X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fmail%2Fpostfix.nix;h=ae98a8a8c82e0d5d0ba2f20b4eae4cc442a0ee93;hb=5315b439af1f72c3282549508ae58d86d66e38ec;hp=0c95df57eb68e826aff10f2dd8d0f4af85de2191;hpb=22b4bd78a10b49272cfd345d379703cae4ab5d3d;p=perso%2FImmae%2FConfig%2FNix.git diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix index 0c95df5..ae98a8a 100644 --- a/modules/private/mail/postfix.nix +++ b/modules/private/mail/postfix.nix @@ -1,12 +1,8 @@ { lib, pkgs, config, nodes, ... }: { config = lib.mkIf config.myServices.mail.enable { - services.duplyBackup.profiles.mail.excludeFile = '' - + /var/lib/postfix - ''; - secrets.keys = [ - { - dest = "postfix/mysql_alias_maps"; + secrets.keys = { + "postfix/mysql_alias_maps" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -32,9 +28,8 @@ FROM forwardings_blacklisted WHERE source = '%s' ''; - } - { - dest = "postfix/ldap_mailboxes"; + }; + "postfix/ldap_mailboxes" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -48,9 +43,8 @@ result_format = dummy version = 3 ''; - } - { - dest = "postfix/mysql_sender_login_maps"; + }; + "postfix/mysql_sender_login_maps" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -72,9 +66,8 @@ AND active = 1 UNION SELECT CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') AS destination ''; - } - { - dest = "postfix/mysql_sender_relays_maps"; + }; + "postfix/mysql_sender_relays_maps" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -102,9 +95,8 @@ ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s')) AND active = 1 ''; - } - { - dest = "postfix/mysql_sender_relays_hosts"; + }; + "postfix/mysql_sender_relays_hosts" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -122,9 +114,8 @@ ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s')) AND active = 1 ''; - } - { - dest = "postfix/mysql_sender_relays_creds"; + }; + "postfix/mysql_sender_relays_creds" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -142,9 +133,8 @@ ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s')) AND active = 1 ''; - } - { - dest = "postfix/ldap_ejabberd_users_immae_fr"; + }; + "postfix/ldap_ejabberd_users_immae_fr" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -159,11 +149,21 @@ result_format = ejabberd@localhost version = 3 ''; - } - ]; + }; + } // lib.mapAttrs' (name: v: lib.nameValuePair "postfix/scripts/${name}-env" { + user = "postfixscripts"; + group = "root"; + permissions = "0400"; + text = builtins.toJSON v.env; + }) config.myEnv.mail.scripts; networking.firewall.allowedTCPPorts = [ 25 465 587 ]; + users.users.postfixscripts = { + group = "keys"; + uid = config.ids.uids.postfixscripts; + description = "Postfix scripts user"; + }; users.users."${config.services.postfix.user}".extraGroups = [ "keys" ]; services.filesWatcher.postfix = { restart = true; @@ -209,7 +209,7 @@ fi ''; scripts = lib.attrsets.mapAttrs (n: v: - toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = v.env; }) + toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = config.secrets.fullPaths."postfix/scripts/${n}-env"; }) ) config.myEnv.mail.scripts // { testmail = pkgs.writeScript "testmail" '' #! ${pkgs.stdenv.shell} @@ -277,6 +277,9 @@ mailbox_size_limit = "1073741825"; # Workaround, local delivered mails should all go through scripts alias_database = "\$alias_maps"; + ### Aliases scripts user + default_privs = "postfixscripts"; + ### Virtual mailboxes config virtual_alias_maps = [ "hash:/etc/postfix/virtual" @@ -421,7 +424,7 @@ ${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f "$sender" -a "$original_recipient" -d "$user" ''; in [ - "flags=DRhu" "user=vhost:vhost" + "flags=ODRhu" "user=vhost:vhost" "argv=${rspamc_dovecot}/bin/rspamc_dovecot \${sender} \${original_recipient} \${user}@\${nexthop}" ]; }; @@ -454,14 +457,15 @@ in "${cfg'.mail_address}${sep}${host'}@${cfg'.mail_domain}"; mails_to_receive = builtins.concatStringsSep " " (map (to_email cfg) reverseTargets); in '' - install -m 0555 -o nobody -g nogroup -d /var/lib/naemon/checks/email + install -m 0555 -o postfixscripts -g keys -d /var/lib/naemon/checks/email for f in ${mails_to_receive}; do if [ ! -f /var/lib/naemon/checks/email/$f ]; then - install -m 0644 -o nobody -g nogroup /dev/null -T /var/lib/naemon/checks/email/$f + install -m 0644 -o postfixscripts -g keys /dev/null -T /var/lib/naemon/checks/email/$f touch -m -d @0 /var/lib/naemon/checks/email/$f fi done ''; }; + systemd.services.postfix.serviceConfig.Slice = "mail.slice"; }; }