author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-07-03 13:39:08 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-07-03 13:39:08 +0200 |
commit | 04b2ab97a0206dedb2135be26cbc097d164072b2 (patch) | |
tree | 6c92d05f2ce36476f0e55124cfafad2551328545 | |
parent | aa4f91ad67fa6287217bf67e8122a703327e5e0e (diff) | |
Add relay restrictions per domain
-rw-r--r-- | modules/private/mail/postfix.nix | 38 |
1 files changed, 29 insertions, 9 deletions
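--- a/modules/private/mail/postfix.nix
+++ b/modules/private/mail/postfix.nix
@@ -93,19 +93,30 @@
 };
 config.services.postfix = {
 mapFiles = let
-name = n: i: "relay_${n}_${toString i}";
-pair = n: i: m: lib.attrsets.nameValuePair (name n i) (
-if m.type == "hash"
-then pkgs.writeText (name n i) m.content
-else null
-);
-pairs = n: v: lib.imap1 (i: m: pair n i m) v.recipient_maps;
-in
-lib.attrsets.filterAttrs (k: v: v != null) (
+recipient_maps = let
+name = n: i: "relay_${n}_${toString i}";
+pair = n: i: m: lib.attrsets.nameValuePair (name n i) (
+if m.type == "hash"
+then pkgs.writeText (name n i) m.content
+else null
+);
+pairs = n: v: lib.imap1 (i: m: pair n i m) v.recipient_maps;
+in lib.attrsets.filterAttrs (k: v: v != null) (
 lib.attrsets.listToAttrs (lib.flatten (
 lib.attrsets.mapAttrsToList pairs myconfig.env.mail.postfix.backup_domains
 ))
 );
+relay_restrictions = lib.attrsets.filterAttrs (k: v: v != null) (
+lib.attrsets.mapAttrs' (n: v:
+lib.attrsets.nameValuePair "recipient_access_${n}" (
+if lib.attrsets.hasAttr "relay_restrictions" v
+then pkgs.writeText "recipient_access_${n}" v.relay_restrictions
+else null
+)
+) myconfig.env.mail.postfix.backup_domains
+);
+in
+recipient_maps // relay_restrictions;
 config = {
 ### postfix module overrides
 readme_directory = "${pkgs.postfix}/share/postfix/doc";
@@ -138,6 +149,15 @@
 relay_recipient_maps = lib.flatten (lib.attrsets.mapAttrsToList (n: v:
 lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps
 ) myconfig.env.mail.postfix.backup_domains);
+smtpd_relay_restrictions = [
+"permit_mynetworks"
+"permit_sasl_authenticated"
+"defer_unauth_destination"
+] ++ lib.flatten (lib.attrsets.mapAttrsToList (n: v:
+if lib.attrsets.hasAttr "relay_restrictions" v
+then [ "check_recipient_access hash:/etc/postfix/recipient_access_${n}" ]
+else []
+) myconfig.env.mail.postfix.backup_domains);
 
 ### Additional smtpd configuration
 smtpd_tls_received_header = "yes";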