From a9aebf64bf28b1354ae8f064eae81990c12a22d4 Mon Sep 17 00:00:00 2001
From: Thomas Preisner <mail@tpreisner.de>
Date: Thu, 2 Jan 2025 23:06:14 +0100
Subject: [PATCH] Actually reject mails sent to system accounts and add
 respective testcase

---
 mailsystem/default.nix | 10 ++++++++++
 mailsystem/postfix.nix |  7 +++++++
 tests/basic.nix        | 13 +++++++++++++
 3 files changed, 30 insertions(+)

diff --git a/mailsystem/default.nix b/mailsystem/default.nix
index 81c3b9e..dfc6435 100644
--- a/mailsystem/default.nix
+++ b/mailsystem/default.nix
@@ -112,7 +112,17 @@ in {
               account will be rejected.
             '';
           };
+
+          rejectMessage = lib.mkOption {
+            type = lib.types.str;
+            default = "This account cannot receive emails.";
+            description = ''
+              The message that will be returned to the sender when an email is
+              sent to a system account.
+            '';
+          };
         };
+
         config.name = lib.mkDefault name;
       }));
       example = {
diff --git a/mailsystem/postfix.nix b/mailsystem/postfix.nix
index 3328aca..708ad31 100644
--- a/mailsystem/postfix.nix
+++ b/mailsystem/postfix.nix
@@ -54,6 +54,9 @@ with (import ./common.nix {inherit config;}); let
 
   virtual_domains_file = builtins.toFile "virtual_domains" (lib.concatStringsSep "\n" cfg.domains);
 
+  denied_recipients = map (account: "${account.name} REJECT ${account.rejectMessage}") (lib.filter (account: account.isSystemUser) (lib.attrValues cfg.accounts));
+  denied_recipients_file = builtins.toFile "denied_recipients" (lib.concatStringsSep "\n" denied_recipients);
+
   submission_header_cleanup_rules = pkgs.writeText "submission_header_cleanup_rules" ''
     # Removes sensitive headers from mails handed in via the submission port.
     # See https://thomas-leister.de/mailserver-debian-stretch/
@@ -96,6 +99,7 @@ in {
       # TODO: create function to simplify this?
       mapFiles."virtual_aliases" = aliases_file;
       mapFiles."virtual_accounts" = virtual_accounts_file;
+      mapFiles."denied_recipients" = denied_recipients_file;
       virtual = lookupTableToString all_virtual_aliases;
 
       submissionsOptions = {
@@ -140,6 +144,9 @@ in {
           "permit_sasl_authenticated"
           "reject_unauth_destination"
         ];
+        smtpd_recipient_restrictions = [
+          "check_recipient_access ${mappedFile "denied_recipients"}"
+        ];
 
         # TLS settings, inspired by https://github.com/jeaye/nix-files
         # Submission by mail clients is handled in submissionOptions
diff --git a/tests/basic.nix b/tests/basic.nix
index 615d2a1..70bd13f 100644
--- a/tests/basic.nix
+++ b/tests/basic.nix
@@ -9,6 +9,11 @@ with (import ./common/lib.nix {inherit pkgs;}); let
       address = "user2@example.com";
       password = "secret-password2";
     };
+    "system" = {
+      address = "system@example.com";
+      password = "secret-password3";
+      isSystemUser = true;
+    };
   };
 in
   pkgs.nixosTest {
@@ -77,6 +82,14 @@ in
         I'm pretending to be someotheraddress@example.com and the mailserver should reject this attempt.
       ''}")
 
+      with subtest("mail sent to system-account is rejected"):
+          client.fail("${sendMail "normal" "someotheraddress@example.com" accounts."system".address ''
+        Subject: Mail to system-account
+
+        Hello System user,
+        this mail should never reach you as it should be rejected by postfix.
+      ''}")
+
       with subtest("server issues no warnings nor errors"):
           ${checkLogs "server"}
     '';