]> git.immae.eu Git - perso/Immae/Config/Nix.git/blob - modules/private/mail/postfix.nix
projects / perso / Immae / Config / Nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Move postscript scripts sensible values out of the store
[perso/Immae/Config/Nix.git] / modules / private / mail / postfix.nix
1 { lib, pkgs, config, nodes, ... }:
2 {
3 config = lib.mkIf config.myServices.mail.enable {
4 services.duplyBackup.profiles.mail.excludeFile = ''
5 + /var/lib/postfix
6 '';
7 secrets.keys = [
8 {
9 dest = "postfix/mysql_alias_maps";
10 user = config.services.postfix.user;
11 group = config.services.postfix.group;
12 permissions = "0440";
13 text = ''
14 # We need to specify that option to trigger ssl connection
15 tls_ciphers = TLSv1.2
16 user = ${config.myEnv.mail.postfix.mysql.user}
17 password = ${config.myEnv.mail.postfix.mysql.password}
18 hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
19 dbname = ${config.myEnv.mail.postfix.mysql.database}
20 query = SELECT DISTINCT destination
21 FROM forwardings
22 WHERE
23 ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
24 AND active = 1
25 AND '%s' NOT IN
26 (
27 SELECT source
28 FROM forwardings_blacklisted
29 WHERE source = '%s'
30 ) UNION
31 SELECT 'devnull@immae.eu'
32 FROM forwardings_blacklisted
33 WHERE source = '%s'
34 '';
35 }
36 {
37 dest = "postfix/ldap_mailboxes";
38 user = config.services.postfix.user;
39 group = config.services.postfix.group;
40 permissions = "0440";
41 text = ''
42 server_host = ldaps://${config.myEnv.mail.dovecot.ldap.host}:636
43 search_base = ${config.myEnv.mail.dovecot.ldap.base}
44 query_filter = ${config.myEnv.mail.dovecot.ldap.postfix_mailbox_filter}
45 bind_dn = ${config.myEnv.mail.dovecot.ldap.dn}
46 bind_pw = ${config.myEnv.mail.dovecot.ldap.password}
47 result_attribute = immaePostfixAddress
48 result_format = dummy
49 version = 3
50 '';
51 }
52 {
53 dest = "postfix/mysql_sender_login_maps";
54 user = config.services.postfix.user;
55 group = config.services.postfix.group;
56 permissions = "0440";
57 text = ''
58 # We need to specify that option to trigger ssl connection
59 tls_ciphers = TLSv1.2
60 user = ${config.myEnv.mail.postfix.mysql.user}
61 password = ${config.myEnv.mail.postfix.mysql.password}
62 hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
63 dbname = ${config.myEnv.mail.postfix.mysql.database}
64 query = SELECT DISTINCT destination
65 FROM forwardings
66 WHERE
67 (
68 (regex = 1 AND CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') REGEXP CONCAT('^',source,'$') )
69 OR
70 (regex = 0 AND source = CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d'))
71 )
72 AND active = 1
73 UNION SELECT CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') AS destination
74 '';
75 }
76 {
77 dest = "postfix/mysql_sender_relays_maps";
78 user = config.services.postfix.user;
79 group = config.services.postfix.group;
80 permissions = "0440";
81 text = ''
82 # We need to specify that option to trigger ssl connection
83 tls_ciphers = TLSv1.2
84 user = ${config.myEnv.mail.postfix.mysql.user}
85 password = ${config.myEnv.mail.postfix.mysql.password}
86 hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
87 dbname = ${config.myEnv.mail.postfix.mysql.database}
88 # INSERT INTO sender_relays
89 # (`from`, owner, relay, login, password, regex, active)
90 # VALUES
91 # ( 'sender@otherhost.org'
92 # , 'me@mail.immae.eu'
