4 files changed, 35 insertions, 7 deletions
diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa
index ebb298b4..500194ae 100644
--- a/hosts/surtr/dns/zones/li.yggdrasil.soa
+++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2025052400 ; serial
+  2025060700 ; serial
  10800      ; refresh
  3600       ; retry
  604800     ; expire
@@ -115,6 +115,8 @@ vidhar                  IN      TXT     "v=spf1 redirect=yggdrasil.li"
 mailout                 IN      A       188.68.51.254
 mailout                 IN      AAAA    2a03:4000:6:d004::
+mailout                 IN      A       202.61.241.61
+mailout                 IN      AAAA    2a03:4000:52:ada::
 mailout                 IN      MX      0 ymir.yggdrasil.li
 mailout                 IN      TXT     "v=spf1 redirect=yggdrasil.li"
diff --git a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
index 7117eb63..7c931559 100644
--- a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
+++ b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
@@ -28,10 +28,12 @@ class PolicyHandler(StreamRequestHandler):
        allowed = False
        user = None
+        relay_eligible = False
        if self.args['sasl_username']:
            user = self.args['sasl_username']
        if self.args['ccert_subject']:
            user = self.args['ccert_subject']
+            relay_eligible = True
        if user:
            with self.server.db_pool.connection() as conn:
@@ -44,9 +46,16 @@ class PolicyHandler(StreamRequestHandler):
                with conn.cursor() as cur:
                    cur.row_factory = namedtuple_row
-                    cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s) as "exists"', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)
-                    if (row := cur.fetchone()) is not None:
+                    if relay_eligible:
-                        allowed = row.exists
+                        cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "relay_access" ON "mailbox".id = "relay_access"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("domain" = %(domain)s OR %(domain)s ilike CONCAT(\'%%_.\', "domain"))) as "exists"', params = {'user': user, 'domain': domain})
+                        if (row := cur.fetchone()) is not None:
+                            allowed = row.exists
+                    if not allowed:
+                        cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s) as "exists"', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)
+                        if (row := cur.fetchone()) is not None:
+                            allowed = row.exists
        action = '550 5.7.0 Sender address not authorized for current user'
        if allowed:
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 85f3a439..0a42b808 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -268,9 +268,9 @@ in {
        virtual_transport = "dvlmtp:unix:/run/dovecot-lmtp";
        smtputf8_enable = false;
-        authorized_submit_users = "inline:{ postfwd= dovecot2= }";
+        authorized_submit_users = "inline:{ root= postfwd= dovecot2= }";
-        authorized_flush_users = "fail:flush_users";
+        authorized_flush_users = "inline:{ root= }";
-        authorized_mailq_users = "fail:mailq_users";
+        authorized_mailq_users = "inline:{ root= }";
        postscreen_access_list = "";
        postscreen_denylist_action = "drop";
diff --git a/hosts/surtr/postgresql/default.nix b/hosts/surtr/postgresql/default.nix
index 0ae29058..e29da0b8 100644
--- a/hosts/surtr/postgresql/default.nix
+++ b/hosts/surtr/postgresql/default.nix
@@ -297,6 +297,23 @@ in {
          COMMIT;
+          BEGIN;
+          SELECT _v.register_patch('014-relay', ARRAY['000-base'], null);
+          CREATE TABLE relay_access (
+            id uuid PRIMARY KEY NOT NULL DEFAULT gen_random_uuid(),
+            mailbox uuid REFERENCES mailbox(id),
+            domain citext NOT NULL CONSTRAINT domain_non_empty CHECK (domain <> ''')
+          );
+          COMMIT;
+          BEGIN;
+          SELECT _v.register_patch('015-relay-unique', ARRAY['000-base', '014-relay'], null);
+          CREATE UNIQUE INDEX relay_unique ON relay_access (mailbox, domain);
+          COMMIT;
        ''}
        psql etebase postgres -eXf ${pkgs.writeText "etebase.sql" ''

diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa index ebb298b4..500194ae 100644 --- a/hosts/surtr/dns/zones/li.yggdrasil.soa +++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
1	$ORIGIN yggdrasil.li.	1	$ORIGIN yggdrasil.li.
2	$TTL 3600	2	$TTL 3600
3	@ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (	3	@ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
4	2025052400 ; serial	4	2025060700 ; serial
5	10800 ; refresh	5	10800 ; refresh
6	3600 ; retry	6	3600 ; retry
7	604800 ; expire	7	604800 ; expire
@@ -115,6 +115,8 @@ vidhar IN TXT "v=spf1 redirect=yggdrasil.li"
115		115
116	mailout IN A 188.68.51.254	116	mailout IN A 188.68.51.254
117	mailout IN AAAA 2a03:4000:6:d004::	117	mailout IN AAAA 2a03:4000:6:d004::
		118	mailout IN A 202.61.241.61
		119	mailout IN AAAA 2a03:4000:52:ada::
118	mailout IN MX 0 ymir.yggdrasil.li	120	mailout IN MX 0 ymir.yggdrasil.li
119	mailout IN TXT "v=spf1 redirect=yggdrasil.li"	121	mailout IN TXT "v=spf1 redirect=yggdrasil.li"
120		122


