rouven.seifert/nixos-config
1
1
Fork 0
mirror of https://git.sr.ht/~rouven/nixos-config synced 2024-11-14 21:03:10 +01:00
Code Issues Packages Projects Releases Wiki Activity

falkenstein: add some spoofing restrictions

Browse source
This commit is contained in:
Rouven Seifert 2024-01-25 18:20:24 +01:00
parent 7a8e304ca1
commit 0fb57287bd
Signed by: rouven.seifert
GPG key ID: B95E8FE6B11C4D09
1 changed files with 8 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
hosts/falkenstein/modules/mail/default.nix
View file

@ -12,6 +12,10 @@ let
/^\s*X-Originating-IP/ IGNORE
/^\s*Mime-Version/ IGNORE
'';
login_maps = pkgs.writeText "login_maps.pcre" ''
# basic username => username@rfive.de
/^([^@+]*)(\+[^@]*)?@rfive\.de$/ ''${1}
'';
in
{
networking.firewall.allowedTCPPorts = [
@ -93,6 +97,10 @@ in
"permit_mynetworks"
"reject_unauth_destination"
];
smtpd_sender_restrictions = [
"reject_authenticated_sender_login_mismatch"
];
smtpd_sender_login_maps = [ "pcre:${login_maps}" ];
smtp_header_checks = "pcre:${header_cleanup}";
alias_maps = [ "hash:/etc/aliases" ];