From ffeb47cd5e4485c3f71b1e8dfac1c5664a922baf Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Wed, 24 Jan 2024 16:02:58 +0100
Subject: [PATCH] verify mail senders
---
 modules/mail/default.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/modules/mail/default.nix b/modules/mail/default.nix
index daf6c04..095ff95 100644
--- a/modules/mail/default.nix
+++ b/modules/mail/default.nix
@@ -24,6 +24,11 @@ let
 /^\s*X-Originating-IP/ IGNORE
 /^\s*Mime-Version/ IGNORE
 '';
+ # https://unix.stackexchange.com/questions/294300/postfix-prevent-users-from-changing-the-real-e-mail-address
+ login_maps = pkgs.writeText "login_maps.pcre" ''
+ # basic username => username@ifsr.de
+ /^([^@+]*)(\+[^@]*)?@ifsr\.de$/ ''${1}
+ '';
 in
 {
 sops.secrets."rspamd-password".owner = config.users.users.rspamd.name;
@@ -119,6 +124,13 @@ in
 smtpd_data_restrictions = [
 "reject_unauth_pipelining"
 ];
+ smtpd_sender_restrictions = [
+ "reject_authenticated_sender_login_mismatch"
+ ];
+ smtpd_sender_login_maps = [
+ "pcre:/etc/special-aliases.pcre"
+ "pcre:${login_maps}"
+ ];
 smtp_header_checks = "pcre:${header_cleanup}";
 # smtpd_sender_login_maps = [ "ldap:${ldap-senders}" ];
 alias_maps = [ "hash:/etc/aliases" ];
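Review bot: The comment inside `login_maps` reads backwards, and the pattern accepts an empty local part. `smtpd_sender_login_maps` is looked up by sender address and returns the owning login, so the comment would be clearer as `# sender user[+ext]@ifsr.de => owning SASL login "user"`. Because `[^@+]*` can match nothing, an address with no characters before the `+` or `@` yields an empty owner; writing `[^@+]+` avoids depending on how Postfix treats that result. The map also assumes SASL login names are the bare username without a domain part, which is not visible in this hunk and is worth confirming against the auth backend.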
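Review bot: `reject_authenticated_sender_login_mismatch` in `smtpd_sender_restrictions` binds only the envelope MAIL FROM of SASL-authenticated sessions, so the `From:` header and unauthenticated sessions that claim an `@ifsr.de` sender are outside this check. If that scope is intended, a comment such as `# envelope sender only; From: header alignment is not enforced here` would keep the commit title from being read as full sender verification. `pcre:/etc/special-aliases.pcre` is consulted first and is not created in the visible hunks; if the file is absent or unreadable, the lookup presumably fails with a temporary error for every authenticated submission, so it is worth declaring it next to `login_maps` or noting where it is managed. The enclosing attribute set starts and ends outside the hunk.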