'';
scripts = lib.attrsets.mapAttrs (n: v:
toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = v.env; })
- ) config.myEnv.mail.scripts;
+ ) config.myEnv.mail.scripts // {
+ testmail = pkgs.writeScript "testmail" ''
+ #! ${pkgs.stdenv.shell}
+ ${pkgs.coreutils}/bin/touch \
+ "/var/lib/naemon/checks/email/$(${pkgs.procmail}/bin/formail -x To: | ${pkgs.coreutils}/bin/tr -d ' <>')"
+ '';
+ };
in builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v: ''${n}: "|${v}"'') scripts);
mapFiles = let
recipient_maps = let
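Review bot: The file name on the `touch` line of the new `testmail` script is taken from the message's `To:` header, which whoever sends mail to the forwarded address controls, and `tr -d ' <>'` leaves `/` and `.` in place, so the path is not confined to `/var/lib/naemon/checks/email` (the double quotes keep the value from being re-interpreted by the shell, so only the path component is affected, and only the mtime of files the pipe user can write). Keeping just the characters a check name can contain closes this: `"/var/lib/naemon/checks/email/$(${pkgs.procmail}/bin/formail -x To: | ${pkgs.coreutils}/bin/tr -cd 'A-Za-z0-9@._+-')"`. A missing header then yields an empty name, i.e. a `touch` on the directory itself, which is harmless but could be guarded with a `test -n` if you prefer a clean failure. The `let` that defines `scripts` starts before this hunk.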
) config.myEnv.mail.postfix.backup_domains
);
virtual_map = {
- virtual = pkgs.writeText "postfix-virtual" (
+ virtual = let
+ cfg = config.myEnv.monitoring.email_check.eldiron;
+ address = "${cfg.mail_address}@${cfg.mail_domain}";
+ in pkgs.writeText "postfix-virtual" (
builtins.concatStringsSep "\n" (
+ ["${address} testmail@localhost"] ++
lib.attrsets.mapAttrsToList (
n: v: lib.optionalString v.external ''
script_${n}@mail.immae.eu ${n}@localhost, scripts@mail.immae.eu
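Review bot: The new `virtual` entry maps only the bare `${cfg.mail_address}@${cfg.mail_domain}`, while the activation script added in this commit expects mail at `mail_address+<host>@domain` (or with `_` when the address already contains `+`), so the route to `testmail@localhost` presumably relies on Postfix's `recipient_delimiter` folding the extended form back to the bare address during the virtual lookup; that setting is not visible in this diff. A comment on the `address` binding would record the dependency, e.g. `# relies on recipient_delimiter so that mail_address+<host>@domain folds to this address`. The `virtual` expression continues past the end of the hunk.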
lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps
) config.myEnv.mail.postfix.backup_domains);
smtpd_relay_restrictions = [
- "permit_mynetworks"
- "permit_sasl_authenticated"
"defer_unauth_destination"
] ++ lib.flatten (lib.attrsets.mapAttrsToList (n: v:
if lib.attrsets.hasAttr "relay_restrictions" v
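Review bot: With `permit_mynetworks` and `permit_sasl_authenticated` removed, relaying on this smtpd is decided by `defer_unauth_destination` plus whatever the per-domain `relay_restrictions` add, so a host in `mynetworks` that still submits outbound mail on this port will now be deferred (4xx) and retried rather than refused. If port 25 relaying is intentionally closed in favour of the submission service (which this commit gives its own `permit_sasl_authenticated,reject`), `reject_unauth_destination` would fail such attempts immediately instead of leaving them in sender queues, and a comment such as `# no relaying here: authenticated submission only, see the submission smtpd_relay_restrictions` would record the intent. The restriction list continues past the end of the hunk.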
smtp_tls_loglevel = "1";
### Force ip bind for smtp
- smtp_bind_address = config.myEnv.servers.eldiron.ips.main.ip4;
- smtp_bind_address6 = builtins.head config.myEnv.servers.eldiron.ips.main.ip6;
+ smtp_bind_address = config.hostEnv.ips.main.ip4;
+ smtp_bind_address6 = builtins.head config.hostEnv.ips.main.ip6;
# Use some relays when authorized senders are not myself
smtp_sasl_mechanism_filter = "plain,login"; # GSSAPI Not correctly supported by postfix
### opendkim, opendmarc, openarc milters
non_smtpd_milters = [
"unix:${config.myServices.mail.milters.sockets.opendkim}"
- "unix:${config.myServices.mail.milters.sockets.opendmarc}"
- "unix:${config.myServices.mail.milters.sockets.openarc}"
];
smtpd_milters = [
"unix:${config.myServices.mail.milters.sockets.opendkim}"
- "unix:${config.myServices.mail.milters.sockets.opendmarc}"
"unix:${config.myServices.mail.milters.sockets.openarc}"
+ "unix:${config.myServices.mail.milters.sockets.opendmarc}"
];
};
enable = true;
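Review bot: The reorder in `smtpd_milters`, openarc now ahead of opendmarc, carries no explanation, and milter order is presumably significant here since these milters add and consume authentication headers; a one-line comment stating the dependency, e.g. `# openarc must run before opendmarc: <reason>`, would keep a later edit from restoring the old order. Dropping opendmarc and openarc from `non_smtpd_milters` likewise leaves locally submitted mail with DKIM signing only, which looks intended but deserves a word in the `### opendkim, opendmarc, openarc milters` comment.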
smtpd_sasl_path = "private/auth";
smtpd_reject_unlisted_recipient = "no";
smtpd_client_restrictions = "permit_sasl_authenticated,reject";
+ smtpd_relay_restrictions = "permit_sasl_authenticated,reject";
# Refuse to send e-mails with a From that is not handled
smtpd_sender_restrictions =
"reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
'';
destination = ["localhost"];
# This needs to reverse DNS
- hostname = "eldiron.immae.eu";
+ hostname = config.hostEnv.fqdn;
setSendmail = true;
sslCert = "/var/lib/acme/mail/fullchain.pem";
sslKey = "/var/lib/acme/mail/key.pem";
};
};
};
- security.acme.certs."mail" = {
+ security.acme2.certs."mail" = {
postRun = ''
systemctl restart postfix.service
'';
"smtp.immae.eu" = null;
};
};
+ system.activationScripts.testmail = {
+ deps = [ "users" ];
+ text = let
+ allCfg = config.myEnv.monitoring.email_check;
+ cfg = allCfg.eldiron;
+ reverseTargets = builtins.attrNames (lib.attrsets.filterAttrs (k: v: builtins.elem "eldiron" v.targets) allCfg);
+ to_email = cfg': host':
+ let sep = if lib.strings.hasInfix "+" cfg'.mail_address then "_" else "+";
+ in "${cfg'.mail_address}${sep}${host'}@${cfg'.mail_domain}";
+ mails_to_receive = builtins.concatStringsSep " " (map (to_email cfg) reverseTargets);
+ in ''
+ install -m 0555 -o nobody -g nogroup -d /var/lib/naemon/checks/email
+ for f in ${mails_to_receive}; do
+ if [ ! -f /var/lib/naemon/checks/email/$f ]; then
+ install -m 0644 -o nobody -g nogroup /dev/null -T /var/lib/naemon/checks/email/$f
+ touch -m -d @0 /var/lib/naemon/checks/email/$f
+ fi
+ done
+ '';
+ };
};
}
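Review bot: The check directory and its files in the new activation script are owned by `nobody`/`nogroup`, a shared account other services may also run as, so any process under that user can touch or replace the files and make the check believe mail was received; the `0555` mode on the directory does not constrain its owner, who can change it. A dedicated user for the pipe script and these files (the user the pipe runs as is not visible in this diff, presumably Postfix's default for `|command` aliases) would keep the freshness signal under a single principal. The unquoted `$f` in the loop is safe only while `mail_address` and `mail_domain` contain no whitespace or glob characters, which `to_email` already assumes; a comment on `mails_to_receive` such as `# addresses are config-controlled and contain no shell-special characters` would state that.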