From 242a2315bede4821e432e8829e30fd42fa46498a Mon Sep 17 00:00:00 2001
From: Simon Bruder <simon@sbruder.de>
Date: Sat, 3 Feb 2024 01:07:49 +0100
Subject: [PATCH] mailserver: Disallow requesting DSN over SMTP

This still allows requesting a DSN over submission, so trusted clients
are not affected. It only affects sending DSN to other systems, which
now no longer takes place. This is done to avoid leaking rspamd
internals.
---
 modules/mailserver/postfix.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/mailserver/postfix.nix b/modules/mailserver/postfix.nix
index d1aca5d..5342054 100644
--- a/modules/mailserver/postfix.nix
+++ b/modules/mailserver/postfix.nix
@@ -141,6 +141,7 @@ lib.mkIf cfg.enable {
       # Postscreen
       smtpd = {
         type = "pass";
+        args = [ "-o" "smtpd_discard_ehlo_keywords=silent-discard,dsn" ];
       };
       smtp_inet = {
         # Partially overrides upstream