From 6074fd428ca87e6964416e299a6d341acd1f97dc Mon Sep 17 00:00:00 2001
From: Alejandro Soto
Date: Wed, 16 Apr 2025 16:57:40 -0600
Subject: sys/mta: improve postfix hardening
---
 sys/mta/default.nix | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/sys/mta/default.nix b/sys/mta/default.nix
index 64e08f3..7a10146 100644
--- a/sys/mta/default.nix
+++ b/sys/mta/default.nix
@@ -161,6 +161,10 @@ in
 # Nota: smtpd_tls_dh1024_param_file fue deprecado en 3.9
 tls_append_default_CA = false; # Crítico
+
+ # https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/
+ smtpd_helo_required = true;
+ disable_vrfy_command = true;
 } // optionalAttrs isPrimary {
 virtual_alias_maps = mkAfter [ "pcre:/etc/postfix/virtual_rules" ];
 virtual_mailbox_domains = attrNames virtualDomains;
-- 
cgit v1.2.3
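Review bot: The added `smtpd_helo_required = true;` only forces a client to send HELO/EHLO before MAIL; it does not check the name the client presents, so on its own it filters very little. The attribute set starts and ends outside this hunk, so this may already be covered, but if no `smtpd_helo_restrictions` is set elsewhere, consider adding one such as `smtpd_helo_restrictions = [ "permit_mynetworks" "permit_sasl_authenticated" "reject_invalid_helo_hostname" "reject_non_fqdn_helo_hostname" ];`. `disable_vrfy_command = true;` stops VRFY probing, but recipient validity can usually still be inferred from RCPT TO replies, so it narrows address harvesting rather than closing it. The only comment is an external URL, which can rot; a one-line comment per setting saying what it covers would match the explanatory notes already in this block.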