]> git.immae.eu Git - perso/Immae/Config/Nix.git/blob - modules/private/mail/postfix.nix
Retry dovecot submission on failure
[perso/Immae/Config/Nix.git] / modules / private / mail / postfix.nix
1 { lib, pkgs, config, nodes, ... }:
2 {
3 config = lib.mkIf config.myServices.mail.enable {
4 secrets.keys = {
5 "postfix/mysql_alias_maps" = {
6 user = config.services.postfix.user;
7 group = config.services.postfix.group;
8 permissions = "0440";
9 text = ''
10 # We need to specify that option to trigger ssl connection
11 tls_ciphers = TLSv1.2
12 user = ${config.myEnv.mail.postfix.mysql.user}
13 password = ${config.myEnv.mail.postfix.mysql.password}
14 hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
15 dbname = ${config.myEnv.mail.postfix.mysql.database}
16 query = SELECT DISTINCT destination
17 FROM forwardings
18 WHERE
19 ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
20 AND active = 1
21 AND '%s' NOT IN
22 (
23 SELECT source
24 FROM forwardings_blacklisted
25 WHERE source = '%s'
26 ) UNION
27 SELECT 'devnull@immae.eu'
28 FROM forwardings_blacklisted
29 WHERE source = '%s'
30 '';
31 };
32 "postfix/ldap_mailboxes" = {
33 user = config.services.postfix.user;
34 group = config.services.postfix.group;
35 permissions = "0440";
36 text = ''
37 server_host = ldaps://${config.myEnv.mail.dovecot.ldap.host}:636
38 search_base = ${config.myEnv.mail.dovecot.ldap.base}
39 query_filter = ${config.myEnv.mail.dovecot.ldap.postfix_mailbox_filter}
40 bind_dn = ${config.myEnv.mail.dovecot.ldap.dn}
41 bind_pw = ${config.myEnv.mail.dovecot.ldap.password}
42 result_attribute = immaePostfixAddress
43 result_format = dummy
44 version = 3
45 '';
46 };
47 "postfix/mysql_sender_login_maps" = {
48 user = config.services.postfix.user;
49 group = config.services.postfix.group;
50 permissions = "0440";
51 text = ''
52 # We need to specify that option to trigger ssl connection
53 tls_ciphers = TLSv1.2
54 user = ${config.myEnv.mail.postfix.mysql.user}
55 password = ${config.myEnv.mail.postfix.mysql.password}
56 hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
57 dbname = ${config.myEnv.mail.postfix.mysql.database}
58 query = SELECT DISTINCT destination
59 FROM forwardings
60 WHERE
61 (
62 (regex = 1 AND CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') REGEXP CONCAT('^',source,'$') )
63 OR
64 (regex = 0 AND source = CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d'))
65 )
66 AND active = 1
67 UNION SELECT CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') AS destination
68 '';
69 };
70 "postfix/mysql_sender_relays_maps" = {
71 user = config.services.postfix.user;
72 group = config.services.postfix.group;
73 permissions = "0440";
74 text = ''
75 # We need to specify that option to trigger ssl connection
76 tls_ciphers = TLSv1.2
77 user = ${config.myEnv.mail.postfix.mysql.user}
78 password = ${config.myEnv.mail.postfix.mysql.password}
79 hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
80 dbname = ${config.myEnv.mail.postfix.mysql.database}
81 # INSERT INTO sender_relays
82 # (`from`, owner, relay, login, password, regex, active)
83 # VALUES
84 # ( 'sender@otherhost.org'
85 # , 'me@mail.immae.eu'
86 # , '[otherhost.org]:587'
87 # , 'otherhostlogin'
