diff --git a/default.nix b/default.nix
index 5ef87a3..cddb221 100644
--- a/default.nix
+++ b/default.nix
@@ -166,6 +166,17 @@ in
       default = {};
     };
+    rejectRecipients = mkOption {
+      type = types.listOf types.str;
+      example = [ "sales@example.com" "info@example.com" ];
+      description = ''
+        Reject emails addressed to these local addresses from unauthorized senders.
+        Use if a spammer has found email addresses in a catchall domain but you do
+        not want to disable the catchall.
+      '';
+      default = [];
+    };
+
     vmailUID = mkOption {
       type = types.int;
       default = 5000;
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index 8fd67b5..c2658ca 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -55,6 +55,13 @@ let
     (lib.concatStringsSep "\n" (all_valiases_postfix ++ catchAllPostfix));
+  reject_recipients_postfix = (map
+    (recipient:
+      "${recipient} REJECT")
+    (cfg.rejectRecipients));
+  # rejectRecipients :: [ Path ]
+  reject_recipients_file = builtins.toFile "reject_recipients" (lib.concatStringsSep "\n" (reject_recipients_postfix)) ;
+
   # vhosts_file :: Path
   vhosts_file = builtins.toFile "vhosts"
     (concatStringsSep "\n" cfg.domains);
@@ -87,6 +94,7 @@ in
     networksStyle = "host";
     mapFiles."valias" = valiases_file;
     mapFiles."vaccounts" = vaccounts_file;
+    mapFiles."reject_recipients" = reject_recipients_file;
     sslCert = certificatePath;
     sslKey = keyPath;
     enableSubmission = true;
@@ -115,8 +123,8 @@ in
       smtpd_sasl_auth_enable = yes
       smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
-      # quota
-      smtpd_recipient_restrictions = check_policy_service inet:localhost:12340
+      # reject selected recipients, quota
+      smtpd_recipient_restrictions = check_recipient_access hash:/var/lib/postfix/conf/reject_recipients, check_policy_service inet:localhost:12340
       # TLS settings, inspired by https://github.com/jeaye/nix-files
       # Submission by mail clients is handled in submissionOptions
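Review bot: The new `rejectRecipients` option is typed `types.listOf types.str` and documented as "local addresses", but each value ends up as a lookup key in a Postfix access(5) table consulted by `check_recipient_access`, and such a table also matches bare-domain and `user@` keys — so a value like `example.com` would reject every recipient in that domain, and a value containing whitespace would split into a malformed map entry. The description should say so, e.g. `Each entry is a full address used as an access(5) key; a bare domain would reject the whole domain.`, and, if the pinned nixpkgs provides it, the element type could be tightened to `types.strMatching "[^[:space:]]+@[^[:space:]]+"`. The enclosing `options` attribute set starts and ends outside this hunk.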
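Review bot: The comment `# rejectRecipients :: [ Path ]` in the `let` hunk names the option rather than the binding and gives the wrong type; the file's convention (see `# vhosts_file :: Path` just below) would be `# reject_recipients_file :: Path`, placed above the `reject_recipients_file` binding, with the stray space before `;` removed. The intermediate `reject_recipients_postfix` list and its extra parentheses could be folded into one expression, `reject_recipients_file = builtins.toFile "reject_recipients" (lib.concatMapStringsSep "\n" (r: "${r} REJECT") cfg.rejectRecipients);`, which matches how `vhosts_file` is built. Note that an empty `rejectRecipients` yields an empty map file, which is fine for `postmap` but worth a short comment since it is the default. The surrounding `let` block continues outside this hunk.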
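Review bot: The option is documented as rejecting mail "from unauthorized senders", but the new `smtpd_recipient_restrictions` line applies `check_recipient_access` to every RCPT TO: since Postfix 2.10, `smtpd_relay_restrictions` and `smtpd_recipient_restrictions` are evaluated independently, so `permit_sasl_authenticated` in the relay list does not exempt authenticated users (or `permit_mynetworks`, i.e. local submission with `networksStyle = "host"`) from the reject map — a mailbox user mailing `info@example.com` internally would be bounced. If the quota policy service returns DUNNO on success (as dovecot's quota-status does by default; please confirm for the service behind port 12340), the fix is to reorder the list so the exemption only skips the access check: `smtpd_recipient_restrictions = check_policy_service inet:localhost:12340, permit_mynetworks, permit_sasl_authenticated, check_recipient_access hash:/var/lib/postfix/conf/reject_recipients`. Otherwise the option description should drop the "unauthorized senders" claim. The `extraConfig` string this hunk sits in starts and ends outside the hunk.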