# NixOS module for the backup MX role of this host: it listens on port 25,
# accepts mail for every domain that eldiron's DNS zones mark as receiving
# email, and validates each recipient against the primary's alias and
# mailbox stores before accepting it (see relay_recipient_maps below).
# Activated with `myServices.mailBackup.enable`.
{ lib, pkgs, config, name, nodes, ... }:
let
  # All `fqdn` values of a zone's email policies that have `receive` set.
  getDomains = p: lib.mapAttrsToList (n: v: v.fqdn) (lib.filterAttrs (n: v: v.receive) p.emailPolicies);
  # zone name -> receiving domains, read from eldiron's DNS configuration.
  bydomain = builtins.mapAttrs (n: getDomains) nodes.eldiron.config.myServices.dns.zones;
  # Flat list of every domain this host must accept mail for (relay_domains).
  receiving_domains = lib.flatten (builtins.attrValues bydomain);
in
{
  options.myServices.mailBackup.enable = lib.mkEnableOption "enable MX backup services";
  config = lib.mkIf config.myServices.mailBackup.enable {
    myServices.mail.milters.enable = true;
    # Certificate for the SMTP listener (sslCert/sslKey below); postfix is
    # restarted after every renewal so it picks up the new files.
    security.acme.certs."mail" = {
      postRun = ''
        systemctl restart postfix.service
      '';
      domain = config.hostEnv.fqdn;
      # One additional name per zone with email: "<mx.subdomain>.<zone>",
      # presumably the name this host is published under in that zone's MX
      # record — verify against the DNS zone definitions.
      extraDomainNames = let
        zonesWithMx = builtins.attrNames (lib.filterAttrs (n: v: v.hasEmail) nodes.eldiron.config.myServices.dns.zones);
        mxs = map (n: "${config.myEnv.servers."${name}".mx.subdomain}.${n}") zonesWithMx;
      in mxs;
    };
    # Postfix lookup-table definitions. They embed database/LDAP credentials,
    # so they are deployed as secrets readable only by the postfix user/group.
    secrets.keys = {
      # mysql: alias existence check. The selected value is a constant (1),
      # only the presence of a row matters; addresses found in
      # forwardings_blacklisted map to devnull@immae.eu instead.
      # NOTE(review): tls_ciphers only forces an encrypted MySQL session; the
      # server certificate is not verified unless tls_verify_cert/tls_CAfile
      # (mysql_table(5)) are set as well — confirm whether that is wanted.
      "postfix/mysql_alias_maps" = {
        user = config.services.postfix.user;
        group = config.services.postfix.group;
        permissions = "0440";
        text = ''
          # We need to specify that option to trigger ssl connection
          tls_ciphers = TLSv1.2
          user = ${config.myEnv.mail.postfix.mysql.user}
          password = ${config.myEnv.mail.postfix.mysql.password}
          hosts = ${config.myEnv.mail.postfix.mysql.remoteHost}
          dbname = ${config.myEnv.mail.postfix.mysql.database}
          query = SELECT DISTINCT 1
            FROM forwardings
            WHERE
              ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
              AND active = 1
              AND '%s' NOT IN
                (
                  SELECT source
                  FROM forwardings_blacklisted
                  WHERE source = '%s'
                ) UNION
                SELECT 'devnull@immae.eu'
                FROM forwardings_blacklisted
                WHERE source = '%s'
        '';
      };
      # ldap: existence check for real mailboxes in the dovecot directory.
      # result_format is a fixed string, so presumably only the presence of
      # a result is used here.
      # NOTE(review): as far as I recall ldap_table(5) does not verify the
      # server certificate (even over ldaps://) unless tls_require_cert = yes
      # and tls_ca_cert_file are set — confirm, since bind_pw travels on
      # this connection.
      "postfix/ldap_mailboxes" = {
        user = config.services.postfix.user;
        group = config.services.postfix.group;
        permissions = "0440";
        text = ''
          server_host = ldaps://${config.myEnv.mail.dovecot.ldap.host}:636
          search_base = ${config.myEnv.mail.dovecot.ldap.base}
          query_filter = ${config.myEnv.mail.dovecot.ldap.postfix_mailbox_filter}
          bind_dn = ${config.myEnv.mail.dovecot.ldap.dn}
          bind_pw = ${config.myEnv.mail.dovecot.ldap.password}
          result_attribute = immaePostfixAddress
          result_format = dummy
          version = 3
        '';
      };
      # pgsql: accepts every sympa list address plus the per-list
      # (-request, -editor, -unsubscribe, -owner) and per-robot service
      # addresses (sympa-request, sympa-owner, sympa, listmaster, bounce,
      # abuse-feedback-report).
      "postfix/sympa_mailbox_maps" = {
        user = config.services.postfix.user;
        group = config.services.postfix.group;
        permissions = "0440";
        text = ''
          hosts = ${config.myEnv.mail.sympa.postgresql.host}
          user = ${config.myEnv.mail.sympa.postgresql.user}
          password = ${config.myEnv.mail.sympa.postgresql.password}
          dbname = ${config.myEnv.mail.sympa.postgresql.database}
          query = SELECT DISTINCT 1 FROM list_table WHERE '%s' IN (
              CONCAT(name_list, '@', robot_list),
              CONCAT(name_list, '-request@', robot_list),
              CONCAT(name_list, '-editor@', robot_list),
              CONCAT(name_list, '-unsubscribe@', robot_list),
              CONCAT(name_list, '-owner@', robot_list),
              CONCAT('sympa-request@', robot_list),
              CONCAT('sympa-owner@', robot_list),
              CONCAT('sympa@', robot_list),
              CONCAT('listmaster@', robot_list),
              CONCAT('bounce@', robot_list),
              CONCAT('abuse-feedback-report@', robot_list)
            )
        '';
      };
      # ldap: XMPP accounts of the jabber server; lookups are limited to the
      # immae.fr domain and every hit resolves to ejabberd@localhost.
      # NOTE(review): same certificate-verification remark as for
      # "postfix/ldap_mailboxes" above — confirm.
      "postfix/ldap_ejabberd_users_immae_fr" = {
        user = config.services.postfix.user;
        group = config.services.postfix.group;
        permissions = "0440";
        text = ''
          server_host = ldaps://${config.myEnv.jabber.ldap.host}:636
          search_base = ${config.myEnv.jabber.ldap.base}
          query_filter = ${config.myEnv.jabber.postfix_user_filter}
          domain = immae.fr
          bind_dn = ${config.myEnv.jabber.ldap.dn}
          bind_pw = ${config.myEnv.jabber.ldap.password}
          result_attribute = immaeXmppUid
          result_format = ejabberd@localhost
          version = 3
        '';
      };
    };

