From 1a2d7a4bf5a1f5bfd551d8c3e4a6e4de36522b09 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Mon, 25 Aug 2025 03:13:30 +0200
Subject: [PATCH] rspamd: restrict addresses we disable checks for to localhost
By default this includes private network subnets, but those should really use authentication instead, if they want to skip checks.
Closes: #326
---
 mail-server/rspamd.nix | 7 +++++++
 tests/lib/config.nix | 20 ++++++++++++--------
 2 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/mail-server/rspamd.nix b/mail-server/rspamd.nix
index 5c0f315..ab46750 100644
--- a/mail-server/rspamd.nix
+++ b/mail-server/rspamd.nix
@@ -132,6 +132,13 @@ in
 '';
 };
 };
+ overrides = {
+ "options.inc" = {
+ text = ''
+ local_addrs = [::1/128, 127.0.0.0/8]
+ '';
+ };
+ };
 workers.rspamd_proxy = {
 type = "rspamd_proxy";
diff --git a/tests/lib/config.nix b/tests/lib/config.nix
index f13f15a..199e1b8 100644
--- a/tests/lib/config.nix
+++ b/tests/lib/config.nix
@@ -10,12 +10,16 @@
 # Enable second CPU core
 virtualisation.cores = lib.mkDefault 2;
- # Don't make tests block on DNS requests that will never succeed
- services.rspamd.locals."options.inc".text = ''
- dns {
- nameservers = ["127.0.0.1"];
- timeout = 0.0s;
- retransmits = 0;
- }
- '';
+ services.rspamd = {
+ # Don't make tests block on DNS requests that will never succeed
+ locals."options.inc".text = ''
+ dns {
+ nameservers = ["127.0.0.1"];
+ timeout = 0.0s;
+ retransmits = 0;
+ }
+ '';
+ # Relax `local_addrs` definition to default for tests, so mail doesn't get flagged as spam
+ overrides."options.inc".enable = false;
+ };
 }
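Review bot: The new `overrides."options.inc"` entry in mail-server/rspamd.nix has no comment explaining why `local_addrs` is narrowed, although the reason is security-relevant: per the commit message, checks are disabled for addresses in this list, and the default also covers private subnets. I would add above `overrides = {` a comment such as `# Only loopback is treated as local; clients on private subnets must authenticate to skip checks.` Because the value is set under `overrides` rather than `locals`, a downstream `locals."options.inc"` that sets `local_addrs` will presumably no longer take effect. That is worth stating in the module documentation, together with the supported way to widen the list. The enclosing attribute set starts and ends outside the hunk.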
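Review bot: In tests/lib/config.nix, `overrides."options.inc".enable = false;` switches the whole override file off for every test that uses this shared config, so the localhost-only `local_addrs` shipped by this commit is never exercised. A later change that widens the list again would go unnoticed. A dedicated test that keeps the override enabled, and checks that unauthenticated mail from a non-loopback test address is still scanned, would cover it. The comment could also give the reason for the relaxation, e.g. `# Test clients connect from the private test network without authentication, so keep rspamd's default local_addrs here`, if that is indeed why mail was being flagged.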