Prepare script for opensmtpd next upgrade
# modules/private/mail/opensmtpd.nix
#
# Outbound mail relay. When myServices.mailRelay.enable is set, OpenSMTPD is
# enabled and every message it accepts is handed to eldiron.immae.eu:587,
# authenticating with this host's own credentials.
{ lib, pkgs, config, name, ... }:
{
  config = lib.mkIf config.myServices.mailRelay.enable {
    # Backing file for the smtpd "creds" table declared further down. The single
    # entry has the form "<label> <user>:<password>"; the label "eldiron" is the
    # one named in the relay URLs (smtp+tls://eldiron@...).
    # Owner smtpd:smtpd with mode 0400, so only the daemon user can read it.
    # NOTE(review): whether `text` (which embeds the LDAP password) is kept out
    # of the world-readable Nix store depends on the secrets module, which is
    # not shown here — confirm.
    secrets.keys = [
      {
        dest = "opensmtpd/creds";
        user = "smtpd";
        group = "smtpd";
        permissions = "0400";
        text = ''
          eldiron ${name}:${config.hostEnv.ldap.password}
        '';
      }
    ];
    # Adds smtpd to the "keys" group; presumably that group gates access to the
    # directory holding the secret above — confirm against the secrets module.
    users.users.smtpd.extraGroups = [ "keys" ];
    services.opensmtpd = {
      enable = true;
      # smtpd.conf. Only the path of the credentials file is interpolated here,
      # not the password itself.
      #
      # Routing: a message whose envelope sender does not match "@immae.eu"
      # goes through "relay-rewrite-from", which sets the envelope sender to
      # ${name}@immae.eu; a message whose sender already matches goes through
      # "relay" unchanged. Both actions use the same host and credentials.
      #
      # NOTE(review): neither match rule has a `from` clause and no `listen`
      # line is active; confirm in smtpd.conf(5) for the deployed version that
      # this restricts relaying to locally submitted mail.
      # NOTE(review): the envelope sender is chosen by the submitting process,
      # so any local sender claiming an @immae.eu address is relayed as-is under
      # this host's credentials — confirm the upstream relay enforces which
      # senders this account may use.
      # NOTE(review): AUTH is sent over smtp+tls://; confirm the deployed
      # OpenSMTPD version makes STARTTLS mandatory and validates the relay's
      # certificate before the credentials are sent.
      serverConfiguration = let
        # Store copy of ./filter-rewrite-from.py with its shebang patched
        # (python3 is in buildInputs). The smtpd.conf lines that use it are
        # still commented out (see the FIXME inside the string), but the
        # interpolation inside that string is still evaluated by Nix.
        filter-rewrite-from = pkgs.runCommand "filter-rewrite-from.py" {
          buildInputs = [ pkgs.python3 ];
        } ''
          cp ${./filter-rewrite-from.py} $out
          patchShebangs $out
        '';
      in ''
        table creds \
        "${config.secrets.fullPaths."opensmtpd/creds"}"
        # FIXME: filtering requires 6.6, uncomment following lines when
        # upgrading
        # filter "fixfrom" \
        # proc-exec "${filter-rewrite-from} ${name}@immae.eu"
        # listen on socket filter "fixfrom"
        action "relay-rewrite-from" relay \
        helo ${config.hostEnv.fqdn} \
        host smtp+tls://eldiron@eldiron.immae.eu:587 \
        auth <creds> \
        mail-from ${name}@immae.eu
        action "relay" relay \
        helo ${config.hostEnv.fqdn} \
        host smtp+tls://eldiron@eldiron.immae.eu:587 \
        auth <creds>
        match for any !mail-from "@immae.eu" action "relay-rewrite-from"
        match for any mail-from "@immae.eu" action "relay"
      '';
    };
    environment.systemPackages = [ config.services.opensmtpd.package ];
    # "sendmail" and "mailq" are both wrappers around smtpctl, installed with
    # neither the setuid nor the setgid bit, so they run with the caller's own
    # privileges.
    # NOTE(review): confirm that unprivileged users can still enqueue mail and
    # list the queue as intended without a setgid smtpctl.
    services.mail.sendmailSetuidWrapper = {
      program = "sendmail";
      source = "${config.services.opensmtpd.package}/bin/smtpctl";
      setuid = false;
      setgid = false;
    };
    security.wrappers.mailq = {
      program = "mailq";
      source = "${config.services.opensmtpd.package}/bin/smtpctl";
      setuid = false;
      setgid = false;
    };
  };
}