Actually reject mails sent to system accounts and add respective testcase

mailsystem/postfix.nix

@@ -54,6 +54,9 @@ with (import ./common.nix {inherit config;}); let
 
   virtual_domains_file = builtins.toFile "virtual_domains" (lib.concatStringsSep "\n" cfg.domains);
 
+  denied_recipients = map (account: "${account.name} REJECT ${account.rejectMessage}") (lib.filter (account: account.isSystemUser) (lib.attrValues cfg.accounts));
+  denied_recipients_file = builtins.toFile "denied_recipients" (lib.concatStringsSep "\n" denied_recipients);
+
   submission_header_cleanup_rules = pkgs.writeText "submission_header_cleanup_rules" ''
     # Removes sensitive headers from mails handed in via the submission port.
     # See https://thomas-leister.de/mailserver-debian-stretch/
@@ -96,6 +99,7 @@ in {
       # TODO: create function to simplify this?
       mapFiles."virtual_aliases" = aliases_file;
       mapFiles."virtual_accounts" = virtual_accounts_file;
+      mapFiles."denied_recipients" = denied_recipients_file;
       virtual = lookupTableToString all_virtual_aliases;
 
       submissionsOptions = {
@@ -140,6 +144,9 @@ in {
           "permit_sasl_authenticated"
           "reject_unauth_destination"
         ];
+        smtpd_recipient_restrictions = [
+          "check_recipient_access ${mappedFile "denied_recipients"}"
+        ];
 
         # TLS settings, inspired by https://github.com/jeaye/nix-files
         # Submission by mail clients is handled in submissionOptions