fix: add more fishing protection to mail server

2026-02-18 09:12:15 +01:00 · 2026-02-18 09:12:15 +01:00 · 0cd882602e
commit 0cd882602e
parent 479b52edf9
2 changed files with 21 additions and 0 deletions
--- a/hosts/mail/modules/postfix.nix
+++ b/hosts/mail/modules/postfix.nix
@ -180,6 +180,7 @@ in
      smtpd_helo_restrictions = "
                            permit_mynetworks,
                            permit_sasl_authenticated,
+                            check_helo_access regexp:/var/lib/postfix/conf/helo_access,
                            reject_unauth_pipelining,
                            reject_non_fqdn_hostname,
                            reject_invalid_hostname,
--- a/hosts/mail/modules/rspamd.nix
+++ b/hosts/mail/modules/rspamd.nix
@ -52,6 +52,13 @@ let
        }
      }
    }
+    dmarc {
+      actions {
+        reject = "reject";
+        quarantine = "add header";
+        softfail = "no action";
+      }
+    }
  '';

  sieve-spam-filter = pkgs.callPackage ../pkgs/sieve-spam-filter { };
@ -63,6 +70,19 @@ in
      .include(priority=1,duplicate=merge) "${localConfig}"
    '';

+    locals."groups.conf".text = ''
+      symbols {
+        "R_SPF_DNSFAIL" {
+          weight = 2.0;
+          description = "SPF DNS failure";
+        }
+        "DMARC_DNSFAIL" {
+          weight = 2.0;
+          description = "DMARC DNS failure";
+        }
+      }
+    '';
+
    postfix.enable = true;
    workers.controller = {
      extraConfig = ''