postfix: toy with some spam protection (but don't actually enable it)

2023-04-20 09:17:25 +00:00 · 2023-04-20 09:17:25 +00:00 · 89e2a83067
commit 89e2a83067
parent ae78f2b6c2
1 changed files with 24 additions and 0 deletions
--- a/hosts/by-name/servo/services/postfix.nix
+++ b/hosts/by-name/servo/services/postfix.nix
@ -1,5 +1,16 @@
 # DOCS:
+# - postfix config options: <https://www.postfix.org/postconf.5.html>
 # - dovecot config: <https://doc.dovecot.org/configuration_manual/>
+# - rspamd nixos: <https://nixos.wiki/wiki/Rspamd>
+# - rspamd guide: <https://rspamd.com/doc/quickstart.html>
+#
+# nix configs to reference:
+# - <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver>
+# - <https://github.com/nix-community/nur-combined/-/tree/master/repos/eh5/machines/srv-m/mail-rspamd.nix>
+#   - postfix / dovecot / rspamd / stalwart-jmap / sogo
+
+# TODO:
+# - rspamd integration: <https://dataswamp.org/~solene/2021-07-13-smtpd-rspamd.html>

 { config, lib, ... }:

@ -109,6 +120,12 @@ in
    milter_default_action = accept
    inet_protocols = ipv4
    smtp_tls_security_level = may
+
+    # anti-spam options: <https://www.postfix.org/SMTPD_ACCESS_README.html>
+    # reject_unknown_sender_domain: causes postfix to `dig <sender> MX` and make sure that exists.
+    # but may cause problems receiving mail from google & others who load-balance?
+    # - <https://unix.stackexchange.com/questions/592131/how-to-reject-email-from-unknown-domains-with-postfix-on-centos>
+    # smtpd_sender_restrictions = reject_unknown_sender_domain
  '';

  services.postfix.enableSubmission = true;
@ -158,15 +175,18 @@ in
    #   - Drafts: ?
    #   - Sent: works
    #   - Trash: works
+    #   - Junk: ?
    # aerc
    #   - Drafts: works
    #   - Sent: works
    #   - Trash: no; deleted messages are actually deleted
    #       use `:move trash` instead
+    #   - Junk: ?
    # Sent mailbox: all sent messages are copied to it. unclear if this happens server-side or client-side.
    Drafts = { specialUse = "Drafts"; auto = "create"; };
    Sent = { specialUse = "Sent"; auto = "create"; };
    Trash = { specialUse = "Trash"; auto = "create"; };
+    Junk = { specialUse = "Junk"; auto = "create"; };
  };
  services.dovecot2.sslServerCert = "/var/lib/acme/imap.uninsane.org/fullchain.pem";
  services.dovecot2.sslServerKey = "/var/lib/acme/imap.uninsane.org/key.pem";
@ -222,6 +242,10 @@ in
    # }
  ];

+  #### SPAM FILTERING
+  # services.rspamd.enable = true;
+  # services.rspamd.postfix.enable = true;
+
  sops.secrets."dovecot_passwd" = {
    owner = config.users.users.dovecot2.name;
    # TODO: debug why mail can't be sent without this being world-readable