]> git.immae.eu Git - perso/Immae/Config/Nix.git/blob - modules/private/mail/postfix.nix
projects / perso / Immae / Config / Nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fix printer not supporting elliptic curve keys
[perso/Immae/Config/Nix.git] / modules / private / mail / postfix.nix
1 { lib, pkgs, config, nodes, ... }:
2 {
3 config = lib.mkIf config.myServices.mail.enable {
4 services.duplyBackup.profiles.mail.excludeFile = ''
5 + /var/lib/postfix
6 '';
7 secrets.keys = [
8 {
9 dest = "postfix/mysql_alias_maps";
10 user = config.services.postfix.user;
11 group = config.services.postfix.group;
12 permissions = "0440";
13 text = ''
14 # We need to specify that option to trigger ssl connection
15 tls_ciphers = TLSv1.2
16 user = ${config.myEnv.mail.postfix.mysql.user}
17 password = ${config.myEnv.mail.postfix.mysql.password}
18 hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
19 dbname = ${config.myEnv.mail.postfix.mysql.database}
20 query = SELECT DISTINCT destination
21 FROM forwardings_merge
22 WHERE
23 ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
24 AND active = 1
25 AND '%s' NOT IN
26 (
27 SELECT source
28 FROM forwardings_blacklisted
29 WHERE source = '%s'
30 ) UNION
31 SELECT 'devnull@immae.eu'
32 FROM forwardings_blacklisted
33 WHERE source = '%s'
34 '';
35 }
36 {
37 dest = "postfix/mysql_mailbox_maps";
38 user = config.services.postfix.user;
39 group = config.services.postfix.group;
40 permissions = "0440";
41 text = ''
42 # We need to specify that option to trigger ssl connection
43 tls_ciphers = TLSv1.2
44 user = ${config.myEnv.mail.postfix.mysql.user}
45 password = ${config.myEnv.mail.postfix.mysql.password}
46 hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
47 dbname = ${config.myEnv.mail.postfix.mysql.database}
48 result_format = /%d/%u
49 query = SELECT DISTINCT '%s'
50 FROM mailboxes
51 WHERE active = 1
52 AND (
53 (domain = '%d' AND user = '%u' AND regex = 0)
54 OR (
55 regex = 1
56 AND '%d' REGEXP CONCAT('^',domain,'$')
57 AND '%u' REGEXP CONCAT('^',user,'$')
58 )
59 )
60 LIMIT 1
61 '';
62 }
63 {
64 dest = "postfix/mysql_sender_login_maps";
65 user = config.services.postfix.user;
66 group = config.services.postfix.group;
67 permissions = "0440";
68 text = ''
69 # We need to specify that option to trigger ssl connection
70 tls_ciphers = TLSv1.2
71 user = ${config.myEnv.mail.postfix.mysql.user}
72 password = ${config.myEnv.mail.postfix.mysql.password}
73 hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
74 dbname = ${config.myEnv.mail.postfix.mysql.database}
75 query = SELECT DISTINCT destination
76 FROM forwardings_merge
77 WHERE
78 ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
79 AND active = 1
80 UNION SELECT '%s' AS destination
81 '';
82 }
83 {
84 dest = "postfix/mysql_sender_relays_maps";
85 user = config.services.postfix.user;
86 group = config.services.postfix.group;
87 permissions = "0440";
88 text = ''
89 # We need to specify that option to trigger ssl connection
90 tls_ciphers = TLSv1.2
91 user = ${config.myEnv.mail.postfix.mysql.user}
92 password = ${config.myEnv.mail.postfix.mysql.password}
93 hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
94 dbname = ${config.myEnv.mail.postfix.mysql.database}
95 # INSERT INTO sender_relays
