[perso/Immae/Config/Nix.git] / modules / private / mail / postfix.nix

{ lib, pkgs, config, myconfig,  ... }:
{
  config.services.backup.profiles.mail.excludeFile = ''
    + /var/lib/postfix
    '';
  config.secrets.keys = [
    {
      dest = "postfix/mysql_alias_maps";
      user = config.services.postfix.user;
      group = config.services.postfix.group;
      permissions = "0440";
      text = ''
        # We need to specify that option to trigger ssl connection
        tls_ciphers = TLSv1.2
        user = ${myconfig.env.mail.postfix.mysql.user}
        password = ${myconfig.env.mail.postfix.mysql.password}
        hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
        dbname = ${myconfig.env.mail.postfix.mysql.database}
        query = SELECT DISTINCT destination
          FROM forwardings_merge
          WHERE
            ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
            AND active = 1
            AND '%s' NOT IN
            (
              SELECT source
              FROM forwardings_blacklisted
              WHERE source = '%s'
            ) UNION
            SELECT 'devnull@immae.eu'
            FROM forwardings_blacklisted
            WHERE source = '%s'
        '';
    }
    {
      dest = "postfix/mysql_mailbox_maps";
      user = config.services.postfix.user;
      group = config.services.postfix.group;
      permissions = "0440";
      text = ''
        # We need to specify that option to trigger ssl connection
        tls_ciphers = TLSv1.2
        user = ${myconfig.env.mail.postfix.mysql.user}
        password = ${myconfig.env.mail.postfix.mysql.password}
        hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
        dbname = ${myconfig.env.mail.postfix.mysql.database}
        result_format = /%d/%u
        query = SELECT DISTINCT '%s'
          FROM mailboxes
          WHERE active = 1
          AND (
            (domain = '%d' AND user = '%u' AND regex = 0)
            OR (
              regex = 1
              AND '%d' REGEXP CONCAT('^',domain,'$')
              AND '%u' REGEXP CONCAT('^',user,'$')
            )
          )
          LIMIT 1
      '';
    }
    {
      dest = "postfix/mysql_sender_login_maps";
      user = config.services.postfix.user;
      group = config.services.postfix.group;
      permissions = "0440";
      text = ''
        # We need to specify that option to trigger ssl connection
        tls_ciphers = TLSv1.2
        user = ${myconfig.env.mail.postfix.mysql.user}
        password = ${myconfig.env.mail.postfix.mysql.password}
        hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
        dbname = ${myconfig.env.mail.postfix.mysql.database}
        query = SELECT DISTINCT destination
          FROM forwardings_merge
          WHERE
            ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
            AND active = 1
          UNION SELECT '%s' AS destination
        '';
    }
  ];

  config.networking.firewall.allowedTCPPorts = [ 25 465 587 ];

  config.nixpkgs.overlays = [ (self: super: {
    postfix = super.postfix.override { withMySQL = true; };
  }) ];
  config.users.users."${config.services.postfix.user}".extraGroups = [ "keys" ];
  config.services.filesWatcher.postfix = {
    restart = true;
    paths = [
      config.secrets.fullPaths."postfix/mysql_alias_maps"
      config.secrets.fullPaths."postfix/mysql_mailbox_maps"
      config.secrets.fullPaths."postfix/mysql_sender_login_maps"
    ];
  };
  config.services.postfix = {
    mapFiles = let
      recipient_maps = let
        name = n: i: "relay_${n}_${toString i}";
        pair = n: i: m: lib.attrsets.nameValuePair (name n i) (
          if m.type == "hash"
          then pkgs.writeText (name n i) m.content
          else null
        );
        pairs = n: v: lib.imap1 (i: m: pair n i m) v.recipient_maps;
      in lib.attrsets.filterAttrs (k: v: v != null) (
        lib.attrsets.listToAttrs (lib.flatten (
          lib.attrsets.mapAttrsToList pairs myconfig.env.mail.postfix.backup_domains
        ))
      );
      relay_restrictions = lib.attrsets.filterAttrs (k: v: v != null) (
        lib.attrsets.mapAttrs' (n: v:
          lib.attrsets.nameValuePair "recipient_access_${n}" (
            if lib.attrsets.hasAttr "relay_restrictions" v
            then pkgs.writeText "recipient_access_${n}" v.relay_restrictions
            else null
          )
        ) myconfig.env.mail.postfix.backup_domains
      );
    in
      recipient_maps // relay_restrictions;
    config = {
      ### postfix module overrides
      readme_directory = "${pkgs.postfix}/share/postfix/doc";
      smtp_tls_CAfile = lib.mkForce "";
      smtp_tls_cert_file = lib.mkForce "";
      smtp_tls_key_file = lib.mkForce "";

      message_size_limit = "1073741824"; # Don't put 0 here, it's not equivalent to "unlimited"
      alias_database = "\$alias_maps";

