 +564,8 @@ security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210
 security_rhel7_session_timeout: 600                          # RHEL-07-040160
 # Enable chrony for NTP time synchronization.
 security_rhel7_enable_chrony: yes                            # RHEL-07-040210
+# Restrict mail relaying.
+security_rhel7_restrict_mail_relaying: yes                   # RHEL-07-040480
 
 ## Packages (packages)
 # Remove packages from the system as required by the STIG. Set any of these

doc/metadata/rhel7/RHEL-07-040480.rst

@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-040480
-status: not implemented
+status: implemented
 tag: misc
 ---
 
-This STIG requirement is not yet implemented.
+The ``smtpd_client_restrictions`` configuration in postfix is set to
+``permit_mynetworks, reject`` to meet the STIG's requirements.
+
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_restrict_mail_relaying: no

tasks/rhel7stig/misc.yml

@@ -265,3 +265,23 @@
     - medium
     - misc
     - RHEL-07-040470
+
+- name: Check for postfix configuration file
+  stat:
+    path: /etc/postfix/main.cf
+  register: postfix_conf_check
+  tags:
+    - always
+
+- name: RHEL-07-040480 - Prevent unrestricted mail relaying
+  lineinfile:
+    dest: /etc/postfix/main.cf
+    regexp: '^smtpd_client_restrictions'
+    line: 'smtpd_client_restrictions = permit_mynetworks, reject'
+  when:
+    - postfix_conf_check.stat.exists
+    - security_rhel7_restrict_mail_relaying | bool
+  tags:
+    - medium
+    - misc
+    - RHEL-07-040480