- enable = true;
- enableSmtp = true;
- enableSubmission = true;
- submissionOptions = {
- smtpd_tls_security_level = "encrypt";
- smtpd_sasl_auth_enable = "yes";
- smtpd_tls_auth_only = "yes";
- smtpd_sasl_tls_security_options = "noanonymous";
- smtpd_sasl_type = "dovecot";
- smtpd_sasl_path = "private/auth";
- smtpd_reject_unlisted_recipient = "no";
- smtpd_client_restrictions = "permit_sasl_authenticated,reject";
- # Refuse to send e-mails with a From that is not handled
- smtpd_sender_restrictions =
- "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
- smtpd_sender_login_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}";
- smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
- milter_macro_daemon_name = "ORIGINATING";
- smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}";
- };
- # FIXME: Mail adressed to localhost.immae.eu will still have mx-1 as
- # prioritized MX, which provokes "mail for localhost.immae.eu loops
- # back to myself" errors. This transport entry forces to push
- # e-mails to its right destination.
- transport = ''
- localhost.immae.eu smtp:[immae.eu]:25
- '';
- destination = ["localhost"];
- # This needs to reverse DNS
- hostname = "eldiron.immae.eu";
- setSendmail = true;
- sslCert = "/var/lib/acme/mail/fullchain.pem";
- sslKey = "/var/lib/acme/mail/key.pem";
- recipientDelimiter = "+";
- masterConfig = {
- dovecot = {
- type = "unix";
- privileged = true;
- chroot = false;
- command = "pipe";
- args = let
- # rspamd could be used as a milter, but then it cannot apply
- # its checks "per user" (milter is not yet dispatched to
- # users), so we wrap dovecot-lda inside rspamc per recipient
- # here.
- dovecot_exe = "${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f \${sender} -a \${original_recipient} -d \${user}@\${nexthop}";
- in [
- "flags=DRhu" "user=vhost:vhost"
- "argv=${pkgs.rspamd}/bin/rspamc -h ${config.myServices.mail.rspamd.sockets.worker-controller} -c bayes -d \${user}@\${nexthop} --mime --exec {${dovecot_exe}}"
+ services.postfix = {
+ extraAliases = let
+ toScript = name: script: pkgs.writeScript name ''
+ #! ${pkgs.stdenv.shell}
+ mail=$(${pkgs.coreutils}/bin/cat -)
+ output=$(echo "$mail" | ${script} 2>&1)
+ ret=$?
+
+ if [ "$ret" != "0" ]; then
+ echo "$mail" \
+ | ${pkgs.procmail}/bin/formail -i "X-Return-Code: $ret" \
+ | /run/wrappers/bin/sendmail -i scripts_error+${name}@mail.immae.eu
+
+ messageId=$(echo "$mail" | ${pkgs.procmail}/bin/formail -x "Message-Id:")
+ repeat=$(echo "$mail" | ${pkgs.procmail}/bin/formail -X "From:" -X "Received:")
+
+ ${pkgs.coreutils}/bin/cat <<EOF | /run/wrappers/bin/sendmail -i scripts_error+${name}@mail.immae.eu
+ $repeat
+ To: scripts_error+${name}@mail.immae.eu
+ Subject: Log from script error
+ Content-Type: text/plain; charset="UTF-8"
+ Content-Transfer-Encoding: 8bit
+ References:$messageId
+ MIME-Version: 1.0
+ X-Return-Code: $ret
+
+ Error code: $ret
+ Output of message:
+ --------------
+ $output
+ --------------
+ EOF
+ fi
+ '';
+ scripts = lib.attrsets.mapAttrs (n: v:
+ toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = v.env; })
+ ) config.myEnv.mail.scripts // {
+ testmail = pkgs.writeScript "testmail" ''
+ #! ${pkgs.stdenv.shell}
+ ${pkgs.coreutils}/bin/touch \
+ "/var/lib/naemon/checks/email/$(${pkgs.procmail}/bin/formail -x To: | ${pkgs.coreutils}/bin/tr -d ' <>')"
