superban asuswebstorage

liam/mail.nix

@@ -20,6 +20,9 @@ let
     "upgrade-plans@asuswebstorage.com"
     "info@rfidlabel.com"
   ];
+  banned_ips = [
+    "210.242.134.20/26"
+  ];
   # must be bigger than gmail's 25MB "attachment limit" which after base64 encoding (x 1.33) is ~33MB
   mailSizeLimit = 35 * 1024 * 1024;
 in
@@ -66,7 +69,10 @@ in
       ) domains)
     );
     mapFiles.sender_access = pkgs.writeText "sender-access" (
-      lib.concatMapStringsSep "\n" (pattern: "${pattern} REJECT") (domains ++ reject_spam_sources)
+      lib.concatMapStringsSep "\n" (pattern: "${pattern} REJECT spam") (domains ++ reject_spam_sources)
+    );
+    mapFiles.banned_ips = pkgs.writeText "banned-ips" (
+      lib.concatMapStringsSep "\n" (ip: "${ip} REJECT spam") banned_ips
     );
     # hack to get postfix to add a X-Original-To header
     mapFiles.add_envelope_to = pkgs.writeText "addenvelopeto" "/(.+)/ PREPEND X-Envelope-To: $1";
@@ -86,8 +92,9 @@ in
       sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
 
       header_checks = pcre:/etc/postfix/header_checks
-      smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
-      smtpd_recipient_restrictions = check_recipient_access pcre:/etc/postfix/add_envelope_to
+      smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access permit
+      smtpd_client_restrictions = check_client_access cidr:/etc/postfix/banned_ips permit
+      smtpd_recipient_restrictions = check_recipient_access pcre:/etc/postfix/add_envelope_to permit
       recipient_delimiter = +
 
       #we should never use these transport methods unless thru transport map