diff --git a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py index 7117eb63..7c931559 100644 --- a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py +++ b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
@@ -28,10 +28,12 @@ class PolicyHandler(StreamRequestHandler):
28		28
29	allowed = False	29	allowed = False
30	user = None	30	user = None
		31	relay_eligible = False
31	if self.args['sasl_username']:	32	if self.args['sasl_username']:
32	user = self.args['sasl_username']	33	user = self.args['sasl_username']
33	if self.args['ccert_subject']:	34	if self.args['ccert_subject']:
34	user = self.args['ccert_subject']	35	user = self.args['ccert_subject']
		36	relay_eligible = True
35		37
36	if user:	38	if user:
37	with self.server.db_pool.connection() as conn:	39	with self.server.db_pool.connection() as conn:
@@ -44,9 +46,16 @@ class PolicyHandler(StreamRequestHandler):
44		46
45	with conn.cursor() as cur:	47	with conn.cursor() as cur:
46	cur.row_factory = namedtuple_row	48	cur.row_factory = namedtuple_row
47	cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s) as "exists"', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)	49
48	if (row := cur.fetchone()) is not None:	50	if relay_eligible:
49	allowed = row.exists	51	cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "relay_access" ON "mailbox".id = "relay_access"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("domain" = %(domain)s OR %(domain)s ilike CONCAT(\'%%_.\', "domain"))) as "exists"', params = {'user': user, 'domain': domain})
		52	if (row := cur.fetchone()) is not None:
		53	allowed = row.exists
		54
		55	if not allowed:
		56	cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s) as "exists"', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)
		57	if (row := cur.fetchone()) is not None:
		58	allowed = row.exists
50		59
51	action = '550 5.7.0 Sender address not authorized for current user'	60	action = '550 5.7.0 Sender address not authorized for current user'
52	if allowed:	61	if allowed:


diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 85f3a439..0a42b808 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix
@@ -268,9 +268,9 @@ in {
268	virtual_transport = "dvlmtp:unix:/run/dovecot-lmtp";	268	virtual_transport = "dvlmtp:unix:/run/dovecot-lmtp";
269	smtputf8_enable = false;	269	smtputf8_enable = false;
270		270
271	authorized_submit_users = "inline:{ postfwd= dovecot2= }";	271	authorized_submit_users = "inline:{ root= postfwd= dovecot2= }";
272	authorized_flush_users = "fail:flush_users";	272	authorized_flush_users = "inline:{ root= }";
273	authorized_mailq_users = "fail:mailq_users";	273	authorized_mailq_users = "inline:{ root= }";
274		274
275	postscreen_access_list = "";	275	postscreen_access_list = "";
276	postscreen_denylist_action = "drop";	276	postscreen_denylist_action = "drop";


diff --git a/hosts/surtr/postgresql/default.nix b/hosts/surtr/postgresql/default.nix index 0ae29058..e29da0b8 100644 --- a/hosts/surtr/postgresql/default.nix +++ b/hosts/surtr/postgresql/default.nix
@@ -297,6 +297,23 @@ in {
297		297
298	COMMIT;	298	COMMIT;
299		299
		300	BEGIN;
		301	SELECT _v.register_patch('014-relay', ARRAY['000-base'], null);
		302
		303	CREATE TABLE relay_access (
		304	id uuid PRIMARY KEY NOT NULL DEFAULT gen_random_uuid(),
		305	mailbox uuid REFERENCES mailbox(id),
		306	domain citext NOT NULL CONSTRAINT domain_non_empty CHECK (domain <> ''')
		307	);
		308
		309	COMMIT;
		310
		311	BEGIN;
		312	SELECT _v.register_patch('015-relay-unique', ARRAY['000-base', '014-relay'], null);
		313
		314	CREATE UNIQUE INDEX relay_unique ON relay_access (mailbox, domain);
		315
		316	COMMIT;
300	''}	317	''}
301		318
302	psql etebase postgres -eXf ${pkgs.writeText "etebase.sql" ''	319	psql etebase postgres -eXf ${pkgs.writeText "etebase.sql" ''