[perso/Immae/Config/Nix.git] / modules / private / mail / postfix.nix

{ lib, pkgs, config, myconfig,  ... }:
{
  config = lib.mkIf config.myServices.mail.enable {
    services.backup.profiles.mail.excludeFile = ''
      + /var/lib/postfix
      '';
    secrets.keys = [
      {
        dest = "postfix/mysql_alias_maps";
        user = config.services.postfix.user;
        group = config.services.postfix.group;
        permissions = "0440";
        text = ''
          # We need to specify that option to trigger ssl connection
          tls_ciphers = TLSv1.2
          user = ${myconfig.env.mail.postfix.mysql.user}
          password = ${myconfig.env.mail.postfix.mysql.password}
          hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
          dbname = ${myconfig.env.mail.postfix.mysql.database}
          query = SELECT DISTINCT destination
            FROM forwardings_merge
            WHERE
              ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
              AND active = 1
              AND '%s' NOT IN
              (
                SELECT source
                FROM forwardings_blacklisted
                WHERE source = '%s'
              ) UNION
              SELECT 'devnull@immae.eu'
              FROM forwardings_blacklisted
              WHERE source = '%s'
          '';
      }
      {
        dest = "postfix/mysql_mailbox_maps";
        user = config.services.postfix.user;
        group = config.services.postfix.group;
        permissions = "0440";
        text = ''
          # We need to specify that option to trigger ssl connection
          tls_ciphers = TLSv1.2
          user = ${myconfig.env.mail.postfix.mysql.user}
          password = ${myconfig.env.mail.postfix.mysql.password}
          hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
          dbname = ${myconfig.env.mail.postfix.mysql.database}
          result_format = /%d/%u
          query = SELECT DISTINCT '%s'
            FROM mailboxes
            WHERE active = 1
            AND (
              (domain = '%d' AND user = '%u' AND regex = 0)
              OR (
                regex = 1
                AND '%d' REGEXP CONCAT('^',domain,'$')
                AND '%u' REGEXP CONCAT('^',user,'$')
              )
            )
            LIMIT 1
        '';
      }
      {
        dest = "postfix/mysql_sender_login_maps";
        user = config.services.postfix.user;
        group = config.services.postfix.group;
        permissions = "0440";
        text = ''
          # We need to specify that option to trigger ssl connection
          tls_ciphers = TLSv1.2
          user = ${myconfig.env.mail.postfix.mysql.user}
          password = ${myconfig.env.mail.postfix.mysql.password}
          hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
          dbname = ${myconfig.env.mail.postfix.mysql.database}
          query = SELECT DISTINCT destination
            FROM forwardings_merge
            WHERE
              ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
              AND active = 1
            UNION SELECT '%s' AS destination
          '';
      }
    ];

    networking.firewall.allowedTCPPorts = [ 25 465 587 ];

    nixpkgs.overlays = [ (self: super: {
      postfix = super.postfix.override { withMySQL = true; };
    }) ];
    users.users."${config.services.postfix.user}".extraGroups = [ "keys" ];
    services.filesWatcher.postfix = {
      restart = true;
      paths = [
        config.secrets.fullPaths."postfix/mysql_alias_maps"
        config.secrets.fullPaths."postfix/mysql_mailbox_maps"
        config.secrets.fullPaths."postfix/mysql_sender_login_maps"
      ];
    };
    services.postfix = {
      mapFiles = let
        recipient_maps = let
          name = n: i: "relay_${n}_${toString i}";
          pair = n: i: m: lib.attrsets.nameValuePair (name n i) (
            if m.type == "hash"
            then pkgs.writeText (name n i) m.content
            else null
          );
          pairs = n: v: lib.imap1 (i: m: pair n i m) v.recipient_maps;
        in lib.attrsets.filterAttrs (k: v: v != null) (
          lib.attrsets.listToAttrs (lib.flatten (
            lib.attrsets.mapAttrsToList pairs myconfig.env.mail.postfix.backup_domains
          ))
        );
        relay_restrictions = lib.attrsets.filterAttrs (k: v: v != null) (
          lib.attrsets.mapAttrs' (n: v:
            lib.attrsets.nameValuePair "recipient_access_${n}" (
              if lib.attrsets.hasAttr "relay_restrictions" v
              then pkgs.writeText "recipient_access_${n}" v.relay_restrictions
              else null
            )
          ) myconfig.env.mail.postfix.backup_domains
        );
      in
        recipient_maps // relay_restrictions;
      config = {
        ### postfix module overrides
        readme_directory = "${pkgs.postfix}/share/postfix/doc";
        smtp_tls_CAfile = lib.mkForce "";
        smtp_tls_cert_file = lib.mkForce "";
        smtp_tls_key_file = lib.mkForce "";

        message_size_limit = "1073741824"; # Don't put 0 here, it's not equivalent to "unlimited"
        alias_database = "\$alias_maps";