      ### Virtual mailboxes config
      virtual_alias_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"}";
      virtual_mailbox_domains = myconfig.env.mail.postfix.additional_mailbox_domains
       ++ lib.remove "localhost.immae.eu" (lib.remove null (lib.flatten (map
          (zone: map
            (e: if e.receive
            then "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}"
            else null
            )
            (zone.withEmail or [])
          )
          myconfig.env.dns.masterZones
        )));
      virtual_mailbox_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}";
      dovecot_destination_recipient_limit = "1";
      virtual_transport = "dovecot";

      ### Relay domains
      relay_domains = lib.flatten (lib.attrsets.mapAttrsToList (n: v: v.domains or []) myconfig.env.mail.postfix.backup_domains);
      relay_recipient_maps = lib.flatten (lib.attrsets.mapAttrsToList (n: v:
        lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps
      ) myconfig.env.mail.postfix.backup_domains);
      smtpd_relay_restrictions = [
        "permit_mynetworks"
        "permit_sasl_authenticated"
        "defer_unauth_destination"
      ] ++ lib.flatten (lib.attrsets.mapAttrsToList (n: v:
        if lib.attrsets.hasAttr "relay_restrictions" v
        then [ "check_recipient_access hash:/etc/postfix/recipient_access_${n}" ]
        else []
      ) myconfig.env.mail.postfix.backup_domains);

      ### Additional smtpd configuration
      smtpd_tls_received_header = "yes";
      smtpd_tls_loglevel = "1";

      ### Email sending configuration
      smtp_tls_security_level = "may";
      smtp_tls_loglevel = "1";

      ### Force ip bind for smtp
      smtp_bind_address  = myconfig.env.servers.eldiron.ips.main.ip4;
      smtp_bind_address6 = builtins.head myconfig.env.servers.eldiron.ips.main.ip6;

      # #Unneeded if postfix can only send e-mail from "self" domains
      # #smtp_sasl_auth_enable = "yes";
      # #smtp_sasl_password_maps = "hash:/etc/postfix/relay_creds";
      # #smtp_sasl_security_options = "noanonymous";
      # #smtp_sender_dependent_authentication = "yes";
      # #sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay";

