X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fmail%2Fpostfix.nix;h=46d45c188cbc549f1199897fcc5d670147923ed2;hb=418a4ed7da43fab53c18f99237bc296e37f47d2c;hp=2af184907ee918c27585c0192a074179b59a9cf2;hpb=ef0a9217fba817d7fb71ccd4cca65919dd89ebec;p=perso%2FImmae%2FConfig%2FNix.git diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix index 2af1849..46d45c1 100644 --- a/modules/private/mail/postfix.nix +++ b/modules/private/mail/postfix.nix @@ -18,7 +18,7 @@ hosts = unix:${config.myEnv.mail.postfix.mysql.socket} dbname = ${config.myEnv.mail.postfix.mysql.database} query = SELECT DISTINCT destination - FROM forwardings_merge + FROM forwardings WHERE ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s')) AND active = 1 @@ -73,11 +73,15 @@ hosts = unix:${config.myEnv.mail.postfix.mysql.socket} dbname = ${config.myEnv.mail.postfix.mysql.database} query = SELECT DISTINCT destination - FROM forwardings_merge + FROM forwardings WHERE - ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s')) + ( + (regex = 1 AND CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') REGEXP CONCAT('^',source,'$') ) + OR + (regex = 0 AND source = CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d')) + ) AND active = 1 - UNION SELECT '%s' AS destination + UNION SELECT CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') AS destination ''; } { @@ -171,9 +175,6 @@ networking.firewall.allowedTCPPorts = [ 25 465 587 ]; - nixpkgs.overlays = [ (self: super: { - postfix = super.postfix.override { withMySQL = true; }; - }) ]; users.users."${config.services.postfix.user}".extraGroups = [ "keys" ]; services.filesWatcher.postfix = { restart = true; @@ -274,7 +275,7 @@ in pkgs.writeText "host-sender-login" (builtins.concatStringsSep "\n" (mapAttrsToList (n: v: "${n} ${joined v}") addresses)); host_dummy_mailboxes = pkgs.writeText "host-virtual-mailbox" - (builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v: "${n}@immae.eu dummy") nodes)); + (builtins.concatStringsSep "\n" (["immae-eu@immae.eu dummy"] ++ lib.attrsets.mapAttrsToList (n: v: "${n}@immae.eu dummy") nodes)); }; in recipient_maps // relay_restrictions // virtual_map // sasl_access; @@ -290,9 +291,13 @@ alias_database = "\$alias_maps"; ### Virtual mailboxes config - virtual_alias_maps = "hash:/etc/postfix/virtual mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"} ldap:${config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"}"; + virtual_alias_maps = [ + "hash:/etc/postfix/virtual" + "mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"}" + "ldap:${config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"}" + ]; virtual_mailbox_domains = config.myEnv.mail.postfix.additional_mailbox_domains - ++ lib.remove "localhost.immae.eu" (lib.remove null (lib.flatten (map + ++ lib.remove null (lib.flatten (map (zone: map (e: if e.receive then "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}" @@ -301,8 +306,11 @@ (zone.withEmail or []) ) config.myEnv.dns.masterZones - ))); - virtual_mailbox_maps = "hash:/etc/postfix/host_dummy_mailboxes mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}"; + )); + virtual_mailbox_maps = [ + "hash:/etc/postfix/host_dummy_mailboxes" + "mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}" + ]; dovecot_destination_recipient_limit = "1"; virtual_transport = "dovecot"; @@ -350,6 +358,13 @@ "unix:${config.myServices.mail.milters.sockets.openarc}" "unix:${config.myServices.mail.milters.sockets.opendmarc}" ]; + + smtp_use_tls = true; + smtpd_use_tls = true; + smtpd_tls_chain_files = builtins.concatStringsSep "," [ "/var/lib/acme/mail/full.pem" "/var/lib/acme/mail-rsa/full.pem" ]; + + maximal_queue_lifetime = "6w"; + bounce_queue_lifetime = "6w"; }; enable = true; enableSmtp = true; @@ -377,21 +392,17 @@ ]; smtpd_recipient_restrictions = "permit_sasl_authenticated,reject"; milter_macro_daemon_name = "ORIGINATING"; - smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}"; + smtpd_milters = builtins.concatStringsSep "," [ + # FIXME: put it back when opensmtpd is upgraded and able to + # rewrite the from header + #"unix:/run/milter_verify_from/verify_from.sock" + "unix:${config.myServices.mail.milters.sockets.opendkim}" + ]; }; - # FIXME: Mail adressed to localhost.immae.eu will still have mx-1 as - # prioritized MX, which provokes "mail for localhost.immae.eu loops - # back to myself" errors. This transport entry forces to push - # e-mails to its right destination. - transport = '' - localhost.immae.eu smtp:[immae.eu]:25 - ''; destination = ["localhost"]; # This needs to reverse DNS hostname = config.hostEnv.fqdn; setSendmail = true; - sslCert = "/var/lib/acme/mail/fullchain.pem"; - sslKey = "/var/lib/acme/mail/key.pem"; recipientDelimiter = "+"; masterConfig = { submissions = { @@ -430,7 +441,15 @@ }; }; }; - security.acme2.certs."mail" = { + security.acme.certs."mail" = { + postRun = '' + systemctl restart postfix.service + ''; + extraDomains = { + "smtp.immae.eu" = null; + }; + }; + security.acme.certs."mail-rsa" = { postRun = '' systemctl restart postfix.service '';