]>
Commit | Line | Data |
---|---|---|
a929614f IB |
1 | { lib, pkgs, config, myconfig, ... }: |
2 | { | |
3 | config.secrets.keys = [ | |
4 | { | |
5 | dest = "postfix/mysql_alias_maps"; | |
6 | user = config.services.postfix.user; | |
7 | group = config.services.postfix.group; | |
8 | permissions = "0440"; | |
9 | text = '' | |
10 | # We need to specify that option to trigger ssl connection | |
11 | tls_ciphers = TLSv1.2 | |
12 | user = ${myconfig.env.mail.postfix.mysql.user} | |
13 | password = ${myconfig.env.mail.postfix.mysql.password} | |
14 | hosts = unix:${myconfig.env.mail.postfix.mysql.socket} | |
15 | dbname = ${myconfig.env.mail.postfix.mysql.database} | |
16 | query = SELECT DISTINCT destination | |
17 | FROM forwardings_merge | |
18 | WHERE | |
19 | ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s')) | |
20 | AND active = 1 | |
21 | AND '%s' NOT IN | |
22 | ( | |
23 | SELECT source | |
24 | FROM forwardings_blacklisted | |
25 | WHERE source = '%s' | |
26 | ) UNION | |
27 | SELECT 'devnull@immae.eu' | |
28 | FROM forwardings_blacklisted | |
29 | WHERE source = '%s' | |
30 | ''; | |
31 | } | |
32 | { | |
33 | dest = "postfix/mysql_mailbox_maps"; | |
34 | user = config.services.postfix.user; | |
35 | group = config.services.postfix.group; | |
36 | permissions = "0440"; | |
37 | text = '' | |
38 | # We need to specify that option to trigger ssl connection | |
39 | tls_ciphers = TLSv1.2 | |
40 | user = ${myconfig.env.mail.postfix.mysql.user} | |
41 | password = ${myconfig.env.mail.postfix.mysql.password} | |
42 | hosts = unix:${myconfig.env.mail.postfix.mysql.socket} | |
43 | dbname = ${myconfig.env.mail.postfix.mysql.database} | |
44 | result_format = /%d/%u | |
45 | query = SELECT DISTINCT '%s' | |
46 | FROM mailboxes | |
47 | WHERE active = 1 | |
48 | AND ( | |
49 | (domain = '%d' AND user = '%u' AND regex = 0) | |
50 | OR ( | |
51 | regex = 1 | |
52 | AND '%d' REGEXP CONCAT('^',domain,'$') | |
53 | AND '%u' REGEXP CONCAT('^',user,'$') | |
54 | ) | |
55 | ) | |
56 | LIMIT 1 | |
57 | ''; | |
58 | } | |
59 | { | |
60 | dest = "postfix/mysql_sender_login_maps"; | |
61 | user = config.services.postfix.user; | |
62 | group = config.services.postfix.group; | |
63 | permissions = "0440"; | |
64 | text = '' | |
65 | # We need to specify that option to trigger ssl connection | |
66 | tls_ciphers = TLSv1.2 | |
67 | user = ${myconfig.env.mail.postfix.mysql.user} | |
68 | password = ${myconfig.env.mail.postfix.mysql.password} | |
69 | hosts = unix:${myconfig.env.mail.postfix.mysql.socket} | |
70 | dbname = ${myconfig.env.mail.postfix.mysql.database} | |
71 | query = SELECT DISTINCT destination | |
72 | FROM forwardings_merge | |
73 | WHERE | |
74 | ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s')) | |
75 | AND active = 1 | |
76 | ''; | |
77 | } | |
78 | ]; | |
79 | ||
ca4630ca | 80 | config.networking.firewall.allowedTCPPorts = [ 25 465 587 ]; |
a929614f IB |
81 | |
82 | config.nixpkgs.overlays = [ (self: super: { | |
83 | postfix = super.postfix.override { withMySQL = true; }; | |
84 | }) ]; | |
85 | config.users.users."${config.services.postfix.user}".extraGroups = [ "keys" ]; | |
86 | config.services.filesWatcher.postfix = { | |
87 | restart = true; | |
88 | paths = [ | |
89 | config.secrets.fullPaths."postfix/mysql_alias_maps" | |
90 | config.secrets.fullPaths."postfix/mysql_mailbox_maps" | |
91 | config.secrets.fullPaths."postfix/mysql_sender_login_maps" | |
92 | ]; | |
93 | }; | |
94 | config.services.postfix = { | |
95 | mapFiles = let | |
04b2ab97 IB |
96 | recipient_maps = let |
97 | name = n: i: "relay_${n}_${toString i}"; | |
98 | pair = n: i: m: lib.attrsets.nameValuePair (name n i) ( | |