      ### opendkim, opendmarc, openarc milters
      non_smtpd_milters = [
        "unix:${config.myServices.mail.milters.sockets.opendkim}"
        "unix:${config.myServices.mail.milters.sockets.opendmarc}"
        "unix:${config.myServices.mail.milters.sockets.openarc}"
      ];
      smtpd_milters = [
        "unix:${config.myServices.mail.milters.sockets.opendkim}"
        "unix:${config.myServices.mail.milters.sockets.opendmarc}"
        "unix:${config.myServices.mail.milters.sockets.openarc}"
      ];
    };
    enable = true;
    enableSmtp = true;
    enableSubmission = true;
    submissionOptions = {
      smtpd_tls_security_level = "encrypt";
      smtpd_sasl_auth_enable = "yes";
      smtpd_tls_auth_only = "yes";
      smtpd_sasl_tls_security_options = "noanonymous";
      smtpd_sasl_type = "dovecot";
      smtpd_sasl_path = "private/auth";
      smtpd_reject_unlisted_recipient = "no";
      smtpd_client_restrictions = "permit_sasl_authenticated,reject";
      # Refuse to send e-mails with a From that is not handled
      smtpd_sender_restrictions =
        "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
      smtpd_sender_login_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}";
      smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
      milter_macro_daemon_name = "ORIGINATING";
      smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}";
    };
    # FIXME: Mail adressed to localhost.immae.eu will still have mx-1 as
    # prioritized MX, which provokes "mail for localhost.immae.eu loops
    # back to myself" errors. This transport entry forces to push
    # e-mails to its right destination.
    transport = ''
      localhost.immae.eu   smtp:[immae.eu]:25
      '';
    destination = ["localhost"];
    # This needs to reverse DNS
    hostname = "eldiron.immae.eu";
    setSendmail = true;
    sslCert = "/var/lib/acme/mail/fullchain.pem";
    sslKey = "/var/lib/acme/mail/key.pem";
    recipientDelimiter = "+";
    masterConfig = {
      submissions = {
        type = "inet";
        private = false;
        command = "smtpd";
        args = ["-o" "smtpd_tls_wrappermode=yes" ] ++ (let
          mkKeyVal = opt: val: [ "-o" (opt + "=" + val) ];
        in lib.concatLists (lib.mapAttrsToList mkKeyVal config.services.postfix.submissionOptions)
        );
      };
      dovecot = {
        type = "unix";
        privileged = true;
        chroot = false;
        command = "pipe";
        args = let
          # rspamd could be used as a milter, but then it cannot apply
          # its checks "per user" (milter is not yet dispatched to
          # users), so we wrap dovecot-lda inside rspamc per recipient
          # here.
          dovecot_exe = "${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f \${sender} -a \${original_recipient} -d \${user}@\${nexthop}";
        in [
          "flags=DRhu" "user=vhost:vhost"
          "argv=${pkgs.rspamd}/bin/rspamc -h ${config.myServices.mail.rspamd.sockets.worker-controller} -c bayes -d \${user}@\${nexthop} --mime --exec {${dovecot_exe}}"
        ];
      };
    };
  };
  config.security.acme.certs."mail" = {
    postRun = ''
      systemctl restart postfix.service
      '';
    extraDomains = {
      "smtp.immae.eu" = null;
    };
  };
}
Commit	Line	Data
a929614f IB	1	{ lib, pkgs, config, myconfig, ... }:
a929614f IB	2	{
6a8252b1 IB	3	config.services.backup.profiles.mail.excludeFile = ''
	4	+ /var/lib/postfix
	5	'';
a929614f IB	6	config.secrets.keys = [
	7	{
	8	dest = "postfix/mysql_alias_maps";
	9	user = config.services.postfix.user;
	10	group = config.services.postfix.group;
	11	permissions = "0440";
	12	text = ''
	13	# We need to specify that option to trigger ssl connection
	14	tls_ciphers = TLSv1.2
	15	user = ${myconfig.env.mail.postfix.mysql.user}
	16	password = ${myconfig.env.mail.postfix.mysql.password}
	17	hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
	18	dbname = ${myconfig.env.mail.postfix.mysql.database}
	19	query = SELECT DISTINCT destination
	20	FROM forwardings_merge
	21	WHERE
	22	((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
	23	AND active = 1
	24	AND '%s' NOT IN
	25	(
	26	SELECT source
	27	FROM forwardings_blacklisted
	28	WHERE source = '%s'
	29	) UNION
	30	SELECT 'devnull@immae.eu'
	31	FROM forwardings_blacklisted
	32	WHERE source = '%s'
	33	'';
	34	}
	35	{
	36	dest = "postfix/mysql_mailbox_maps";
