+ virtual_map = {
+ virtual = let
+ cfg = config.myEnv.monitoring.email_check.eldiron;
+ address = "${cfg.mail_address}@${cfg.mail_domain}";
+ in pkgs.writeText "postfix-virtual" (
+ builtins.concatStringsSep "\n" (
+ ["${address} testmail@localhost"] ++
+ lib.attrsets.mapAttrsToList (
+ n: v: lib.optionalString v.external ''
+ script_${n}@mail.immae.eu ${n}@localhost, scripts@mail.immae.eu
+ ''
+ ) config.myEnv.mail.scripts
+ )
+ );
+ };
+ sasl_access = {
+ host_sender_login = with lib.attrsets; let
+ addresses = zipAttrs (lib.flatten (mapAttrsToList
+ (n: v: (map (e: { "${e}" = "${n}@immae.eu"; }) v.emails)) config.myEnv.servers));
+ joined = builtins.concatStringsSep ",";
+ in pkgs.writeText "host-sender-login"
+ (builtins.concatStringsSep "\n" (mapAttrsToList (n: v: "${n} ${joined v}") addresses));
+ host_dummy_mailboxes = pkgs.writeText "host-virtual-mailbox"
+ (builtins.concatStringsSep "\n" (["immae-eu@immae.eu dummy"] ++ lib.attrsets.mapAttrsToList (n: v: "${n}@immae.eu dummy") nodes));
+ };
+ in
+ recipient_maps // relay_restrictions // virtual_map // sasl_access;
+ config = {
+ ### postfix module overrides
+ readme_directory = "${pkgs.postfix}/share/postfix/doc";
+ smtp_tls_CAfile = lib.mkForce "";
+ smtp_tls_cert_file = lib.mkForce "";
+ smtp_tls_key_file = lib.mkForce "";
+
+ message_size_limit = "1073741824"; # Don't put 0 here, it's not equivalent to "unlimited"
+ mailbox_size_limit = "1073741825"; # Workaround, local delivered mails should all go through scripts
+ alias_database = "\$alias_maps";
+
+ ### Virtual mailboxes config
+ virtual_alias_maps = "hash:/etc/postfix/virtual mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"} ldap:${config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"}";
+ virtual_mailbox_domains = config.myEnv.mail.postfix.additional_mailbox_domains
+ ++ lib.remove null (lib.flatten (map
+ (zone: map
+ (e: if e.receive
+ then "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}"
+ else null
+ )
+ (zone.withEmail or [])
+ )
+ config.myEnv.dns.masterZones
+ ));
+ virtual_mailbox_maps = "hash:/etc/postfix/host_dummy_mailboxes mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}";
+ dovecot_destination_recipient_limit = "1";
+ virtual_transport = "dovecot";
+
+ ### Relay domains
+ relay_domains = lib.flatten (lib.attrsets.mapAttrsToList (n: v: v.domains or []) config.myEnv.mail.postfix.backup_domains);
+ relay_recipient_maps = lib.flatten (lib.attrsets.mapAttrsToList (n: v:
+ lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps
+ ) config.myEnv.mail.postfix.backup_domains);
+ smtpd_relay_restrictions = [
+ "defer_unauth_destination"
+ ] ++ lib.flatten (lib.attrsets.mapAttrsToList (n: v:
+ if lib.attrsets.hasAttr "relay_restrictions" v
+ then [ "check_recipient_access hash:/etc/postfix/recipient_access_${n}" ]
+ else []
+ ) config.myEnv.mail.postfix.backup_domains);
+
+ ### Additional smtpd configuration
+ smtpd_tls_received_header = "yes";
+ smtpd_tls_loglevel = "1";
+
+ ### Email sending configuration
+ smtp_tls_security_level = "may";
+ smtp_tls_loglevel = "1";
+
+ ### Force ip bind for smtp
+ smtp_bind_address = config.hostEnv.ips.main.ip4;
+ smtp_bind_address6 = builtins.head config.hostEnv.ips.main.ip6;
+
+ # Use some relays when authorized senders are not myself
+ smtp_sasl_mechanism_filter = "plain,login"; # GSSAPI Not correctly supported by postfix
+ smtp_sasl_auth_enable = "yes";
+ smtp_sasl_password_maps =
+ "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_creds"}";
+ smtp_sasl_security_options = "noanonymous";
+ smtp_sender_dependent_authentication = "yes";
+ sender_dependent_relayhost_maps =
+ "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_hosts"}";
+
+ ### opendkim, opendmarc, openarc milters
+ non_smtpd_milters = [
+ "unix:${config.myServices.mail.milters.sockets.opendkim}"
+ ];
+ smtpd_milters = [
+ "unix:${config.myServices.mail.milters.sockets.opendkim}"
+ "unix:${config.myServices.mail.milters.sockets.openarc}"
+ "unix:${config.myServices.mail.milters.sockets.opendmarc}"
+ ];