mailserver: Allow restricting users to local domains

This commit is contained in:
Simon Bruder 2024-08-28 11:30:05 +02:00
parent 729427f68e
commit 3e88ea9241
Signed by: simon
GPG key ID: 347FF8699CDA0776
2 changed files with 36 additions and 3 deletions

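--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -69,6 +69,12 @@ in
 "postmaster@example.com"
 ];
 };
+localOnly = mkOption {
+type = bool;
+description = "Whether the user should only be able to send mails to local domains.";
+default = false;
+example = true;
+};
 };
 });
 description = "Users of the mail server";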
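Review bot: The `localOnly` description (`Whether the user should only be able to send mails to local domains.`) leaves both "local domains" and the enforcement point undefined, while the second file builds the sender map from the user's address plus every alias and the domain map from `cfg.domains`. A description that states this would save readers a trip into the implementation, e.g. `description = "Whether mail submitted with this user's address or one of its aliases as envelope sender may only be addressed to recipients in the mail server's configured domains; enforced via Postfix sender/recipient access restrictions.";`. It is also worth saying that the check is on the recipient domain only, not on whether the recipient mailbox exists. The option block continues outside the hunk.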


@ -54,6 +54,20 @@ lib.mkIf cfg.enable {
mapFiles = { mapFiles = {
inherit valiases; inherit valiases;
restricted_senders = pkgs.writeText "restricted_senders"
(lib.concatStringsSep
"\n"
(lib.flatten
(map
(user: (map (address: "${address} local_only") ([ user.address ] ++ user.aliases)))
(lib.filter (user: user.localOnly) cfg.users))));
local_domains = pkgs.writeText "local_domains"
(lib.concatMapStringsSep
"\n"
(domain: "${domain} OK")
cfg.domains);
}; };
config = { config = {
@ -86,6 +100,21 @@ lib.mkIf cfg.enable {
"reject_unknown_sender_domain" "reject_unknown_sender_domain"
]; ];
# cant be in submissionOptions (which does not support spaces in NixOS)
submission_sender_restrictions = listToString [
"reject_sender_login_mismatch"
"check_sender_access hash:/etc/postfix/restricted_senders"
];
smtpd_restriction_classes = listToString [
"local_only"
];
local_only = listToString [
"check_recipient_access hash:/etc/postfix/local_domains"
"reject"
];
# generated 2021-02-04, Mozilla Guideline v5.6, Postfix 3.5.6, OpenSSL 1.1.1i, intermediate configuration # generated 2021-02-04, Mozilla Guideline v5.6, Postfix 3.5.6, OpenSSL 1.1.1i, intermediate configuration
# https://ssl-config.mozilla.org/#server=postfix&version=3.5.6&config=intermediate&openssl=1.1.1i&guideline=5.6 # https://ssl-config.mozilla.org/#server=postfix&version=3.5.6&config=intermediate&openssl=1.1.1i&guideline=5.6
smtpd_tls_security_level = "may"; smtpd_tls_security_level = "may";
@ -125,9 +154,7 @@ lib.mkIf cfg.enable {
"reject" "reject"
]; ];
smtpd_sender_restrictions = listToString [ smtpd_sender_restrictions = "$submission_sender_restrictions";
"reject_sender_login_mismatch"
];
cleanup_service_name = "submission-header-cleanup"; cleanup_service_name = "submission-header-cleanup";
}; };
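Review bot: The `local_only` class in the second hunk (`check_recipient_access hash:/etc/postfix/local_domains` followed by `reject`) keys the map on bare domain names, and Postfix's default `parent_domain_matches_subdomains` includes `smtpd_access_maps`, so a `example.com OK` entry also permits recipients at any subdomain of a listed domain, which need not be local at all. Unless the deployment already removes `smtpd_access_maps` from that parameter (not visible in this diff), the restriction is looser than the `localOnly` option description promises; either remove `smtpd_access_maps` from `parent_domain_matches_subdomains` in the main config or record the behaviour next to the class with `# NOTE: bare domain keys also match subdomains while smtpd_access_maps is in parent_domain_matches_subdomains`. Separately, the `restricted_senders` map in the first hunk emits one key per address and alias, so an alias shared with a non-restricted user would restrict that user too; a short comment or an assertion on overlapping aliases would make that explicit. The enclosing attribute sets continue outside the hunks.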