diff --git a/modules/mailserver/default.nix b/modules/mailserver/default.nix
index 06ca91b..d6119c8 100644
--- a/modules/mailserver/default.nix
+++ b/modules/mailserver/default.nix
@@ -69,6 +69,12 @@ in
         "postmaster@example.com"
       ];
     };
+    localOnly = mkOption {
+      type = bool;
+      description = "Whether the user should only be able to send mails to local domains.";
+      default = false;
+      example = true;
+    };
   };
 });
 description = "Users of the mail server";
diff --git a/modules/mailserver/postfix.nix b/modules/mailserver/postfix.nix
index 4418a8a..13a9533 100644
--- a/modules/mailserver/postfix.nix
+++ b/modules/mailserver/postfix.nix
@@ -54,6 +54,20 @@ lib.mkIf cfg.enable {
   mapFiles = {
     inherit valiases;
+
+    restricted_senders = pkgs.writeText "restricted_senders"
+      (lib.concatStringsSep
+        "\n"
+        (lib.flatten
+          (map
+            (user: (map (address: "${address} local_only") ([ user.address ] ++ user.aliases)))
+            (lib.filter (user: user.localOnly) cfg.users))));
+
+    local_domains = pkgs.writeText "local_domains"
+      (lib.concatMapStringsSep
+        "\n"
+        (domain: "${domain} OK")
+        cfg.domains);
   };
   config = {
@@ -86,6 +100,21 @@ lib.mkIf cfg.enable {
       "reject_unknown_sender_domain"
     ];
+    # can’t be in submissionOptions (which does not support spaces in NixOS)
+    submission_sender_restrictions = listToString [
+      "reject_sender_login_mismatch"
+      "check_sender_access hash:/etc/postfix/restricted_senders"
+    ];
+
+    smtpd_restriction_classes = listToString [
+      "local_only"
+    ];
+
+    local_only = listToString [
+      "check_recipient_access hash:/etc/postfix/local_domains"
+      "reject"
+    ];
+
     # generated 2021-02-04, Mozilla Guideline v5.6, Postfix 3.5.6, OpenSSL 1.1.1i, intermediate configuration
     # https://ssl-config.mozilla.org/#server=postfix&version=3.5.6&config=intermediate&openssl=1.1.1i&guideline=5.6
     smtpd_tls_security_level = "may";
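Review bot: The description of `localOnly` does not say how the restriction is enforced, so a reader of the option cannot tell whether it covers the user's aliases or what happens to a disallowed message; the postfix.nix hunks show it is keyed on the envelope sender (address plus every alias) and rejects the recipient at submission time. I would expand it to something like `description = "Whether the user (address and all aliases) may only send mail to recipients in the configured local domains; submissions to other recipients are rejected.";`. It may also be worth stating that the check keys on the MAIL FROM address, so it only holds as long as sender-login matching stops the user from submitting under another address.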
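Review bot: `local_domains` is keyed by bare domain, and `check_recipient_access` lookups also try parent domains whenever `parent_domain_matches_subdomains` includes `smtpd_access_maps` (the Postfix default, as far as I know), so a `localOnly` user would presumably still be allowed to send to `anything@sub.<domain>` even when that subdomain is not hosted here. If that is not intended, record it above the map, e.g. `# NOTE: parent-domain matching also accepts subdomains of cfg.domains`, or leave `smtpd_access_maps` out of `parent_domain_matches_subdomains` in the config section. As a point of style, `restricted_senders` could mirror `local_domains` with `lib.concatMapStringsSep "\n" (address: "${address} local_only") (lib.concatMap (user: [ user.address ] ++ user.aliases) (lib.filter (user: user.localOnly) cfg.users))`, which drops the nested `map`/`flatten`.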
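Review bot: The `local_only` class only works as a recipient filter because Postfix re-evaluates `smtpd_sender_restrictions` for every RCPT TO, which depends on `smtpd_delay_reject` keeping its default of yes; nothing in this hunk records that, and if someone later sets `smtpd_delay_reject = "no"` the `check_recipient_access` step would have no recipient to look up and the class would, as far as I can tell, fall straight through to `reject`. I would add a comment above `local_only`, e.g. `# evaluated per RCPT TO; relies on the default smtpd_delay_reject = yes`. The ordering in `submission_sender_restrictions` is the right one and deserves a comment too: `reject_sender_login_mismatch` must run before `check_sender_access`, because an `OK` from the class's recipient lookup permits the whole list, so a client that could pick an unrestricted MAIL FROM would otherwise bypass the check (whether `smtpd_sender_login_maps` covers every alias is outside this hunk).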
@@ -125,9 +154,7 @@ lib.mkIf cfg.enable {
       "reject"
     ];
-    smtpd_sender_restrictions = listToString [
-      "reject_sender_login_mismatch"
-    ];
+    smtpd_sender_restrictions = "$submission_sender_restrictions";
     cleanup_service_name = "submission-header-cleanup";
   };
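Review bot: Only this submission-service override now carries the `local_only` class; the main-section restriction lists earlier in the file are unchanged by the commit, so any other listener that accepts authenticated submissions (an smtps service, if the module defines one — not visible here) would not enforce `localOnly`. If that is deliberate, a short comment next to this line, e.g. `# localOnly is enforced for the submission service only`, would make it explicit; otherwise `$submission_sender_restrictions` should be set on every authenticated listener. The enclosing attribute set starts outside the hunk.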