+ '';
+ };
+ in builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v: ''${n}: "|${v}"'') scripts);
+ mapFiles = let
+ recipient_maps = let
+ name = n: i: "relay_${n}_${toString i}";
+ pair = n: i: m: lib.attrsets.nameValuePair (name n i) (
+ if m.type == "hash"
+ then pkgs.writeText (name n i) m.content
+ else null
+ );
+ pairs = n: v: lib.imap1 (i: m: pair n i m) v.recipient_maps;
+ in lib.attrsets.filterAttrs (k: v: v != null) (
+ lib.attrsets.listToAttrs (lib.flatten (
+ lib.attrsets.mapAttrsToList pairs config.myEnv.mail.postfix.backup_domains
+ ))
+ );
+ relay_restrictions = lib.attrsets.filterAttrs (k: v: v != null) (
+ lib.attrsets.mapAttrs' (n: v:
+ lib.attrsets.nameValuePair "recipient_access_${n}" (
+ if lib.attrsets.hasAttr "relay_restrictions" v
+ then pkgs.writeText "recipient_access_${n}" v.relay_restrictions
+ else null
+ )
+ ) config.myEnv.mail.postfix.backup_domains
+ );
+ virtual_map = {
+ virtual = let
+ cfg = config.myEnv.monitoring.email_check.eldiron;
+ address = "${cfg.mail_address}@${cfg.mail_domain}";
+ in pkgs.writeText "postfix-virtual" (
+ builtins.concatStringsSep "\n" (
+ ["${address} testmail@localhost"] ++
+ lib.attrsets.mapAttrsToList (
+ n: v: lib.optionalString v.external ''
+ script_${n}@mail.immae.eu ${n}@localhost, scripts@mail.immae.eu
+ ''
+ ) config.myEnv.mail.scripts
+ )
+ );
+ };
+ sasl_access = {
+ host_sender_login = with lib.attrsets; let
+ addresses = zipAttrs (lib.flatten (mapAttrsToList
+ (n: v: (map (e: { "${e}" = "${n}@immae.eu"; }) v.emails)) config.myEnv.servers));
+ joined = builtins.concatStringsSep ",";
+ in pkgs.writeText "host-sender-login"
+ (builtins.concatStringsSep "\n" (mapAttrsToList (n: v: "${n} ${joined v}") addresses));
+ host_dummy_mailboxes = pkgs.writeText "host-virtual-mailbox"
+ (builtins.concatStringsSep "\n" (["immae-eu@immae.eu dummy"] ++ lib.attrsets.mapAttrsToList (n: v: "${n}@immae.eu dummy") nodes));
+ };
+ in
+ recipient_maps // relay_restrictions // virtual_map // sasl_access;
+ config = {
+ ### postfix module overrides
+ readme_directory = "${pkgs.postfix}/share/postfix/doc";
+ smtp_tls_CAfile = lib.mkForce "";
+ smtp_tls_cert_file = lib.mkForce "";
+ smtp_tls_key_file = lib.mkForce "";
+
+ message_size_limit = "1073741824"; # Don't put 0 here, it's not equivalent to "unlimited"
+ mailbox_size_limit = "1073741825"; # Workaround, local delivered mails should all go through scripts
+ alias_database = "\$alias_maps";
+
+ ### Virtual mailboxes config
+ virtual_alias_maps = "hash:/etc/postfix/virtual mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"} ldap:${config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"}";
+ virtual_mailbox_domains = config.myEnv.mail.postfix.additional_mailbox_domains
+ ++ lib.remove null (lib.flatten (map
+ (zone: map
+ (e: if e.receive
+ then "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}"
+ else null
+ )
+ (zone.withEmail or [])
+ )
+ config.myEnv.dns.masterZones
+ ));
+ virtual_mailbox_maps = "hash:/etc/postfix/host_dummy_mailboxes mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}";
+ dovecot_destination_recipient_limit = "1";
+ virtual_transport = "dovecot";
+
+ ### Relay domains
+ relay_domains = lib.flatten (lib.attrsets.mapAttrsToList (n: v: v.domains or []) config.myEnv.mail.postfix.backup_domains);
