Remove policy-spf

Rspamd can do the same as policy-spf, only better, with more settings, is well integrated and better maintained. Other projects are going the same route [1]. [1]: https://docker-mailserver.github.io/docker-mailserver/latest/config/best-practices/dkim_dmarc_spf/
2025-04-28 10:30:50 +05:00 · 2025-04-17 02:54:47 +02:00 · 2025-04-17 02:54:47 +02:00 · bba070a1fe
commit bba070a1fe
parent 745c6ee861
3 changed files with 5 additions and 28 deletions
--- a/default.nix
+++ b/default.nix
@ -1022,18 +1022,6 @@ in
      '';
    };

-    policydSPFExtraConfig = mkOption {
-      type = types.lines;
-      default = "";
-      example = ''
-        skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
-      '';
-      description = ''
-        Extra configuration options for policyd-spf. This can be use to among
-        other things skip spf checking for some IP addresses.
-      '';
-    };
-
    monitoring = {
      enable = mkEnableOption "monitoring via monit";

@ -1303,7 +1291,6 @@ in
    '')
    ./mail-server/assertions.nix
    ./mail-server/borgbackup.nix
-    ./mail-server/debug.nix
    ./mail-server/rsnapshot.nix
    ./mail-server/clamav.nix
    ./mail-server/monit.nix
@ -1317,5 +1304,9 @@ in
    ./mail-server/rspamd.nix
    ./mail-server/nginx.nix
    ./mail-server/kresd.nix
+    (lib.mkRemovedOptionModule [ "mailserver" "policydSPFExtraConfig" ] ''
+      SPF checking has been migrated to Rspamd, which makes this config redundant. Please look into the rspamd config to migrate your settings.
+      It may be that they are redundant and are already configured in rspamd like for skip_addresses.
+    '')
  ];
 }
--- a/mail-server/debug.nix
+++ b/mail-server/debug.nix
@ -1,4 +0,0 @@
-{ config, lib, ... }:
-{
-  mailserver.policydSPFExtraConfig = lib.mkIf config.mailserver.debug "debugLevel = 4";
-}
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@ -255,19 +255,16 @@ in
          "permit_mynetworks" "permit_sasl_authenticated" "reject_unauth_destination"
        ];

-        policy-spf_time_limit = "3600s";
-
        # reject selected senders
        smtpd_sender_restrictions = [
          "check_sender_access ${mappedFile "reject_senders"}"
        ];

-        # quota and spf checking
+        # quota checking
        smtpd_recipient_restrictions = [
          "check_recipient_access ${mappedFile "denied_recipients"}"
          "check_recipient_access ${mappedFile "reject_recipients"}"
          "check_policy_service inet:localhost:12340"
-          "check_policy_service unix:private/policy-spf"
        ];

        # TLS settings, inspired by https://github.com/jeaye/nix-files
@ -321,13 +318,6 @@ in
          # D => Delivered-To, O => X-Original-To, R => Return-Path
          args = [ "flags=O" ];
        };
-        "policy-spf" = {
-          type = "unix";
-          privileged = true;
-          chroot = false;
-          command = "spawn";
-          args = [ "user=nobody" "argv=${pkgs.spf-engine}/bin/policyd-spf" "${policyd-spf}"];
-        };
        "submission-header-cleanup" = {
          type = "unix";
          private = false;