]> git.immae.eu Git - perso/Immae/Config/Nix.git/blob - modules/private/mail/postfix.nix
projects / perso / Immae / Config / Nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Use attrs for secrets instead of lists
[perso/Immae/Config/Nix.git] / modules / private / mail / postfix.nix
1 { lib, pkgs, config, nodes, ... }:
2 {
3 config = lib.mkIf config.myServices.mail.enable {
4 services.duplyBackup.profiles.mail.excludeFile = ''
5 + /var/lib/postfix
6 '';
7 secrets.keys = {
8 "postfix/mysql_alias_maps" = {
9 user = config.services.postfix.user;
10 group = config.services.postfix.group;
11 permissions = "0440";
12 text = ''
13 # We need to specify that option to trigger ssl connection
14 tls_ciphers = TLSv1.2
15 user = ${config.myEnv.mail.postfix.mysql.user}
16 password = ${config.myEnv.mail.postfix.mysql.password}
17 hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
18 dbname = ${config.myEnv.mail.postfix.mysql.database}
19 query = SELECT DISTINCT destination
20 FROM forwardings
21 WHERE
22 ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
23 AND active = 1
24 AND '%s' NOT IN
25 (
26 SELECT source
27 FROM forwardings_blacklisted
28 WHERE source = '%s'
29 ) UNION
30 SELECT 'devnull@immae.eu'
31 FROM forwardings_blacklisted
32 WHERE source = '%s'
33 '';
34 };
35 "postfix/ldap_mailboxes" = {
36 user = config.services.postfix.user;
37 group = config.services.postfix.group;
38 permissions = "0440";
39 text = ''
40 server_host = ldaps://${config.myEnv.mail.dovecot.ldap.host}:636
41 search_base = ${config.myEnv.mail.dovecot.ldap.base}
42 query_filter = ${config.myEnv.mail.dovecot.ldap.postfix_mailbox_filter}
43 bind_dn = ${config.myEnv.mail.dovecot.ldap.dn}
44 bind_pw = ${config.myEnv.mail.dovecot.ldap.password}
45 result_attribute = immaePostfixAddress
46 result_format = dummy
47 version = 3
48 '';
49 };
50 "postfix/mysql_sender_login_maps" = {
51 user = config.services.postfix.user;
52 group = config.services.postfix.group;
53 permissions = "0440";
54 text = ''
55 # We need to specify that option to trigger ssl connection
56 tls_ciphers = TLSv1.2
57 user = ${config.myEnv.mail.postfix.mysql.user}
58 password = ${config.myEnv.mail.postfix.mysql.password}
59 hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
60 dbname = ${config.myEnv.mail.postfix.mysql.database}
61 query = SELECT DISTINCT destination
62 FROM forwardings
63 WHERE
64 (
65 (regex = 1 AND CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') REGEXP CONCAT('^',source,'$') )
66 OR
67 (regex = 0 AND source = CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d'))
68 )
69 AND active = 1
70 UNION SELECT CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') AS destination
71 '';
72 };
73 "postfix/mysql_sender_relays_maps" = {
74 user = config.services.postfix.user;
75 group = config.services.postfix.group;
76 permissions = "0440";
77 text = ''
78 # We need to specify that option to trigger ssl connection
79 tls_ciphers = TLSv1.2
80 user = ${config.myEnv.mail.postfix.mysql.user}
81 password = ${config.myEnv.mail.postfix.mysql.password}
82 hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
83 dbname = ${config.myEnv.mail.postfix.mysql.database}
84 # INSERT INTO sender_relays
85 # (`from`, owner, relay, login, password, regex, active)
86 # VALUES
87 # ( 'sender@otherhost.org'
88 # , 'me@mail.immae.eu'
