Optimize new fw rules and tweak postfix

Signed-off-by: Egor Savkin <es@m-labs.hk>

nixbld-etc-nixos/configuration.nix

@@ -94,6 +94,10 @@ in
       allowedUDPPorts = [ 53 67 500 4500 ];
       trustedInterfaces = [ netifLan ];
       logRefusedConnections = false;
+      extraCommands = ''
+        iptables -A INPUT -s 5.78.86.156 -p gre -j ACCEPT
+        iptables -A INPUT -s 5.78.86.156 -p ah -j ACCEPT
+      '';
     };
     useDHCP = false;
     interfaces."${netifWan}".useDHCP = true;  # PCCW - always wants active DHCP lease or cuts you off
@@ -1257,8 +1261,26 @@ in
     enablePop3 = true;
     enablePop3Ssl = true;
     certificateScheme = "acme-nginx";
-    policydSPFExtraConfig = "skip_addresses = 5.78.86.156,2a01:4ff:1f0:83de::1";
   } // (import /etc/nixos/secret/email_settings.nix);
+  services.postfix = {
+    mapFiles.sender_transport = pkgs.writeText "sender_transport" ''
+        @m-labs-intl.com intltunnel:
+        * :
+    '';
+    config = {
+      sender_dependent_default_transport_maps = "hash:/var/lib/postfix/conf/sender_transport";
+    };
+    masterConfig."intltunnel" = {
+      type = "unix";
+      command = "smtp";
+      args = [
+        "-o" "inet_interfaces=10.47.3.1"
+        "-o" "smtp_helo_name=mail.m-labs-intl.com"
+        "-o" "inet_protocols=ipv4"
+       ];
+    };
+  };
+
   services.roundcube = {
     enable = true;
     hostName = "mail.m-labs.hk";

nixbld-etc-nixos/named/m-labs-intl.com

@@ -23,7 +23,6 @@ ns						A		94.190.212.123
 ns						AAAA	2001:470:18:390::2
 
 mail					A		5.78.86.156
-mail					AAAA	2a01:4ff:1f0:83de::1
 mail._domainkey			IN	TXT	"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
 _dmarc					TXT		"v=DMARC1; p=none"