2 files changed, 30 insertions, 5 deletions

diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 66c39e8f..4d75dfae 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -902,9 +902,13 @@ in {
 
     services.postfwd = {
       enable = true;
+      cache = false;
       rules = ''
-        id=RCPT01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/100/3600/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=100,HIT_RATELIMIT_INTERVAL=3600))
-        id=RCPT02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/1000/86400/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=1000,HIT_RATELIMIT_INTERVAL=86400))
+        id=RCPT_SASL01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; sasl_username!=; action=rcpt(sasl_username/100/3600/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=100,HIT_RATELIMIT_INTERVAL=3600))
+        id=RCPT_SASL02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; sasl_username!=; action=rcpt(sasl_username/1000/86400/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=1000,HIT_RATELIMIT_INTERVAL=86400))
+
+        id=RCPT_CCERT01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; ccert_subject!=; action=rcpt(ccert_subject/100/3600/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=100,HIT_RATELIMIT_INTERVAL=3600))
+        id=RCPT_CCERT02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; ccert_subject!=; action=rcpt(ccert_subject/1000/86400/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=1000,HIT_RATELIMIT_INTERVAL=86400))
 
         id=JUMP_REJECT_RL; HIT_RATELIMIT=="1"; action=jump(REJECT_RL)
 
diff --git a/modules/postfwd.nix b/modules/postfwd.nix
index e10c04a7..2ecfe9ab 100644
--- a/modules/postfwd.nix
+++ b/modules/postfwd.nix
@@ -9,6 +9,10 @@ in {
     services.postfwd = with types; {
       enable = mkEnableOption "postfwd3 - postfix firewall daemon";
 
+      cache = mkEnableOption "postfwd3 cache" // {
+        default = true;
+      };
+
       rules = mkOption {
         type = lines;
         default = "";
@@ -25,7 +29,7 @@ in {
       serviceConfig = {
         Type = "forking";
 
-        ExecStart = "${pkgs.postfwd}/bin/postfwd3 ${escapeShellArgs [
+        ExecStart = "${pkgs.postfwd}/bin/postfwd3 ${escapeShellArgs ([
           "-vv"
           "--daemon" "--user" "postfwd" "--group" "postfwd"
           "--pidfile" "/run/postfwd3/postfwd3.pid"
@@ -34,11 +38,14 @@ in {
           "--save_rates" "/var/lib/postfwd/rates"
           "--save_groups" "/var/lib/postfwd/groups"
           "--summary" "3600"
+          "--file" (pkgs.writeText "postfwd3-rules" cfg.rules)
+        ] ++ lib.optionals cfg.cache [
           "--cache" "600"
           "--cache_proto" "unix"
           "--cache_port" "/run/postfwd3/cache.sock"
-          "--file" (pkgs.writeText "postfwd3-rules" cfg.rules)
-        ]}";
+        ] ++ lib.optionals (!cfg.cache) [
+          "--cache" "0"
+        ])}";
         PIDFile = "/run/postfwd3/postfwd3.pid";
 
         Restart = "always";
@@ -78,5 +85,19 @@ in {
         IPAddressDeny = "any";
       };
     };
+
+    environment.systemPackages = [
+      (pkgs.postfwd.overrideAttrs (oldAttrs: {
+        nativeBuildInputs = (oldAttrs.nativeBuildInputs or []) ++ [ pkgs.makeWrapper pkgs.coreutils ];
+
+        postInstall = ''
+          ${oldAttrs.postInstall or ""}
+
+          wrapProgram $out/bin/postfwd3 \
+            --add-flags "--proto unix --port /run/postfwd3/postfwd3.sock"
+          ln -s postfwd3 $out/bin/postfwd
+        '';
+      }))
+    ];
   };
 }