89 # , '[otherhost.org]:587'
90 # , 'otherhostlogin'
91 # , AES_ENCRYPT('otherhostpassword', '${config.myEnv.mail.postfix.mysql.password_encrypt}')
92 # , '0'
93 # , '1');
94
95 query = SELECT DISTINCT `owner`
96 FROM sender_relays
97 WHERE
98 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
99 AND active = 1
100 '';
101 };
102 "postfix/mysql_sender_relays_hosts" = {
103 user = config.services.postfix.user;
104 group = config.services.postfix.group;
105 permissions = "0440";
106 text = ''
107 # We need to specify that option to trigger ssl connection
108 tls_ciphers = TLSv1.2
109 user = ${config.myEnv.mail.postfix.mysql.user}
110 password = ${config.myEnv.mail.postfix.mysql.password}
111 hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
112 dbname = ${config.myEnv.mail.postfix.mysql.database}
113
114 query = SELECT DISTINCT relay
115 FROM sender_relays
116 WHERE
117 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
118 AND active = 1
119 '';
120 };
121 "postfix/mysql_sender_relays_creds" = {
122 user = config.services.postfix.user;
123 group = config.services.postfix.group;
124 permissions = "0440";
125 text = ''
126 # We need to specify that option to trigger ssl connection
127 tls_ciphers = TLSv1.2
128 user = ${config.myEnv.mail.postfix.mysql.user}
129 password = ${config.myEnv.mail.postfix.mysql.password}
130 hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
131 dbname = ${config.myEnv.mail.postfix.mysql.database}
132
133 query = SELECT DISTINCT CONCAT(`login`, ':', AES_DECRYPT(`password`, '${config.myEnv.mail.postfix.mysql.password_encrypt}'))
134 FROM sender_relays
135 WHERE
136 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
137 AND active = 1
138 '';
139 };
140 "postfix/ldap_ejabberd_users_immae_fr" = {
141 user = config.services.postfix.user;
142 group = config.services.postfix.group;
143 permissions = "0440";
144 text = ''
145 server_host = ldaps://${config.myEnv.jabber.ldap.host}:636
146 search_base = ${config.myEnv.jabber.ldap.base}
147 query_filter = ${config.myEnv.jabber.postfix_user_filter}
148 domain = immae.fr
149 bind_dn = ${config.myEnv.jabber.ldap.dn}
150 bind_pw = ${config.myEnv.jabber.ldap.password}
151 result_attribute = immaeXmppUid
152 result_format = ejabberd@localhost
153 version = 3
154 '';
155 };
156 } // lib.mapAttrs' (name: v: lib.nameValuePair "postfix/scripts/${name}-env" {
157 user = "postfixscripts";
158 group = "root";
159 permissions = "0400";
160 text = builtins.toJSON v.env;
161 }) config.myEnv.mail.scripts;
162
163 networking.firewall.allowedTCPPorts = [ 25 465 587 ];
164
165 users.users.postfixscripts = {
166 group = "keys";
167 uid = config.ids.uids.postfixscripts;
168 description = "Postfix scripts user";
169 };
170 users.users."${config.services.postfix.user}".extraGroups = [ "keys" ];
171 services.filesWatcher.postfix = {
172 restart = true;
173 paths = [
174 config.secrets.fullPaths."postfix/mysql_alias_maps"
175 config.secrets.fullPaths."postfix/ldap_mailboxes"
176 config.secrets.fullPaths."postfix/mysql_sender_login_maps"
177 config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"
178 ];
179 };
180 services.postfix = {
181 extraAliases = let
182 toScript = name: script: pkgs.writeScript name ''
183 #! ${pkgs.stdenv.shell}
184 mail=$(${pkgs.coreutils}/bin/cat -)
185 output=$(echo "$mail" | ${script} 2>&1)
186 ret=$?
