...

author: Gregor Kleen <gkleen@yggdrasil.li> 2025-06-07 10:21:02 +0200
committer: Gregor Kleen <gkleen@yggdrasil.li> 2025-06-07 10:21:02 +0200
commit: 0b0be3f0018f80f8345b60672eca6bcf37ec2b5c (patch)
tree: 6276b1c6b7af99ef71d24db8b5ed11e5502f4694
parent: 0c18d296b1b8c6be888ed334b086888a30e7e5a9 (diff)
download: nixos-0b0be3f0018f80f8345b60672eca6bcf37ec2b5c.tar
nixos-0b0be3f0018f80f8345b60672eca6bcf37ec2b5c.tar.gz
nixos-0b0be3f0018f80f8345b60672eca6bcf37ec2b5c.tar.bz2
nixos-0b0be3f0018f80f8345b60672eca6bcf37ec2b5c.tar.xz
nixos-0b0be3f0018f80f8345b60672eca6bcf37ec2b5c.zip
3 files changed, 26 insertions, 4 deletions
diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa
index ebb298b4..500194ae 100644
--- a/hosts/surtr/dns/zones/li.yggdrasil.soa
+++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2025052400 ; serial
+  2025060700 ; serial
  10800      ; refresh
  3600       ; retry
  604800     ; expire
@@ -115,6 +115,8 @@ vidhar                  IN      TXT     "v=spf1 redirect=yggdrasil.li"
 mailout                 IN      A       188.68.51.254
 mailout                 IN      AAAA    2a03:4000:6:d004::
+mailout                 IN      A       202.61.241.61
+mailout                 IN      AAAA    2a03:4000:52:ada::
 mailout                 IN      MX      0 ymir.yggdrasil.li
 mailout                 IN      TXT     "v=spf1 redirect=yggdrasil.li"
diff --git a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
index 7117eb63..cf89ca27 100644
--- a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
+++ b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
@@ -28,10 +28,12 @@ class PolicyHandler(StreamRequestHandler):
        allowed = False
        user = None
+        relay_eligible = False
        if self.args['sasl_username']:
            user = self.args['sasl_username']
        if self.args['ccert_subject']:
            user = self.args['ccert_subject']
+            relay_eligible = True
        if user:
            with self.server.db_pool.connection() as conn:
@@ -44,9 +46,16 @@ class PolicyHandler(StreamRequestHandler):
                with conn.cursor() as cur:
                    cur.row_factory = namedtuple_row
-                    cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s) as "exists"', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)
-                    if (row := cur.fetchone()) is not None:
+                    if relay_eligible:
-                        allowed = row.exists
+                        cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "relay_access" ON "mailbox".id = "relay_access"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND "domain" = %(domain)s) as "exists"', params = {'user': user, 'domain': domain})
+                        if (row := cur.fetchone()) is not None:
+                            allowed = row.exists
+                    if not allowed:
+                        cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s) as "exists"', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)
+                        if (row := cur.fetchone()) is not None:
+                            allowed = row.exists
        action = '550 5.7.0 Sender address not authorized for current user'
        if allowed:
diff --git a/hosts/surtr/postgresql/default.nix b/hosts/surtr/postgresql/default.nix
index 0ae29058..dedd4c7c 100644
--- a/hosts/surtr/postgresql/default.nix
+++ b/hosts/surtr/postgresql/default.nix
@@ -297,6 +297,17 @@ in {
          COMMIT;
+          BEGIN;
+          SELECT _v.register_patch('013-internal', ARRAY['000-base'], null);
+          CREATE TABLE relay_access (
+            id uuid PRIMARY KEY NOT NULL DEFAULT gen_random_uuid(),
+            mailbox uuid REFERENCES mailbox(id),
+            domain citext NOT NULL CONSTRAINT domain_non_empty CHECK (domain <> '''),
+          );
+          COMMIT;
        ''}
        psql etebase postgres -eXf ${pkgs.writeText "etebase.sql" ''
author	Gregor Kleen <gkleen@yggdrasil.li>	2025-06-07 10:21:02 +0200
committer	Gregor Kleen <gkleen@yggdrasil.li>	2025-06-07 10:21:02 +0200
commit	0b0be3f0018f80f8345b60672eca6bcf37ec2b5c (patch)
tree	6276b1c6b7af99ef71d24db8b5ed11e5502f4694
parent	0c18d296b1b8c6be888ed334b086888a30e7e5a9 (diff)
download	nixos-0b0be3f0018f80f8345b60672eca6bcf37ec2b5c.tar nixos-0b0be3f0018f80f8345b60672eca6bcf37ec2b5c.tar.gz nixos-0b0be3f0018f80f8345b60672eca6bcf37ec2b5c.tar.bz2 nixos-0b0be3f0018f80f8345b60672eca6bcf37ec2b5c.tar.xz nixos-0b0be3f0018f80f8345b60672eca6bcf37ec2b5c.zip

diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa index ebb298b4..500194ae 100644 --- a/hosts/surtr/dns/zones/li.yggdrasil.soa +++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
1	$ORIGIN yggdrasil.li.	1	$ORIGIN yggdrasil.li.
2	$TTL 3600	2	$TTL 3600
3	@ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (	3	@ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
4	2025052400 ; serial	4	2025060700 ; serial
5	10800 ; refresh	5	10800 ; refresh
6	3600 ; retry	6	3600 ; retry
7	604800 ; expire	7	604800 ; expire
@@ -115,6 +115,8 @@ vidhar IN TXT "v=spf1 redirect=yggdrasil.li"
115		115
116	mailout IN A 188.68.51.254	116	mailout IN A 188.68.51.254
117	mailout IN AAAA 2a03:4000:6:d004::	117	mailout IN AAAA 2a03:4000:6:d004::
		118	mailout IN A 202.61.241.61
		119	mailout IN AAAA 2a03:4000:52:ada::
118	mailout IN MX 0 ymir.yggdrasil.li	120	mailout IN MX 0 ymir.yggdrasil.li
119	mailout IN TXT "v=spf1 redirect=yggdrasil.li"	121	mailout IN TXT "v=spf1 redirect=yggdrasil.li"
120		122


diff --git a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py index 7117eb63..cf89ca27 100644 --- a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py +++ b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
@@ -28,10 +28,12 @@ class PolicyHandler(StreamRequestHandler):
28		28
29	allowed = False	29	allowed = False
30	user = None	30	user = None
		31	relay_eligible = False
31	if self.args['sasl_username']:	32	if self.args['sasl_username']:
32	user = self.args['sasl_username']	33	user = self.args['sasl_username']
33	if self.args['ccert_subject']:	34	if self.args['ccert_subject']:
34	user = self.args['ccert_subject']	35	user = self.args['ccert_subject']
		36	relay_eligible = True
35		37
36	if user:	38	if user:
37	with self.server.db_pool.connection() as conn:	39	with self.server.db_pool.connection() as conn:
@@ -44,9 +46,16 @@ class PolicyHandler(StreamRequestHandler):
44		46
45	with conn.cursor() as cur:	47	with conn.cursor() as cur:
46	cur.row_factory = namedtuple_row	48	cur.row_factory = namedtuple_row
47	cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s) as "exists"', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)	49
48	if (row := cur.fetchone()) is not None:	50	if relay_eligible:
49	allowed = row.exists	51	cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "relay_access" ON "mailbox".id = "relay_access"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND "domain" = %(domain)s) as "exists"', params = {'user': user, 'domain': domain})
		52	if (row := cur.fetchone()) is not None:
		53	allowed = row.exists
		54
		55	if not allowed:
		56	cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s) as "exists"', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)
		57	if (row := cur.fetchone()) is not None:
		58	allowed = row.exists
50		59
51	action = '550 5.7.0 Sender address not authorized for current user'	60	action = '550 5.7.0 Sender address not authorized for current user'
52	if allowed:	61	if allowed:


diff --git a/hosts/surtr/postgresql/default.nix b/hosts/surtr/postgresql/default.nix index 0ae29058..dedd4c7c 100644 --- a/hosts/surtr/postgresql/default.nix +++ b/hosts/surtr/postgresql/default.nix
@@ -297,6 +297,17 @@ in {
297		297
298	COMMIT;	298	COMMIT;
299		299
		300
		301	BEGIN;
		302	SELECT _v.register_patch('013-internal', ARRAY['000-base'], null);
		303
		304	CREATE TABLE relay_access (
		305	id uuid PRIMARY KEY NOT NULL DEFAULT gen_random_uuid(),
		306	mailbox uuid REFERENCES mailbox(id),
		307	domain citext NOT NULL CONSTRAINT domain_non_empty CHECK (domain <> '''),
		308	);
		309
		310	COMMIT;
300	''}	311	''}
301		312
302	psql etebase postgres -eXf ${pkgs.writeText "etebase.sql" ''	313	psql etebase postgres -eXf ${pkgs.writeText "etebase.sql" ''