From 0cd882602e1a263547a9c8a146f75e137b8da124 Mon Sep 17 00:00:00 2001 From: Dominik Polakovics Date: Wed, 18 Feb 2026 09:12:15 +0100 Subject: [PATCH 1/4] fix: add more fishing protection to mail server --- hosts/mail/modules/postfix.nix | 1 + hosts/mail/modules/rspamd.nix | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/hosts/mail/modules/postfix.nix b/hosts/mail/modules/postfix.nix index bc9d8ee..1b53a7b 100644 --- a/hosts/mail/modules/postfix.nix +++ b/hosts/mail/modules/postfix.nix @@ -180,6 +180,7 @@ in smtpd_helo_restrictions = " permit_mynetworks, permit_sasl_authenticated, + check_helo_access regexp:/var/lib/postfix/conf/helo_access, reject_unauth_pipelining, reject_non_fqdn_hostname, reject_invalid_hostname, diff --git a/hosts/mail/modules/rspamd.nix b/hosts/mail/modules/rspamd.nix index becc93b..f4253ab 100644 --- a/hosts/mail/modules/rspamd.nix +++ b/hosts/mail/modules/rspamd.nix @@ -52,6 +52,13 @@ let } } } + dmarc { + actions { + reject = "reject"; + quarantine = "add header"; + softfail = "no action"; + } + } ''; sieve-spam-filter = pkgs.callPackage ../pkgs/sieve-spam-filter { }; @@ -63,6 +70,19 @@ in .include(priority=1,duplicate=merge) "${localConfig}" ''; + locals."groups.conf".text = '' + symbols { + "R_SPF_DNSFAIL" { + weight = 2.0; + description = "SPF DNS failure"; + } + "DMARC_DNSFAIL" { + weight = 2.0; + description = "DMARC DNS failure"; + } + } + ''; + postfix.enable = true; workers.controller = { extraConfig = '' From 133d031386b4552db36d5365388f4e8cea2752ff Mon Sep 17 00:00:00 2001 From: Dominik Polakovics Date: Wed, 18 Feb 2026 09:12:23 +0100 Subject: [PATCH 2/4] feat: add header for fueltide --- hosts/web-arm/sites/fueltide.io.nix | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/hosts/web-arm/sites/fueltide.io.nix b/hosts/web-arm/sites/fueltide.io.nix index 138952b..eee28ae 100644 --- a/hosts/web-arm/sites/fueltide.io.nix +++ b/hosts/web-arm/sites/fueltide.io.nix 
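Review bot: The new check_helo_access entry in smtpd_helo_restrictions references /var/lib/postfix/conf/helo_access, but nothing in this patch creates that file, and Postfix generally treats a lookup table it cannot open as a fatal error in smtpd rather than as an empty table. If the file is managed outside this repository, say so in a comment; otherwise generate it from the Nix configuration so the patterns are versioned together with the restriction that references them. A regexp table is scanned top to bottom with the first match winning, and because this entry sits after permit_mynetworks and permit_sasl_authenticated it only ever applies to unauthenticated clients outside mynetworks, so a comment such as `# regexp table: first match wins; only evaluated for unauthenticated, non-mynetworks clients` would spare the next reader a trip to the manual. The smtpd_helo_restrictions string continues outside the hunk.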
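Review bot: The dmarc actions block on the added lines turns a sender's published p=reject into an unconditional rspamd reject, bypassing the score-based decision the rest of this configuration relies on, so mail relayed through mailing lists or forwarders that break DKIM and carry no ARC seal will be rejected outright instead of scored. That may well be the intended trade-off, but it deserves a comment beside the block, e.g. `# policy-driven actions override scoring; forwarded mail without ARC is hard-rejected under p=reject`. Please also confirm that `"add header"` (with a space) is the action spelling the installed rspamd accepts here and that `softfail` is a recognised key for this module's actions map, since neither can be checked from the patch. The enclosing localConfig string starts outside the hunk.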
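Review bot: The new groups.conf entry gives R_SPF_DNSFAIL and DMARC_DNSFAIL a weight of 2.0, but both symbols fire on a resolver failure rather than on anything the sender controls, so during a local DNS outage every inbound message collects those points and legitimate mail is pushed toward the greylist or add-header thresholds. If the intent is to penalise senders whose own DNS is broken, record it and its side effect in a comment, e.g. `# raised from the (presumably zero) upstream default; also fires on our own resolver errors`. It is also worth checking whether a top-level `symbols { }` block in local.d/groups.conf is honoured by the installed rspamd or whether these overrides need to live under `group "spf"` / `group "dmarc"` to take effect; the patch does not show which. The enclosing attribute set continues outside the hunk.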
@@ -21,6 +21,11 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILf3KpvY3sG/l5w4phV3qxOnahFpb7op/8y6i3oLWXv" ]; + extraConfig = '' + add_header Cross-Origin-Embedder-Policy "credentialless" always; + add_header Content-Security-Policy "media-src 'self' https://*.supabase.co blob:;" always; + ''; + locations."/".extraConfig = '' index index.html; try_files $uri $uri/ /index.html; @@ -41,6 +46,11 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILf3KpvY3sG/l5w4phV3qxOnahFpb7op/8y6i3oLWXv" ]; + extraConfig = '' + add_header Cross-Origin-Embedder-Policy "credentialless" always; + add_header Content-Security-Policy "media-src 'self' https://*.supabase.co blob:;" always; + ''; + locations."/".extraConfig = '' index index.html; try_files $uri $uri/ /index.html; @@ -61,6 +71,11 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILf3KpvY3sG/l5w4phV3qxOnahFpb7op/8y6i3oLWXv" ]; + extraConfig = '' + add_header Cross-Origin-Embedder-Policy "credentialless" always; + add_header Content-Security-Policy "media-src 'self' https://*.supabase.co blob:;" always; + ''; + locations."/".extraConfig = '' index index.html; try_files $uri $uri/ /index.html; From 6072d13dc02278a64a11943abdca40014c5a6c0d Mon Sep 17 00:00:00 2001 From: Dominik Polakovics Date: Wed, 18 Feb 2026 14:15:48 +0100 Subject: [PATCH 3/4] feat: add mailSendOnly possibility --- hosts/mail/modules/dovecot.nix | 2 +- hosts/mail/modules/openldap.nix | 10 ++++++++-- hosts/mail/modules/postfix.nix | 6 +++--- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/hosts/mail/modules/dovecot.nix b/hosts/mail/modules/dovecot.nix index 3c23a36..91939cf 100644 --- a/hosts/mail/modules/dovecot.nix +++ b/hosts/mail/modules/dovecot.nix @@ -14,7 +14,7 @@ let auth_bind = no ldap_version = 3 base = ou=users,dc=%Dd - user_filter = (&(objectClass=mailAccount)(mail=%u)) + user_filter = (&(objectClass=mailAccount)(mail=%u)(!(mailSendOnly=TRUE))) user_attrs = \ quota=quota_rule=*:bytes=%$, \ =home=/var/vmail/%d/%n/, \ 
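Review bot: The Content-Security-Policy added in extraConfig sets only media-src, so with no default-src the policy leaves script-src, object-src, frame-ancestors and the other directives unrestricted; as written it is a media allow-list rather than an injection or framing defence, and the identical blocks in the second and third hunks of this file share the same limitation. If that is deliberate, a comment such as `# CSP here only scopes media loading (Supabase storage + blob:); it is not a full policy` keeps later readers from assuming the site is CSP-protected, and if not, the header needs at least `default-src` and `frame-ancestors` values appropriate to the application. Note too that nginx discards server-level add_header lines in any location that declares its own add_header, so these inherited headers silently vanish from a location that later gains one, and the three identical `extraConfig` strings could be one let-bound value so they cannot drift apart. The enclosing virtualHost definitions start outside the hunks.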
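Review bot: The new user_filter clause hides mailSendOnly=TRUE accounts from Dovecot's userdb, which — if the pass_filter elsewhere in this string still admits them — means such accounts can still authenticate through passdb for submission while IMAP/POP login and LMTP delivery fail with an unknown-user result, and nothing in the patch states that this asymmetry is the intent. A comment on the line, `# send-only accounts (mailSendOnly=TRUE) are excluded from userdb: no mailbox, no IMAP/LMTP; passdb/SASL unaffected`, would make it explicit. The exclusion also depends on the directory's equality rule for this attribute, so a stored value other than TRUE (in any letter case), such as `yes` or `1`, would not be excluded; worth documenting wherever the attribute is set. The enclosing ldap configuration string starts outside the hunk.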
diff --git a/hosts/mail/modules/openldap.nix b/hosts/mail/modules/openldap.nix index 26bf1c5..bb76d7a 100644 --- a/hosts/mail/modules/openldap.nix +++ b/hosts/mail/modules/openldap.nix @@ -376,6 +376,12 @@ in SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}) '' + '' + (1.3.6.1.4.1.12461.1.1.9 NAME 'mailSendOnly' + DESC 'If TRUE, account can only send mail, not receive' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE) + '' ]; olcObjectClasses = [ '' @@ -383,14 +389,14 @@ in SUP top AUXILIARY DESC 'Mail account objects' MUST ( mail $ userPassword ) - MAY ( cn $ description $ quota)) + MAY ( cn $ description $ quota $ mailSendOnly)) '' '' (1.3.6.1.4.1.12461.1.2.2 NAME 'mailAlias' SUP top STRUCTURAL DESC 'Mail aliasing/forwarding entry' MUST ( mail $ maildrop ) - MAY ( cn $ description )) + MAY ( cn $ description $ mailSendOnly )) '' '' (1.3.6.1.4.1.12461.1.2.3 NAME 'mailDomain' diff --git a/hosts/mail/modules/postfix.nix b/hosts/mail/modules/postfix.nix index 1b53a7b..30ee17c 100644 --- a/hosts/mail/modules/postfix.nix +++ b/hosts/mail/modules/postfix.nix @@ -31,7 +31,7 @@ let bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com bind_pw = @ldap-password@ scope = sub - query_filter = (&(uid=%u)(objectClass=mailAccount)) + query_filter = (&(uid=%u)(objectClass=mailAccount)(!(mailSendOnly=TRUE))) result_attribute = mail debuglevel = 0 ''; @@ -59,7 +59,7 @@ let bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com bind_pw = @ldap-password@ scope = sub - query_filter = (&(objectClass=mailAccount)(uid=%u)) + query_filter = (&(objectClass=mailAccount)(uid=%u)(!(mailSendOnly=TRUE))) result_attribute = mail debuglevel = 0 ''; 
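Review bot: The new mailSendOnly attribute type is declared with IA5 String syntax and caseIgnoreIA5Match, yet every consumer in this series filters on `(!(mailSendOnly=TRUE))`, so any value the directory accepts other than TRUE — `yes`, `1`, a trailing space — silently fails open and the account receives mail again. Declaring it with the Boolean syntax, `EQUALITY booleanMatch` and `SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE)`, makes OpenLDAP reject anything but TRUE/FALSE at write time, which is what the DESC "If TRUE" already promises. The attribute is new, so there are no existing values to migrate. The olcAttributeTypes list continues outside the hunk.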
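Review bot: Adding mailSendOnly to the mailAlias objectClass has a different effect than on mailAccount: the alias lookup in postfix.nix (hunk `@@ -73`) excludes such entries from the maildrop query, so a send-only alias neither delivers nor forwards anywhere, which presumably only makes sense if aliases are also consulted as permitted sender identities in a map not shown here. A sentence in the objectClass DESC, or a comment above the MAY clause, stating what a send-only alias is for would stop a future reader from treating the option as dead. The olcObjectClasses list continues outside the hunk.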
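Review bot: The exclusion `(!(mailSendOnly=TRUE))` is pasted into three separate query_filter strings in this file (this hunk, `@@ -59` and `@@ -73`), and the fourth patch in the series already has to revert one of them, which is exactly the failure mode such copies invite. Binding the clause once in the enclosing let, e.g. `notSendOnly = "(!(mailSendOnly=TRUE))";`, and interpolating `${notSendOnly}` where it applies keeps the filters consistent and makes the one map that deliberately omits it stand out. A one-line comment on each map naming the Postfix parameter it backs would also help, since the filters alone only suggest which is the mailbox, sender-login and alias lookup. The let binding and the map definitions start outside the hunk.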
@@ -73,7 +73,7 @@ let bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com bind_pw = @ldap-password@ scope = one - query_filter = (&(objectClass=mailAlias)(mail=%s)) + query_filter = (&(objectClass=mailAlias)(mail=%s)(!(mailSendOnly=TRUE))) result_attribute = maildrop debuglevel = 0 ''; From fe0c455bc6996426a3dc27fdbb681c507f3e0a47 Mon Sep 17 00:00:00 2001 From: Dominik Polakovics Date: Wed, 18 Feb 2026 15:07:28 +0100 Subject: [PATCH 4/4] fix: postfix allow send from mailSendOnly --- hosts/mail/modules/postfix.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/mail/modules/postfix.nix b/hosts/mail/modules/postfix.nix index 30ee17c..8511430 100644 --- a/hosts/mail/modules/postfix.nix +++ b/hosts/mail/modules/postfix.nix @@ -59,7 +59,7 @@ let bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com bind_pw = @ldap-password@ scope = sub - query_filter = (&(objectClass=mailAccount)(uid=%u)(!(mailSendOnly=TRUE))) + query_filter = (&(objectClass=mailAccount)(uid=%u)) result_attribute = mail debuglevel = 0 '';
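Review bot: After this revert the `(uid=%u)` mailAccount map is the only LDAP lookup in postfix.nix that still resolves mailSendOnly=TRUE accounts, and nothing on the line records why, so the next tidy-up is likely to "re-fix" it the way patch 3 did. A comment above query_filter, `# deliberately no mailSendOnly filter: send-only accounts must still resolve here so they can authenticate and send`, closes that loop; the Postfix parameter this map backs is not visible in the hunk, so name it in the comment as well. It is also worth stating somewhere that send-only addresses become bounce sinks, since DSNs and auto-replies addressed to them are now rejected as unknown recipients. The map definition starts outside the hunk.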