187
188 if [ "$ret" != "0" ]; then
189 echo "$mail" \
190 | ${pkgs.procmail}/bin/formail -i "X-Return-Code: $ret" \
191 | /run/wrappers/bin/sendmail -i scripts_error+${name}@mail.immae.eu
192
193 messageId=$(echo "$mail" | ${pkgs.procmail}/bin/formail -x "Message-Id:")
194 repeat=$(echo "$mail" | ${pkgs.procmail}/bin/formail -X "From:" -X "Received:")
195
196 ${pkgs.coreutils}/bin/cat <<EOF | /run/wrappers/bin/sendmail -i scripts_error+${name}@mail.immae.eu
197 $repeat
198 To: scripts_error+${name}@mail.immae.eu
199 Subject: Log from script error
200 Content-Type: text/plain; charset="UTF-8"
201 Content-Transfer-Encoding: 8bit
202 References:$messageId
203 MIME-Version: 1.0
204 X-Return-Code: $ret
205
206 Error code: $ret
207 Output of message:
208 --------------
209 $output
210 --------------
211 EOF
212 fi
213 '';
214 scripts = lib.attrsets.mapAttrs (n: v:
215 toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = config.secrets.fullPaths."postfix/scripts/${n}-env"; })
216 ) config.myEnv.mail.scripts // {
217 testmail = pkgs.writeScript "testmail" ''
218 #! ${pkgs.stdenv.shell}
219 ${pkgs.coreutils}/bin/touch \
220 "/var/lib/naemon/checks/email/$(${pkgs.procmail}/bin/formail -x To: | ${pkgs.coreutils}/bin/tr -d ' <>')"
221 '';
222 };
223 in builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v: ''${n}: "|${v}"'') scripts);
224 mapFiles = let
225 recipient_maps = let
226 name = n: i: "relay_${n}_${toString i}";
227 pair = n: i: m: lib.attrsets.nameValuePair (name n i) (
228 if m.type == "hash"
229 then pkgs.writeText (name n i) m.content
230 else null
231 );
232 pairs = n: v: lib.imap1 (i: m: pair n i m) v.recipient_maps;
233 in lib.attrsets.filterAttrs (k: v: v != null) (
234 lib.attrsets.listToAttrs (lib.flatten (
235 lib.attrsets.mapAttrsToList pairs config.myEnv.mail.postfix.backup_domains
236 ))
237 );
238 relay_restrictions = lib.attrsets.filterAttrs (k: v: v != null) (
239 lib.attrsets.mapAttrs' (n: v:
240 lib.attrsets.nameValuePair "recipient_access_${n}" (
241 if lib.attrsets.hasAttr "relay_restrictions" v
242 then pkgs.writeText "recipient_access_${n}" v.relay_restrictions
243 else null
244 )
245 ) config.myEnv.mail.postfix.backup_domains
246 );
247 virtual_map = {
248 virtual = let
249 cfg = config.myEnv.monitoring.email_check.eldiron;
250 address = "${cfg.mail_address}@${cfg.mail_domain}";
251 in pkgs.writeText "postfix-virtual" (
252 builtins.concatStringsSep "\n" (
253 ["${address} testmail@localhost"] ++
254 lib.attrsets.mapAttrsToList (
255 n: v: lib.optionalString v.external ''
256 script_${n}@mail.immae.eu ${n}@localhost, scripts@mail.immae.eu
257 ''
258 ) config.myEnv.mail.scripts
259 )
260 );
261 };
262 sasl_access = {
263 host_sender_login = with lib.attrsets; let
264 addresses = zipAttrs (lib.flatten (mapAttrsToList
265 (n: v: (map (e: { "${e}" = "${n}@immae.eu"; }) v.emails)) config.myEnv.servers));
266 joined = builtins.concatStringsSep ",";
267 in pkgs.writeText "host-sender-login"
268 (builtins.concatStringsSep "\n" (mapAttrsToList (n: v: "${n} ${joined v}") addresses));
269 };
270 in
271 recipient_maps // relay_restrictions // virtual_map // sasl_access;
272 config = {
273 ### postfix module overrides
274 readme_directory = "${pkgs.postfix}/share/postfix/doc";
275 smtp_tls_CAfile = lib.mkForce "";
276 smtp_tls_cert_file = lib.mkForce "";
277 smtp_tls_key_file = lib.mkForce "";
278
279 message_size_limit = "1073741824"; # Don't put 0 here, it's not equivalent to "unlimited"
280 mailbox_size_limit = "1073741825"; # Workaround, local delivered mails should all go through scripts
