public
/
mail-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Restrictions are needed by both smtp & submission

This commit is contained in:
niten 2023-09-25 09:45:56 -07:00
parent f13b0302e7
commit 07b7b50d63
1 changed files with 52 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

104
postfix.nix
View File

@ -231,7 +231,57 @@ in {
# # TODO: secret # # TODO: secret
# }; # };
postfix = { postfix = let
pcreFile = name: "pcre:/var/lib/postfix/conf/${name}";
mappedFile = name: "hash:/var/lib/postfix/conf/${name}";
sender-restrictions = [
"check_sender_access ${mappedFile "reject_senders"}"
"reject_sender_login_mismatch"
"reject_non_fqdn_sender"
"reject_unknown_sender_domain"
"permit_mynetworks"
"permit_sasl_authenticated"
] ++ (map (blacklist: "reject_rbl_client ${blacklist}")
cfg.blacklist.dns) ++ [ "reject" ];
relay-restrictions = [
"reject_unauth_destination"
"reject_unauth_pipelining"
"reject_unauth_destination"
"reject_unknown_sender_domain"
"permit_mynetworks"
"permit_sasl_authenticated"
] ++ (map (blacklist: "reject_rbl_client ${blacklist}")
cfg.blacklist.dns) ++ [ "reject" ];
recipient-restrictions = [
"check_sender_access ${mappedFile "reject_recipients"}"
"reject_unknown_sender_domain"
"reject_unknown_recipient_domain"
"reject_unauth_pipelining"
"reject_unauth_destination"
"reject_invalid_hostname"
"reject_non_fqdn_hostname"
"reject_non_fqdn_sender"
"reject_non_fqdn_recipient"
"check_policy_service unix:private/policy-spf"
] ++ (map (blacklist: "reject_rbl_client ${blacklist}")
cfg.blacklist.dns)
++ [ "permit_mynetworks" "permit_sasl_authenticated" "reject" ];
client-restrictions =
[ "permit_sasl_authenticated" "permit_mynetworks" "reject" ];
helo-restrictions = [
"permit_mynetworks"
"reject_invalid_hostname"
"reject_non_fqdn_helo_hostname"
"reject_unknown_helo_hostname"
] ++ (map (blacklist: "reject_rbl_client ${blacklist}")
cfg.blacklist.dns) ++ [ "permit" ];
in {
enable = true; enable = true;
user = cfg.user; user = cfg.user;
@ -284,57 +334,7 @@ in {
sslCert = cfg.ssl.certificate; sslCert = cfg.ssl.certificate;
sslKey = cfg.ssl.private-key; sslKey = cfg.ssl.private-key;
config = let config = {
pcreFile = name: "pcre:/var/lib/postfix/conf/${name}";
mappedFile = name: "hash:/var/lib/postfix/conf/${name}";
sender-restrictions = [
"check_sender_access ${mappedFile "reject_senders"}"
"reject_sender_login_mismatch"
"reject_non_fqdn_sender"
"reject_unknown_sender_domain"
"permit_mynetworks"
"permit_sasl_authenticated"
] ++ (map (blacklist: "reject_rbl_client ${blacklist}")
cfg.blacklist.dns) ++ [ "reject" ];
relay-restrictions = [
"reject_unauth_destination"
"reject_unauth_pipelining"
"reject_unauth_destination"
"reject_unknown_sender_domain"
"permit_mynetworks"
"permit_sasl_authenticated"
] ++ (map (blacklist: "reject_rbl_client ${blacklist}")
cfg.blacklist.dns) ++ [ "reject" ];
recipient-restrictions = [
"check_sender_access ${mappedFile "reject_recipients"}"
"reject_unknown_sender_domain"
"reject_unknown_recipient_domain"
"reject_unauth_pipelining"
"reject_unauth_destination"
"reject_invalid_hostname"
"reject_non_fqdn_hostname"
"reject_non_fqdn_sender"
"reject_non_fqdn_recipient"
"check_policy_service unix:private/policy-spf"
] ++ (map (blacklist: "reject_rbl_client ${blacklist}")
cfg.blacklist.dns)
++ [ "permit_mynetworks" "permit_sasl_authenticated" "reject" ];
client-restrictions =
[ "permit_sasl_authenticated" "permit_mynetworks" "reject" ];
helo-restrictions = [
"permit_mynetworks"
"reject_invalid_hostname"
"reject_non_fqdn_helo_hostname"
"reject_unknown_helo_hostname"
] ++ (map (blacklist: "reject_rbl_client ${blacklist}")
cfg.blacklist.dns) ++ [ "permit" ];
in {
virtual_mailbox_domains = allDomains; virtual_mailbox_domains = allDomains;
virtual_mailbox_maps = mappedFile "virtual_mailbox_map"; virtual_mailbox_maps = mappedFile "virtual_mailbox_map";