93 # , '[otherhost.org]:587'
94 # , 'otherhostlogin'
95 # , AES_ENCRYPT('otherhostpassword', '${config.myEnv.mail.postfix.mysql.password_encrypt}')
96 # , '0'
97 # , '1');
98
99 query = SELECT DISTINCT `owner`
100 FROM sender_relays
101 WHERE
102 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
103 AND active = 1
104 '';
105 }
106 {
107 dest = "postfix/mysql_sender_relays_hosts";
108 user = config.services.postfix.user;
109 group = config.services.postfix.group;
110 permissions = "0440";
111 text = ''
112 # We need to specify that option to trigger ssl connection
113 tls_ciphers = TLSv1.2
114 user = ${config.myEnv.mail.postfix.mysql.user}
115 password = ${config.myEnv.mail.postfix.mysql.password}
116 hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
117 dbname = ${config.myEnv.mail.postfix.mysql.database}
118
119 query = SELECT DISTINCT relay
120 FROM sender_relays
121 WHERE
122 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
123 AND active = 1
124 '';
125 }
126 {
127 dest = "postfix/mysql_sender_relays_creds";
128 user = config.services.postfix.user;
129 group = config.services.postfix.group;
130 permissions = "0440";
131 text = ''
132 # We need to specify that option to trigger ssl connection
133 tls_ciphers = TLSv1.2
134 user = ${config.myEnv.mail.postfix.mysql.user}
135 password = ${config.myEnv.mail.postfix.mysql.password}
136 hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
137 dbname = ${config.myEnv.mail.postfix.mysql.database}
138
139 query = SELECT DISTINCT CONCAT(`login`, ':', AES_DECRYPT(`password`, '${config.myEnv.mail.postfix.mysql.password_encrypt}'))
140 FROM sender_relays
141 WHERE
142 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
143 AND active = 1
144 '';
145 }
146 {
147 dest = "postfix/ldap_ejabberd_users_immae_fr";
148 user = config.services.postfix.user;
149 group = config.services.postfix.group;
150 permissions = "0440";
151 text = ''
152 server_host = ldaps://${config.myEnv.jabber.ldap.host}:636
153 search_base = ${config.myEnv.jabber.ldap.base}
154 query_filter = ${config.myEnv.jabber.postfix_user_filter}
155 domain = immae.fr
156 bind_dn = ${config.myEnv.jabber.ldap.dn}
157 bind_pw = ${config.myEnv.jabber.ldap.password}
158 result_attribute = immaeXmppUid
159 result_format = ejabberd@localhost
160 version = 3
161 '';
162 }
163 ] ++ (lib.mapAttrsToList (name: v: {
164 dest = "postfix/scripts/${name}-env";
165 user = "postfixscripts";
166 group = "root";
167 permissions = "0400";
168 text = builtins.toJSON v.env;
169 }) config.myEnv.mail.scripts);
170
171 networking.firewall.allowedTCPPorts = [ 25 465 587 ];
172
173 users.users.postfixscripts = {
174 group = "keys";
175 uid = config.ids.uids.postfixscripts;
176 description = "Postfix scripts user";
177 };
178 users.users."${config.services.postfix.user}".extraGroups = [ "keys" ];
179 services.filesWatcher.postfix = {
180 restart = true;
181 paths = [
182 config.secrets.fullPaths."postfix/mysql_alias_maps"
183 config.secrets.fullPaths."postfix/ldap_mailboxes"
184 config.secrets.fullPaths."postfix/mysql_sender_login_maps"
185 config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"
186 ];
187 };
188 services.postfix = {
189 extraAliases = let
190 toScript = name: script: pkgs.writeScript name ''
191 #! ${pkgs.stdenv.shell}
192 mail=$(${pkgs.coreutils}/bin/cat -)
193 output=$(echo "$mail" | ${script} 2>&1)
194 ret=$?