96 # (`from`, owner, relay, login, password, regex, active)
97 # VALUES
98 # ( 'sender@otherhost.org'
99 # , 'me@mail.immae.eu'
100 # , '[otherhost.org]:587'
101 # , 'otherhostlogin'
102 # , AES_ENCRYPT('otherhostpassword', '${config.myEnv.mail.postfix.mysql.password_encrypt}')
103 # , '0'
104 # , '1');
105
106 query = SELECT DISTINCT `owner`
107 FROM sender_relays
108 WHERE
109 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
110 AND active = 1
111 '';
112 }
113 {
114 dest = "postfix/mysql_sender_relays_hosts";
115 user = config.services.postfix.user;
116 group = config.services.postfix.group;
117 permissions = "0440";
118 text = ''
119 # We need to specify that option to trigger ssl connection
120 tls_ciphers = TLSv1.2
121 user = ${config.myEnv.mail.postfix.mysql.user}
122 password = ${config.myEnv.mail.postfix.mysql.password}
123 hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
124 dbname = ${config.myEnv.mail.postfix.mysql.database}
125
126 query = SELECT DISTINCT relay
127 FROM sender_relays
128 WHERE
129 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
130 AND active = 1
131 '';
132 }
133 {
134 dest = "postfix/mysql_sender_relays_creds";
135 user = config.services.postfix.user;
136 group = config.services.postfix.group;
137 permissions = "0440";
138 text = ''
139 # We need to specify that option to trigger ssl connection
140 tls_ciphers = TLSv1.2
141 user = ${config.myEnv.mail.postfix.mysql.user}
142 password = ${config.myEnv.mail.postfix.mysql.password}
143 hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
144 dbname = ${config.myEnv.mail.postfix.mysql.database}
145
146 query = SELECT DISTINCT CONCAT(`login`, ':', AES_DECRYPT(`password`, '${config.myEnv.mail.postfix.mysql.password_encrypt}'))
147 FROM sender_relays
148 WHERE
149 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
150 AND active = 1
151 '';
152 }
153 {
154 dest = "postfix/ldap_ejabberd_users_immae_fr";
155 user = config.services.postfix.user;
156 group = config.services.postfix.group;
157 permissions = "0440";
158 text = ''
159 server_host = ldaps://${config.myEnv.jabber.ldap.host}:636
160 search_base = ${config.myEnv.jabber.ldap.base}
161 query_filter = ${config.myEnv.jabber.postfix_user_filter}
162 domain = immae.fr
163 bind_dn = ${config.myEnv.jabber.ldap.dn}
164 bind_pw = ${config.myEnv.jabber.ldap.password}
165 result_attribute = immaeXmppUid
166 result_format = ejabberd@localhost
167 version = 3
168 '';
169 }
170 ];
171
172 networking.firewall.allowedTCPPorts = [ 25 465 587 ];
173
174 nixpkgs.overlays = [ (self: super: {
175 postfix = super.postfix.override { withMySQL = true; };
176 }) ];
177 users.users."${config.services.postfix.user}".extraGroups = [ "keys" ];
178 services.filesWatcher.postfix = {
179 restart = true;
180 paths = [
181 config.secrets.fullPaths."postfix/mysql_alias_maps"
182 config.secrets.fullPaths."postfix/mysql_mailbox_maps"
183 config.secrets.fullPaths."postfix/mysql_sender_login_maps"
184 config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"
185 ];
186 };
187 services.postfix = {
188 extraAliases = let
189 toScript = name: script: pkgs.writeScript name ''
190 #! ${pkgs.stdenv.shell}
191 mail=$(${pkgs.coreutils}/bin/cat -)
192 output=$(echo "$mail" | ${script} 2>&1)
193 ret=$?