	37	user = config.services.postfix.user;
	38	group = config.services.postfix.group;
	39	permissions = "0440";
	40	text = ''
	41	# We need to specify that option to trigger ssl connection
	42	tls_ciphers = TLSv1.2
	43	user = ${myconfig.env.mail.postfix.mysql.user}
	44	password = ${myconfig.env.mail.postfix.mysql.password}
	45	hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
	46	dbname = ${myconfig.env.mail.postfix.mysql.database}
	47	result_format = /%d/%u
	48	query = SELECT DISTINCT '%s'
	49	FROM mailboxes
	50	WHERE active = 1
	51	AND (
	52	(domain = '%d' AND user = '%u' AND regex = 0)
	53	OR (
	54	regex = 1
	55	AND '%d' REGEXP CONCAT('^',domain,'$')
	56	AND '%u' REGEXP CONCAT('^',user,'$')
	57	)
	58	)
	59	LIMIT 1
	60	'';
	61	}
	62	{
	63	dest = "postfix/mysql_sender_login_maps";
	64	user = config.services.postfix.user;
	65	group = config.services.postfix.group;
	66	permissions = "0440";
	67	text = ''
	68	# We need to specify that option to trigger ssl connection
	69	tls_ciphers = TLSv1.2
70	user = ${myconfig.env.mail.postfix.mysql.user}
71	password = ${myconfig.env.mail.postfix.mysql.password}
72	hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
73	dbname = ${myconfig.env.mail.postfix.mysql.database}
74	query = SELECT DISTINCT destination
75	FROM forwardings_merge
76	WHERE
77	((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
78	AND active = 1
812c9713	79	UNION SELECT '%s' AS destination
a929614f IB	80	'';
	81	}
	82	];
	83
ca4630ca	84	config.networking.firewall.allowedTCPPorts = [ 25 465 587 ];
a929614f IB	85
	86	config.nixpkgs.overlays = [ (self: super: {
	87	postfix = super.postfix.override { withMySQL = true; };
	88	}) ];
	89	config.users.users."${config.services.postfix.user}".extraGroups = [ "keys" ];
	90	config.services.filesWatcher.postfix = {
	91	restart = true;
	92	paths = [
	93	config.secrets.fullPaths."postfix/mysql_alias_maps"
	94	config.secrets.fullPaths."postfix/mysql_mailbox_maps"
	95	config.secrets.fullPaths."postfix/mysql_sender_login_maps"
	96	];
	97	};
	98	config.services.postfix = {
	99	mapFiles = let
04b2ab97 IB	100	recipient_maps = let
	101	name = n: i: "relay_${n}_${toString i}";
	102	pair = n: i: m: lib.attrsets.nameValuePair (name n i) (
	103	if m.type == "hash"
	104	then pkgs.writeText (name n i) m.content
	105	else null
	106	);
	107	pairs = n: v: lib.imap1 (i: m: pair n i m) v.recipient_maps;
	108	in lib.attrsets.filterAttrs (k: v: v != null) (
a929614f IB	109	lib.attrsets.listToAttrs (lib.flatten (
	110	lib.attrsets.mapAttrsToList pairs myconfig.env.mail.postfix.backup_domains
	111	))
	112	);
04b2ab97 IB	113	relay_restrictions = lib.attrsets.filterAttrs (k: v: v != null) (
	114	lib.attrsets.mapAttrs' (n: v:
	115	lib.attrsets.nameValuePair "recipient_access_${n}" (
	116	if lib.attrsets.hasAttr "relay_restrictions" v
	117	then pkgs.writeText "recipient_access_${n}" v.relay_restrictions
	118	else null
	119	)
	120	) myconfig.env.mail.postfix.backup_domains
	121	);
	122	in
	123	recipient_maps // relay_restrictions;
a929614f IB	124	config = {
	125	### postfix module overrides
	126	readme_directory = "${pkgs.postfix}/share/postfix/doc";
	127	smtp_tls_CAfile = lib.mkForce "";
	128	smtp_tls_cert_file = lib.mkForce "";
	129	smtp_tls_key_file = lib.mkForce "";
	130
	131	message_size_limit = "1073741824"; # Don't put 0 here, it's not equivalent to "unlimited"
	132	alias_database = "\$alias_maps";
	133
	134	### Virtual mailboxes config
	135	virtual_alias_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"}";
	136	virtual_mailbox_domains = myconfig.env.mail.postfix.additional_mailbox_domains
	137	++ lib.remove "localhost.immae.eu" (lib.remove null (lib.flatten (map
	138	(zone: map
	139	(e: if e.receive
	140	then "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}"
	141	else null
	142	)
	143	(zone.withEmail or [])
	144	)
	145	myconfig.env.dns.masterZones
	146	)));
	147	virtual_mailbox_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}";
	148	dovecot_destination_recipient_limit = "1";
	149	virtual_transport = "dovecot";
	150
	151	### Relay domains
	152	relay_domains = lib.flatten (lib.attrsets.mapAttrsToList (n: v: v.domains or []) myconfig.env.mail.postfix.backup_domains);
	153	relay_recipient_maps = lib.flatten (lib.attrsets.mapAttrsToList (n: v:
	154	lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps
	155	) myconfig.env.mail.postfix.backup_domains);
