hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
dbname = ${config.myEnv.mail.postfix.mysql.database}
query = SELECT DISTINCT destination
- FROM forwardings_merge
+ FROM forwardings
WHERE
((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
AND active = 1
'';
}
{
- dest = "postfix/mysql_mailbox_maps";
+ dest = "postfix/ldap_mailboxes";
user = config.services.postfix.user;
group = config.services.postfix.group;
permissions = "0440";
text = ''
- # We need to specify that option to trigger ssl connection
- tls_ciphers = TLSv1.2
- user = ${config.myEnv.mail.postfix.mysql.user}
- password = ${config.myEnv.mail.postfix.mysql.password}
- hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
- dbname = ${config.myEnv.mail.postfix.mysql.database}
- result_format = /%d/%u
- query = SELECT DISTINCT '%s'
- FROM mailboxes
- WHERE active = 1
- AND (
- (domain = '%d' AND user = '%u' AND regex = 0)
- OR (
- regex = 1
- AND '%d' REGEXP CONCAT('^',domain,'$')
- AND '%u' REGEXP CONCAT('^',user,'$')
- )
- )
- LIMIT 1
+ server_host = ldaps://${config.myEnv.mail.dovecot.ldap.host}:636
+ search_base = ${config.myEnv.mail.dovecot.ldap.base}
+ query_filter = ${config.myEnv.mail.dovecot.ldap.postfix_mailbox_filter}
+ bind_dn = ${config.myEnv.mail.dovecot.ldap.dn}
+ bind_pw = ${config.myEnv.mail.dovecot.ldap.password}
+ result_attribute = immaePostfixAddress
+ result_format = dummy
+ version = 3
'';
}
{
hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
dbname = ${config.myEnv.mail.postfix.mysql.database}
query = SELECT DISTINCT destination
- FROM forwardings_merge
+ FROM forwardings
WHERE
- ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
+ (
+ (regex = 1 AND CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') REGEXP CONCAT('^',source,'$') )
+ OR
+ (regex = 0 AND source = CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d'))
+ )
AND active = 1
- UNION SELECT '%s' AS destination
+ UNION SELECT CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') AS destination
'';
}
{
networking.firewall.allowedTCPPorts = [ 25 465 587 ];
- nixpkgs.overlays = [ (self: super: {
- postfix = super.postfix.override { withMySQL = true; };
- }) ];
users.users."${config.services.postfix.user}".extraGroups = [ "keys" ];
services.filesWatcher.postfix = {
restart = true;
paths = [
config.secrets.fullPaths."postfix/mysql_alias_maps"
- config.secrets.fullPaths."postfix/mysql_mailbox_maps"
+ config.secrets.fullPaths."postfix/ldap_mailboxes"
config.secrets.fullPaths."postfix/mysql_sender_login_maps"
config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"
];
);
};
sasl_access = {
- host_sender_login = pkgs.writeText "host-sender-login"
- (builtins.concatStringsSep "\n" (lib.flatten (lib.attrsets.mapAttrsToList
- (n: v: (map (e: "${e} ${n}@immae.eu") v.emails)) config.myEnv.servers)));
- host_dummy_mailboxes = pkgs.writeText "host-virtual-mailbox"
- (builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v: "${n}@immae.eu dummy") nodes));
+ host_sender_login = with lib.attrsets; let
+ addresses = zipAttrs (lib.flatten (mapAttrsToList
+ (n: v: (map (e: { "${e}" = "${n}@immae.eu"; }) v.emails)) config.myEnv.servers));
+ joined = builtins.concatStringsSep ",";
+ in pkgs.writeText "host-sender-login"
+ (builtins.concatStringsSep "\n" (mapAttrsToList (n: v: "${n} ${joined v}") addresses));
};
in
recipient_maps // relay_restrictions // virtual_map // sasl_access;
alias_database = "\$alias_maps";
### Virtual mailboxes config
- virtual_alias_maps = "hash:/etc/postfix/virtual mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"} ldap:${config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"}";
+ virtual_alias_maps = [
+ "hash:/etc/postfix/virtual"
+ "mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"}"
+ "ldap:${config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"}"
+ ];
virtual_mailbox_domains = config.myEnv.mail.postfix.additional_mailbox_domains
- ++ lib.remove "localhost.immae.eu" (lib.remove null (lib.flatten (map
+ ++ lib.remove null (lib.flatten (map
(zone: map
(e: if e.receive
then "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}"
(zone.withEmail or [])
)
config.myEnv.dns.masterZones
- )));
- virtual_mailbox_maps = "hash:/etc/postfix/host_dummy_mailboxes mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}";
+ ));
+ virtual_mailbox_maps = [
+ "ldap:${config.secrets.fullPaths."postfix/ldap_mailboxes"}"
+ ];
dovecot_destination_recipient_limit = "1";
virtual_transport = "dovecot";
"unix:${config.myServices.mail.milters.sockets.openarc}"
"unix:${config.myServices.mail.milters.sockets.opendmarc}"
];
+
+ smtp_use_tls = true;
+ smtpd_use_tls = true;
+ smtpd_tls_chain_files = builtins.concatStringsSep "," [ "/var/lib/acme/mail/full.pem" "/var/lib/acme/mail-rsa/full.pem" ];
+
+ maximal_queue_lifetime = "6w";
+ bounce_queue_lifetime = "6w";
};
enable = true;
enableSmtp = true;
];
smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
milter_macro_daemon_name = "ORIGINATING";
- smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}";
+ smtpd_milters = builtins.concatStringsSep "," [
+ # FIXME: put it back when opensmtpd is upgraded and able to
+ # rewrite the from header
+ #"unix:/run/milter_verify_from/verify_from.sock"
+ "unix:${config.myServices.mail.milters.sockets.opendkim}"
+ ];
};
- # FIXME: Mail adressed to localhost.immae.eu will still have mx-1 as
- # prioritized MX, which provokes "mail for localhost.immae.eu loops
- # back to myself" errors. This transport entry forces to push
- # e-mails to its right destination.
- transport = ''
- localhost.immae.eu smtp:[immae.eu]:25
- '';
destination = ["localhost"];
# This needs to reverse DNS
hostname = config.hostEnv.fqdn;
setSendmail = true;
- sslCert = "/var/lib/acme/mail/fullchain.pem";
- sslKey = "/var/lib/acme/mail/key.pem";
recipientDelimiter = "+";
masterConfig = {
submissions = {
${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f "$sender" -a "$original_recipient" -d "$user"
'';
in [
- "flags=DRhu" "user=vhost:vhost"
+ "flags=ODRhu" "user=vhost:vhost"
"argv=${rspamc_dovecot}/bin/rspamc_dovecot \${sender} \${original_recipient} \${user}@\${nexthop}"
];
};
};
};
- security.acme2.certs."mail" = {
+ security.acme.certs."mail" = {
+ postRun = ''
+ systemctl restart postfix.service
+ '';
+ extraDomains = {
+ "smtp.immae.eu" = null;
+ };
+ };
+ security.acme.certs."mail-rsa" = {
postRun = ''
systemctl restart postfix.service
'';