194
195 if [ "$ret" != "0" ]; then
196 echo "$mail" \
197 | ${pkgs.procmail}/bin/formail -i "X-Return-Code: $ret" \
198 | /run/wrappers/bin/sendmail -i scripts_error+${name}@mail.immae.eu
199
200 messageId=$(echo "$mail" | ${pkgs.procmail}/bin/formail -x "Message-Id:")
201 repeat=$(echo "$mail" | ${pkgs.procmail}/bin/formail -X "From:" -X "Received:")
202
203 ${pkgs.coreutils}/bin/cat <<EOF | /run/wrappers/bin/sendmail -i scripts_error+${name}@mail.immae.eu
204 $repeat
205 To: scripts_error+${name}@mail.immae.eu
206 Subject: Log from script error
207 Content-Type: text/plain; charset="UTF-8"
208 Content-Transfer-Encoding: 8bit
209 References:$messageId
210 MIME-Version: 1.0
211 X-Return-Code: $ret
212
213 Error code: $ret
214 Output of message:
215 --------------
216 $output
217 --------------
218 EOF
219 fi
220 '';
221 scripts = lib.attrsets.mapAttrs (n: v:
222 toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = v.env; })
223 ) config.myEnv.mail.scripts // {
224 testmail = pkgs.writeScript "testmail" ''
225 #! ${pkgs.stdenv.shell}
226 ${pkgs.coreutils}/bin/touch \
227 "/var/lib/naemon/checks/email/$(${pkgs.procmail}/bin/formail -x To: | ${pkgs.coreutils}/bin/tr -d ' <>')"
228 '';
229 };
230 in builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v: ''${n}: "|${v}"'') scripts);
231 mapFiles = let
232 recipient_maps = let
233 name = n: i: "relay_${n}_${toString i}";
234 pair = n: i: m: lib.attrsets.nameValuePair (name n i) (
235 if m.type == "hash"
236 then pkgs.writeText (name n i) m.content
237 else null
238 );
239 pairs = n: v: lib.imap1 (i: m: pair n i m) v.recipient_maps;
240 in lib.attrsets.filterAttrs (k: v: v != null) (
241 lib.attrsets.listToAttrs (lib.flatten (
242 lib.attrsets.mapAttrsToList pairs config.myEnv.mail.postfix.backup_domains
243 ))
244 );
245 relay_restrictions = lib.attrsets.filterAttrs (k: v: v != null) (
246 lib.attrsets.mapAttrs' (n: v:
247 lib.attrsets.nameValuePair "recipient_access_${n}" (
248 if lib.attrsets.hasAttr "relay_restrictions" v
249 then pkgs.writeText "recipient_access_${n}" v.relay_restrictions
250 else null
251 )
252 ) config.myEnv.mail.postfix.backup_domains
253 );
254 virtual_map = {
255 virtual = let
256 cfg = config.myEnv.monitoring.email_check.eldiron;
257 address = "${cfg.mail_address}@${cfg.mail_domain}";
258 in pkgs.writeText "postfix-virtual" (
259 builtins.concatStringsSep "\n" (
260 ["${address} testmail@localhost"] ++
261 lib.attrsets.mapAttrsToList (
262 n: v: lib.optionalString v.external ''
263 script_${n}@mail.immae.eu ${n}@localhost, scripts@mail.immae.eu
264 ''
265 ) config.myEnv.mail.scripts
266 )
267 );
268 };
269 sasl_access = {
270 host_sender_login = with lib.attrsets; let
271 addresses = zipAttrs (lib.flatten (mapAttrsToList
272 (n: v: (map (e: { "${e}" = "${n}@immae.eu"; }) v.emails)) config.myEnv.servers));
273 joined = builtins.concatStringsSep ",";
274 in pkgs.writeText "host-sender-login"
275 (builtins.concatStringsSep "\n" (mapAttrsToList (n: v: "${n} ${joined v}") addresses));
276 host_dummy_mailboxes = pkgs.writeText "host-virtual-mailbox"
277 (builtins.concatStringsSep "\n" (["immae-eu@immae.eu dummy"] ++ lib.attrsets.mapAttrsToList (n: v: "${n}@immae.eu dummy") nodes));
278 };
279 in
280 recipient_maps // relay_restrictions // virtual_map // sasl_access;
281 config = {
282 ### postfix module overrides
283 readme_directory = "${pkgs.postfix}/share/postfix/doc";
284 smtp_tls_CAfile = lib.mkForce "";
285 smtp_tls_cert_file = lib.mkForce "";