        ### Virtual mailboxes config
        virtual_alias_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"}";
        virtual_mailbox_domains = myconfig.env.mail.postfix.additional_mailbox_domains
        ++ lib.remove "localhost.immae.eu" (lib.remove null (lib.flatten (map
            (zone: map
              (e: if e.receive
              then "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}"
              else null
              )
              (zone.withEmail or [])
            )
            myconfig.env.dns.masterZones
          )));
        virtual_mailbox_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}";
        dovecot_destination_recipient_limit = "1";
        virtual_transport = "dovecot";

        ### Relay domains
        relay_domains = lib.flatten (lib.attrsets.mapAttrsToList (n: v: v.domains or []) myconfig.env.mail.postfix.backup_domains);
        relay_recipient_maps = lib.flatten (lib.attrsets.mapAttrsToList (n: v:
          lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps
        ) myconfig.env.mail.postfix.backup_domains);
        smtpd_relay_restrictions = [
          "permit_mynetworks"
          "permit_sasl_authenticated"
          "defer_unauth_destination"
        ] ++ lib.flatten (lib.attrsets.mapAttrsToList (n: v:
          if lib.attrsets.hasAttr "relay_restrictions" v
          then [ "check_recipient_access hash:/etc/postfix/recipient_access_${n}" ]
          else []
        ) myconfig.env.mail.postfix.backup_domains);

        ### Additional smtpd configuration
        smtpd_tls_received_header = "yes";
        smtpd_tls_loglevel = "1";

        ### Email sending configuration
        smtp_tls_security_level = "may";
        smtp_tls_loglevel = "1";

        ### Force ip bind for smtp
        smtp_bind_address  = myconfig.env.servers.eldiron.ips.main.ip4;
        smtp_bind_address6 = builtins.head myconfig.env.servers.eldiron.ips.main.ip6;

        # #Unneeded if postfix can only send e-mail from "self" domains
        # #smtp_sasl_auth_enable = "yes";
        # #smtp_sasl_password_maps = "hash:/etc/postfix/relay_creds";
        # #smtp_sasl_security_options = "noanonymous";
        # #smtp_sender_dependent_authentication = "yes";
        # #sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay";