88 # , AES_ENCRYPT('otherhostpassword', '${config.myEnv.mail.postfix.mysql.password_encrypt}')
89 # , '0'
90 # , '1');
91
92 query = SELECT DISTINCT `owner`
93 FROM sender_relays
94 WHERE
95 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
96 AND active = 1
97 '';
98 };
99 "postfix/mysql_sender_relays_hosts" = {
100 user = config.services.postfix.user;
101 group = config.services.postfix.group;
102 permissions = "0440";
103 text = ''
104 # We need to specify that option to trigger ssl connection
105 tls_ciphers = TLSv1.2
106 user = ${config.myEnv.mail.postfix.mysql.user}
107 password = ${config.myEnv.mail.postfix.mysql.password}
108 hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
109 dbname = ${config.myEnv.mail.postfix.mysql.database}
110
111 query = SELECT DISTINCT relay
112 FROM sender_relays
113 WHERE
114 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
115 AND active = 1
116 '';
117 };
118 "postfix/mysql_sender_relays_creds" = {
119 user = config.services.postfix.user;
120 group = config.services.postfix.group;
121 permissions = "0440";
122 text = ''
123 # We need to specify that option to trigger ssl connection
124 tls_ciphers = TLSv1.2
125 user = ${config.myEnv.mail.postfix.mysql.user}
126 password = ${config.myEnv.mail.postfix.mysql.password}
127 hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
128 dbname = ${config.myEnv.mail.postfix.mysql.database}
129
130 query = SELECT DISTINCT CONCAT(`login`, ':', AES_DECRYPT(`password`, '${config.myEnv.mail.postfix.mysql.password_encrypt}'))
131 FROM sender_relays
132 WHERE
133 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
134 AND active = 1
135 '';
136 };
137 "postfix/ldap_ejabberd_users_immae_fr" = {
138 user = config.services.postfix.user;
139 group = config.services.postfix.group;
140 permissions = "0440";
141 text = ''
142 server_host = ldaps://${config.myEnv.jabber.ldap.host}:636
143 search_base = ${config.myEnv.jabber.ldap.base}
144 query_filter = ${config.myEnv.jabber.postfix_user_filter}
145 domain = immae.fr
146 bind_dn = ${config.myEnv.jabber.ldap.dn}
147 bind_pw = ${config.myEnv.jabber.ldap.password}
148 result_attribute = immaeXmppUid
149 result_format = ejabberd@localhost
150 version = 3
151 '';
152 };
153 } // lib.mapAttrs' (name: v: lib.nameValuePair "postfix/scripts/${name}-env" {
154 user = "postfixscripts";
155 group = "root";
156 permissions = "0400";
157 text = builtins.toJSON v.env;
158 }) config.myEnv.mail.scripts;
159
160 networking.firewall.allowedTCPPorts = [ 25 465 587 ];
161
162 users.users.postfixscripts = {
163 group = "keys";
164 uid = config.ids.uids.postfixscripts;
165 description = "Postfix scripts user";
166 };
167 users.users."${config.services.postfix.user}".extraGroups = [ "keys" ];
168 services.filesWatcher.postfix = {
169 restart = true;
170 paths = [
171 config.secrets.fullPaths."postfix/mysql_alias_maps"
172 config.secrets.fullPaths."postfix/ldap_mailboxes"
173 config.secrets.fullPaths."postfix/mysql_sender_login_maps"
174 config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"
175 ];
176 };
177 services.postfix = {
178 extraAliases = let
179 toScript = name: script: pkgs.writeScript name ''
180 #! ${pkgs.stdenv.shell}
181 mail=$(${pkgs.coreutils}/bin/cat -)
182 output=$(echo "$mail" | ${script} 2>&1)
183 ret=$?
