From 186589dd5fc110433e9433cc84e7a7b249b82049 Mon Sep 17 00:00:00 2001
From: niten
Date: Mon, 2 Oct 2023 13:56:50 -0700
Subject: [PATCH] Nope, imap does need net access
---
 mail-server.nix | 3 ++-
 postfix.nix | 9 +++++----
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/mail-server.nix b/mail-server.nix
index 1c6a83d..a087ae0 100644
--- a/mail-server.nix
+++ b/mail-server.nix
@@ -322,7 +322,8 @@ in {
 };
 imap = {
 service = {
- networks = [ "internal_network" "ldap_network" ];
+ networks =
+ [ "internal_network" "external_network" "ldap_network" ];
 ports = [ "143:143" "993:993" ];
 volumes = [
 "${cfg.state-directory}/dovecot:/state"
diff --git a/postfix.nix b/postfix.nix
index 805a186..9b8a07e 100644
--- a/postfix.nix
+++ b/postfix.nix
@@ -243,12 +243,13 @@ in {
 cfg.blacklist.dns) ++ [ "reject" ];

 relay-restrictions = [
- "reject_unauth_pipelining"
- "reject_unknown_sender_domain"
 "permit_sasl_authenticated"
+ "permit_mynetworks"
+ "reject_unknown_sender_domain"
+ "reject_unauth_destination"
+ "reject_unauth_pipelining"
 ] ++ (map (blacklist: "reject_rbl_client ${blacklist}")
- cfg.blacklist.dns)
- ++ [ "permit_mynetworks" "reject_unauth_destination" "permit" ];
+ cfg.blacklist.dns) ++ [ "permit" ];

 recipient-restrictions = [
 "check_recipient_access ${mappedFile "reject_recipients"}"
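Review bot: The `imap` service now joins `external_network` while remaining on `ldap_network`, so the container that publishes 143 and 993 is attached to both the outward-facing network and the directory network, and nothing in the file records why the extra attachment is needed. The commit subject says only that imap "does need net access". A comment above `networks` would keep the next reader from removing it again or widening it further, for example `# external_network: needed for <reason>; this service also reaches ldap_network, so keep its exposure minimal`. If only outbound access is required, stating that in the comment would make the intent reviewable. The `imap` attribute set starts before and continues past this hunk.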
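Review bot: `permit_mynetworks` is now the second entry of `relay-restrictions`, ahead of `reject_unauth_destination` and the `reject_rbl_client` checks, so any client whose source address falls inside `mynetworks` is allowed to relay before any reject rule is consulted. The `mynetworks` value is not visible in this hunk. Since these services run on container networks, it is worth confirming that it does not cover a bridge or gateway range from which forwarded external connections could appear to originate. Because the list is evaluated first-match-wins, I would add a comment above it, for example `# order matters: trusted clients are permitted first, everyone else must pass reject_unauth_destination`. The enclosing attribute set begins and ends outside the hunk.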