286 smtp_tls_key_file = lib.mkForce "";
287
288 message_size_limit = "1073741824"; # Don't put 0 here, it's not equivalent to "unlimited"
289 mailbox_size_limit = "1073741825"; # Workaround, local delivered mails should all go through scripts
290 alias_database = "\$alias_maps";
291
292 ### Virtual mailboxes config
293 virtual_alias_maps = "hash:/etc/postfix/virtual mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"} ldap:${config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"}";
294 virtual_mailbox_domains = config.myEnv.mail.postfix.additional_mailbox_domains
295 ++ lib.remove null (lib.flatten (map
296 (zone: map
297 (e: if e.receive
298 then "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}"
299 else null
300 )
301 (zone.withEmail or [])
302 )
303 config.myEnv.dns.masterZones
304 ));
305 virtual_mailbox_maps = "hash:/etc/postfix/host_dummy_mailboxes mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}";
306 dovecot_destination_recipient_limit = "1";
307 virtual_transport = "dovecot";
308
309 ### Relay domains
310 relay_domains = lib.flatten (lib.attrsets.mapAttrsToList (n: v: v.domains or []) config.myEnv.mail.postfix.backup_domains);
311 relay_recipient_maps = lib.flatten (lib.attrsets.mapAttrsToList (n: v:
312 lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps
313 ) config.myEnv.mail.postfix.backup_domains);
314 smtpd_relay_restrictions = [
315 "defer_unauth_destination"
316 ] ++ lib.flatten (lib.attrsets.mapAttrsToList (n: v:
317 if lib.attrsets.hasAttr "relay_restrictions" v
318 then [ "check_recipient_access hash:/etc/postfix/recipient_access_${n}" ]
319 else []
320 ) config.myEnv.mail.postfix.backup_domains);
321
322 ### Additional smtpd configuration
323 smtpd_tls_received_header = "yes";
324 smtpd_tls_loglevel = "1";
325
326 ### Email sending configuration
327 smtp_tls_security_level = "may";
328 smtp_tls_loglevel = "1";
329
330 ### Force ip bind for smtp
331 smtp_bind_address = config.hostEnv.ips.main.ip4;
332 smtp_bind_address6 = builtins.head config.hostEnv.ips.main.ip6;
333
334 # Use some relays when authorized senders are not myself
335 smtp_sasl_mechanism_filter = "plain,login"; # GSSAPI Not correctly supported by postfix
336 smtp_sasl_auth_enable = "yes";
337 smtp_sasl_password_maps =
338 "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_creds"}";
339 smtp_sasl_security_options = "noanonymous";
340 smtp_sender_dependent_authentication = "yes";
341 sender_dependent_relayhost_maps =
342 "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_hosts"}";
343
344 ### opendkim, opendmarc, openarc milters
345 non_smtpd_milters = [
346 "unix:${config.myServices.mail.milters.sockets.opendkim}"
347 ];
348 smtpd_milters = [
349 "unix:${config.myServices.mail.milters.sockets.opendkim}"
350 "unix:${config.myServices.mail.milters.sockets.openarc}"
351 "unix:${config.myServices.mail.milters.sockets.opendmarc}"
352 ];
353
354 smtp_use_tls = true;
355 smtpd_use_tls = true;
356 smtpd_tls_chain_files = builtins.concatStringsSep "," [ "/var/lib/acme/mail/full.pem" "/var/lib/acme/mail-rsa/full.pem" ];
357 };
358 enable = true;
359 enableSmtp = true;
360 enableSubmission = true;
361 submissionOptions = {
362 # Don’t use "long form", only commas (cf
363 # http://www.postfix.org/master.5.html long form is not handled
364 # well by the submission function)
365 smtpd_tls_security_level = "encrypt";
366 smtpd_sasl_auth_enable = "yes";
367 smtpd_tls_auth_only = "yes";
368 smtpd_sasl_tls_security_options = "noanonymous";
