From bba070a1fee9be0a359edfef53a755671c3d70f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Thu, 17 Apr 2025 02:54:47 +0200
Subject: [PATCH] Remove policy-spf

Rspamd can do the same as policy-spf, only better, with more settings, is well integrated and better maintained. Other projects are going the same route [1].
[1]: https://docker-mailserver.github.io/docker-mailserver/latest/config/best-practices/dkim_dmarc_spf/
---
 default.nix | 17 ++++-------------
 mail-server/debug.nix | 4 ----
 mail-server/postfix.nix | 12 +-----------
 3 files changed, 5 insertions(+), 28 deletions(-)
 delete mode 100644 mail-server/debug.nix

diff --git a/default.nix b/default.nix
index 17fd16d..1828c5f 100644
--- a/default.nix
+++ b/default.nix
@@ -1022,18 +1022,6 @@ in
 '';
 };

- policydSPFExtraConfig = mkOption {
- type = types.lines;
- default = "";
- example = ''
- skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
- '';
- description = ''
- Extra configuration options for policyd-spf. This can be use to among
- other things skip spf checking for some IP addresses.
- '';
- };
-
 monitoring = {
 enable = mkEnableOption "monitoring via monit";

@@ -1303,7 +1291,6 @@ in
 '')
 ./mail-server/assertions.nix
 ./mail-server/borgbackup.nix
- ./mail-server/debug.nix
 ./mail-server/rsnapshot.nix
 ./mail-server/clamav.nix
 ./mail-server/monit.nix
@@ -1317,5 +1304,9 @@ in
 ./mail-server/rspamd.nix
 ./mail-server/nginx.nix
 ./mail-server/kresd.nix
+ (lib.mkRemovedOptionModule [ "mailserver" "policydSPFExtraConfig" ] ''
+ SPF checking has been migrated to Rspamd, which makes this config redundant. Please look into the rspamd config to migrate your settings.
+ It may be that they are redundant and are already configured in rspamd like for skip_addresses.
+ '')
 ];
 }
diff --git a/mail-server/debug.nix b/mail-server/debug.nix
deleted file mode 100644
index 8107515..0000000
--- a/mail-server/debug.nix
+++ /dev/null
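Review bot: The `mkRemovedOptionModule` message added in the last default.nix hunk tells operators to "look into the rspamd config" without saying what changes for enforcement, which is what someone who had set `policydSPFExtraConfig` needs to know. The Postfix side of this patch drops `check_policy_service unix:private/policy-spf`, which evaluated SPF as a recipient restriction at SMTP time; Rspamd normally folds the SPF result into its score and actions, so a message that used to be refused on an SPF fail may now only be scored (worth confirming against mail-server/rspamd.nix, which is not part of this diff). I would add a sentence such as `SPF results are now evaluated by Rspamd and feed its score/actions instead of a Postfix policy service; review your reject threshold.` and name the place where the `skip_addresses` equivalent is set instead of saying it "may be" redundant.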
@@ -1,4 +0,0 @@
-{ config, lib, ... }:
-{
- mailserver.policydSPFExtraConfig = lib.mkIf config.mailserver.debug "debugLevel = 4";
-}
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index 6ba6ec6..c0bd2fb 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -255,19 +255,16 @@ in
 "permit_mynetworks" "permit_sasl_authenticated" "reject_unauth_destination"
 ];

- policy-spf_time_limit = "3600s";
-
 # reject selected senders
 smtpd_sender_restrictions = [
 "check_sender_access ${mappedFile "reject_senders"}"
 ];

- # quota and spf checking
+ # quota checking
 smtpd_recipient_restrictions = [
 "check_recipient_access ${mappedFile "denied_recipients"}"
 "check_recipient_access ${mappedFile "reject_recipients"}"
 "check_policy_service inet:localhost:12340"
- "check_policy_service unix:private/policy-spf"
 ];

 # TLS settings, inspired by https://github.com/jeaye/nix-files
@@ -321,13 +318,6 @@ in
 # D => Delivered-To, O => X-Original-To, R => Return-Path
 args = [ "flags=O" ];
 };
- "policy-spf" = {
- type = "unix";
- privileged = true;
- chroot = false;
- command = "spawn";
- args = [ "user=nobody" "argv=${pkgs.spf-engine}/bin/policyd-spf" "${policyd-spf}"];
- };
 "submission-header-cleanup" = {
 type = "unix";
 private = false;
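Review bot: The definition of `policyd-spf`, which the removed `args` line in the second postfix.nix hunk interpolated as `"${policyd-spf}"`, appears to be left behind: it is not in either hunk, and the file's diffstat (1 insertion, 11 deletions) is fully accounted for by the lines shown. If it is a `let` binding built from `cfg.policydSPFExtraConfig`, it is now dead code pointing at a removed option, harmless only while nothing evaluates it, and should be deleted in this commit. In the first hunk the new comment `# quota checking` also undersells the list it heads, which still carries two `check_recipient_access` maps; something like `# recipient access maps and quota policy service` would describe it. Both enclosing attribute sets start and end outside the hunks.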