Allow rejecting mails to selected local addresses from remote systems

Daniel Frank 2018-04-15 01:37:30 +02:00
parent 1dd394e63f
commit f613779999
2 changed files with 21 additions and 2 deletions


@ -166,6 +166,17 @@ in
default = {};
};
rejectRecipients = mkOption {
type = types.listOf types.str;
example = [ "sales@example.com" "info@example.com" ];
description = ''
Reject emails addressed to these local addresses from unauthorized senders.
Use if a spammer has found email addresses in a catchall domain but you do
not want to disable the catchall.
'';
default = [];
};
vmailUID = mkOption {
type = types.int;
default = 5000;
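Review bot: `rejectRecipients` is typed `types.listOf types.str`, so any string is accepted, yet the second file in this commit writes each entry verbatim as the key of an access-table line (`"${recipient} REJECT"`). An entry containing a space or a newline would therefore produce a different key or action than the one the administrator wrote, and nothing flags it at evaluation time. Constraining the element type, for example `type = types.listOf (types.strMatching "[^[:space:]]+");`, turns such a typo into an evaluation error. The description could also say that the entries are keys of a Postfix access table, where a bare domain would match every address in that domain rather than one mailbox.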


@ -55,6 +55,13 @@ let
(lib.concatStringsSep "\n" (all_valiases_postfix ++
catchAllPostfix));
reject_recipients_postfix = (map
(recipient:
"${recipient} REJECT")
(cfg.rejectRecipients));
# rejectRecipients :: [ Path ]
reject_recipients_file = builtins.toFile "reject_recipients" (lib.concatStringsSep "\n" (reject_recipients_postfix)) ;
# vhosts_file :: Path
vhosts_file = builtins.toFile "vhosts" (concatStringsSep "\n" cfg.domains);
@ -87,6 +94,7 @@ in
networksStyle = "host";
mapFiles."valias" = valiases_file;
mapFiles."vaccounts" = vaccounts_file;
mapFiles."reject_recipients" = reject_recipients_file;
sslCert = certificatePath;
sslKey = keyPath;
enableSubmission = true;
@ -115,8 +123,8 @@ in
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# quota
smtpd_recipient_restrictions = check_policy_service inet:localhost:12340
# reject selected recipients, quota
smtpd_recipient_restrictions = check_recipient_access hash:/var/lib/postfix/conf/reject_recipients, check_policy_service inet:localhost:12340
# TLS settings, inspired by https://github.com/jeaye/nix-files
# Submission by mail clients is handled in submissionOptions
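Review bot: On the new `smtpd_recipient_restrictions` line, `check_recipient_access` is the first entry and no `permit_mynetworks` or `permit_sasl_authenticated` precedes it, so the REJECT applies to every client evaluated against this list, not only to the "unauthorized senders" named in the option description; the permits in `smtpd_relay_restrictions` end only that list. Whether the submission service overrides this setting is decided in `submissionOptions`, which is outside the hunk. If trusted clients are meant to be exempt, note that placing the permits first in this list would also skip `check_policy_service` for them, so the simpler fix may be to reword the description to say that the rejection applies to every client that is checked against this list. Separately, the comment above `reject_recipients_file` reads `# rejectRecipients :: [ Path ]` and should be `# reject_recipients_file :: Path`.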