195
196 if [ "$ret" != "0" ]; then
197 echo "$mail" \
198 | ${pkgs.procmail}/bin/formail -i "X-Return-Code: $ret" \
199 | /run/wrappers/bin/sendmail -i scripts_error+${name}@mail.immae.eu
200
201 messageId=$(echo "$mail" | ${pkgs.procmail}/bin/formail -x "Message-Id:")
202 repeat=$(echo "$mail" | ${pkgs.procmail}/bin/formail -X "From:" -X "Received:")
203
204 ${pkgs.coreutils}/bin/cat <<EOF | /run/wrappers/bin/sendmail -i scripts_error+${name}@mail.immae.eu
205 $repeat
206 To: scripts_error+${name}@mail.immae.eu
207 Subject: Log from script error
208 Content-Type: text/plain; charset="UTF-8"
209 Content-Transfer-Encoding: 8bit
210 References:$messageId
211 MIME-Version: 1.0
212 X-Return-Code: $ret
213
214 Error code: $ret
215 Output of message:
216 --------------
217 $output
218 --------------
219 EOF
220 fi
221 '';
222 scripts = lib.attrsets.mapAttrs (n: v:
223 toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = "/var/secrets/postfix/scripts/${n}-env"; })
224 ) config.myEnv.mail.scripts // {
225 testmail = pkgs.writeScript "testmail" ''
226 #! ${pkgs.stdenv.shell}
227 ${pkgs.coreutils}/bin/touch \
228 "/var/lib/naemon/checks/email/$(${pkgs.procmail}/bin/formail -x To: | ${pkgs.coreutils}/bin/tr -d ' <>')"
229 '';
230 };
231 in builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v: ''${n}: "|${v}"'') scripts);
232 mapFiles = let
233 recipient_maps = let
234 name = n: i: "relay_${n}_${toString i}";
235 pair = n: i: m: lib.attrsets.nameValuePair (name n i) (
236 if m.type == "hash"
237 then pkgs.writeText (name n i) m.content
238 else null
239 );
240 pairs = n: v: lib.imap1 (i: m: pair n i m) v.recipient_maps;
241 in lib.attrsets.filterAttrs (k: v: v != null) (
242 lib.attrsets.listToAttrs (lib.flatten (
243 lib.attrsets.mapAttrsToList pairs config.myEnv.mail.postfix.backup_domains
244 ))
245 );
246 relay_restrictions = lib.attrsets.filterAttrs (k: v: v != null) (
247 lib.attrsets.mapAttrs' (n: v:
248 lib.attrsets.nameValuePair "recipient_access_${n}" (
249 if lib.attrsets.hasAttr "relay_restrictions" v
250 then pkgs.writeText "recipient_access_${n}" v.relay_restrictions
251 else null
252 )
253 ) config.myEnv.mail.postfix.backup_domains
254 );
255 virtual_map = {
256 virtual = let
257 cfg = config.myEnv.monitoring.email_check.eldiron;
258 address = "${cfg.mail_address}@${cfg.mail_domain}";
259 in pkgs.writeText "postfix-virtual" (
260 builtins.concatStringsSep "\n" (
261 ["${address} testmail@localhost"] ++
262 lib.attrsets.mapAttrsToList (
263 n: v: lib.optionalString v.external ''
264 script_${n}@mail.immae.eu ${n}@localhost, scripts@mail.immae.eu
265 ''
266 ) config.myEnv.mail.scripts
267 )
268 );
269 };
270 sasl_access = {
271 host_sender_login = with lib.attrsets; let
272 addresses = zipAttrs (lib.flatten (mapAttrsToList
273 (n: v: (map (e: { "${e}" = "${n}@immae.eu"; }) v.emails)) config.myEnv.servers));
274 joined = builtins.concatStringsSep ",";
275 in pkgs.writeText "host-sender-login"
276 (builtins.concatStringsSep "\n" (mapAttrsToList (n: v: "${n} ${joined v}") addresses));
277 };
278 in
279 recipient_maps // relay_restrictions // virtual_map // sasl_access;
280 config = {
281 ### postfix module overrides
282 readme_directory = "${pkgs.postfix}/share/postfix/doc";
283 smtp_tls_CAfile = lib.mkForce "";
284 smtp_tls_cert_file = lib.mkForce "";
285 smtp_tls_key_file = lib.mkForce "";
286
287 message_size_limit = "1073741824"; # Don't put 0 here, it's not equivalent to "unlimited"
288 mailbox_size_limit = "1073741825"; # Workaround, local delivered mails should all go through scripts
