diff --git a/nixos/modules/mail.nix b/nixos/modules/mail.nix index 37cf340..9330b39 100644 --- a/nixos/modules/mail.nix +++ b/nixos/modules/mail.nix @@ -156,21 +156,6 @@ in { }; session = { - rcpt = { - # In order to accept mail that we only forward - # without having to generate an account. - # Invalid addresses are filtered by DFN beforehand. - # See also https://stalw.art/docs/smtp/inbound/rcpt/#catch-all-addresses - catch-all = true; - relay = [ - { - "if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de' || starts_with(remote_ip, '192.168.0.')"; #TODO restrict trust by IP - "then" = true; - } - {"else" = false;} - ]; - }; - ehlo.require = [ { "if" = "starts_with(remote_ip, '192.168.0.')"; #TODO setup vms properly @@ -185,6 +170,22 @@ in { } {"else" = true;} ]; + + rcpt = { + # In order to accept mail that we only forward + # without having to generate an account. + # Invalid addresses are filtered by DFN beforehand. + # See also https://stalw.art/docs/smtp/inbound/rcpt/#catch-all-addresses + catch-all = true; + relay = [ + { + "if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de' || starts_with(remote_ip, '192.168.0.')"; #TODO restrict trust by IP + "then" = true; + } + {"else" = false;} + ]; + }; + data.script = "'redirects'"; }; # Stalwart gets its configuration from two places: A TOML configuration file that we control in this module @@ -229,7 +230,6 @@ in { out-messages = 50; }; }; - session.data.script = "'redirects'"; # See https://stalw.art/docs/smtp/authentication/dkim/sign # We need two blocks per domain because the domain setting in the blocks does not accept variables like `sender_domain`.
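Review bot: The `relay` rule re-added under `session.rcpt` in the second hunk still allows unauthenticated relaying for every client whose `remote_ip` starts with `192.168.0.`, and the `#TODO restrict trust by IP` moves with it unresolved. Any host on that /24 can relay without authenticating, and if the server ever sits behind NAT or a proxy that presents an internal source address (not visible in this diff), external clients would match as well. Since the block is being touched anyway, consider narrowing the clause to the hosts that actually need it, e.g. `"if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de' || remote_ip == '<LIST_HOST_IP>'";` with the placeholder replaced by the real address. The `ehlo.require` condition shown as context in the first hunk uses the same prefix match and would benefit from the same tightening. The enclosing `session` attribute set starts and ends outside the hunks.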