1 { lib, pkgs, config, myconfig, ... }:
3 config.secrets.keys = [
5 dest = "postfix/mysql_alias_maps";
6 user = config.services.postfix.user;
7 group = config.services.postfix.group;
10 # We need to specify that option to trigger ssl connection
12 user = ${myconfig.env.mail.postfix.mysql.user}
13 password = ${myconfig.env.mail.postfix.mysql.password}
14 hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
15 dbname = ${myconfig.env.mail.postfix.mysql.database}
16 query = SELECT DISTINCT destination
17 FROM forwardings_merge
19 ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
24 FROM forwardings_blacklisted
27 SELECT 'devnull@immae.eu'
28 FROM forwardings_blacklisted
33 dest = "postfix/mysql_mailbox_maps";
34 user = config.services.postfix.user;
35 group = config.services.postfix.group;
38 # We need to specify that option to trigger ssl connection
40 user = ${myconfig.env.mail.postfix.mysql.user}
41 password = ${myconfig.env.mail.postfix.mysql.password}
42 hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
43 dbname = ${myconfig.env.mail.postfix.mysql.database}
44 result_format = /%d/%u
45 query = SELECT DISTINCT '%s'
49 (domain = '%d' AND user = '%u' AND regex = 0)
52 AND '%d' REGEXP CONCAT('^',domain,'$')
53 AND '%u' REGEXP CONCAT('^',user,'$')
60 dest = "postfix/mysql_sender_login_maps";
61 user = config.services.postfix.user;
62 group = config.services.postfix.group;
65 # We need to specify that option to trigger ssl connection
67 user = ${myconfig.env.mail.postfix.mysql.user}
68 password = ${myconfig.env.mail.postfix.mysql.password}
69 hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
70 dbname = ${myconfig.env.mail.postfix.mysql.database}
71 query = SELECT DISTINCT destination
72 FROM forwardings_merge
74 ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
76 UNION SELECT '%s' AS destination
81 config.networking.firewall.allowedTCPPorts = [ 25 465 587 ];
83 config.nixpkgs.overlays = [ (self: super: {
84 postfix = super.postfix.override { withMySQL = true; };
86 config.users.users."${config.services.postfix.user}".extraGroups = [ "keys" ];
87 config.services.filesWatcher.postfix = {
90 config.secrets.fullPaths."postfix/mysql_alias_maps"
91 config.secrets.fullPaths."postfix/mysql_mailbox_maps"
92 config.secrets.fullPaths."postfix/mysql_sender_login_maps"
95 config.services.postfix = {
98 name = n: i: "relay_${n}_${toString i}";
99 pair = n: i: m: lib.attrsets.nameValuePair (name n i) (
101 then pkgs.writeText (name n i) m.content
104 pairs = n: v: lib.imap1 (i: m: pair n i m) v.recipient_maps;
105 in lib.attrsets.filterAttrs (k: v: v != null) (
106 lib.attrsets.listToAttrs (lib.flatten (
107 lib.attrsets.mapAttrsToList pairs myconfig.env.mail.postfix.backup_domains
110 relay_restrictions = lib.attrsets.filterAttrs (k: v: v != null) (
111 lib.attrsets.mapAttrs' (n: v:
112 lib.attrsets.nameValuePair "recipient_access_${n}" (
113 if lib.attrsets.hasAttr "relay_restrictions" v
114 then pkgs.writeText "recipient_access_${n}" v.relay_restrictions
117 ) myconfig.env.mail.postfix.backup_domains
120 recipient_maps // relay_restrictions;
122 ### postfix module overrides
123 readme_directory = "${pkgs.postfix}/share/postfix/doc";
124 smtp_tls_CAfile = lib.mkForce "";
125 smtp_tls_cert_file = lib.mkForce "";
126 smtp_tls_key_file = lib.mkForce "";
128 message_size_limit = "1073741824"; # Don't put 0 here, it's not equivalent to "unlimited"
129 alias_database = "\$alias_maps";
131 ### Virtual mailboxes config
132 virtual_alias_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"}";
133 virtual_mailbox_domains = myconfig.env.mail.postfix.additional_mailbox_domains
134 ++ lib.remove "localhost.immae.eu" (lib.remove null (lib.flatten (map
137 then "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}"
140 (zone.withEmail or [])
142 myconfig.env.dns.masterZones
144 virtual_mailbox_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}";
145 dovecot_destination_recipient_limit = "1";
146 virtual_transport = "dovecot";