289 alias_database = "\$alias_maps";
290
291 ### Aliases scripts user
292 default_privs = "postfixscripts";
293
294 ### Virtual mailboxes config
295 virtual_alias_maps = [
296 "hash:/etc/postfix/virtual"
297 "mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"}"
298 "ldap:${config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"}"
299 ];
300 virtual_mailbox_domains = config.myEnv.mail.postfix.additional_mailbox_domains
301 ++ lib.remove null (lib.flatten (map
302 (zone: map
303 (e: if e.receive
304 then "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}"
305 else null
306 )
307 (zone.withEmail or [])
308 )
309 config.myEnv.dns.masterZones
310 ));
311 virtual_mailbox_maps = [
312 "ldap:${config.secrets.fullPaths."postfix/ldap_mailboxes"}"
313 ];
314 dovecot_destination_recipient_limit = "1";
315 virtual_transport = "dovecot";
316
317 ### Relay domains
318 relay_domains = lib.flatten (lib.attrsets.mapAttrsToList (n: v: v.domains or []) config.myEnv.mail.postfix.backup_domains);
319 relay_recipient_maps = lib.flatten (lib.attrsets.mapAttrsToList (n: v:
320 lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps
321 ) config.myEnv.mail.postfix.backup_domains);
322 smtpd_relay_restrictions = [
323 "defer_unauth_destination"
324 ] ++ lib.flatten (lib.attrsets.mapAttrsToList (n: v:
325 if lib.attrsets.hasAttr "relay_restrictions" v
326 then [ "check_recipient_access hash:/etc/postfix/recipient_access_${n}" ]
327 else []
328 ) config.myEnv.mail.postfix.backup_domains);
329
330 ### Additional smtpd configuration
331 smtpd_tls_received_header = "yes";
332 smtpd_tls_loglevel = "1";
333
334 ### Email sending configuration
335 smtp_tls_security_level = "may";
336 smtp_tls_loglevel = "1";
337
338 ### Force ip bind for smtp
339 smtp_bind_address = config.hostEnv.ips.main.ip4;
340 smtp_bind_address6 = builtins.head config.hostEnv.ips.main.ip6;
341
342 # Use some relays when authorized senders are not myself
343 smtp_sasl_mechanism_filter = "plain,login"; # GSSAPI Not correctly supported by postfix
344 smtp_sasl_auth_enable = "yes";
345 smtp_sasl_password_maps =
346 "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_creds"}";
347 smtp_sasl_security_options = "noanonymous";
348 smtp_sender_dependent_authentication = "yes";
349 sender_dependent_relayhost_maps =
350 "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_hosts"}";
351
352 ### opendkim, opendmarc, openarc milters
353 non_smtpd_milters = [
354 "unix:${config.myServices.mail.milters.sockets.opendkim}"
355 ];
356 smtpd_milters = [
357 "unix:${config.myServices.mail.milters.sockets.opendkim}"
358 "unix:${config.myServices.mail.milters.sockets.openarc}"
359 "unix:${config.myServices.mail.milters.sockets.opendmarc}"
360 ];
361
362 smtp_use_tls = true;
363 smtpd_use_tls = true;
364 smtpd_tls_chain_files = builtins.concatStringsSep "," [ "/var/lib/acme/mail/full.pem" "/var/lib/acme/mail-rsa/full.pem" ];
365
366 maximal_queue_lifetime = "6w";
367 bounce_queue_lifetime = "6w";
368 };
369 enable = true;
370 enableSmtp = true;
371 enableSubmission = true;
372 submissionOptions = {
373 # Don’t use "long form", only commas (cf
374 # http://www.postfix.org/master.5.html long form is not handled
375 # well by the submission function)
376 smtpd_tls_security_level = "encrypt";
377 smtpd_sasl_auth_enable = "yes";
378 smtpd_tls_auth_only = "yes";
379 smtpd_sasl_tls_security_options = "noanonymous";
380 smtpd_sasl_type = "dovecot";
381 smtpd_sasl_path = "private/auth";
382 smtpd_reject_unlisted_recipient = "no";
383 smtpd_client_restrictions = "permit_sasl_authenticated,reject";
