+ };
+ "postfix/mysql_sender_login_maps" = {
+ user = config.services.postfix.user;
+ group = config.services.postfix.group;
+ permissions = "0440";
+ text = ''
+ # We need to specify that option to trigger ssl connection
+ tls_ciphers = TLSv1.2
+ user = ${config.myEnv.mail.postfix.mysql.user}
+ password = ${config.myEnv.mail.postfix.mysql.password}
+ hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+ dbname = ${config.myEnv.mail.postfix.mysql.database}
+ query = SELECT DISTINCT destination
+ FROM forwardings
+ WHERE
+ (
+ (regex = 1 AND CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') REGEXP CONCAT('^',source,'$') )
+ OR
+ (regex = 0 AND source = CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d'))
+ )
+ AND active = 1
+ UNION SELECT CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') AS destination
+ '';
+ };
+ "postfix/mysql_sender_relays_maps" = {
+ user = config.services.postfix.user;
+ group = config.services.postfix.group;
+ permissions = "0440";
+ text = ''
+ # We need to specify that option to trigger ssl connection
+ tls_ciphers = TLSv1.2
+ user = ${config.myEnv.mail.postfix.mysql.user}
+ password = ${config.myEnv.mail.postfix.mysql.password}
+ hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+ dbname = ${config.myEnv.mail.postfix.mysql.database}
+ # INSERT INTO sender_relays
+ # (`from`, owner, relay, login, password, regex, active)
+ # VALUES
+ # ( 'sender@otherhost.org'
+ # , 'me@mail.immae.eu'
+ # , '[otherhost.org]:587'
+ # , 'otherhostlogin'
+ # , AES_ENCRYPT('otherhostpassword', '${config.myEnv.mail.postfix.mysql.password_encrypt}')
+ # , '0'
+ # , '1');
+
+ query = SELECT DISTINCT `owner`
+ FROM sender_relays
+ WHERE
+ ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
+ AND active = 1
+ '';
+ };
+ "postfix/mysql_sender_relays_hosts" = {
+ user = config.services.postfix.user;
+ group = config.services.postfix.group;
+ permissions = "0440";
+ text = ''
+ # We need to specify that option to trigger ssl connection
+ tls_ciphers = TLSv1.2
+ user = ${config.myEnv.mail.postfix.mysql.user}
+ password = ${config.myEnv.mail.postfix.mysql.password}
+ hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+ dbname = ${config.myEnv.mail.postfix.mysql.database}
+
+ query = SELECT DISTINCT relay
+ FROM sender_relays
+ WHERE
+ ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
+ AND active = 1
+ '';
+ };
+ "postfix/mysql_sender_relays_creds" = {
+ user = config.services.postfix.user;
+ group = config.services.postfix.group;
+ permissions = "0440";
+ text = ''
+ # We need to specify that option to trigger ssl connection
+ tls_ciphers = TLSv1.2
+ user = ${config.myEnv.mail.postfix.mysql.user}
+ password = ${config.myEnv.mail.postfix.mysql.password}
+ hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+ dbname = ${config.myEnv.mail.postfix.mysql.database}
+
+ query = SELECT DISTINCT CONCAT(`login`, ':', AES_DECRYPT(`password`, '${config.myEnv.mail.postfix.mysql.password_encrypt}'))
+ FROM sender_relays
+ WHERE
+ ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
+ AND active = 1
+ '';
+ };
+ "postfix/ldap_ejabberd_users_immae_fr" = {
+ user = config.services.postfix.user;
+ group = config.services.postfix.group;
+ permissions = "0440";
+ text = ''
+ server_host = ldaps://${config.myEnv.jabber.ldap.host}:636
+ search_base = ${config.myEnv.jabber.ldap.base}
+ query_filter = ${config.myEnv.jabber.postfix_user_filter}
+ domain = immae.fr
+ bind_dn = ${config.myEnv.jabber.ldap.dn}
+ bind_pw = ${config.myEnv.jabber.ldap.password}
+ result_attribute = immaeXmppUid
+ result_format = ejabberd@localhost
+ version = 3
+ '';
+ };
+ } // lib.mapAttrs' (name: v: lib.nameValuePair "postfix/scripts/${name}-env" {
+ user = "postfixscripts";
+ group = "root";
+ permissions = "0400";
+ text = builtins.toJSON v.env;
+ }) config.myEnv.mail.scripts;
+
+ networking.firewall.allowedTCPPorts = [ 25 465 587 ];
+
+ users.users.postfixscripts = {
+ group = "keys";
+ uid = config.ids.uids.postfixscripts;
+ description = "Postfix scripts user";
+ };
+ users.users."${config.services.postfix.user}".extraGroups = [ "keys" ];
+ services.filesWatcher.postfix = {
+ restart = true;
+ paths = [
+ config.secrets.fullPaths."postfix/mysql_alias_maps"
+ config.secrets.fullPaths."postfix/ldap_mailboxes"
+ config.secrets.fullPaths."postfix/mysql_sender_login_maps"
+ config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"
+ ];
+ };
+ services.postfix = {
+ extraAliases = let
+ toScript = name: script: pkgs.writeScript name ''
+ #! ${pkgs.stdenv.shell}
+ mail=$(${pkgs.coreutils}/bin/cat -)
+ output=$(echo "$mail" | ${script} 2>&1)
+ ret=$?
+
+ if [ "$ret" != "0" ]; then
+ echo "$mail" \
+ | ${pkgs.procmail}/bin/formail -i "X-Return-Code: $ret" \
+ | /run/wrappers/bin/sendmail -i scripts_error+${name}@mail.immae.eu
+
+ messageId=$(echo "$mail" | ${pkgs.procmail}/bin/formail -x "Message-Id:")
+ repeat=$(echo "$mail" | ${pkgs.procmail}/bin/formail -X "From:" -X "Received:")
+
+ ${pkgs.coreutils}/bin/cat <<EOF | /run/wrappers/bin/sendmail -i scripts_error+${name}@mail.immae.eu
+ $repeat
+ To: scripts_error+${name}@mail.immae.eu
+ Subject: Log from script error
+ Content-Type: text/plain; charset="UTF-8"
+ Content-Transfer-Encoding: 8bit
+ References:$messageId
+ MIME-Version: 1.0
+ X-Return-Code: $ret
+
+ Error code: $ret
+ Output of message:
+ --------------
+ $output
+ --------------
+ EOF
+ fi
+ '';
+ scripts = lib.attrsets.mapAttrs (n: v:
+ toScript n (
+ (builtins.getFlake "git+${v.src.url}?rev=${v.src.rev}"
+ #(builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; })
+ ).outputs.envToScript.x86_64-linux
+ config.secrets.fullPaths."postfix/scripts/${n}-env"