    # Only SMTP is exposed; submission is explicitly disabled below.
    networking.firewall.allowedTCPPorts = [ 25 ];

    # Presumably needed so the postfix user can reach the deployed secrets;
    # the files themselves are owned by the postfix user/group (see above).
    users.users."${config.services.postfix.user}".extraGroups = [ "keys" ];
    # Restart postfix whenever one of the credential-bearing map files changes.
    services.filesWatcher.postfix = {
      restart = true;
      paths = [
        config.secrets.fullPaths."postfix/mysql_alias_maps"
        config.secrets.fullPaths."postfix/sympa_mailbox_maps"
        config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"
        config.secrets.fullPaths."postfix/ldap_mailboxes"
      ];
    };
    services.postfix = {
      # /etc/postfix/virtual (referenced as hash:/etc/postfix/virtual in
      # relay_recipient_maps): the monitoring check address, the
      # "other" aliases, and the common aliases on every receiving domain.
      # The "1" value is a placeholder; only the key's presence is used.
      mapFiles = let
        virtual_map = {
          virtual = let
            cfg = config.myEnv.monitoring.email_check.eldiron;
            address = "${cfg.mail_address}@${cfg.mail_domain}";
            aliases = config.myEnv.mail.postfix.common_aliases;
          in pkgs.writeText "postfix-virtual" (
            builtins.concatStringsSep "\n" (
              [ "${address} 1"
              ] ++
              map (a: "${a} 1") config.myEnv.mail.postfix.other_aliases ++
              lib.lists.flatten (map (domain: map (alias: "${alias}@${domain} 1") aliases) receiving_domains)
            )
          );
        };
      in
        virtual_map;
      config = {
        ### postfix module overrides
        readme_directory = "${pkgs.postfix}/share/postfix/doc";
        # No client certificate/CA for outbound SMTP: with
        # smtp_tls_security_level = may (below) outbound TLS is opportunistic
        # and the peer is not authenticated.
        smtp_tls_CAfile = lib.mkForce "";
        smtp_tls_cert_file = lib.mkForce "";
        smtp_tls_key_file = lib.mkForce "";

        message_size_limit = "1073741824"; # Don't put 0 here, it's not equivalent to "unlimited"
        mailbox_size_limit = "1073741825"; # Workaround, local delivered mails should all go through scripts
        alias_database = "\$alias_maps";

        ### Relay domains
        relay_domains = receiving_domains;
        # A recipient in a relay domain must exist in one of these tables,
        # otherwise postfix rejects it at RCPT time instead of accepting the
        # message and bouncing it later (no backscatter for unknown users).
        relay_recipient_maps = let
          virtual_alias_maps = [
            "hash:/etc/postfix/virtual"
            "mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"}"
            "ldap:${config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"}"
          ];
          virtual_mailbox_maps = [
            "ldap:${config.secrets.fullPaths."postfix/ldap_mailboxes"}"
            "pgsql:${config.secrets.fullPaths."postfix/sympa_mailbox_maps"}"
          ];
        in
          virtual_alias_maps ++ virtual_mailbox_maps;
        # Mail for destinations outside relay_domains/$mydestination is
        # deferred (4xx) rather than rejected; no open relay either way.
        smtpd_relay_restrictions = [
          "defer_unauth_destination"
        ];

        ### Additional smtpd configuration
        smtpd_tls_received_header = "yes";
        smtpd_tls_loglevel = "1";

        ### Email sending configuration
        smtp_tls_security_level = "may";
        smtp_tls_loglevel = "1";

        ### Force ip bind for smtp
        # First address of the server's main IP set (v4 and v6).
        smtp_bind_address = builtins.head config.myEnv.servers."${name}".ips.main.ip4;
        smtp_bind_address6 = builtins.head config.myEnv.servers."${name}".ips.main.ip6;

        # DKIM, ARC and DMARC milters provided by myServices.mail.milters
        # (enabled at the top of this module), reached over local sockets.
        smtpd_milters = [
          "unix:${config.myServices.mail.milters.sockets.opendkim}"
          "unix:${config.myServices.mail.milters.sockets.openarc}"
          "unix:${config.myServices.mail.milters.sockets.opendmarc}"
        ];
      };
      enable = true;
      enableSmtp = true;
      enableSubmission = false;
      destination = ["localhost"];
      # Must match this host's reverse DNS; used as postfix's myhostname.
      hostname = config.hostEnv.fqdn;
      setSendmail = false;
      # Issued by the security.acme.certs."mail" entry above.
      sslCert = "/var/lib/acme/mail/fullchain.pem";
      sslKey = "/var/lib/acme/mail/key.pem";
      recipientDelimiter = "+";
    };
  };
}