###################################################
## MANAGED BY SALT in salt/files/nftables/asgard ##
###################################################
chain input_network_os-mail {
jump global_internal
ip6 saddr $net6_os-mail ip6 daddr @self6_mail ip6 nexthdr icmpv6 accept
ip6 saddr $net6_os-mail ip6 daddr != @lan_ipv6 ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply } accept
# mx* -> hosts related to relay_domains or hosts which use a local mail server for inbound application
# mail (SMTP)
ip6 saddr @host6_mx ip6 daddr { $host6_pagure, $host6_discourse, $host6_mailman3, $host6_progressoo } tcp dport smtp accept
# mx* -> wild internet (HTTPS/SMTP)
ip6 saddr @host6_mx ip6 daddr != @lan_ipv6_nonat tcp dport { https, smtp } accept
ip saddr @host4_mx ip daddr != $nat64_v4 tcp dport { https, smtp } accept
# mx* -> monitor (scripts calling send_nsca)
ip6 saddr @host6_mx ip6 daddr $host6_monitor tcp dport 5667 accept
#mx* -> Hel (MySQL for membership alias database)
ip6 daddr $host6_hel ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply } accept
ip6 saddr @host6_mx ip6 daddr $host6_hel tcp dport 3307 accept
#mx-test -> * (evaluating DCC)
ip6 saddr $host6_mx-test udp dport 6277 log prefix "[DCC out] " accept
log prefix "[Mail Denied] " reject with icmpv6 type admin-prohibited
}
chain output_network_os-mail {
}