99 | if m.type == "hash" | |
100 | then pkgs.writeText (name n i) m.content | |
101 | else null | |
102 | ); | |
103 | pairs = n: v: lib.imap1 (i: m: pair n i m) v.recipient_maps; | |
104 | in lib.attrsets.filterAttrs (k: v: v != null) ( | |
a929614f IB |
105 | lib.attrsets.listToAttrs (lib.flatten ( |
106 | lib.attrsets.mapAttrsToList pairs myconfig.env.mail.postfix.backup_domains | |
107 | )) | |
108 | ); | |
04b2ab97 IB |
109 | relay_restrictions = lib.attrsets.filterAttrs (k: v: v != null) ( |
110 | lib.attrsets.mapAttrs' (n: v: | |
111 | lib.attrsets.nameValuePair "recipient_access_${n}" ( | |
112 | if lib.attrsets.hasAttr "relay_restrictions" v | |
113 | then pkgs.writeText "recipient_access_${n}" v.relay_restrictions | |
114 | else null | |
115 | ) | |
116 | ) myconfig.env.mail.postfix.backup_domains | |
117 | ); | |
118 | in | |
119 | recipient_maps // relay_restrictions; | |
a929614f IB |
120 | config = { |
121 | ### postfix module overrides | |
122 | readme_directory = "${pkgs.postfix}/share/postfix/doc"; | |
123 | smtp_tls_CAfile = lib.mkForce ""; | |
124 | smtp_tls_cert_file = lib.mkForce ""; | |
125 | smtp_tls_key_file = lib.mkForce ""; | |
126 | ||
127 | message_size_limit = "1073741824"; # Don't put 0 here, it's not equivalent to "unlimited" | |
128 | alias_database = "\$alias_maps"; | |
129 | ||
130 | ### Virtual mailboxes config | |
131 | virtual_alias_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"}"; | |
132 | virtual_mailbox_domains = myconfig.env.mail.postfix.additional_mailbox_domains | |
133 | ++ lib.remove "localhost.immae.eu" (lib.remove null (lib.flatten (map | |
134 | (zone: map | |
135 | (e: if e.receive | |
136 | then "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}" | |
137 | else null | |
138 | ) | |
139 | (zone.withEmail or []) | |
140 | ) | |
141 | myconfig.env.dns.masterZones | |
142 | ))); | |
143 | virtual_mailbox_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}"; | |
144 | dovecot_destination_recipient_limit = "1"; | |
145 | virtual_transport = "dovecot"; | |
146 | ||
147 | ### Relay domains | |
148 | relay_domains = lib.flatten (lib.attrsets.mapAttrsToList (n: v: v.domains or []) myconfig.env.mail.postfix.backup_domains); | |
149 | relay_recipient_maps = lib.flatten (lib.attrsets.mapAttrsToList (n: v: | |
150 | lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps | |
151 | ) myconfig.env.mail.postfix.backup_domains); | |
04b2ab97 IB |
152 | smtpd_relay_restrictions = [ |
153 | "permit_mynetworks" | |
154 | "permit_sasl_authenticated" | |
155 | "defer_unauth_destination" | |
156 | ] ++ lib.flatten (lib.attrsets.mapAttrsToList (n: v: | |
157 | if lib.attrsets.hasAttr "relay_restrictions" v | |
158 | then [ "check_recipient_access hash:/etc/postfix/recipient_access_${n}" ] | |
159 | else [] | |
160 | ) myconfig.env.mail.postfix.backup_domains); | |
a929614f IB |
161 | |
162 | ### Additional smtpd configuration | |
163 | smtpd_tls_received_header = "yes"; | |
164 | smtpd_tls_loglevel = "1"; | |
165 | ||
166 | ### Email sending configuration | |
167 | smtp_tls_security_level = "may"; | |
168 | smtp_tls_loglevel = "1"; | |
169 | ||
170 | ### Force ip bind for smtp | |
171 | smtp_bind_address = myconfig.env.servers.eldiron.ips.main.ip4; | |
172 | smtp_bind_address6 = builtins.head myconfig.env.servers.eldiron.ips.main.ip6; | |
173 | ||
174 | # #Unneeded if postfix can only send e-mail from "self" domains | |
175 | # #smtp_sasl_auth_enable = "yes"; | |
176 | # #smtp_sasl_password_maps = "hash:/etc/postfix/relay_creds"; | |
177 | # #smtp_sasl_security_options = "noanonymous"; | |
178 | # #smtp_sender_dependent_authentication = "yes"; | |
179 | # #sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay"; | |
