From 0b0be3f0018f80f8345b60672eca6bcf37ec2b5c Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 7 Jun 2025 10:21:02 +0200
Subject: ...
---
 hosts/surtr/dns/zones/li.yggdrasil.soa | 4 +++-
 .../ccert-policy-server/ccert_policy_server/__main__.py | 15 ++++++++++++---
 hosts/surtr/postgresql/default.nix | 11 +++++++++++
 3 files changed, 26 insertions(+), 4 deletions(-)
(limited to 'hosts')
diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa
index ebb298b4..500194ae 100644
--- a/hosts/surtr/dns/zones/li.yggdrasil.soa
+++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
- 2025052400 ; serial
+ 2025060700 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -115,6 +115,8 @@ vidhar IN TXT "v=spf1 redirect=yggdrasil.li"
 mailout IN A 188.68.51.254
 mailout IN AAAA 2a03:4000:6:d004::
+mailout IN A 202.61.241.61
+mailout IN AAAA 2a03:4000:52:ada::
 mailout IN MX 0 ymir.yggdrasil.li
 mailout IN TXT "v=spf1 redirect=yggdrasil.li"
diff --git a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
index 7117eb63..cf89ca27 100644
--- a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
+++ b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
@@ -28,10 +28,12 @@ class PolicyHandler(StreamRequestHandler):
 allowed = False
 user = None
+ relay_eligible = False
 if self.args['sasl_username']:
 user = self.args['sasl_username']
 if self.args['ccert_subject']:
 user = self.args['ccert_subject']
+ relay_eligible = True
 if user:
 with self.server.db_pool.connection() as conn:
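Review bot: The added `mailout IN A 202.61.241.61` and `mailout IN AAAA 2a03:4000:52:ada::` records give mailout a second address pair while the existing `mailout IN TXT "v=spf1 redirect=yggdrasil.li"` is left as it was, so if the new host actually submits mail, an SPF check on those source addresses will fail unless the yggdrasil.li SPF record (not part of this diff) already covers both of them. The same goes for reverse DNS: receiving MTAs look at the PTR records for 202.61.241.61 and 2a03:4000:52:ada::, and the forward records alone do not establish that they resolve back to mailout. If the second address pair is only meant for inbound delivery the SPF point does not apply, but nothing in the zone says which it is.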
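Review bot: `relay_eligible` is set to True only on the `ccert_subject` branch and never for a SASL-authenticated user, and nothing in the hunk records that this asymmetry is deliberate; a comment next to `relay_eligible = True` such as `# only client-certificate identities may hold relay_access rights; SASL users stay on per-mailbox mapping` would keep a later edit from widening it by accident. Because the `ccert_subject` branch runs after the `sasl_username` one, a request carrying both ends up with `user` and `relay_eligible` both taken from the certificate, which is worth stating in the same comment. The enclosing method starts before this hunk and continues after it.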
@@ -44,9 +46,16 @@ class PolicyHandler(StreamRequestHandler):
 with conn.cursor() as cur:
 cur.row_factory = namedtuple_row
- cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s) as "exists"', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)
- if (row := cur.fetchone()) is not None:
- allowed = row.exists
+
+ if relay_eligible:
+ cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "relay_access" ON "mailbox".id = "relay_access"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND "domain" = %(domain)s) as "exists"', params = {'user': user, 'domain': domain})
+ if (row := cur.fetchone()) is not None:
+ allowed = row.exists
+
+ if not allowed:
+ cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s) as "exists"', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)
+ if (row := cur.fetchone()) is not None:
+ allowed = row.exists
 action = '550 5.7.0 Sender address not authorized for current user'
 if allowed:
diff --git a/hosts/surtr/postgresql/default.nix b/hosts/surtr/postgresql/default.nix
index 0ae29058..dedd4c7c 100644
--- a/hosts/surtr/postgresql/default.nix
+++ b/hosts/surtr/postgresql/default.nix
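Review bot: The `relay_eligible` branch authorizes the sender on `"mailbox"."mailbox" = %(user)s AND "domain" = %(domain)s` alone, so a client-certificate identity with a `relay_access` row may send as any local part and any extension under that domain, and the code does not say that this broadening is intended; a comment above the first `cur.execute`, such as `# relay_access grants the whole domain: local part and extension are deliberately not restricted here`, would pin down the contract for the next reader. The new relay query also drops the `prepare=True` that the retained mailbox_mapping query still passes, so the two `cur.execute` calls on the same cursor are configured differently for no visible reason; `cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "relay_access" ON "mailbox".id = "relay_access"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND "domain" = %(domain)s) as "exists"', params = {'user': user, 'domain': domain}, prepare=True)` keeps them consistent. The enclosing method starts before this hunk and continues after it.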
@@ -297,6 +297,17 @@ in {
 COMMIT;
+
+ BEGIN;
+ SELECT _v.register_patch('013-internal', ARRAY['000-base'], null);
+
+ CREATE TABLE relay_access (
+ id uuid PRIMARY KEY NOT NULL DEFAULT gen_random_uuid(),
+ mailbox uuid REFERENCES mailbox(id),
+ domain citext NOT NULL CONSTRAINT domain_non_empty CHECK (domain <> '''),
+ );
+
+ COMMIT;
 ''}
 psql etebase postgres -eXf ${pkgs.writeText "etebase.sql" ''
-- cgit v1.2.3
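Review bot: The new `CREATE TABLE relay_access` ends its column list with a trailing comma (`... CHECK (domain <> '''),` is directly followed by `);`), which PostgreSQL rejects as a syntax error, so the `013-internal` patch will abort inside its `BEGIN`/`COMMIT` block and the policy server's relay query would be left pointing at a table that never gets created; drop the comma: `domain citext NOT NULL CONSTRAINT domain_non_empty CHECK (domain <> ''')`. Separately, `mailbox` is nullable and nothing prevents duplicate (mailbox, domain) rows; the EXISTS query in the policy server tolerates both, but for a table that grants whole-domain sending rights `mailbox uuid NOT NULL REFERENCES mailbox(id),` plus a `UNIQUE (mailbox, domain)` table constraint make the grants easier to audit. The surrounding Nix indented string and the `in {` attribute set begin before this hunk.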