369 smtpd_sasl_type = "dovecot";
370 smtpd_sasl_path = "private/auth";
371 smtpd_reject_unlisted_recipient = "no";
372 smtpd_client_restrictions = "permit_sasl_authenticated,reject";
373 smtpd_relay_restrictions = "permit_sasl_authenticated,reject";
374 # Refuse to send e-mails with a From that is not handled
375 smtpd_sender_restrictions =
376 "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
377 smtpd_sender_login_maps = builtins.concatStringsSep "," [
378 "hash:/etc/postfix/host_sender_login"
379 "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_maps"}"
380 "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}"
381 ];
382 smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
383 milter_macro_daemon_name = "ORIGINATING";
384 smtpd_milters = builtins.concatStringsSep "," [
385 # FIXME: put it back when opensmtpd is upgraded and able to
386 # rewrite the from header
387 #"unix:/run/milter_verify_from/verify_from.sock"
388 "unix:${config.myServices.mail.milters.sockets.opendkim}"
389 ];
390 };
391 destination = ["localhost"];
392 # This needs to reverse DNS
393 hostname = config.hostEnv.fqdn;
394 setSendmail = true;
395 recipientDelimiter = "+";
396 masterConfig = {
397 submissions = {
398 type = "inet";
399 private = false;
400 command = "smtpd";
401 args = ["-o" "smtpd_tls_wrappermode=yes" ] ++ (let
402 mkKeyVal = opt: val: [ "-o" (opt + "=" + val) ];
403 in lib.concatLists (lib.mapAttrsToList mkKeyVal config.services.postfix.submissionOptions)
404 );
405 };
406 dovecot = {
407 type = "unix";
408 privileged = true;
409 chroot = false;
410 command = "pipe";
411 args = let
412 # rspamd could be used as a milter, but then it cannot apply
413 # its checks "per user" (milter is not yet dispatched to
414 # users), so we wrap dovecot-lda inside rspamc per recipient
415 # here.
416 rspamc_dovecot = pkgs.writeScriptBin "rspamc_dovecot" ''
417 #! ${pkgs.stdenv.shell}
418 sender="$1"
419 original_recipient="$2"
420 user="$3"
421
422 ${pkgs.coreutils}/bin/cat - | \
423 (${pkgs.rspamd}/bin/rspamc -h ${config.myServices.mail.rspamd.sockets.worker-controller} -c bayes -d "$user" --mime || true) | \
424 ${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f "$sender" -a "$original_recipient" -d "$user"
425 '';
426 in [
427 "flags=DRhu" "user=vhost:vhost"
428 "argv=${rspamc_dovecot}/bin/rspamc_dovecot \${sender} \${original_recipient} \${user}@\${nexthop}"
429 ];
430 };
431 };
432 };
433 security.acme.certs."mail" = {
434 postRun = ''
435 systemctl restart postfix.service
436 '';
437 extraDomains = {
438 "smtp.immae.eu" = null;
439 };
440 };
441 system.activationScripts.testmail = {
442 deps = [ "users" ];
443 text = let
444 allCfg = config.myEnv.monitoring.email_check;
445 cfg = allCfg.eldiron;
446 reverseTargets = builtins.attrNames (lib.attrsets.filterAttrs (k: v: builtins.elem "eldiron" v.targets) allCfg);
447 to_email = cfg': host':
448 let sep = if lib.strings.hasInfix "+" cfg'.mail_address then "_" else "+";
449 in "${cfg'.mail_address}${sep}${host'}@${cfg'.mail_domain}";
450 mails_to_receive = builtins.concatStringsSep " " (map (to_email cfg) reverseTargets);
451 in ''
452 install -m 0555 -o nobody -g nogroup -d /var/lib/naemon/checks/email
453 for f in ${mails_to_receive}; do
454 if [ ! -f /var/lib/naemon/checks/email/$f ]; then
455 install -m 0644 -o nobody -g nogroup /dev/null -T /var/lib/naemon/checks/email/$f
456 touch -m -d @0 /var/lib/naemon/checks/email/$f
457 fi
458 done
459 '';
460 };
461 };
462 }
My infrastructure configuration