X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fmail%2Fpostfix.nix;h=054b93effc5665f76ab072032aa055093cf4abfb;hb=4c4652aabf2cb3ac8b40f2856eca07a1df9c27e0;hp=4791b418a60d9194c67cf8fa31ebbbaa49d47f60;hpb=5400b9b6f65451d41a9106fae6fc00f97d83f4ef;p=perso%2FImmae%2FConfig%2FNix.git diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix index 4791b41..054b93e 100644 --- a/modules/private/mail/postfix.nix +++ b/modules/private/mail/postfix.nix @@ -4,9 +4,8 @@ services.duplyBackup.profiles.mail.excludeFile = '' + /var/lib/postfix ''; - secrets.keys = [ - { - dest = "postfix/mysql_alias_maps"; + secrets.keys = { + "postfix/mysql_alias_maps" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -18,7 +17,7 @@ hosts = unix:${config.myEnv.mail.postfix.mysql.socket} dbname = ${config.myEnv.mail.postfix.mysql.database} query = SELECT DISTINCT destination - FROM forwardings_merge + FROM forwardings WHERE ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s')) AND active = 1 @@ -32,36 +31,23 @@ FROM forwardings_blacklisted WHERE source = '%s' ''; - } - { - dest = "postfix/mysql_mailbox_maps"; + }; + "postfix/ldap_mailboxes" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; text = '' - # We need to specify that option to trigger ssl connection - tls_ciphers = TLSv1.2 - user = ${config.myEnv.mail.postfix.mysql.user} - password = ${config.myEnv.mail.postfix.mysql.password} - hosts = unix:${config.myEnv.mail.postfix.mysql.socket} - dbname = ${config.myEnv.mail.postfix.mysql.database} - result_format = /%d/%u - query = SELECT DISTINCT '%s' - FROM mailboxes - WHERE active = 1 - AND ( - (domain = '%d' AND user = '%u' AND regex = 0) - OR ( - regex = 1 - AND '%d' REGEXP CONCAT('^',domain,'$') - AND '%u' REGEXP CONCAT('^',user,'$') - ) - ) - LIMIT 1 + server_host = ldaps://${config.myEnv.mail.dovecot.ldap.host}:636 + search_base = ${config.myEnv.mail.dovecot.ldap.base} + query_filter = ${config.myEnv.mail.dovecot.ldap.postfix_mailbox_filter} + bind_dn = ${config.myEnv.mail.dovecot.ldap.dn} + bind_pw = ${config.myEnv.mail.dovecot.ldap.password} + result_attribute = immaePostfixAddress + result_format = dummy + version = 3 ''; - } - { - dest = "postfix/mysql_sender_login_maps"; + }; + "postfix/mysql_sender_login_maps" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -73,15 +59,18 @@ hosts = unix:${config.myEnv.mail.postfix.mysql.socket} dbname = ${config.myEnv.mail.postfix.mysql.database} query = SELECT DISTINCT destination - FROM forwardings_merge + FROM forwardings WHERE - ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s')) + ( + (regex = 1 AND CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') REGEXP CONCAT('^',source,'$') ) + OR + (regex = 0 AND source = CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d')) + ) AND active = 1 - UNION SELECT '%s' AS destination + UNION SELECT CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') AS destination ''; - } - { - dest = "postfix/mysql_sender_relays_maps"; + }; + "postfix/mysql_sender_relays_maps" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -109,9 +98,8 @@ ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s')) AND active = 1 ''; - } - { - dest = "postfix/mysql_sender_relays_hosts"; + }; + "postfix/mysql_sender_relays_hosts" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -129,9 +117,8 @@ ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s')) AND active = 1 ''; - } - { - dest = "postfix/mysql_sender_relays_creds"; + }; + "postfix/mysql_sender_relays_creds" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -149,9 +136,8 @@ ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s')) AND active = 1 ''; - } - { - dest = "postfix/ldap_ejabberd_users_immae_fr"; + }; + "postfix/ldap_ejabberd_users_immae_fr" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -166,20 +152,27 @@ result_format = ejabberd@localhost version = 3 ''; - } - ]; + }; + } // lib.mapAttrs' (name: v: lib.nameValuePair "postfix/scripts/${name}-env" { + user = "postfixscripts"; + group = "root"; + permissions = "0400"; + text = builtins.toJSON v.env; + }) config.myEnv.mail.scripts; networking.firewall.allowedTCPPorts = [ 25 465 587 ]; - nixpkgs.overlays = [ (self: super: { - postfix = super.postfix.override { withMySQL = true; }; - }) ]; + users.users.postfixscripts = { + group = "keys"; + uid = config.ids.uids.postfixscripts; + description = "Postfix scripts user"; + }; users.users."