From e4c6e6e2ee775fbb2aa46281bdf446d252a2d6dc Mon Sep 17 00:00:00 2001
From: Marcel
Date: Sat, 10 Aug 2024 19:05:14 +0200
Subject: [PATCH 1/2] domains: separate into domains and domainsWithoutMailbox
---
 default.nix | 9 ++++++++-
 mail-server/postfix.nix | 2 +-
 mail-server/rspamd.nix | 2 +-
 3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/default.nix b/default.nix
index 3f46610..50f5cf1 100644
--- a/default.nix
+++ b/default.nix
@@ -41,7 +41,14 @@ in
 type = types.listOf types.str;
 example = [ "example.com" ];
 default = [];
- description = "The domains that this mail server serves.";
+ description = "The domains served by this mail server for delivery into mailboxes and forwards.";
+ };
+
+ domainsWithoutMailbox = mkOption {
+ type = types.listOf types.str;
+ example = [ "lists.example.com" ];
+ default = [];
+ description = "The domains served by this mail server and forwards.";
 };
 
 certificateDomains = mkOption {
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index db3e581..dc928fa 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -94,7 +94,7 @@ let
 reject_recipients_file = builtins.toFile "reject_recipients" (lib.concatStringsSep "\n" (reject_recipients_postfix)) ;
 
 # vhosts_file :: Path
- vhosts_file = builtins.toFile "vhosts" (concatStringsSep "\n" cfg.domains);
+ vhosts_file = builtins.toFile "vhosts" (concatStringsSep "\n" (cfg.domainsWithoutMailbox ++ cfg.domains));
 
 # vaccounts_file :: Path
 # see
diff --git a/mail-server/rspamd.nix b/mail-server/rspamd.nix
index fd94c84..06754d6 100644
--- a/mail-server/rspamd.nix
+++ b/mail-server/rspamd.nix
@@ -165,7 +165,7 @@ in
 SupplementaryGroups = [ config.services.redis.servers.rspamd.group ];
 }
 (lib.optionalAttrs cfg.dkimSigning {
- ExecStartPre = map createDkimKeypair cfg.domains;
+ ExecStartPre = map createDkimKeypair (cfg.domainsWithoutMailbox ++ cfg.domains);
 ReadWritePaths = [ cfg.dkimKeyDirectory ];
 })
 ];
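Review bot: The description added for `domainsWithoutMailbox` in default.nix, "The domains served by this mail server and forwards.", does not say how the option differs from `domains` or what listing a domain there causes. Going by the other two hunks of this patch, each entry is written to the Postfix vhosts file and gets a DKIM keypair when `dkimSigning` is on, so an operator adding a domain here is extending what the server handles and signs for. The option text should say so, for example `description = "Additional domains handled by this mail server without local mailboxes; entries are added to the Postfix vhosts file and receive a DKIM key when dkimSigning is enabled.";` with the "without local mailboxes" part confirmed against the module, since that behaviour is only implied by the option name here.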
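Review bot: `cfg.domainsWithoutMailbox ++ cfg.domains` in the postfix.nix hunk is not de-duplicated, so a domain listed in both options is written twice to the vhosts file, and the same expression in the rspamd.nix hunk passes it twice to `createDkimKeypair`. Nothing visible in this patch asserts that the two lists are disjoint. Consider binding `lib.unique (cfg.domainsWithoutMailbox ++ cfg.domains)` once and using it in both files, or adding an assertion in default.nix that rejects a domain present in both lists. The `let` block around `vhosts_file` starts and ends outside the hunk, so any other consumer of `cfg.domains` that should also see the new list cannot be checked from here.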
From 5648001ef3c4ee4a82ecc30c3ec7eea804ce1a52 Mon Sep 17 00:00:00 2001 From: Marcel Date: Wed, 8 Jan 2025 09:46:39 +0100 Subject: [PATCH 2/2] test/relay: init Co-authored-by: Michael Lohmann --- flake.nix | 1 + tests/domainsWithoutMailbox.nix | 81 +++++++++++++++++++++++++++++++++ 2 files changed, 82 insertions(+) create mode 100644 tests/domainsWithoutMailbox.nix diff --git a/flake.nix b/flake.nix index 1581ea3..91bccc7 100644 --- a/flake.nix +++ b/flake.nix @@ -36,6 +36,7 @@ "internal" "ldap" "multiple" + "domainsWithoutMailbox" ]; genTest = testName: release: let diff --git a/tests/domainsWithoutMailbox.nix b/tests/domainsWithoutMailbox.nix new file mode 100644 index 0000000..21bb52a --- /dev/null +++ b/tests/domainsWithoutMailbox.nix 
@@ -0,0 +1,81 @@
+# This tests is used to test features requiring several mail domains.
+
+{ pkgs, ... }:
+
+let
+ hashPassword = password: pkgs.runCommand
+ "password-${password}-hashed"
+ { buildInputs = [ pkgs.mkpasswd ]; inherit password; }
+ ''
+ mkpasswd -sm bcrypt <<<"$password" > $out
+ '';
+
+ password = pkgs.writeText "password" "password";
+
+ domainGenerator = domain: {
+ imports = [ ../default.nix ];
+ virtualisation.memorySize = 1024;
+ mailserver = {
+ enable = true;
+ fqdn = "mail.${domain}";
+ domains = [ domain ];
+ localDnsResolver = false;
+ loginAccounts = {
+ "user@${domain}" = {
+ hashedPasswordFile = hashPassword "password";
+ };
+ };
+ enableImap = true;
+ enableImapSsl = true;
+ };
+ services = {
+ dnsmasq = {
+ enable = true;
+ settings.mx-host = [ "domain1.com,domain1,10" "domain2.com,domain2,10" ];
+ };
+ # disable rspamd graylisting and other stuff hardful top tests
+ rspamd.extraConfig = ''
+ actions {
+ reject = null; # Disable rejects, default is 15
+ add_header = 6; # Add header when reaching this score
+ greylist = null; # Disable greylisting
+ }
+ '';
+ };
+ };
+
+in
+
+{
+ name = "domainsWithoutMailbox";
+ nodes = {
+ domain1 = {
+ imports = [
+ ../default.nix
+ (domainGenerator "domain1.com")
+ ];
+ mailserver.domainsWithoutMailbox = [ "relay.domain1.com" ];
+ # ip of itself
+ services.postfix.networks = [ "[2001:db8:1::1]/128" ];
+ };
+ domain2 = domainGenerator "domain2.com";
+ client = { pkgs, ... }: {
+ environment.systemPackages = [
+ (pkgs.writeScriptBin "mail-check" ''
+ ${pkgs.python3}/bin/python ${../scripts/mail-check.py} $@
+ '')
+ ];
+ };
+ };
+ testScript = ''
+ start_all()
+
+ domain1.wait_for_unit("multi-user.target")
+ domain2.wait_for_unit("multi-user.target")
+
+ # user@domain1.com sends a mail to user@domain2.com
+ client.succeed(
+ "mail-check send-and-read --smtp-port 25 --smtp-starttls --smtp-host domain1 --from-addr user@relay.domain1.com --imap-host domain2 --to-addr user@domain2.com --dst-password-file ${password} --ignore-dkim-spf"
+ )
+ '';
+}
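Review bot: The single `client.succeed` call passes `--ignore-dkim-spf`, so the test never checks that mail from `user@relay.domain1.com` is DKIM-signed, although patch 1/2 adds key generation for `domainsWithoutMailbox` entries. It also has only a positive case: no `client.fail` shows that a sender domain in neither list, or a client outside `services.postfix.networks`, is refused. A change that made domain1 relay for anyone would therefore still pass. The header comment and the comment above `client.succeed` are copied from another test and name the wrong sender. I would replace the header with `# Checks that a domain listed in mailserver.domainsWithoutMailbox is accepted as a sender domain when relaying to another server; DKIM/SPF results are not verified.` and change the inline comment to `# user@relay.domain1.com sends a mail to user@domain2.com`.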