From 7ae06caef8f60e5c519607c83d327311765e28fd Mon Sep 17 00:00:00 2001
From: Jimbo
Date: Wed, 18 Sep 2024 13:49:57 -0400
Subject: [PATCH] Properly force the VPN SMTP thing
---
 nixos/server/firewall.nix | 3 +++
 nixos/server/mailserver.nix | 6 ++----
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/nixos/server/firewall.nix b/nixos/server/firewall.nix
index 7ea651c..18aad42 100644
--- a/nixos/server/firewall.nix
+++ b/nixos/server/firewall.nix
@@ -5,6 +5,7 @@
 # Configure firewall
 networking = let
 ips = import ../modules/ips.nix;
+ mailPorts = "{ 25, 143, 465, 587, 993, 4190 }";
 in {
 firewall = {
 allowPing = false;
@@ -13,6 +14,7 @@
 extraInputRules = ''
 ip saddr ${ips.localSpan}.0/24 tcp dport 2049 accept comment "Accept NFS"
 ip saddr { ${ips.pc}, ${outputs.secrets.lunaIP}, ${outputs.secrets.cornIP}, ${outputs.secrets.vertIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP"
+ ip saddr ${ips.wgSpan}.3 tcp dport ${mailPorts} accept comment "Accept mail"
 '';
 };
@@ -45,6 +47,7 @@
 type nat hook postrouting priority 100; policy accept;
 oifname "${ips.netInt}" masquerade
 iifname "${ips.netInt}" oifname "${ips.wgInt}" masquerade comment "Traffic from public to WireGuard"
+ tcp dport ${mailPorts} oifname != "${ips.wgInt}" drop comment "Send mail"
 }
 '';
 };
diff --git a/nixos/server/mailserver.nix b/nixos/server/mailserver.nix
index 295e79d..d6ca3ba 100644
--- a/nixos/server/mailserver.nix
+++ b/nixos/server/mailserver.nix
@@ -2,7 +2,7 @@
 # Mail server
 mailserver = rec {
 enable = true;
- enableManageSieve = true;
+ openFirewall = false;
 domains = [ "${outputs.secrets.jimDomain}" ];
 fqdn = "mx.${outputs.secrets.jimDomain}";
 certificateScheme = "acme-nginx";
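Review bot: The new "Accept mail" input rule matches on source address alone, so any packet that arrives on the public interface carrying a forged source of `${ips.wgSpan}.3` also matches, unless reverse-path filtering is enabled somewhere this hunk does not show. WireGuard's cryptokey routing only guarantees that address for packets that actually came through the tunnel, so the rule should be pinned to the tunnel interface as well: `iifname "${ips.wgInt}" ip saddr ${ips.wgSpan}.3 tcp dport ${mailPorts} accept comment "Accept mail from WireGuard peer"`. The enclosing `extraInputRules` string and the `firewall` attribute set both continue outside the hunk.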
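Review bot: The new drop rule is placed after `oifname "${ips.netInt}" masquerade` in the same postrouting chain, and masquerade is a terminal NAT statement, so a mail connection leaving via `${ips.netInt}` is consumed by the first rule and never reaches the drop — the exact path the commit means to block is left open. A NAT-hook chain is also only traversed by the first packet of a flow and is not the right place for egress filtering; a `type filter hook output` chain (or, at minimum, moving the drop above the two masquerade lines) is the robust fix. As written the rule also matches loopback, so local connections to 127.0.0.1 on these ports would be dropped if anything on the host makes them — presumably unintended; `oifname != { "${ips.wgInt}", "lo" }` avoids that. The comment `"Send mail"` describes the opposite of what a drop does; `comment "Force outbound mail over WireGuard"` says what the rule is for. The enclosing nftables table string starts before this hunk.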
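Review bot: Removing `enableManageSieve = true;` turns the ManageSieve listener off, but the same patch still allows port 4190 in `mailPorts` in firewall.nix, leaving a dead entry in the allow-list; either drop 4190 from that set or keep ManageSieve enabled so the two files agree. With `openFirewall = false;` the module no longer opens 25/465/587/143/993 to the world, so arbitrary MXs on the internet can no longer deliver to this host on port 25 unless the WireGuard peer at .3 relays inbound mail — presumably the intent, but worth a line of documentation: `openFirewall = false; # mail ports are only reachable from the WireGuard relay, see firewall.nix`. The `mailserver` attribute set continues past the hunk.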
@@ -25,15 +25,13 @@
 };
 "jimbo@${outputs.secrets.jimDomain}" = {
 hashedPasswordFile = pkgs.writeText "jimbo" outputs.secrets.jimboMailHash;
- aliases = [ "canada@${outputs.secrets.jimDomain}" "contact@${outputs.secrets.jimDomain}" ];
+ aliases = [ "james@${outputs.secrets.jimDomain}" "contact@${outputs.secrets.jimDomain}" ];
 };
 "lunamoonlight@${outputs.secrets.jimDomain}" = {
 hashedPasswordFile = pkgs.writeText "luna" outputs.secrets.lunaMailHash;
- aliases = [ "us@${outputs.secrets.jimDomain}" "contact@${outputs.secrets.jimDomain}" ];
 };
 "freecorn1854@${outputs.secrets.jimDomain}" = {
 hashedPasswordFile = pkgs.writeText "freecorn" outputs.secrets.freecornMailHash;
- aliases = [ "canada@${outputs.secrets.jimDomain}" "contact@${outputs.secrets.jimDomain}" ];
 };
 "tinyattack09@${outputs.secrets.jimDomain}" = {
 hashedPasswordFile = pkgs.writeText "tiny" outputs.secrets.tinyMailHash;
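Review bot: Every account in this hunk keeps `hashedPasswordFile = pkgs.writeText "…" outputs.secrets.…MailHash;`, which writes the password hash into the world-readable Nix store (and into any binary cache this host pushes to), so the hashes are exposed to every local user and to anyone with cache access; this predates the commit but the hunk touches each of these entries. Point `hashedPasswordFile` at a root-only file outside the store instead, e.g. a path provided by whatever secrets tooling produces `outputs.secrets`, and keep only the path in the Nix expression. Note that after this change `contact@` resolves to `jimbo` alone, since the alias was removed from the other two accounts — fine if intended, but worth a one-line comment on the jimbo entry such as `# contact@ is delivered only to this account`. The `loginAccounts` set this hunk sits in starts before line 25.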