281 alias_database = "\$alias_maps";
282
283 ### Aliases scripts user
284 default_privs = "postfixscripts";
285
286 ### Virtual mailboxes config
287 virtual_alias_maps = [
288 "hash:/etc/postfix/virtual"
289 "mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"}"
290 "ldap:${config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"}"
291 ];
292 virtual_mailbox_domains = config.myEnv.mail.postfix.additional_mailbox_domains
293 ++ lib.remove null (lib.flatten (map
294 (zone: map
295 (e: if e.receive
296 then "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}"
297 else null
298 )
299 (zone.withEmail or [])
300 )
301 config.myEnv.dns.masterZones
302 ));
303 virtual_mailbox_maps = [
304 "ldap:${config.secrets.fullPaths."postfix/ldap_mailboxes"}"
305 ];
306 dovecot_destination_recipient_limit = "1";
307 virtual_transport = "dovecot";
308
309 ### Relay domains
310 relay_domains = lib.flatten (lib.attrsets.mapAttrsToList (n: v: v.domains or []) config.myEnv.mail.postfix.backup_domains);
311 relay_recipient_maps = lib.flatten (lib.attrsets.mapAttrsToList (n: v:
312 lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps
313 ) config.myEnv.mail.postfix.backup_domains);
314 smtpd_relay_restrictions = [
315 "defer_unauth_destination"
316 ] ++ lib.flatten (lib.attrsets.mapAttrsToList (n: v:
317 if lib.attrsets.hasAttr "relay_restrictions" v
318 then [ "check_recipient_access hash:/etc/postfix/recipient_access_${n}" ]
319 else []
320 ) config.myEnv.mail.postfix.backup_domains);
321
322 ### Additional smtpd configuration
323 smtpd_tls_received_header = "yes";
324 smtpd_tls_loglevel = "1";
325
326 ### Email sending configuration
327 smtp_tls_security_level = "may";
328 smtp_tls_loglevel = "1";
329
330 ### Force ip bind for smtp
331 smtp_bind_address = config.hostEnv.ips.main.ip4;
332 smtp_bind_address6 = builtins.head config.hostEnv.ips.main.ip6;
333
334 # Use some relays when authorized senders are not myself
335 smtp_sasl_mechanism_filter = "plain,login"; # GSSAPI Not correctly supported by postfix
336 smtp_sasl_auth_enable = "yes";
337 smtp_sasl_password_maps =
338 "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_creds"}";
339 smtp_sasl_security_options = "noanonymous";
340 smtp_sender_dependent_authentication = "yes";
341 sender_dependent_relayhost_maps =
342 "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_hosts"}";
343
344 ### opendkim, opendmarc, openarc milters
345 non_smtpd_milters = [
346 "unix:${config.myServices.mail.milters.sockets.opendkim}"
347 ];
348 smtpd_milters = [
349 "unix:${config.myServices.mail.milters.sockets.opendkim}"
350 "unix:${config.myServices.mail.milters.sockets.openarc}"
351 "unix:${config.myServices.mail.milters.sockets.opendmarc}"
352 ];
353
354 smtp_use_tls = true;
355 smtpd_use_tls = true;
356 smtpd_tls_chain_files = builtins.concatStringsSep "," [ "/var/lib/acme/mail/full.pem" "/var/lib/acme/mail-rsa/full.pem" ];
357
358 maximal_queue_lifetime = "6w";
359 bounce_queue_lifetime = "6w";
360 };
361 enable = true;
362 enableSmtp = true;
363 enableSubmission = true;
364 submissionOptions = {
365 # Don’t use "long form", only commas (cf
366 # http://www.postfix.org/master.5.html long form is not handled
367 # well by the submission function)
368 smtpd_tls_security_level = "encrypt";
369 smtpd_sasl_auth_enable = "yes";
370 smtpd_tls_auth_only = "yes";
371 smtpd_sasl_tls_security_options = "noanonymous";
372 smtpd_sasl_type = "dovecot";
373 smtpd_sasl_path = "private/auth";
374 smtpd_reject_unlisted_recipient = "no";
375 smtpd_client_restrictions = "permit_sasl_authenticated,reject";