184
185 if [ "$ret" != "0" ]; then
186 echo "$mail" \
187 | ${pkgs.procmail}/bin/formail -i "X-Return-Code: $ret" \
188 | /run/wrappers/bin/sendmail -i scripts_error+${name}@mail.immae.eu
189
190 messageId=$(echo "$mail" | ${pkgs.procmail}/bin/formail -x "Message-Id:")
191 repeat=$(echo "$mail" | ${pkgs.procmail}/bin/formail -X "From:" -X "Received:")
192
193 ${pkgs.coreutils}/bin/cat <<EOF | /run/wrappers/bin/sendmail -i scripts_error+${name}@mail.immae.eu
194 $repeat
195 To: scripts_error+${name}@mail.immae.eu
196 Subject: Log from script error
197 Content-Type: text/plain; charset="UTF-8"
198 Content-Transfer-Encoding: 8bit
199 References:$messageId
200 MIME-Version: 1.0
201 X-Return-Code: $ret
202
203 Error code: $ret
204 Output of message:
205 --------------
206 $output
207 --------------
208 EOF
209 fi
210 '';
211 scripts = lib.attrsets.mapAttrs (n: v:
212 toScript n (
213 (pkgs.mylibs.flakeCompat
214 (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; })
215 ).outputs.envToScript.x86_64-linux
216 config.secrets.fullPaths."postfix/scripts/${n}-env"
217 )
218 ) config.myEnv.mail.scripts // {
219 testmail = pkgs.writeScript "testmail" ''
220 #! ${pkgs.stdenv.shell}
221 ${pkgs.coreutils}/bin/touch \
222 "/var/lib/naemon/checks/email/$(${pkgs.procmail}/bin/formail -x To: | ${pkgs.coreutils}/bin/tr -d ' <>')"
223 '';
224 };
225 in builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v: ''${n}: "|${v}"'') scripts);
226 mapFiles = let
227 recipient_maps = let
228 name = n: i: "relay_${n}_${toString i}";
229 pair = n: i: m: lib.attrsets.nameValuePair (name n i) (
230 if m.type == "hash"
231 then pkgs.writeText (name n i) m.content
232 else null
233 );
234 pairs = n: v: lib.imap1 (i: m: pair n i m) v.recipient_maps;
235 in lib.attrsets.filterAttrs (k: v: v != null) (
236 lib.attrsets.listToAttrs (lib.flatten (
237 lib.attrsets.mapAttrsToList pairs config.myEnv.mail.postfix.backup_domains
238 ))
239 );
240 relay_restrictions = lib.attrsets.filterAttrs (k: v: v != null) (
241 lib.attrsets.mapAttrs' (n: v:
242 lib.attrsets.nameValuePair "recipient_access_${n}" (
243 if lib.attrsets.hasAttr "relay_restrictions" v
244 then pkgs.writeText "recipient_access_${n}" v.relay_restrictions
245 else null
246 )
247 ) config.myEnv.mail.postfix.backup_domains
248 );
249 virtual_map = {
250 virtual = let
251 cfg = config.myEnv.monitoring.email_check.eldiron;
252 address = "${cfg.mail_address}@${cfg.mail_domain}";
253 in pkgs.writeText "postfix-virtual" (
254 builtins.concatStringsSep "\n" (
255 ["${address} testmail@localhost"] ++
256 lib.attrsets.mapAttrsToList (
257 n: v: lib.optionalString v.external ''
258 script_${n}@mail.immae.eu ${n}@localhost, scripts@mail.immae.eu
259 ''
260 ) config.myEnv.mail.scripts
261 )
262 );
263 };
264 sasl_access = {
265 host_sender_login = with lib.attrsets; let
266 addresses = zipAttrs (lib.flatten (mapAttrsToList
267 (n: v: (map (e: { "${e}" = "${n}@immae.eu"; }) v.emails)) config.myEnv.servers));
268 joined = builtins.concatStringsSep ",";
269 in pkgs.writeText "host-sender-login"
270 (builtins.concatStringsSep "\n" (mapAttrsToList (n: v: "${n} ${joined v}") addresses));
271 };
272 in
273 recipient_maps // relay_restrictions // virtual_map // sasl_access;
274 config = {
275 ### postfix module overrides
276 readme_directory = "${pkgs.postfix}/share/postfix/doc";
277 smtp_tls_CAfile = lib.mkForce "";
278 smtp_tls_cert_file = lib.mkForce "";
279 smtp_tls_key_file = lib.mkForce "";
280
281 message_size_limit = "1073741824"; # Don't put 0 here, it's not equivalent to "unlimited"
282 mailbox_size_limit = "1073741825"; # Workaround, local delivered mails should all go through scripts
