Actually reject mails sent to system accounts and add respective testcase

2025-01-02 23:06:14 +01:00 · 2025-01-02 23:06:14 +01:00 · a9aebf64bf
commit a9aebf64bf
parent bb2ccd6408
3 changed files with 30 additions and 0 deletions
--- a/mailsystem/default.nix
+++ b/mailsystem/default.nix
@ -112,7 +112,17 @@ in {
              account will be rejected.
            '';
          };
+
+          rejectMessage = lib.mkOption {
+            type = lib.types.str;
+            default = "This account cannot receive emails.";
+            description = ''
+              The message that will be returned to the sender when an email is
+              sent to a system account.
+            '';
+          };
        };
+
        config.name = lib.mkDefault name;
      }));
      example = {
--- a/mailsystem/postfix.nix
+++ b/mailsystem/postfix.nix
@ -54,6 +54,9 @@ with (import ./common.nix {inherit config;}); let

  virtual_domains_file = builtins.toFile "virtual_domains" (lib.concatStringsSep "\n" cfg.domains);

+  denied_recipients = map (account: "${account.name} REJECT ${account.rejectMessage}") (lib.filter (account: account.isSystemUser) (lib.attrValues cfg.accounts));
+  denied_recipients_file = builtins.toFile "denied_recipients" (lib.concatStringsSep "\n" denied_recipients);
+
  submission_header_cleanup_rules = pkgs.writeText "submission_header_cleanup_rules" ''
    # Removes sensitive headers from mails handed in via the submission port.
    # See https://thomas-leister.de/mailserver-debian-stretch/
@ -96,6 +99,7 @@ in {
      # TODO: create function to simplify this?
      mapFiles."virtual_aliases" = aliases_file;
      mapFiles."virtual_accounts" = virtual_accounts_file;
+      mapFiles."denied_recipients" = denied_recipients_file;
      virtual = lookupTableToString all_virtual_aliases;

      submissionsOptions = {
@ -140,6 +144,9 @@ in {
          "permit_sasl_authenticated"
          "reject_unauth_destination"
        ];
+        smtpd_recipient_restrictions = [
+          "check_recipient_access ${mappedFile "denied_recipients"}"
+        ];

        # TLS settings, inspired by https://github.com/jeaye/nix-files
        # Submission by mail clients is handled in submissionOptions
--- a/tests/basic.nix
+++ b/tests/basic.nix
@ -9,6 +9,11 @@ with (import ./common/lib.nix {inherit pkgs;}); let
      address = "user2@example.com";
      password = "secret-password2";
    };
+    "system" = {
+      address = "system@example.com";
+      password = "secret-password3";
+      isSystemUser = true;
+    };
  };
 in
  pkgs.nixosTest {
@ -77,6 +82,14 @@ in
        I'm pretending to be someotheraddress@example.com and the mailserver should reject this attempt.
      ''}")

+      with subtest("mail sent to system-account is rejected"):
+          client.fail("${sendMail "normal" "someotheraddress@example.com" accounts."system".address ''
+        Subject: Mail to system-account
+
+        Hello System user,
+        this mail should never reach you as it should be rejected by postfix.
+      ''}")
+
      with subtest("server issues no warnings nor errors"):
          ${checkLogs "server"}
    '';