        ### opendkim, opendmarc, openarc milters
        non_smtpd_milters = [
          "unix:${config.myServices.mail.milters.sockets.opendkim}"
          "unix:${config.myServices.mail.milters.sockets.opendmarc}"
          "unix:${config.myServices.mail.milters.sockets.openarc}"
        ];
        smtpd_milters = [
          "unix:${config.myServices.mail.milters.sockets.opendkim}"
          "unix:${config.myServices.mail.milters.sockets.opendmarc}"
          "unix:${config.myServices.mail.milters.sockets.openarc}"
        ];
      };
      enable = true;
      enableSmtp = true;
      enableSubmission = true;
      submissionOptions = {
        smtpd_tls_security_level = "encrypt";
        smtpd_sasl_auth_enable = "yes";
        smtpd_tls_auth_only = "yes";
        smtpd_sasl_tls_security_options = "noanonymous";
        smtpd_sasl_type = "dovecot";
        smtpd_sasl_path = "private/auth";
        smtpd_reject_unlisted_recipient = "no";
        smtpd_client_restrictions = "permit_sasl_authenticated,reject";
        # Refuse to send e-mails with a From that is not handled
        smtpd_sender_restrictions =
          "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
        smtpd_sender_login_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}";
        smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
        milter_macro_daemon_name = "ORIGINATING";
        smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}";
      };
      # FIXME: Mail adressed to localhost.immae.eu will still have mx-1 as
      # prioritized MX, which provokes "mail for localhost.immae.eu loops
      # back to myself" errors. This transport entry forces to push
      # e-mails to its right destination.
      transport = ''
        localhost.immae.eu   smtp:[immae.eu]:25
        '';
      destination = ["localhost"];
      # This needs to reverse DNS
      hostname = "eldiron.immae.eu";
      setSendmail = true;
      sslCert = "/var/lib/acme/mail/fullchain.pem";
      sslKey = "/var/lib/acme/mail/key.pem";
      recipientDelimiter = "+";
      masterConfig = {
        submissions = {
          type = "inet";
          private = false;
          command = "smtpd";
          args = ["-o" "smtpd_tls_wrappermode=yes" ] ++ (let
            mkKeyVal = opt: val: [ "-o" (opt + "=" + val) ];
          in lib.concatLists (lib.mapAttrsToList mkKeyVal config.services.postfix.submissionOptions)
          );
        };
        dovecot = {
          type = "unix";
          privileged = true;
          chroot = false;
          command = "pipe";
          args = let
            # rspamd could be used as a milter, but then it cannot apply
            # its checks "per user" (milter is not yet dispatched to
            # users), so we wrap dovecot-lda inside rspamc per recipient
            # here.
            dovecot_exe = "${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f \${sender} -a \${original_recipient} -d \${user}@\${nexthop}";
          in [
            "flags=DRhu" "user=vhost:vhost"
            "argv=${pkgs.rspamd}/bin/rspamc -h ${config.myServices.mail.rspamd.sockets.worker-controller} -c bayes -d \${user}@\${nexthop} --mime --exec {${dovecot_exe}}"
          ];
        };
      };
    };
    security.acme.certs."mail" = {
      postRun = ''
        systemctl restart postfix.service
        '';
      extraDomains = {
        "smtp.immae.eu" = null;
      };
    };
  };
}
Commit	Line	Data
a929614f IB	1	{ lib, pkgs, config, myconfig, ... }:
a929614f IB	2	{
8415083e IB	3	config = lib.mkIf config.myServices.mail.enable {
	4	services.backup.profiles.mail.excludeFile = ''
	5	+ /var/lib/postfix
	6	'';
	7	secrets.keys = [
	8	{
	9	dest = "postfix/mysql_alias_maps";
	10	user = config.services.postfix.user;
	11	group = config.services.postfix.group;
	12	permissions = "0440";
	13	text = ''
	14	# We need to specify that option to trigger ssl connection
	15	tls_ciphers = TLSv1.2
	16	user = ${myconfig.env.mail.postfix.mysql.user}
	17	password = ${myconfig.env.mail.postfix.mysql.password}
	18	hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
	19	dbname = ${myconfig.env.mail.postfix.mysql.database}
	20	query = SELECT DISTINCT destination
	21	FROM forwardings_merge
	22	WHERE
	23	((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
	24	AND active = 1
	25	AND '%s' NOT IN
	26	(
	27	SELECT source
	28	FROM forwardings_blacklisted
	29	WHERE source = '%s'
	30	) UNION
	31	SELECT 'devnull@immae.eu'
a929614f IB	32	FROM forwardings_blacklisted
