preisi/mailnix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Actually reject mails sent to system accounts and add respective testcase

Browse source
This commit is contained in:
Thomas Preisner 2025-01-02 23:06:14 +01:00
parent 55183f5585
commit 30532bbfca
3 changed files with 30 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

10
mailsystem/default.nix
View file

@ -112,7 +112,17 @@ in {
account will be rejected. account will be rejected.
''; '';
}; };
rejectMessage = lib.mkOption {
type = lib.types.str;
default = "This account cannot receive emails.";
description = ''
The message that will be returned to the sender when an email is
sent to a system account.
'';
}; };
};
config.name = lib.mkDefault name; config.name = lib.mkDefault name;
})); }));
example = { example = {

7
mailsystem/postfix.nix
View file

@ -54,6 +54,9 @@ with (import ./common.nix {inherit config;}); let
virtual_domains_file = builtins.toFile "virtual_domains" (lib.concatStringsSep "\n" cfg.domains); virtual_domains_file = builtins.toFile "virtual_domains" (lib.concatStringsSep "\n" cfg.domains);
denied_recipients = map (account: "${account.name} REJECT ${account.rejectMessage}") (lib.filter (account: account.isSystemUser) (lib.attrValues cfg.accounts));
denied_recipients_file = builtins.toFile "denied_recipients" (lib.concatStringsSep "\n" denied_recipients);
submission_header_cleanup_rules = pkgs.writeText "submission_header_cleanup_rules" '' submission_header_cleanup_rules = pkgs.writeText "submission_header_cleanup_rules" ''
# Removes sensitive headers from mails handed in via the submission port. # Removes sensitive headers from mails handed in via the submission port.
# See https://thomas-leister.de/mailserver-debian-stretch/ # See https://thomas-leister.de/mailserver-debian-stretch/
@ -96,6 +99,7 @@ in {
# TODO: create function to simplify this? # TODO: create function to simplify this?
mapFiles."virtual_aliases" = aliases_file; mapFiles."virtual_aliases" = aliases_file;
mapFiles."virtual_accounts" = virtual_accounts_file; mapFiles."virtual_accounts" = virtual_accounts_file;
mapFiles."denied_recipients" = denied_recipients_file;
virtual = lookupTableToString all_virtual_aliases; virtual = lookupTableToString all_virtual_aliases;
submissionsOptions = { submissionsOptions = {
@ -140,6 +144,9 @@ in {
"permit_sasl_authenticated" "permit_sasl_authenticated"
"reject_unauth_destination" "reject_unauth_destination"
]; ];
smtpd_recipient_restrictions = [
"check_recipient_access ${mappedFile "denied_recipients"}"
];
# TLS settings, inspired by https://github.com/jeaye/nix-files # TLS settings, inspired by https://github.com/jeaye/nix-files
# Submission by mail clients is handled in submissionOptions # Submission by mail clients is handled in submissionOptions

13
tests/basic.nix
View file

@ -9,6 +9,11 @@ with (import ./common/lib.nix {inherit pkgs;}); let
address = "user2@example.com"; address = "user2@example.com";
password = "secret-password2"; password = "secret-password2";
}; };
"system" = {
address = "system@example.com";
password = "secret-password3";
isSystemUser = true;
};
}; };
in in
pkgs.nixosTest { pkgs.nixosTest {
@ -77,6 +82,14 @@ in
I'm pretending to be someotheraddress@example.com and the mailserver should reject this attempt. I'm pretending to be someotheraddress@example.com and the mailserver should reject this attempt.
''}") ''}")
with subtest("mail sent to system-account is rejected"):
client.fail("${sendMail "normal" "someotheraddress@example.com" accounts."system".address ''
Subject: Mail to system-account
Hello System user,
this mail should never reach you as it should be rejected by postfix.
''}")
with subtest("server issues no warnings nor errors"): with subtest("server issues no warnings nor errors"):
${checkLogs "server"} ${checkLogs "server"}
''; '';