+ relay_recipient_maps = lib.flatten (lib.attrsets.mapAttrsToList (n: v:
+ lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps
+ ) config.myEnv.mail.postfix.backup_domains);
+ smtpd_relay_restrictions = [
+ "defer_unauth_destination"
+ ] ++ lib.flatten (lib.attrsets.mapAttrsToList (n: v:
+ if lib.attrsets.hasAttr "relay_restrictions" v
+ then [ "check_recipient_access hash:/etc/postfix/recipient_access_${n}" ]
+ else []
+ ) config.myEnv.mail.postfix.backup_domains);
+
+ ### Additional smtpd configuration
+ smtpd_tls_received_header = "yes";
+ smtpd_tls_loglevel = "1";
+
+ ### Email sending configuration
+ smtp_tls_security_level = "may";
+ smtp_tls_loglevel = "1";
+
+ ### Force ip bind for smtp
+ smtp_bind_address = config.hostEnv.ips.main.ip4;
+ smtp_bind_address6 = builtins.head config.hostEnv.ips.main.ip6;
+
+ # Use some relays when authorized senders are not myself
+ smtp_sasl_mechanism_filter = "plain,login"; # GSSAPI Not correctly supported by postfix
+ smtp_sasl_auth_enable = "yes";
+ smtp_sasl_password_maps =
+ "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_creds"}";
+ smtp_sasl_security_options = "noanonymous";
+ smtp_sender_dependent_authentication = "yes";
+ sender_dependent_relayhost_maps =
+ "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_hosts"}";
+
+ ### opendkim, opendmarc, openarc milters
+ non_smtpd_milters = [
+ "unix:${config.myServices.mail.milters.sockets.opendkim}"
+ ];
+ smtpd_milters = [
+ "unix:${config.myServices.mail.milters.sockets.opendkim}"
+ "unix:${config.myServices.mail.milters.sockets.openarc}"
+ "unix:${config.myServices.mail.milters.sockets.opendmarc}"
+ ];
+
+ smtp_use_tls = true;
+ smtpd_use_tls = true;
+ smtpd_tls_chain_files = builtins.concatStringsSep "," [ "/var/lib/acme/mail/full.pem" "/var/lib/acme/mail-rsa/full.pem" ];
+
+ maximal_queue_lifetime = "6w";
+ bounce_queue_lifetime = "6w";
+ };
+ enable = true;
+ enableSmtp = true;
+ enableSubmission = true;
+ submissionOptions = {
+ # Don’t use "long form", only commas (cf
+ # http://www.postfix.org/master.5.html long form is not handled
+ # well by the submission function)
+ smtpd_tls_security_level = "encrypt";
+ smtpd_sasl_auth_enable = "yes";
+ smtpd_tls_auth_only = "yes";
+ smtpd_sasl_tls_security_options = "noanonymous";
+ smtpd_sasl_type = "dovecot";
+ smtpd_sasl_path = "private/auth";
+ smtpd_reject_unlisted_recipient = "no";
+ smtpd_client_restrictions = "permit_sasl_authenticated,reject";
+ smtpd_relay_restrictions = "permit_sasl_authenticated,reject";
+ # Refuse to send e-mails with a From that is not handled
+ smtpd_sender_restrictions =
+ "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
+ smtpd_sender_login_maps = builtins.concatStringsSep "," [
+ "hash:/etc/postfix/host_sender_login"
+ "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_maps"}"
+ "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}"
+ ];
+ smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
+ milter_macro_daemon_name = "ORIGINATING";
+ smtpd_milters = builtins.concatStringsSep "," [
+ # FIXME: put it back when opensmtpd is upgraded and able to
+ # rewrite the from header
+ #"unix:/run/milter_verify_from/verify_from.sock"
+ "unix:${config.myServices.mail.milters.sockets.opendkim}"