block all email ports

postfix.nix

@@ -1,13 +1,28 @@
 { pkgs, config, ... }:
 
 {
-  networking.firewall.extraCommands = let user = config.services.postfix.user;
-  in ''
-    iptables -A OUTPUT -m owner ! --uid-owner ${user} -m tcp -p tcp --dport 25 -j REJECT --reject-with icmp-admin-prohibited
-    ip6tables -A OUTPUT -m owner ! --uid-owner ${user} -m tcp -p tcp --dport 25 -j REJECT --reject-with icmp6-adm-prohibited
+  # Prevent outgoing connections to email ports from users other than postfix
+  # unless the destination is localhost
+  networking.firewall.extraCommands = let
+    user = config.services.postfix.user;
+    makeRules = port:
+      let p = builtins.toString port;
+      in ''
+        iptables -A OUTPUT -m owner ! --uid-owner ${user} -m tcp -p tcp --dport ${p} -j REJECT --reject-with icmp-admin-prohibited
+        ip6tables -A OUTPUT -m owner ! --uid-owner ${user} -m tcp -p tcp --dport ${p} -j REJECT --reject-with icmp6-adm-prohibited
 
-    iptables -I OUTPUT -m tcp -p tcp --dport 25 -d 127.0.0.1 -j ACCEPT
-    ip6tables -I OUTPUT -m tcp -p tcp --dport 25 -d 127.0.0.1 -j ACCEPT
+        iptables -I OUTPUT -m tcp -p tcp --dport ${p} -d 127.0.0.1 -j ACCEPT
+        ip6tables -I OUTPUT -m tcp -p tcp --dport ${p} -d ::1 -j ACCEPT
+      '';
+  in builtins.concatStringsSep "\n"
+  (builtins.map makeRules [ 25 587 465 2525 ]);
+  # The following is necessary to prevent the above rules from being added at every nixos-rebuild switch.
+  # See link for more info
+  # https://github.com/NixOS/nixpkgs/issues/201614
+  # Flush the firewall rules
+  networking.firewall.extraStopCommands = ''
+    iptables -F
+    ip6tables -F
   '';
 
   services.postfix = {