Add firewall rules that mitigate spam

postfix.nix

@@ -1,6 +1,12 @@
 { pkgs, config, ... }:
 
 {
+  networking.firewall.extraCommands = let user = config.services.postfix.user;
+  in ''
+    iptables -I OUTPUT -m owner ! --uid-owner ${user} -m tcp -p tcp --dport 25 -j REJECT --reject-with icmp-admin-prohibited
+    ip6tables -I OUTPUT -m owner ! --uid-owner ${user} -m tcp -p tcp --dport 25 -j REJECT --reject-with icmp6-adm-prohibited
+  '';
+
   services.postfix = {
     enable = true;
     enableSubmission = true;