180 | ||
181 | ### opendkim, opendmarc, openarc milters | |
182 | non_smtpd_milters = [ | |
183 | "unix:${config.myServices.mail.milters.sockets.opendkim}" | |
184 | "unix:${config.myServices.mail.milters.sockets.opendmarc}" | |
185 | "unix:${config.myServices.mail.milters.sockets.openarc}" | |
186 | ]; | |
187 | smtpd_milters = [ | |
188 | "unix:${config.myServices.mail.milters.sockets.opendkim}" | |
189 | "unix:${config.myServices.mail.milters.sockets.opendmarc}" | |
190 | "unix:${config.myServices.mail.milters.sockets.openarc}" | |
191 | ]; | |
192 | }; | |
193 | enable = true; | |
194 | enableSmtp = true; | |
195 | enableSubmission = true; | |
196 | submissionOptions = { | |
197 | smtpd_tls_security_level = "encrypt"; | |
198 | smtpd_sasl_auth_enable = "yes"; | |
199 | smtpd_tls_auth_only = "yes"; | |
200 | smtpd_sasl_tls_security_options = "noanonymous"; | |
201 | smtpd_sasl_type = "dovecot"; | |
202 | smtpd_sasl_path = "private/auth"; | |
203 | smtpd_reject_unlisted_recipient = "no"; | |
204 | smtpd_client_restrictions = "permit_sasl_authenticated,reject"; | |
205 | # Refuse to send e-mails with a From that is not handled | |
206 | smtpd_sender_restrictions = | |
207 | "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject"; | |
208 | smtpd_sender_login_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}"; | |
209 | smtpd_recipient_restrictions = "permit_sasl_authenticated,reject"; | |
210 | milter_macro_daemon_name = "ORIGINATING"; | |
211 | smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}"; | |
212 | }; | |
afcc5de0 IB |
213 | # FIXME: Mail adressed to localhost.immae.eu will still have mx-1 as |
214 | # prioritized MX, which provokes "mail for localhost.immae.eu loops | |
215 | # back to myself" errors. This transport entry forces to push | |
216 | # e-mails to its right destination. | |
217 | transport = '' | |
218 | localhost.immae.eu smtp:[immae.eu]:25 | |
219 | ''; | |
a929614f IB |
220 | destination = ["localhost"]; |
221 | # This needs to reverse DNS | |
222 | hostname = "eldiron.immae.eu"; | |
223 | setSendmail = true; | |
224 | sslCert = "/var/lib/acme/mail/fullchain.pem"; | |
225 | sslKey = "/var/lib/acme/mail/key.pem"; | |
226 | recipientDelimiter = "+"; | |
227 | masterConfig = { | |
ca4630ca IB |
228 | submissions = { |
229 | type = "inet"; | |
230 | private = false; | |
231 | command = "smtpd"; | |
232 | args = ["-o" "smtpd_tls_wrappermode=yes" ] ++ (let | |
233 | mkKeyVal = opt: val: [ "-o" (opt + "=" + val) ]; | |
234 | in lib.concatLists (lib.mapAttrsToList mkKeyVal config.services.postfix.submissionOptions) | |
235 | ); | |
236 | }; | |
a929614f IB |
237 | dovecot = { |
238 | type = "unix"; | |
239 | privileged = true; | |
240 | chroot = false; | |
241 | command = "pipe"; | |
242 | args = let | |
243 | # rspamd could be used as a milter, but then it cannot apply | |
244 | # its checks "per user" (milter is not yet dispatched to | |
245 | # users), so we wrap dovecot-lda inside rspamc per recipient | |
246 | # here. | |
247 | dovecot_exe = "${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f \${sender} -a \${original_recipient} -d \${user}@\${nexthop}"; | |
248 | in [ | |
249 | "flags=DRhu" "user=vhost:vhost" | |
250 | "argv=${pkgs.rspamd}/bin/rspamc -h ${config.myServices.mail.rspamd.sockets.worker-controller} -c bayes -d \${user}@\${nexthop} --mime --exec {${dovecot_exe}}" | |
251 | ]; | |
252 | }; | |
253 | }; | |
254 | }; | |
255 | config.security.acme.certs."mail" = { | |
256 | postRun = '' | |
257 | systemctl restart postfix.service | |
258 | ''; | |
259 | extraDomains = { | |
260 | "smtp.immae.eu" = null; | |
261 | }; | |
262 | }; | |
263 | } |