04b2ab97 IB	156	smtpd_relay_restrictions = [
	157	"permit_mynetworks"
	158	"permit_sasl_authenticated"
	159	"defer_unauth_destination"
	160	] ++ lib.flatten (lib.attrsets.mapAttrsToList (n: v:
	161	if lib.attrsets.hasAttr "relay_restrictions" v
	162	then [ "check_recipient_access hash:/etc/postfix/recipient_access_${n}" ]
	163	else []
	164	) myconfig.env.mail.postfix.backup_domains);
a929614f IB	165
	166	### Additional smtpd configuration
	167	smtpd_tls_received_header = "yes";
	168	smtpd_tls_loglevel = "1";
	169
	170	### Email sending configuration
	171	smtp_tls_security_level = "may";
	172	smtp_tls_loglevel = "1";
	173
	174	### Force ip bind for smtp
	175	smtp_bind_address = myconfig.env.servers.eldiron.ips.main.ip4;
	176	smtp_bind_address6 = builtins.head myconfig.env.servers.eldiron.ips.main.ip6;
	177
	178	# #Unneeded if postfix can only send e-mail from "self" domains
	179	# #smtp_sasl_auth_enable = "yes";
	180	# #smtp_sasl_password_maps = "hash:/etc/postfix/relay_creds";
	181	# #smtp_sasl_security_options = "noanonymous";
	182	# #smtp_sender_dependent_authentication = "yes";
	183	# #sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay";
	184
	185	### opendkim, opendmarc, openarc milters
	186	non_smtpd_milters = [
	187	"unix:${config.myServices.mail.milters.sockets.opendkim}"
	188	"unix:${config.myServices.mail.milters.sockets.opendmarc}"
	189	"unix:${config.myServices.mail.milters.sockets.openarc}"
	190	];
	191	smtpd_milters = [
	192	"unix:${config.myServices.mail.milters.sockets.opendkim}"
	193	"unix:${config.myServices.mail.milters.sockets.opendmarc}"
	194	"unix:${config.myServices.mail.milters.sockets.openarc}"
	195	];
	196	};
	197	enable = true;
	198	enableSmtp = true;
	199	enableSubmission = true;
	200	submissionOptions = {
	201	smtpd_tls_security_level = "encrypt";
	202	smtpd_sasl_auth_enable = "yes";
	203	smtpd_tls_auth_only = "yes";
	204	smtpd_sasl_tls_security_options = "noanonymous";
	205	smtpd_sasl_type = "dovecot";
	206	smtpd_sasl_path = "private/auth";
	207	smtpd_reject_unlisted_recipient = "no";
	208	smtpd_client_restrictions = "permit_sasl_authenticated,reject";
	209	# Refuse to send e-mails with a From that is not handled
	210	smtpd_sender_restrictions =
	211	"reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
	212	smtpd_sender_login_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}";
	213	smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
	214	milter_macro_daemon_name = "ORIGINATING";
	215	smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}";
	216	};
afcc5de0 IB	217	# FIXME: Mail adressed to localhost.immae.eu will still have mx-1 as
	218	# prioritized MX, which provokes "mail for localhost.immae.eu loops
	219	# back to myself" errors. This transport entry forces to push
	220	# e-mails to its right destination.
	221	transport = ''
	222	localhost.immae.eu smtp:[immae.eu]:25
	223	'';
a929614f IB	224	destination = ["localhost"];
	225	# This needs to reverse DNS
	226	hostname = "eldiron.immae.eu";
	227	setSendmail = true;
	228	sslCert = "/var/lib/acme/mail/fullchain.pem";
	229	sslKey = "/var/lib/acme/mail/key.pem";
	230	recipientDelimiter = "+";
	231	masterConfig = {
ca4630ca IB	232	submissions = {
	233	type = "inet";
	234	private = false;
	235	command = "smtpd";
	236	args = ["-o" "smtpd_tls_wrappermode=yes" ] ++ (let
	237	mkKeyVal = opt: val: [ "-o" (opt + "=" + val) ];
	238	in lib.concatLists (lib.mapAttrsToList mkKeyVal config.services.postfix.submissionOptions)
	239	);
	240	};
a929614f IB	241	dovecot = {
	242	type = "unix";
	243	privileged = true;
	244	chroot = false;
	245	command = "pipe";
	246	args = let
	247	# rspamd could be used as a milter, but then it cannot apply
	248	# its checks "per user" (milter is not yet dispatched to
	249	# users), so we wrap dovecot-lda inside rspamc per recipient
	250	# here.
	251	dovecot_exe = "${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f \${sender} -a \${original_recipient} -d \${user}@\${nexthop}";
	252	in [
	253	"flags=DRhu" "user=vhost:vhost"
	254	"argv=${pkgs.rspamd}/bin/rspamc -h ${config.myServices.mail.rspamd.sockets.worker-controller} -c bayes -d \${user}@\${nexthop} --mime --exec {${dovecot_exe}}"
	255	];
	256	};
	257	};
	258	};
	259	config.security.acme.certs."mail" = {
	260	postRun = ''
	261	systemctl restart postfix.service
	262	'';
	263	extraDomains = {
	264	"smtp.immae.eu" = null;
	265	};
	266	};
	267	}