mailserver: Allow restricting users to local domains

2024-08-28 11:30:05 +02:00 · 2024-08-28 11:30:05 +02:00 · 3e88ea9241
parent 729427f68e
commit 3e88ea9241
2 changed files with 36 additions and 3 deletions
--- a/modules/mailserver/default.nix
+++ b/modules/mailserver/default.nix
@ -69,6 +69,12 @@ in
              "postmaster@example.com"
            ];
          };
+          localOnly = mkOption {
+            type = bool;
+            description = "Whether the user should only be able to send mails to local domains.";
+            default = false;
+            example = true;
+          };
        };
      });
      description = "Users of the mail server";
--- a/modules/mailserver/postfix.nix
+++ b/modules/mailserver/postfix.nix
@ -54,6 +54,20 @@ lib.mkIf cfg.enable {

    mapFiles = {
      inherit valiases;
+
+      restricted_senders = pkgs.writeText "restricted_senders"
+        (lib.concatStringsSep
+          "\n"
+          (lib.flatten
+            (map
+              (user: (map (address: "${address} local_only") ([ user.address ] ++ user.aliases)))
+              (lib.filter (user: user.localOnly) cfg.users))));
+
+      local_domains = pkgs.writeText "local_domains"
+        (lib.concatMapStringsSep
+          "\n"
+          (domain: "${domain} OK")
+          cfg.domains);
    };

    config = {
@ -86,6 +100,21 @@ lib.mkIf cfg.enable {
        "reject_unknown_sender_domain"
      ];

+      # can’t be in submissionOptions (which does not support spaces in NixOS)
+      submission_sender_restrictions = listToString [
+        "reject_sender_login_mismatch"
+        "check_sender_access hash:/etc/postfix/restricted_senders"
+      ];
+
+      smtpd_restriction_classes = listToString [
+        "local_only"
+      ];
+
+      local_only = listToString [
+        "check_recipient_access hash:/etc/postfix/local_domains"
+        "reject"
+      ];
+
      # generated 2021-02-04, Mozilla Guideline v5.6, Postfix 3.5.6, OpenSSL 1.1.1i, intermediate configuration
      # https://ssl-config.mozilla.org/#server=postfix&version=3.5.6&config=intermediate&openssl=1.1.1i&guideline=5.6
      smtpd_tls_security_level = "may";
@ -125,9 +154,7 @@ lib.mkIf cfg.enable {
        "reject"
      ];

-      smtpd_sender_restrictions = listToString [
-        "reject_sender_login_mismatch"
-      ];
+      smtpd_sender_restrictions = "$submission_sender_restrictions";

      cleanup_service_name = "submission-header-cleanup";
    };