From a436ce952a30b49ba2da98c12cbdfbd5feba6c3f Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Fri, 16 Dec 2022 20:58:41 +0100
Subject: ...

---
 hosts/surtr/email/default.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'hosts/surtr')

diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 42b50c88..80611c3c 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -233,7 +233,11 @@ in {
             "-o" "{smtpd_sender_restrictions = reject_unknown_sender_domain,reject_unverified_sender,check_policy_service unix:/run/postfix-ccert-sender-policy.sock}"
             "-o" "unverified_sender_reject_code=550"
             "-o" "unverified_sender_reject_reason={Sender address rejected: undeliverable address}"
-            "-o" "smtpd_recipient_restrictions=reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_tls_all_clientcerts,reject"
+            "-o" ''{smtpd_recipient_restrictions=reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,check_recipient_access pgsql:${pkgs.writeText "check_recipient_access.cf" ''
+            hosts = postgresql:///email
+            dbname = email
+            query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s'
+          ''},permit_tls_all_clientcerts,reject}''
             "-o" "milter_macro_daemon_name=surtr.yggdrasil.li"
             "-o" ''smtpd_milters=${config.services.opendkim.socket}''
           ];
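Review bot: The `check_recipient_access pgsql:` lookup added to `smtpd_recipient_restrictions` runs before `permit_tls_all_clientcerts`, so any `action` value stored in `virtual_mailbox_access` is applied before the client-certificate check. A row returning `OK` would end this restriction list with a permit for that recipient without a certificate, though relay restrictions outside this hunk may still apply. If the table is meant only to block or defer recipients, I would state that above the `-o` line, e.g. `# virtual_mailbox_access.action must only yield REJECT/DEFER-style results; OK would skip permit_tls_all_clientcerts`, and back it with a constraint on the column. The map file is written with `pkgs.writeText`, so it lands in the world-readable Nix store and should stay free of credentials, as it is now. The argument list this entry belongs to starts outside the hunk.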