2 files changed, 27 insertions, 7 deletions
diff --git a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
index 7117eb63..7c931559 100644
--- a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
+++ b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
@@ -28,10 +28,12 @@ class PolicyHandler(StreamRequestHandler):
        allowed = False
        user = None
+        relay_eligible = False
        if self.args['sasl_username']:
            user = self.args['sasl_username']
        if self.args['ccert_subject']:
            user = self.args['ccert_subject']
+            relay_eligible = True
        if user:
            with self.server.db_pool.connection() as conn:
@@ -44,9 +46,16 @@ class PolicyHandler(StreamRequestHandler):
                with conn.cursor() as cur:
                    cur.row_factory = namedtuple_row
-                    cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s) as "exists"', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)
-                    if (row := cur.fetchone()) is not None:
+                    if relay_eligible:
-                        allowed = row.exists
+                        cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "relay_access" ON "mailbox".id = "relay_access"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("domain" = %(domain)s OR %(domain)s ilike CONCAT(\'%%_.\', "domain"))) as "exists"', params = {'user': user, 'domain': domain})
+                        if (row := cur.fetchone()) is not None:
+                            allowed = row.exists
+                    if not allowed:
+                        cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s) as "exists"', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)
+                        if (row := cur.fetchone()) is not None:
+                            allowed = row.exists
        action = '550 5.7.0 Sender address not authorized for current user'
        if allowed:
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 85f3a439..c993bb18 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -268,13 +268,24 @@ in {
        virtual_transport = "dvlmtp:unix:/run/dovecot-lmtp";
        smtputf8_enable = false;
-        authorized_submit_users = "inline:{ postfwd= dovecot2= }";
+        authorized_submit_users = "inline:{ root= postfwd= dovecot2= }";
-        authorized_flush_users = "fail:flush_users";
+        authorized_flush_users = "inline:{ root= }";
-        authorized_mailq_users = "fail:mailq_users";
+        authorized_mailq_users = "inline:{ root= }";
        postscreen_access_list = "";
        postscreen_denylist_action = "drop";
        postscreen_greet_action = "enforce";
+        sender_bcc_maps = ''pgsql:${pkgs.writeText "sender_bcc_maps.cf" ''
+          hosts = postgresql:///email
+          dbname = email
+          query = SELECT value FROM sender_bcc_maps WHERE key = '%s'
+        ''}'';
+        recipient_bcc_maps = ''pgsql:${pkgs.writeText "recipient_bcc_maps.cf" ''
+          hosts = postgresql:///email
+          dbname = email
+          query = SELECT value FROM recipient_bcc_maps WHERE key = '%s'
+        ''}'';
      };
      masterConfig = {
        "465" = {
@@ -392,7 +403,7 @@ in {
      enable = true;
      user = "postfix"; group = "postfix";
      socket = "local:/run/opendkim/opendkim.sock";
-      domains = ''csl:${concatStringsSep "," (["surtr.yggdrasil.li"] ++ emailDomains)}'';
+      domains = ''csl:${concatStringsSep "," (["surtr.yggdrasil.li" "yggdrasil.li" "141.li" "kleen.li" "synapse.li" "praseodym.org"] ++ emailDomains)}'';
      selector = "surtr";
      configFile = builtins.toFile "opendkim.conf" ''
        Syslog true

diff --git a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py index 7117eb63..7c931559 100644 --- a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py +++ b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
@@ -28,10 +28,12 @@ class PolicyHandler(StreamRequestHandler):
28		28
29	allowed = False	29	allowed = False
30	user = None	30	user = None
		31	relay_eligible = False
31	if self.args['sasl_username']:	32	if self.args['sasl_username']:
32	user = self.args['sasl_username']	33	user = self.args['sasl_username']
33	if self.args['ccert_subject']:	34	if self.args['ccert_subject']:
34	user = self.args['ccert_subject']	35	user = self.args['ccert_subject']
		36	relay_eligible = True
35		37
36	if user:	38	if user:
37	with self.server.db_pool.connection() as conn:	39	with self.server.db_pool.connection() as conn:
@@ -44,9 +46,16 @@ class PolicyHandler(StreamRequestHandler):
44		46
45	with conn.cursor() as cur:	47	with conn.cursor() as cur:
46	cur.row_factory = namedtuple_row	48	cur.row_factory = namedtuple_row
47	cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s) as "exists"', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)	49
48	if (row := cur.fetchone()) is not None:	50	if relay_eligible:
49	allowed = row.exists	51	cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "relay_access" ON "mailbox".id = "relay_access"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("domain" = %(domain)s OR %(domain)s ilike CONCAT(\'%%_.\', "domain"))) as "exists"', params = {'user': user, 'domain': domain})
		52	if (row := cur.fetchone()) is not None:
		53	allowed = row.exists
		54
		55	if not allowed:
		56	cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s) as "exists"', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)
		57	if (row := cur.fetchone()) is not None:
		58	allowed = row.exists
50		59
51	action = '550 5.7.0 Sender address not authorized for current user'	60	action = '550 5.7.0 Sender address not authorized for current user'
52	if allowed:	61	if allowed:


diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 85f3a439..c993bb18 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix
@@ -268,13 +268,24 @@ in {
268	virtual_transport = "dvlmtp:unix:/run/dovecot-lmtp";	268	virtual_transport = "dvlmtp:unix:/run/dovecot-lmtp";
269	smtputf8_enable = false;	269	smtputf8_enable = false;
270		270
271	authorized_submit_users = "inline:{ postfwd= dovecot2= }";	271	authorized_submit_users = "inline:{ root= postfwd= dovecot2= }";
272	authorized_flush_users = "fail:flush_users";	272	authorized_flush_users = "inline:{ root= }";
273	authorized_mailq_users = "fail:mailq_users";	273	authorized_mailq_users = "inline:{ root= }";
274		274
275	postscreen_access_list = "";	275	postscreen_access_list = "";
276	postscreen_denylist_action = "drop";	276	postscreen_denylist_action = "drop";
277	postscreen_greet_action = "enforce";	277	postscreen_greet_action = "enforce";
		278
		279	sender_bcc_maps = ''pgsql:${pkgs.writeText "sender_bcc_maps.cf" ''
		280	hosts = postgresql:///email
		281	dbname = email
		282	query = SELECT value FROM sender_bcc_maps WHERE key = '%s'
		283	''}'';
		284	recipient_bcc_maps = ''pgsql:${pkgs.writeText "recipient_bcc_maps.cf" ''
		285	hosts = postgresql:///email
		286	dbname = email
		287	query = SELECT value FROM recipient_bcc_maps WHERE key = '%s'
		288	''}'';
278	};	289	};
279	masterConfig = {	290	masterConfig = {
280	"465" = {	291	"465" = {
@@ -392,7 +403,7 @@ in {
392	enable = true;	403	enable = true;
393	user = "postfix"; group = "postfix";	404	user = "postfix"; group = "postfix";
394	socket = "local:/run/opendkim/opendkim.sock";	405	socket = "local:/run/opendkim/opendkim.sock";
395	domains = ''csl:${concatStringsSep "," (["surtr.yggdrasil.li"] ++ emailDomains)}'';	406	domains = ''csl:${concatStringsSep "," (["surtr.yggdrasil.li" "yggdrasil.li" "141.li" "kleen.li" "synapse.li" "praseodym.org"] ++ emailDomains)}'';
396	selector = "surtr";	407	selector = "surtr";
397	configFile = builtins.toFile "opendkim.conf" ''	408	configFile = builtins.toFile "opendkim.conf" ''
398	Syslog true	409	Syslog true