283 alias_database = "\$alias_maps";
284
285 ### Aliases scripts user
286 default_privs = "postfixscripts";
287
288 ### Virtual mailboxes config
289 virtual_alias_maps = [
290 "hash:/etc/postfix/virtual"
291 "mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"}"
292 "ldap:${config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"}"
293 ];
294 virtual_mailbox_domains = config.myEnv.mail.postfix.additional_mailbox_domains
295 ++ lib.remove null (lib.flatten (map
296 (zone: map
297 (e: if e.receive
298 then "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}"
299 else null
300 )
301 (zone.withEmail or [])
302 )
303 config.myEnv.dns.masterZones
304 ));
305 virtual_mailbox_maps = [
306 "ldap:${config.secrets.fullPaths."postfix/ldap_mailboxes"}"
307 ];
308 dovecot_destination_recipient_limit = "1";
309 virtual_transport = "dovecot";
310
311 ### Relay domains
312 relay_domains = lib.flatten (lib.attrsets.mapAttrsToList (n: v: v.domains or []) config.myEnv.mail.postfix.backup_domains);
313 relay_recipient_maps = lib.flatten (lib.attrsets.mapAttrsToList (n: v:
314 lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps
315 ) config.myEnv.mail.postfix.backup_domains);
316 smtpd_relay_restrictions = [
317 "defer_unauth_destination"
318 ] ++ lib.flatten (lib.attrsets.mapAttrsToList (n: v:
319 if lib.attrsets.hasAttr "relay_restrictions" v
320 then [ "check_recipient_access hash:/etc/postfix/recipient_access_${n}" ]
321 else []
322 ) config.myEnv.mail.postfix.backup_domains);
323
324 ### Additional smtpd configuration
325 smtpd_tls_received_header = "yes";
326 smtpd_tls_loglevel = "1";
327
328 ### Email sending configuration
329 smtp_tls_security_level = "may";
330 smtp_tls_loglevel = "1";
331
332 ### Force ip bind for smtp
333 smtp_bind_address = builtins.head config.hostEnv.ips.main.ip4;
334 smtp_bind_address6 = builtins.head config.hostEnv.ips.main.ip6;
335
336 # Use some relays when authorized senders are not myself
337 smtp_sasl_mechanism_filter = "plain,login"; # GSSAPI Not correctly supported by postfix
338 smtp_sasl_auth_enable = "yes";
339 smtp_sasl_password_maps =
340 "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_creds"}";
341 smtp_sasl_security_options = "noanonymous";
342 smtp_sender_dependent_authentication = "yes";
343 sender_dependent_relayhost_maps =
344 "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_hosts"}";
345
346 ### opendkim, opendmarc, openarc milters
347 non_smtpd_milters = [
348 "unix:${config.myServices.mail.milters.sockets.opendkim}"
349 ];
350 smtpd_milters = [
351 "unix:${config.myServices.mail.milters.sockets.opendkim}"
352 "unix:${config.myServices.mail.milters.sockets.openarc}"
353 "unix:${config.myServices.mail.milters.sockets.opendmarc}"
354 ];
355
356 smtp_use_tls = true;
357 smtpd_use_tls = true;
358 smtpd_tls_chain_files = builtins.concatStringsSep "," [ "/var/lib/acme/mail/full.pem" "/var/lib/acme/mail-rsa/full.pem" ];
359
360 maximal_queue_lifetime = "6w";
361 bounce_queue_lifetime = "6w";
362 };
363 enable = true;
364 enableSmtp = true;
365 enableSubmission = true;
366 submissionOptions = {
367 # Don’t use "long form", only commas (cf
368 # http://www.postfix.org/master.5.html long form is not handled
369 # well by the submission function)
370 smtpd_tls_security_level = "encrypt";
371 smtpd_sasl_auth_enable = "yes";
372 smtpd_tls_auth_only = "yes";
373 smtpd_sasl_tls_security_options = "noanonymous";
374 smtpd_sasl_type = "dovecot";
375 smtpd_sasl_path = "private/auth";
376 smtpd_reject_unlisted_recipient = "no";
377 smtpd_client_restrictions = "permit_sasl_authenticated,reject";