384 smtpd_relay_restrictions = "permit_sasl_authenticated,reject";
385 # Refuse to send e-mails with a From that is not handled
386 smtpd_sender_restrictions =
387 "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
388 smtpd_sender_login_maps = builtins.concatStringsSep "," [
389 "hash:/etc/postfix/host_sender_login"
390 "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_maps"}"
391 "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}"
392 ];
393 smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
394 milter_macro_daemon_name = "ORIGINATING";
395 smtpd_milters = builtins.concatStringsSep "," [
396 # FIXME: put it back when opensmtpd is upgraded and able to
397 # rewrite the from header
398 #"unix:/run/milter_verify_from/verify_from.sock"
399 "unix:${config.myServices.mail.milters.sockets.opendkim}"
400 ];
401 };
402 destination = ["localhost"];
403 # This needs to reverse DNS
404 hostname = config.hostEnv.fqdn;
405 setSendmail = true;
406 recipientDelimiter = "+";
407 masterConfig = {
408 submissions = {
409 type = "inet";
410 private = false;
411 command = "smtpd";
412 args = ["-o" "smtpd_tls_wrappermode=yes" ] ++ (let
413 mkKeyVal = opt: val: [ "-o" (opt + "=" + val) ];
414 in lib.concatLists (lib.mapAttrsToList mkKeyVal config.services.postfix.submissionOptions)
415 );
416 };
417 dovecot = {
418 type = "unix";
419 privileged = true;
420 chroot = false;
421 command = "pipe";
422 args = let
423 # rspamd could be used as a milter, but then it cannot apply
424 # its checks "per user" (milter is not yet dispatched to
425 # users), so we wrap dovecot-lda inside rspamc per recipient
426 # here.
427 rspamc_dovecot = pkgs.writeScriptBin "rspamc_dovecot" ''
428 #! ${pkgs.stdenv.shell}
429 sender="$1"
430 original_recipient="$2"
431 user="$3"
432
433 ${pkgs.coreutils}/bin/cat - | \
434 (${pkgs.rspamd}/bin/rspamc -h ${config.myServices.mail.rspamd.sockets.worker-controller} -c bayes -d "$user" --mime || true) | \
435 ${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f "$sender" -a "$original_recipient" -d "$user"
436 '';
437 in [
438 "flags=ODRhu" "user=vhost:vhost"
439 "argv=${rspamc_dovecot}/bin/rspamc_dovecot \${sender} \${original_recipient} \${user}@\${nexthop}"
440 ];
441 };
442 };
443 };
444 security.acme.certs."mail" = {
445 postRun = ''
446 systemctl restart postfix.service
447 '';
448 extraDomains = {
449 "smtp.immae.eu" = null;
450 };
451 };
452 security.acme.certs."mail-rsa" = {
453 postRun = ''
454 systemctl restart postfix.service
455 '';
456 extraDomains = {
457 "smtp.immae.eu" = null;
458 };
459 };
460 system.activationScripts.testmail = {
461 deps = [ "users" ];
462 text = let
463 allCfg = config.myEnv.monitoring.email_check;
464 cfg = allCfg.eldiron;
465 reverseTargets = builtins.attrNames (lib.attrsets.filterAttrs (k: v: builtins.elem "eldiron" v.targets) allCfg);
466 to_email = cfg': host':
467 let sep = if lib.strings.hasInfix "+" cfg'.mail_address then "_" else "+";
468 in "${cfg'.mail_address}${sep}${host'}@${cfg'.mail_domain}";
469 mails_to_receive = builtins.concatStringsSep " " (map (to_email cfg) reverseTargets);
470 in ''
471 install -m 0555 -o postfixscripts -g keys -d /var/lib/naemon/checks/email
472 for f in ${mails_to_receive}; do
473 if [ ! -f /var/lib/naemon/checks/email/$f ]; then
474 install -m 0644 -o postfixscripts -g keys /dev/null -T /var/lib/naemon/checks/email/$f
475 touch -m -d @0 /var/lib/naemon/checks/email/$f
476 fi
477 done
478 '';
479 };
480 systemd.services.postfix.serviceConfig.Slice = "mail.slice";
481 };
482 }
My infrastructure configuration