376 smtpd_relay_restrictions = "permit_sasl_authenticated,reject";
377 # Refuse to send e-mails with a From that is not handled
378 smtpd_sender_restrictions =
379 "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
380 smtpd_sender_login_maps = builtins.concatStringsSep "," [
381 "hash:/etc/postfix/host_sender_login"
382 "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_maps"}"
383 "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}"
384 ];
385 smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
386 milter_macro_daemon_name = "ORIGINATING";
387 smtpd_milters = builtins.concatStringsSep "," [
388 # FIXME: put it back when opensmtpd is upgraded and able to
389 # rewrite the from header
390 #"unix:/run/milter_verify_from/verify_from.sock"
391 "unix:${config.myServices.mail.milters.sockets.opendkim}"
392 ];
393 };
394 destination = ["localhost"];
395 # This needs to reverse DNS
396 hostname = config.hostEnv.fqdn;
397 setSendmail = true;
398 recipientDelimiter = "+";
399 masterConfig = {
400 submissions = {
401 type = "inet";
402 private = false;
403 command = "smtpd";
404 args = ["-o" "smtpd_tls_wrappermode=yes" ] ++ (let
405 mkKeyVal = opt: val: [ "-o" (opt + "=" + val) ];
406 in lib.concatLists (lib.mapAttrsToList mkKeyVal config.services.postfix.submissionOptions)
407 );
408 };
409 dovecot = {
410 type = "unix";
411 privileged = true;
412 chroot = false;
413 command = "pipe";
414 args = let
415 # rspamd could be used as a milter, but then it cannot apply
416 # its checks "per user" (milter is not yet dispatched to
417 # users), so we wrap dovecot-lda inside rspamc per recipient
418 # here.
419 rspamc_dovecot = pkgs.writeScriptBin "rspamc_dovecot" ''
420 #! ${pkgs.stdenv.shell}
421 sender="$1"
422 original_recipient="$2"
423 user="$3"
424
425 ${pkgs.coreutils}/bin/cat - | \
426 (${pkgs.rspamd}/bin/rspamc -h ${config.myServices.mail.rspamd.sockets.worker-controller} -c bayes -d "$user" --mime || true) | \
427 ${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f "$sender" -a "$original_recipient" -d "$user"
428 '';
429 in [
430 "flags=ODRhu" "user=vhost:vhost"
431 "argv=${rspamc_dovecot}/bin/rspamc_dovecot \${sender} \${original_recipient} \${user}@\${nexthop}"
432 ];
433 };
434 };
435 };
436 security.acme.certs."mail" = {
437 postRun = ''
438 systemctl restart postfix.service
439 '';
440 extraDomains = {
441 "smtp.immae.eu" = null;
442 };
443 };
444 security.acme.certs."mail-rsa" = {
445 postRun = ''
446 systemctl restart postfix.service
447 '';
448 extraDomains = {
449 "smtp.immae.eu" = null;
450 };
451 };
452 system.activationScripts.testmail = {
453 deps = [ "users" ];
454 text = let
455 allCfg = config.myEnv.monitoring.email_check;
456 cfg = allCfg.eldiron;
457 reverseTargets = builtins.attrNames (lib.attrsets.filterAttrs (k: v: builtins.elem "eldiron" v.targets) allCfg);
458 to_email = cfg': host':
459 let sep = if lib.strings.hasInfix "+" cfg'.mail_address then "_" else "+";
460 in "${cfg'.mail_address}${sep}${host'}@${cfg'.mail_domain}";
461 mails_to_receive = builtins.concatStringsSep " " (map (to_email cfg) reverseTargets);
462 in ''
463 install -m 0555 -o postfixscripts -g keys -d /var/lib/naemon/checks/email
464 for f in ${mails_to_receive}; do
465 if [ ! -f /var/lib/naemon/checks/email/$f ]; then
466 install -m 0644 -o postfixscripts -g keys /dev/null -T /var/lib/naemon/checks/email/$f
467 touch -m -d @0 /var/lib/naemon/checks/email/$f
468 fi
469 done
470 '';
471 };
472 systemd.services.postfix.serviceConfig.Slice = "mail.slice";
473 };
474 }
My infrastructure configuration