From 445f03c8a7d438e3cb165cf9a24a79af31f300b5 Mon Sep 17 00:00:00 2001
From: Gonne <gonne@mathebau.de>
Date: Fri, 28 Feb 2025 11:11:58 +0100
Subject: [PATCH 1/2] Delete directive proxy_interface

This directive is supposed to prevent mail delivery loops that would be caused by portforwarding to itself.
Behind this ip address, however, there is our general mail vm and not immediately the mailinglist setup.
---
 nixos/modules/mailman.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/nixos/modules/mailman.nix b/nixos/modules/mailman.nix
index f4ecd0e..1c8eaba 100644
--- a/nixos/modules/mailman.nix
+++ b/nixos/modules/mailman.nix
@@ -32,7 +32,6 @@ in {
         config = {
           transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
           local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
-          proxy_interfaces = "130.83.2.184";
           smtputf8_enable = "no"; # HRZ does not know SMTPUTF8
         };
         relayHost = "mathebau.de"; # Relay to mail vm which relays to HRZ (see https://www.hrz.tu-darmstadt.de/services/it_services/email_infrastruktur/index.de.jsp)

From 1de36855841c170c843330e00c49ec52c38f888b Mon Sep 17 00:00:00 2001
From: Gonne <gonne@mathebau.de>
Date: Fri, 28 Feb 2025 11:13:59 +0100
Subject: [PATCH 2/2] Allow unpacking stalwart's webadmin interface

---
 nixos/modules/mail.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/nixos/modules/mail.nix b/nixos/modules/mail.nix
index 4d7f950..76eadb1 100644
--- a/nixos/modules/mail.nix
+++ b/nixos/modules/mail.nix
@@ -148,6 +148,7 @@ in {
             # In order to accept mail that we only forward
             # without having to generate an account.
             # Invalid addresses are filtered by DFN beforehand.
+            # See also https://stalw.art/docs/smtp/inbound/rcpt/#catch-all-addresses
             catch-all = true;
             relay = [
               {
@@ -267,6 +268,7 @@ in {
         "stalwart-mail" = {
           restartTriggers = lib.attrsets.mapAttrsToList (_: aliaslist: aliaslist.sopsFile) config.sops.secrets; # restart if secrets, especially alias files, have changed.
           serviceConfig.PrivateTmp = lib.mkForce false; # enable access to generated Sieve script
+          serviceConfig.ProtectSystem = lib.mkForce "full"; # "strict" does not allow writing to /tmp which we need for unpacking the webadmin interface. "full" is less strict.
         };
         "virt-aliases-generator" = {
           description = "Virtual Aliases Generator: Generate a sieve script from the virtual alias file";