378 smtpd_relay_restrictions = "permit_sasl_authenticated,reject";
379 # Refuse to send e-mails with a From that is not handled
380 smtpd_sender_restrictions =
381 "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
382 smtpd_sender_login_maps = builtins.concatStringsSep "," [
383 "hash:/etc/postfix/host_sender_login"
384 "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_maps"}"
385 "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}"
386 ];
387 smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
388 milter_macro_daemon_name = "ORIGINATING";
389 smtpd_milters = builtins.concatStringsSep "," [
390 # FIXME: put it back when opensmtpd is upgraded and able to
391 # rewrite the from header
392 #"unix:/run/milter_verify_from/verify_from.sock"
393 "unix:${config.myServices.mail.milters.sockets.opendkim}"
394 ];
395 };
396 destination = ["localhost"];
397 # This needs to reverse DNS
398 hostname = config.hostEnv.fqdn;
399 setSendmail = true;
400 recipientDelimiter = "+";
401 masterConfig = {
402 submissions = {
403 type = "inet";
404 private = false;
405 command = "smtpd";
406 args = ["-o" "smtpd_tls_wrappermode=yes" ] ++ (let
407 mkKeyVal = opt: val: [ "-o" (opt + "=" + val) ];
408 in lib.concatLists (lib.mapAttrsToList mkKeyVal config.services.postfix.submissionOptions)
409 );
410 };
411 dovecot = {
412 type = "unix";
413 privileged = true;
414 chroot = false;
415 command = "pipe";
416 args = let
417 # rspamd could be used as a milter, but then it cannot apply
418 # its checks "per user" (milter is not yet dispatched to
419 # users), so we wrap dovecot-lda inside rspamc per recipient
420 # here.
421 rspamc_dovecot = pkgs.writeScriptBin "rspamc_dovecot" ''
422 #! ${pkgs.stdenv.shell}
423 set -o pipefail
424 sender="$1"
425 original_recipient="$2"
426 user="$3"
427
428 ${pkgs.coreutils}/bin/cat - | \
429 ${pkgs.rspamd}/bin/rspamc -h ${config.myServices.mail.rspamd.sockets.worker-controller} -c bayes -d "$user" --mime | \
430 ${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f "$sender" -a "$original_recipient" -d "$user"
431 if echo ''${PIPESTATUS[@]} | ${pkgs.gnugrep}/bin/grep -qE '^[0 ]+$'; then
432 exit 0
433 else
434 # src/global/sys_exits.h to retry
435 exit 75
436 fi
437 '';
438 in [
439 "flags=ODRhu" "user=vhost:vhost"
440 "argv=${rspamc_dovecot}/bin/rspamc_dovecot \${sender} \${original_recipient} \${user}@\${nexthop}"
441 ];
442 };
443 };
444 };
445 security.acme.certs."mail" = {
446 postRun = ''
447 systemctl restart postfix.service
448 '';
449 extraDomainNames = [ "smtp.immae.eu" ];
450 };
451 security.acme.certs."mail-rsa" = {
452 postRun = ''
453 systemctl restart postfix.service
454 '';
455 extraDomainNames = [ "smtp.immae.eu" ];
456 };
457 system.activationScripts.testmail = {
458 deps = [ "users" ];
459 text = let
460 allCfg = config.myEnv.monitoring.email_check;
461 cfg = allCfg.eldiron;
462 reverseTargets = builtins.attrNames (lib.attrsets.filterAttrs (k: v: builtins.elem "eldiron" v.targets) allCfg);
463 to_email = cfg': host':
464 let sep = if lib.strings.hasInfix "+" cfg'.mail_address then "_" else "+";
465 in "${cfg'.mail_address}${sep}${host'}@${cfg'.mail_domain}";
466 mails_to_receive = builtins.concatStringsSep " " (map (to_email cfg) reverseTargets);
467 in ''
468 install -m 0555 -o postfixscripts -g keys -d /var/lib/naemon/checks/email
469 for f in ${mails_to_receive}; do
470 if [ ! -f /var/lib/naemon/checks/email/$f ]; then
471 install -m 0644 -o postfixscripts -g keys /dev/null -T /var/lib/naemon/checks/email/$f
472 touch -m -d @0 /var/lib/naemon/checks/email/$f
473 fi
474 done
475 '';
476 };
477 systemd.services.postfix.serviceConfig.Slice = "mail.slice";
478 };
479 }