From c1d318ba6741c8524f831aab542013f1114d2463 Mon Sep 17 00:00:00 2001
From: jaina heartles
Date: Sun, 9 Mar 2025 23:15:14 -0400
Subject: [PATCH 1/3] fix ipv6 block
---
 postfix.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/postfix.nix b/postfix.nix
index 787aba5..7521826 100644
--- a/postfix.nix
+++ b/postfix.nix
@@ -7,7 +7,7 @@
 ip6tables -A OUTPUT -m owner ! --uid-owner ${user} -m tcp -p tcp --dport 25 -j REJECT --reject-with icmp6-adm-prohibited
 iptables -I OUTPUT -m tcp -p tcp --dport 25 -d 127.0.0.1 -j ACCEPT
- ip6tables -I OUTPUT -m tcp -p tcp --dport 25 -d 127.0.0.1 -j ACCEPT
+ ip6tables -I OUTPUT -m tcp -p tcp --dport 25 -d ::1 -j ACCEPT
 '';
 services.postfix = {
From c9e55d49f1e94c26180e7b8d69f4110f668293b1 Mon Sep 17 00:00:00 2001
From: jaina heartles
Date: Sun, 9 Mar 2025 23:15:44 -0400
Subject: [PATCH 2/3] flush rules on firewall teardown
---
 postfix.nix | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/postfix.nix b/postfix.nix
index 7521826..b014f06 100644
--- a/postfix.nix
+++ b/postfix.nix
@@ -9,6 +9,14 @@
 iptables -I OUTPUT -m tcp -p tcp --dport 25 -d 127.0.0.1 -j ACCEPT
 ip6tables -I OUTPUT -m tcp -p tcp --dport 25 -d ::1 -j ACCEPT
 '';
+ # The following is necessary to prevent the above rules from being added at every nixos-rebuild switch.
+ # See link for more info
+ # https://github.com/NixOS/nixpkgs/issues/201614
+ # Flush the firewall rules
+ networking.firewall.extraStopCommands = ''
+ iptables -F
+ ip6tables -F
+ '';
 services.postfix = {
 enable = true;
From 38d2798bc65ac9afb802972a1291c6c4aa0ae6cd Mon Sep 17 00:00:00 2001
From: jaina heartles
Date: Sun, 9 Mar 2025 23:23:10 -0400
Subject: [PATCH 3/3] block all email ports
---
 postfix.nix | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/postfix.nix b/postfix.nix
index b014f06..62117bd 100644
--- a/postfix.nix
+++ b/postfix.nix
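Review bot: `iptables -F` and `ip6tables -F` in the new extraStopCommands flush every chain of the filter table (INPUT, FORWARD, OUTPUT and all user-defined chains), not only the OUTPUT rules this module appends, so a firewall stop or restart also discards filter rules kept by anything outside the NixOS firewall script, which may not be recreated on the next start. A narrower teardown removes only what extraCommands added: create a dedicated chain for these rules in extraCommands (flush-or-create it there as well, so `-A` into it cannot accumulate duplicates across switches), jump to it from OUTPUT, and in extraStopCommands drop that jump, then flush and delete just that chain, tolerating the error when it does not yet exist. The comment on the first added line also reads as if the rules would stop being added at all; what the flush prevents is the same rules being appended a second time on every switch, e.g. `# Flush on stop so the rules appended by extraCommands are not duplicated on every nixos-rebuild switch`.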
@@ -1,14 +1,21 @@
 { pkgs, config, ... }:
 {
- networking.firewall.extraCommands = let user = config.services.postfix.user;
- in ''
- iptables -A OUTPUT -m owner ! --uid-owner ${user} -m tcp -p tcp --dport 25 -j REJECT --reject-with icmp-admin-prohibited
- ip6tables -A OUTPUT -m owner ! --uid-owner ${user} -m tcp -p tcp --dport 25 -j REJECT --reject-with icmp6-adm-prohibited
+ # Prevent outgoing connections to email ports from users other than postfix
+ # unless the destination is localhost
+ networking.firewall.extraCommands = let
+ user = config.services.postfix.user;
+ makeRules = port:
+ let p = builtins.toString port;
+ in ''
+ iptables -A OUTPUT -m owner ! --uid-owner ${user} -m tcp -p tcp --dport ${p} -j REJECT --reject-with icmp-admin-prohibited
+ ip6tables -A OUTPUT -m owner ! --uid-owner ${user} -m tcp -p tcp --dport ${p} -j REJECT --reject-with icmp6-adm-prohibited
- iptables -I OUTPUT -m tcp -p tcp --dport 25 -d 127.0.0.1 -j ACCEPT
- ip6tables -I OUTPUT -m tcp -p tcp --dport 25 -d ::1 -j ACCEPT
- '';
+ iptables -I OUTPUT -m tcp -p tcp --dport ${p} -d 127.0.0.1 -j ACCEPT
+ ip6tables -I OUTPUT -m tcp -p tcp --dport ${p} -d ::1 -j ACCEPT
+ '';
+ in builtins.concatStringsSep "\n"
+ (builtins.map makeRules [ 25 587 465 2525 ]);
 # The following is necessary to prevent the above rules from being added at every nixos-rebuild switch.
 # See link for more info
 # https://github.com/NixOS/nixpkgs/issues/201614
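Review bot: The rules built by makeRules live only in the filter table's OUTPUT chain behind an owner match, so they govern packets generated by processes on this host; traffic the host forwards for containers or VMs traverses FORWARD instead and is not subject to the block, and nothing in the hunk states that boundary. The two-line header comment on the new side should say so, and the port list deserves a comment naming its entries, e.g. `# 25 smtp, 587 submission, 465 smtps, 2525 (commonly used alternate submission port); only locally generated traffic is matched (OUTPUT), forwarded traffic is not`. The ordering also merits a note, since it is what makes the exemption work: `# -I puts the localhost ACCEPT ahead of the appended REJECT, so any local user may still hand mail to the local postfix`. Neither the file nor the hunk shows whether forwarding is enabled on this host, so whether FORWARD needs matching rules is for the author to confirm.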