149 relay_domains = lib.flatten (lib.attrsets.mapAttrsToList (n: v: v.domains or []) myconfig.env.mail.postfix.backup_domains);
150 relay_recipient_maps = lib.flatten (lib.attrsets.mapAttrsToList (n: v:
151 lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps
152 ) myconfig.env.mail.postfix.backup_domains);
153 smtpd_relay_restrictions = [
155 "permit_sasl_authenticated"
156 "defer_unauth_destination"
157 ] ++ lib.flatten (lib.attrsets.mapAttrsToList (n: v:
158 if lib.attrsets.hasAttr "relay_restrictions" v
159 then [ "check_recipient_access hash:/etc/postfix/recipient_access_${n}" ]
161 ) myconfig.env.mail.postfix.backup_domains);
163 ### Additional smtpd configuration
164 smtpd_tls_received_header = "yes";
165 smtpd_tls_loglevel = "1";
167 ### Email sending configuration
168 smtp_tls_security_level = "may";
169 smtp_tls_loglevel = "1";
171 ### Force ip bind for smtp
172 smtp_bind_address = myconfig.env.servers.eldiron.ips.main.ip4;
173 smtp_bind_address6 = builtins.head myconfig.env.servers.eldiron.ips.main.ip6;
175 # #Unneeded if postfix can only send e-mail from "self" domains
176 # #smtp_sasl_auth_enable = "yes";
177 # #smtp_sasl_password_maps = "hash:/etc/postfix/relay_creds";
178 # #smtp_sasl_security_options = "noanonymous";
179 # #smtp_sender_dependent_authentication = "yes";
180 # #sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay";
182 ### opendkim, opendmarc, openarc milters
183 non_smtpd_milters = [
184 "unix:${config.myServices.mail.milters.sockets.opendkim}"
185 "unix:${config.myServices.mail.milters.sockets.opendmarc}"
186 "unix:${config.myServices.mail.milters.sockets.openarc}"
189 "unix:${config.myServices.mail.milters.sockets.opendkim}"
190 "unix:${config.myServices.mail.milters.sockets.opendmarc}"
191 "unix:${config.myServices.mail.milters.sockets.openarc}"
196 enableSubmission = true;
197 submissionOptions = {
198 smtpd_tls_security_level = "encrypt";
199 smtpd_sasl_auth_enable = "yes";
200 smtpd_tls_auth_only = "yes";
201 smtpd_sasl_tls_security_options = "noanonymous";
202 smtpd_sasl_type = "dovecot";
203 smtpd_sasl_path = "private/auth";
204 smtpd_reject_unlisted_recipient = "no";
205 smtpd_client_restrictions = "permit_sasl_authenticated,reject";
206 # Refuse to send e-mails with a From that is not handled
207 smtpd_sender_restrictions =
208 "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
209 smtpd_sender_login_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}";
210 smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
211 milter_macro_daemon_name = "ORIGINATING";
212 smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}";
214 # FIXME: Mail adressed to localhost.immae.eu will still have mx-1 as
215 # prioritized MX, which provokes "mail for localhost.immae.eu loops
216 # back to myself" errors. This transport entry forces to push
217 # e-mails to its right destination.
219 localhost.immae.eu smtp:[immae.eu]:25
221 destination = ["localhost"];
222 # This needs to reverse DNS
223 hostname = "eldiron.immae.eu";
225 sslCert = "/var/lib/acme/mail/fullchain.pem";
226 sslKey = "/var/lib/acme/mail/key.pem";
227 recipientDelimiter = "+";
233 args = ["-o" "smtpd_tls_wrappermode=yes" ] ++ (let
234 mkKeyVal = opt: val: [ "-o" (opt + "=" + val) ];
235 in lib.concatLists (lib.mapAttrsToList mkKeyVal config.services.postfix.submissionOptions)
244 # rspamd could be used as a milter, but then it cannot apply
245 # its checks "per user" (milter is not yet dispatched to
246 # users), so we wrap dovecot-lda inside rspamc per recipient
248 dovecot_exe = "${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f \${sender} -a \${original_recipient} -d \${user}@\${nexthop}";
250 "flags=DRhu" "user=vhost:vhost"
251 "argv=${pkgs.rspamd}/bin/rspamc -h ${config.myServices.mail.rspamd.sockets.worker-controller} -c bayes -d \${user}@\${nexthop} --mime --exec {${dovecot_exe}}"
256 config.security.acme.certs."mail" = {
258 systemctl restart postfix.service
261 "smtp.immae.eu" = null;