a929614f IB	33	WHERE source = '%s'
8415083e IB	34	'';
	35	}
	36	{
	37	dest = "postfix/mysql_mailbox_maps";
	38	user = config.services.postfix.user;
	39	group = config.services.postfix.group;
	40	permissions = "0440";
	41	text = ''
	42	# We need to specify that option to trigger ssl connection
	43	tls_ciphers = TLSv1.2
	44	user = ${myconfig.env.mail.postfix.mysql.user}
	45	password = ${myconfig.env.mail.postfix.mysql.password}
	46	hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
	47	dbname = ${myconfig.env.mail.postfix.mysql.database}
	48	result_format = /%d/%u
	49	query = SELECT DISTINCT '%s'
	50	FROM mailboxes
	51	WHERE active = 1
	52	AND (
	53	(domain = '%d' AND user = '%u' AND regex = 0)
	54	OR (
	55	regex = 1
	56	AND '%d' REGEXP CONCAT('^',domain,'$')
	57	AND '%u' REGEXP CONCAT('^',user,'$')
	58	)
a929614f	59	)
8415083e	60	LIMIT 1
a929614f	61	'';
8415083e IB	62	}
	63	{
	64	dest = "postfix/mysql_sender_login_maps";
	65	user = config.services.postfix.user;
	66	group = config.services.postfix.group;
	67	permissions = "0440";
	68	text = ''
	69	# We need to specify that option to trigger ssl connection
	70	tls_ciphers = TLSv1.2
	71	user = ${myconfig.env.mail.postfix.mysql.user}
	72	password = ${myconfig.env.mail.postfix.mysql.password}
	73	hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
	74	dbname = ${myconfig.env.mail.postfix.mysql.database}
	75	query = SELECT DISTINCT destination
	76	FROM forwardings_merge
	77	WHERE
	78	((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
	79	AND active = 1
	80	UNION SELECT '%s' AS destination
	81	'';
	82	}
	83	];
a929614f	84
8415083e	85	networking.firewall.allowedTCPPorts = [ 25 465 587 ];
a929614f	86
8415083e IB	87	nixpkgs.overlays = [ (self: super: {
	88	postfix = super.postfix.override { withMySQL = true; };
	89	}) ];
	90	users.users."${config.services.postfix.user}".extraGroups = [ "keys" ];
	91	services.filesWatcher.postfix = {
	92	restart = true;
	93	paths = [
	94	config.secrets.fullPaths."postfix/mysql_alias_maps"
	95	config.secrets.fullPaths."postfix/mysql_mailbox_maps"
	96	config.secrets.fullPaths."postfix/mysql_sender_login_maps"
	97	];
	98	};
	99	services.postfix = {
	100	mapFiles = let
	101	recipient_maps = let
	102	name = n: i: "relay_${n}_${toString i}";
	103	pair = n: i: m: lib.attrsets.nameValuePair (name n i) (
	104	if m.type == "hash"
	105	then pkgs.writeText (name n i) m.content
04b2ab97	106	else null
8415083e IB	107	);
	108	pairs = n: v: lib.imap1 (i: m: pair n i m) v.recipient_maps;
	109	in lib.attrsets.filterAttrs (k: v: v != null) (
	110	lib.attrsets.listToAttrs (lib.flatten (
	111	lib.attrsets.mapAttrsToList pairs myconfig.env.mail.postfix.backup_domains
	112	))
	113	);
	114	relay_restrictions = lib.attrsets.filterAttrs (k: v: v != null) (
	115	lib.attrsets.mapAttrs' (n: v:
	116	lib.attrsets.nameValuePair "recipient_access_${n}" (
	117	if lib.attrsets.hasAttr "relay_restrictions" v
	118	then pkgs.writeText "recipient_access_${n}" v.relay_restrictions
	119	else null
	120	)
	121	) myconfig.env.mail.postfix.backup_domains
	122	);
	123	in
	124	recipient_maps // relay_restrictions;
	125	config = {
	126	### postfix module overrides
	127	readme_directory = "${pkgs.postfix}/share/postfix/doc";
	128	smtp_tls_CAfile = lib.mkForce "";
	129	smtp_tls_cert_file = lib.mkForce "";
	130	smtp_tls_key_file = lib.mkForce "";
a929614f	131
8415083e IB	132	message_size_limit = "1073741824"; # Don't put 0 here, it's not equivalent to "unlimited"
8415083e IB	133	alias_database = "\$alias_maps";
a929614f	134
8415083e IB	135	### Virtual mailboxes config
	136	virtual_alias_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"}";
	137	virtual_mailbox_domains = myconfig.env.mail.postfix.additional_mailbox_domains
	138	++ lib.remove "localhost.immae.eu" (lib.remove null (lib.flatten (map
	139	(zone: map
	140	(e: if e.receive
	141	then "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}"
	142	else null
	143	)
	144	(zone.withEmail or [])
a929614f	145	)
8415083e IB	146	myconfig.env.dns.masterZones
	147	)));
	148	virtual_mailbox_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}";
	149	dovecot_destination_recipient_limit = "1";
	150	virtual_transport = "dovecot";
a929614f	151
8415083e IB	152	### Relay domains
	153	relay_domains = lib.flatten (lib.attrsets.mapAttrsToList (n: v: v.domains or []) myconfig.env.mail.postfix.backup_domains);
	154	relay_recipient_maps = lib.flatten (lib.attrsets.mapAttrsToList (n: v:
	155	lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps
