From d187b0a5553edafc4751ac774fbda011fcad5883 Mon Sep 17 00:00:00 2001
From: niten
Date: Mon, 2 Oct 2023 14:27:47 -0700
Subject: [PATCH] Sender restrictions apply to ALL messages. Even incoming. So permit if there's nothing wrong with the sender address. We still won't relay.
---
 postfix.nix | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/postfix.nix b/postfix.nix
index 9b8a07e..31bf494 100644
--- a/postfix.nix
+++ b/postfix.nix
@@ -232,6 +232,8 @@ in {
 pcreFile = name: "pcre:/var/lib/postfix/conf/${name}";
 mappedFile = name: "hash:/var/lib/postfix/conf/${name}";

+ # Applied to the MAIL FROM header for ALL mail, not just mail we're
+ # sending
 sender-restrictions = [
 "check_sender_access ${mappedFile "reject_senders"}"
 "reject_sender_login_mismatch"
@@ -240,16 +242,14 @@ in {
 "permit_mynetworks"
 "permit_sasl_authenticated"
 ] ++ (map (blacklist: "reject_rbl_client ${blacklist}")
- cfg.blacklist.dns) ++ [ "reject" ];
+ cfg.blacklist.dns) ++ [ "permit" ];

 relay-restrictions = [
 "permit_sasl_authenticated"
 "permit_mynetworks"
- "reject_unknown_sender_domain"
 "reject_unauth_destination"
- "reject_unauth_pipelining"
- ] ++ (map (blacklist: "reject_rbl_client ${blacklist}")
- cfg.blacklist.dns) ++ [ "permit" ];
+ "permit"
+ ];

 recipient-restrictions = [
 "check_recipient_access ${mappedFile "reject_recipients"}"
@@ -257,7 +257,8 @@ in {
 "reject_unknown_recipient_domain"
 "permit_sasl_authenticated"
 "reject_unauth_pipelining"
- "reject_unauth_destination"
+ ## Not needed, since relay did it already
+ # "reject_unauth_destination"
 "reject_invalid_hostname"
 "reject_non_fqdn_hostname"
 "reject_non_fqdn_sender"
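Review bot: The comment added above `sender-restrictions` calls MAIL FROM a header, but Postfix sender restrictions test the envelope sender given in the SMTP MAIL FROM command and never look at the message's From: header. A reader could take the comment to mean that header spoofing is checked in this list. I would word it as `# Checked against the envelope sender (SMTP MAIL FROM) of ALL mail,` followed by `# inbound as well as outbound.` The list itself continues past the end of this hunk.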
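Review bot: `reject_unknown_sender_domain` is dropped from `relay-restrictions` and no visible line adds it anywhere else. Two entries of `sender-restrictions` fall between this hunk and the previous one, so it may already be there, but that should be confirmed. If it is not, the new final `"permit"` on the sender list means unauthenticated mail with an unresolvable sender domain is no longer refused at this stage. Separately, the trailing `"permit"` added to `relay-restrictions` is redundant, because reaching the end of a restriction list without a match already lets evaluation continue. A short comment such as `# the only list that refuses unauthorised relaying; keep reject_unauth_destination here` would record why the list is now this small.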
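Review bot: Commenting out `"reject_unauth_destination"` in `recipient-restrictions` leaves `relay-restrictions` as the only list that refuses mail for destinations this host is not responsible for. That is safe only if `relay-restrictions` is rendered into `smtpd_relay_restrictions` for every smtpd service, including any per-service overrides, and if the deployed Postfix supports that parameter (2.10 or later). Neither is visible in this diff. I would delete the dead line rather than keep it commented out, and state the dependency instead: `# relaying is refused by reject_unauth_destination in relay-restrictions; do not remove it there`. The list starts and ends outside the hunk.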