authorMatt McHenry <github@matt.mchenryfamily.org>2016-01-07 22:38:22 -0500
committerMatt McHenry <github@matt.mchenryfamily.org>2016-02-11 22:13:09 -0500
commit40c7d554d42d544005afb5c35dc3552b9e4d29df (patch)
tree1436175eafbfecc78e2f3c6ca77acc8b58cde5ff /nixos/modules/services/mail/postfix.nix
parentd28a06553eaf2d065c6f867d6a90d8ba51c90121 (diff)
postfix service: implement DNS blacklist support
Diffstat (limited to 'nixos/modules/services/mail/postfix.nix')
-rw-r--r--nixos/modules/services/mail/postfix.nix30
1 files changed, 30 insertions, 0 deletions
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index f2d8189de6ef..e03aabd6f2b1 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -13,6 +13,18 @@ let
   haveTransport = cfg.transport != "";
   haveVirtual = cfg.virtual != "";
 
+  clientAccess =
+    if (cfg.dnsBlacklistOverrides != "")
+    then [ "check_client_access hash:/etc/postfix/client_access" ]
+    else [];
+
+  dnsBl =
+    if (cfg.dnsBlacklists != [])
+    then [ (concatStringsSep ", " (map (s: "reject_rbl_client " + s) cfg.dnsBlacklists)) ]
+    else [];
+
+  clientRestrictions = concatStringsSep ", " (clientAccess ++ dnsBl);
+
   mainCf =
     ''
       compatibility_level = 2
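Review bot: `clientAccess` emits the `check_client_access hash:/etc/postfix/client_access` entry whenever `dnsBlacklistOverrides` is non-empty, but the `smtpd_client_restrictions` line in the second hunk and the `mapFiles."client_access"` registration in the last hunk are both gated on `cfg.dnsBlacklists != []`, so overrides configured without any blacklist are silently dropped. Either gate all three on the same condition or add an assertion such as `{ assertion = cfg.dnsBlacklistOverrides == "" || cfg.dnsBlacklists != []; message = "services.postfix.dnsBlacklistOverrides requires dnsBlacklists"; }` so the mismatch is reported at evaluation time. Separately, `dnsBl` joins the `reject_rbl_client` entries into one string, wraps it in a one-element list and then joins again; `clientRestrictions = concatStringsSep ", " (clientAccess ++ map (s: "reject_rbl_client " + s) cfg.dnsBlacklists);` produces the same list without the double join. The enclosing `let` begins before this hunk.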
@@ -104,6 +116,9 @@ let
     + optionalString haveVirtual ''
       virtual_alias_maps = hash:/etc/postfix/virtual
     ''
+    + optionalString (cfg.dnsBlacklists != []) ''
+      smtpd_client_restrictions = ${clientRestrictions}
+    ''
     + cfg.extraConfig;
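Review bot: The generated `smtpd_client_restrictions` consists only of the access map and the `reject_rbl_client` entries, so every connecting client is checked against the DNSBLs, including hosts in `mynetworks` and authenticated submission clients whose addresses may well appear on dynamic-IP lists; nothing in the change documents that this is intended. The usual shape is to lead with `permit_mynetworks` (and `permit_sasl_authenticated` where SASL is enabled), or the option description should state explicitly that the module adds no such exemptions and the admin must put them in `dnsBlacklistOverrides`. Note also that an `smtpd_client_restrictions` set in `cfg.extraConfig` is appended after this one, and Postfix takes the later value, so the generated list can be overridden without any error from the module. The `mainCf` concatenation starts before this hunk.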
 
   masterCf = ''
@@ -161,6 +176,7 @@ let
 
   aliasesFile = pkgs.writeText "postfix-aliases" aliases;
   virtualFile = pkgs.writeText "postfix-virtual" cfg.virtual;
+  checkClientAccessFile = pkgs.writeText "postfix-check-client-access" cfg.dnsBlacklistOverrides;
   mainCfFile = pkgs.writeText "postfix-main.cf" mainCf;
   masterCfFile = pkgs.writeText "postfix-master.cf" masterCf;
   transportFile = pkgs.writeText "postfix-transport" cfg.transport;
@@ -366,6 +382,17 @@ in
         ";
       };
 
+      dnsBlacklists = mkOption {
+        default = [];
+        type = with types; listOf string;
+        description = "dns blacklist servers to use with smtpd_client_restrictions";
+      };
+
+      dnsBlacklistOverrides = mkOption {
+        default = "";
+        description = "contents of check_client_access for overriding dnsBlacklists";
+      };
+
       extraMasterConf = mkOption {
         type = types.lines;
         default = "";
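Review bot: `dnsBlacklistOverrides` declares no `type`, unlike its sibling `extraMasterConf` (`types.lines`), so a non-string value is only rejected when it reaches `writeText` or the `!= ""` comparison in the first hunk; add `type = types.lines;`. The descriptions are too terse to use the options safely: `dnsBlacklists` should say its entries are DNSBL domain names that each become a `reject_rbl_client` entry, and `dnsBlacklistOverrides` should say it is the body of a Postfix access(5) table (client hostname or address, then an action such as `OK` or `REJECT`) that is evaluated before the blacklists and therefore can exempt specific hosts, and that it has no effect unless `dnsBlacklists` is non-empty. The enclosing options attribute set begins before this hunk.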
@@ -494,6 +521,9 @@ in
     (mkIf haveVirtual {
       services.postfix.mapFiles."virtual" = virtualFile;
     })
+    (mkIf (cfg.dnsBlacklists != []) {
+      services.postfix.mapFiles."client_access" = checkClientAccessFile;
+    })
   ]);
 
 }