From 2fa00b4c73b8cf7b05b5e0251ef95de60cfcb612 Mon Sep 17 00:00:00 2001
From: Colin
Date: Sat, 21 Oct 2023 11:48:45 +0000
Subject: [PATCH] postfix: fix connectivity issues

---
 .../by-name/servo/services/email/default.nix | 7 ++++
 .../by-name/servo/services/email/postfix.nix | 35 ++++++++++---------
 2 files changed, 26 insertions(+), 16 deletions(-)

diff --git a/hosts/by-name/servo/services/email/default.nix b/hosts/by-name/servo/services/email/default.nix
index c2b46173..848df134 100644
--- a/hosts/by-name/servo/services/email/default.nix
+++ b/hosts/by-name/servo/services/email/default.nix
@@ -22,6 +22,13 @@
 # - but postfix delegates authorization of that outgoing mail to dovecot, on the server side
 #
 # - local clients (i.e. sendmail) interact only with postfix
+#
+# debugging: general connectivity issues
+# - test that inbound port 25 is unblocked:
+# - `curl https://canyouseeme.org/ --data 'port=25&IP=185.157.162.178' | grep 'see your service'`
+# - and retry with port 465, 587
+# - i think this API requires the queried IP match the source IP
+# - if necessary, `systemctl stop postfix` and `sudo nc -l 185.157.162.178 25`, then try https://canyouseeme.org
 
 { ... }:
 {
diff --git a/hosts/by-name/servo/services/email/postfix.nix b/hosts/by-name/servo/services/email/postfix.nix
index 284851ab..586e334f 100644
--- a/hosts/by-name/servo/services/email/postfix.nix
+++ b/hosts/by-name/servo/services/email/postfix.nix
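Review bot: The last debugging bullet (`systemctl stop postfix` followed by `sudo nc -l 185.157.162.178 25`) takes the MX offline and leaves a root-owned raw listener on a public port, but the recipe never says how to undo it. I'd append one more bullet, `# - afterwards: Ctrl-C the listener and run systemctl start postfix; mail offered while postfix was down was not accepted, so expect remote senders to retry`, so the recovery step sits next to the destructive one. Since the listener only needs root because 25 is a privileged port, it is also worth recording the non-disruptive first check, e.g. `# - first try: journalctl -fu postfix while the remote probe runs; only fall back to stopping postfix if nothing is logged`. The comment header this hunk extends begins before the hunk.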
@@ -28,22 +28,25 @@ in
 # "/var/lib/dovecot"
 ];
 
- sane.ports.ports."25" = {
- protocol = [ "tcp" ];
- # XXX visibleTo.lan effectively means "open firewall, but don't configure any NAT/forwarding"
- visibleTo.lan = true;
- description = "colin-smtp-mx.uninsane.org";
- };
- sane.ports.ports."465" = {
- protocol = [ "tcp" ];
- visibleTo.lan = true;
- description = "colin-smtps-mx.uninsane.org";
- };
- sane.ports.ports."587" = {
- protocol = [ "tcp" ];
- visibleTo.lan = true;
- description = "colin-smtps-submission-mx.uninsane.org";
- };
+ # XXX(2023/10/20): opening these ports in the firewall has the OPPOSITE effect as intended.
+ # these ports are only routable so long as they AREN'T opened.
+ # probably some cursed interaction with network namespaces introduced after 2023/10/10.
+ # sane.ports.ports."25" = {
+ # protocol = [ "tcp" ];
+ # # XXX visibleTo.lan effectively means "open firewall, but don't configure any NAT/forwarding"
+ # visibleTo.lan = true;
+ # description = "colin-smtp-mx.uninsane.org";
+ # };
+ # sane.ports.ports."465" = {
+ # protocol = [ "tcp" ];
+ # visibleTo.lan = true;
+ # description = "colin-smtps-mx.uninsane.org";
+ # };
+ # sane.ports.ports."587" = {
+ # protocol = [ "tcp" ];
+ # visibleTo.lan = true;
+ # description = "colin-smtps-submission-mx.uninsane.org";
+ # };
 
 # exists only to manage certs for Postfix
 services.nginx.virtualHosts."mx.uninsane.org" = {
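Review bot: Commenting out the three `sane.ports.ports` entries removes the only declarative record in this file that 25, 465 and 587 are meant to be reachable from outside, and the new XXX block explains the symptom but not the resulting exposure model. If inbound SMTP works without an allow rule, the firewall is not what admits that traffic; the network-namespace interaction the comment suspects would, if real, presumably apply to any other listener on the same path too, so the assumption that the firewall still gates the rest of this host deserves an explicit check rather than being left implicit. I'd add two lines to the block: `# TODO: restore these once root-caused; until then the real exposure is what the live ruleset and listeners show, not this file` and `# verify after any firewall change: nft list ruleset (or iptables -S), ss -ltnp for :25/:465/:587, then re-probe from outside`. The enclosing attribute set opens before this hunk and continues after it.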