${config.services.postfix.user}".extraGroups = [ "keys" ]; services.filesWatcher.postfix = { restart = true; paths = [ config.secrets.fullPaths."postfix/mysql_alias_maps" - config.secrets.fullPaths."postfix/mysql_mailbox_maps" + config.secrets.fullPaths."postfix/ldap_mailboxes" config.secrets.fullPaths."postfix/mysql_sender_login_maps" config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr" ]; @@ -219,7 +212,7 @@ fi ''; scripts = lib.attrsets.mapAttrs (n: v: - toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = v.env; }) + toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = config.secrets.fullPaths."postfix/scripts/${n}-env"; }) ) config.myEnv.mail.scripts // { testmail = pkgs.writeScript "testmail" '' #! ${pkgs.stdenv.shell} @@ -273,8 +266,6 @@ joined = builtins.concatStringsSep ","; in pkgs.writeText "host-sender-login" (builtins.concatStringsSep "\n" (mapAttrsToList (n: v: "${n} ${joined v}") addresses)); - host_dummy_mailboxes = pkgs.writeText "host-virtual-mailbox" - (builtins.concatStringsSep "\n" (["immae-eu@immae.eu dummy"] ++ lib.attrsets.mapAttrsToList (n: v: "${n}@immae.eu dummy") nodes)); }; in recipient_maps // relay_restrictions // virtual_map // sasl_access; @@ -289,8 +280,15 @@ mailbox_size_limit = "1073741825"; # Workaround, local delivered mails should all go through scripts alias_database = "\$alias_maps"; + ### Aliases scripts user + default_privs = "postfixscripts"; + ### Virtual mailboxes config - virtual_alias_maps = "hash:/etc/postfix/virtual mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"} ldap:${config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"}"; + virtual_alias_maps = [ + "hash:/etc/postfix/virtual" + "mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"}" + "ldap:${config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"}" + ]; virtual_mailbox_domains = config.myEnv.mail.postfix.additional_mailbox_domains ++ lib.remove null (lib.flatten (map (zone: map @@ -302,7 +300,9 @@ ) config.myEnv.dns.masterZones )); - virtual_mailbox_maps = "hash:/etc/postfix/host_dummy_mailboxes mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}"; + virtual_mailbox_maps = [ + "ldap:${config.secrets.fullPaths."postfix/ldap_mailboxes"}" + ]; dovecot_destination_recipient_limit = "1"; virtual_transport = "dovecot"; @@ -350,6 +350,13 @@ "unix:${config.myServices.mail.milters.sockets.openarc}" "unix:${config.myServices.mail.milters.sockets.opendmarc}" ]; + + smtp_use_tls = true; + smtpd_use_tls = true; + smtpd_tls_chain_files = builtins.concatStringsSep "," [ "/var/lib/acme/mail/full.pem" "/var/lib/acme/mail-rsa/full.pem" ]; + + maximal_queue_lifetime = "6w"; + bounce_queue_lifetime = "6w"; }; enable = true; enableSmtp = true; @@ -388,8 +395,6 @@ # This needs to reverse DNS hostname = config.hostEnv.fqdn; setSendmail = true; - sslCert = "/var/lib/acme/mail/fullchain.pem"; - sslKey = "/var/lib/acme/mail/key.pem"; recipientDelimiter = "+"; masterConfig = { submissions = { @@ -422,7 +427,7 @@ ${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f "$sender" -a "$original_recipient" -d "$user" ''; in [ - "flags=DRhu" "user=vhost:vhost" + "flags=ODRhu" "user=vhost:vhost" "argv=${rspamc_dovecot}/bin/rspamc_dovecot \${sender} \${original_recipient} \${user}@\${nexthop}" ]; }; @@ -436,6 +441,14 @@ "smtp.immae.eu" = null; }; }; + security.acme.certs."mail-rsa" = { + postRun = '' + systemctl restart postfix.service + ''; + extraDomains = { + "smtp.immae.eu" = null; + }; + }; system.activationScripts.testmail = { deps = [ "users" ]; text = let @@ -447,14 +460,15 @@ in "${cfg'.mail_address}${sep}${host'}@${cfg'.mail_domain}"; mails_to_receive = builtins.concatStringsSep " " (map (to_email cfg) reverseTargets); in '' - install -m 0555 -o nobody -g nogroup -d /var/lib/naemon/checks/email + install -m 0555 -o postfixscripts -g keys -d /var/lib/naemon/checks/email for f in ${mails_to_receive}; do if [ ! -f /var/lib/naemon/checks/email/$f ]; then - install -m 0644 -o nobody -g nogroup /dev/null -T /var/lib/naemon/checks/email/$f + install -m 0644 -o postfixscripts -g keys /dev/null -T /var/lib/naemon/checks/email/$f touch -m -d @0 /var/lib/naemon/checks/email/$f fi done ''; }; + systemd.services.postfix.serviceConfig.Slice = "mail.slice"; }; }