diff --git a/default.nix b/default.nix
index 86cbe19..7e2eb6c 100644
--- a/default.nix
+++ b/default.nix
@@ -137,6 +137,26 @@ in
 Per-user sieve script.
 '';
 };
+
+ sendOnly = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Specifies if the account should be a send-only account.
+ Emails sent to send-only accounts will be rejected with the
+ rejectMessage stating the reason.
+ '';
+ };
+
+ rejectMessage = mkOption {
+ type = types.str;
+ default = "This account cannot receive emails.";
+ description = ''
+ The message that will be returned to the sender when an email is
+ sent to a send-only account. Only used if the account is marked
+ as send-only.
+ '';
+ };
 };
 config.name = mkDefault name;
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index b61f038..00c62c5 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -50,6 +50,13 @@ let
 # all_valiases_postfix :: [ String ]
 all_valiases_postfix = valiases_postfix ++ extra_valiases_postfix;
+ # denied_recipients_postfix :: [ String ]
+ denied_recipients_postfix = (map
+ (acct: "${acct.name} REJECT ${acct.rejectMessage}")
+ (lib.filter (acct: acct.sendOnly) (lib.attrValues cfg.loginAccounts)));
+ denied_recipients_file = builtins.toFile "denied_recipients" (lib.concatStringsSep "\n" denied_recipients_postfix);
+
+
 # valiases_file :: Path
 valiases_file = builtins.toFile "valias"
 (lib.concatStringsSep "\n" (all_valiases_postfix ++
@@ -122,6 +129,7 @@ in
 networksStyle = "host";
 mapFiles."valias" = valiases_file;
 mapFiles."vaccounts" = vaccounts_file;
+ mapFiles."denied_recipients" = denied_recipients_file;
 mapFiles."reject_senders" = reject_senders_file;
 mapFiles."reject_recipients" = reject_recipients_file;
 sslCert = certificatePath;
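Review bot: `rejectMessage` in default.nix is typed `types.str`, so it accepts a multi-line string, and the `denied_recipients_postfix` hunk in mail-server/postfix.nix interpolates it unescaped into a single access-map line (`"${acct.name} REJECT ${acct.rejectMessage}"`). A newline inside the message would therefore start a new map entry, with whatever key and action follow it. Constraining the option, for example `type = types.strMatching "[^\n\r]*";`, keeps each send-only account to exactly one map line. The description could also state that the message must be a single line.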
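Review bot: The `denied_recipients_postfix` map in mail-server/postfix.nix is keyed only on `acct.name`, so the rejection covers the login address itself and nothing else. `check_recipient_access` matches the envelope recipient before virtual alias rewriting, so mail addressed to a `valias` entry that resolves to a send-only account would presumably still be delivered; this hunk does not show whether aliases are handled elsewhere. Postfix also folds the lookup key to lowercase for indexed tables, so a mixed-case account name would never match unless the key is written as `${lib.toLower acct.name}`. A comment above the binding stating which addresses are covered would help.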
@@ -160,6 +168,7 @@ in
 # quota and spf checking
 smtpd_recipient_restrictions =
+ check_recipient_access ${mappedFile "denied_recipients"},
 check_recipient_access ${mappedFile "reject_recipients"},
 check_policy_service inet:localhost:12340,
 check_policy_service unix:private/policy-spf
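Review bot: The comment `# quota and spf checking` above `smtpd_recipient_restrictions` no longer describes the first entry, which now enforces the send-only rejection; something like `# send-only rejection, then quota and spf checking` would keep it accurate. The check is added to this one restriction list only, and the enclosing configuration block starts and ends outside the hunk. If a submission or smtps listener elsewhere in this file overrides `smtpd_recipient_restrictions`, authenticated clients on those ports would bypass the send-only map, so that is worth confirming.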