	156	) myconfig.env.mail.postfix.backup_domains);
	157	smtpd_relay_restrictions = [
	158	"permit_mynetworks"
	159	"permit_sasl_authenticated"
	160	"defer_unauth_destination"
	161	] ++ lib.flatten (lib.attrsets.mapAttrsToList (n: v:
	162	if lib.attrsets.hasAttr "relay_restrictions" v
	163	then [ "check_recipient_access hash:/etc/postfix/recipient_access_${n}" ]
	164	else []
	165	) myconfig.env.mail.postfix.backup_domains);
a929614f	166
8415083e IB	167	### Additional smtpd configuration
	168	smtpd_tls_received_header = "yes";
	169	smtpd_tls_loglevel = "1";
a929614f	170
8415083e IB	171	### Email sending configuration
	172	smtp_tls_security_level = "may";
	173	smtp_tls_loglevel = "1";
a929614f	174
8415083e IB	175	### Force ip bind for smtp
	176	smtp_bind_address = myconfig.env.servers.eldiron.ips.main.ip4;
	177	smtp_bind_address6 = builtins.head myconfig.env.servers.eldiron.ips.main.ip6;
a929614f	178
8415083e IB	179	# #Unneeded if postfix can only send e-mail from "self" domains
	180	# #smtp_sasl_auth_enable = "yes";
	181	# #smtp_sasl_password_maps = "hash:/etc/postfix/relay_creds";
	182	# #smtp_sasl_security_options = "noanonymous";
	183	# #smtp_sender_dependent_authentication = "yes";
	184	# #sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay";
a929614f	185
8415083e IB	186	### opendkim, opendmarc, openarc milters
	187	non_smtpd_milters = [
	188	"unix:${config.myServices.mail.milters.sockets.opendkim}"
	189	"unix:${config.myServices.mail.milters.sockets.opendmarc}"
	190	"unix:${config.myServices.mail.milters.sockets.openarc}"
	191	];
	192	smtpd_milters = [
	193	"unix:${config.myServices.mail.milters.sockets.opendkim}"
	194	"unix:${config.myServices.mail.milters.sockets.opendmarc}"
	195	"unix:${config.myServices.mail.milters.sockets.openarc}"
a929614f IB	196	];
a929614f IB	197	};
8415083e IB	198	enable = true;
	199	enableSmtp = true;
	200	enableSubmission = true;
	201	submissionOptions = {
	202	smtpd_tls_security_level = "encrypt";
	203	smtpd_sasl_auth_enable = "yes";
	204	smtpd_tls_auth_only = "yes";
	205	smtpd_sasl_tls_security_options = "noanonymous";
	206	smtpd_sasl_type = "dovecot";
	207	smtpd_sasl_path = "private/auth";
	208	smtpd_reject_unlisted_recipient = "no";
	209	smtpd_client_restrictions = "permit_sasl_authenticated,reject";
	210	# Refuse to send e-mails with a From that is not handled
	211	smtpd_sender_restrictions =
	212	"reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
	213	smtpd_sender_login_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}";
	214	smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
	215	milter_macro_daemon_name = "ORIGINATING";
	216	smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}";
	217	};
	218	# FIXME: Mail adressed to localhost.immae.eu will still have mx-1 as
	219	# prioritized MX, which provokes "mail for localhost.immae.eu loops
	220	# back to myself" errors. This transport entry forces to push
	221	# e-mails to its right destination.
	222	transport = ''
	223	localhost.immae.eu smtp:[immae.eu]:25
	224	'';
	225	destination = ["localhost"];
	226	# This needs to reverse DNS
	227	hostname = "eldiron.immae.eu";
	228	setSendmail = true;
	229	sslCert = "/var/lib/acme/mail/fullchain.pem";
	230	sslKey = "/var/lib/acme/mail/key.pem";
	231	recipientDelimiter = "+";
	232	masterConfig = {
	233	submissions = {
	234	type = "inet";
	235	private = false;
	236	command = "smtpd";
	237	args = ["-o" "smtpd_tls_wrappermode=yes" ] ++ (let
	238	mkKeyVal = opt: val: [ "-o" (opt + "=" + val) ];
	239	in lib.concatLists (lib.mapAttrsToList mkKeyVal config.services.postfix.submissionOptions)
	240	);
	241	};
	242	dovecot = {
	243	type = "unix";
	244	privileged = true;
	245	chroot = false;
	246	command = "pipe";
	247	args = let
	248	# rspamd could be used as a milter, but then it cannot apply
	249	# its checks "per user" (milter is not yet dispatched to
	250	# users), so we wrap dovecot-lda inside rspamc per recipient
	251	# here.
	252	dovecot_exe = "${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f \${sender} -a \${original_recipient} -d \${user}@\${nexthop}";
	253	in [
	254	"flags=DRhu" "user=vhost:vhost"
	255	"argv=${pkgs.rspamd}/bin/rspamc -h ${config.myServices.mail.rspamd.sockets.worker-controller} -c bayes -d \${user}@\${nexthop} --mime --exec {${dovecot_exe}}"
	256	];
	257	};
	258	};
a929614f	259	};
8415083e IB	260	security.acme.certs."mail" = {
	261	postRun = ''
	262	systemctl restart postfix.service
	263	'';
	264	extraDomains = {
	265	"smtp.immae.eu" = null;
	266	};
a929614f IB	267	};
	268	};
	269	}