modules/private/mail/postfix.nix

   1 { lib, pkgs, config, myconfig,  ... }:
   2 {
   3   config.secrets.keys = [
   4     {
   5       dest = "postfix/mysql_alias_maps";
   6       user = config.services.postfix.user;
   7       group = config.services.postfix.group;
   8       permissions = "0440";
   9       text = ''
  10         # We need to specify that option to trigger ssl connection
  11         tls_ciphers = TLSv1.2
  12         user = ${myconfig.env.mail.postfix.mysql.user}
  13         password = ${myconfig.env.mail.postfix.mysql.password}
  14         hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
  15         dbname = ${myconfig.env.mail.postfix.mysql.database}
  16         query = SELECT DISTINCT destination
  17           FROM forwardings_merge
  18           WHERE
  19             ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
  20             AND active = 1
  21             AND '%s' NOT IN
  22             (
  23               SELECT source
  24               FROM forwardings_blacklisted
  25               WHERE source = '%s'
  26             ) UNION
  27             SELECT 'devnull@immae.eu'
  28             FROM forwardings_blacklisted
  29             WHERE source = '%s'
  30         '';
  31     }
  32     {
  33       dest = "postfix/mysql_mailbox_maps";
  34       user = config.services.postfix.user;
  35       group = config.services.postfix.group;
  36       permissions = "0440";
  37       text = ''
  38         # We need to specify that option to trigger ssl connection
  39         tls_ciphers = TLSv1.2
  40         user = ${myconfig.env.mail.postfix.mysql.user}
  41         password = ${myconfig.env.mail.postfix.mysql.password}
  42         hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
  43         dbname = ${myconfig.env.mail.postfix.mysql.database}
  44         result_format = /%d/%u
  45         query = SELECT DISTINCT '%s'
  46           FROM mailboxes
  47           WHERE active = 1
  48           AND (
  49             (domain = '%d' AND user = '%u' AND regex = 0)
  50             OR (
  51               regex = 1
  52               AND '%d' REGEXP CONCAT('^',domain,'$')
  53               AND '%u' REGEXP CONCAT('^',user,'$')
  54             )
  55           )
  56           LIMIT 1
  57       '';
  58     }
  59     {
  60       dest = "postfix/mysql_sender_login_maps";
  61       user = config.services.postfix.user;
  62       group = config.services.postfix.group;
  63       permissions = "0440";
  64       text = ''
  65         # We need to specify that option to trigger ssl connection
  66         tls_ciphers = TLSv1.2
  67         user = ${myconfig.env.mail.postfix.mysql.user}
  68         password = ${myconfig.env.mail.postfix.mysql.password}
  69         hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
  70         dbname = ${myconfig.env.mail.postfix.mysql.database}
  71         query = SELECT DISTINCT destination
  72           FROM forwardings_merge
  73           WHERE
  74             ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
  75             AND active = 1
  76           UNION SELECT '%s' AS destination
  77         '';
  78     }
  79   ];
  80
  81   config.networking.firewall.allowedTCPPorts = [ 25 465 587 ];
  82
  83   config.nixpkgs.overlays = [ (self: super: {
  84     postfix = super.postfix.override { withMySQL = true; };
  85   }) ];
  86   config.users.users."${config.services.postfix.user}".extraGroups = [ "keys" ];
  87   config.services.filesWatcher.postfix = {
  88     restart = true;
  89     paths = [
  90       config.secrets.fullPaths."postfix/mysql_alias_maps"
  91       config.secrets.fullPaths."postfix/mysql_mailbox_maps"
  92       config.secrets.fullPaths."postfix/mysql_sender_login_maps"
  93     ];
  94   };
  95   config.services.postfix = {
  96     mapFiles = let
  97       recipient_maps = let
  98         name = n: i: "relay_${n}_${toString i}";
  99         pair = n: i: m: lib.attrsets.nameValuePair (name n i) (
 100           if m.type == "hash"
 101           then pkgs.writeText (name n i) m.content
 102           else null
 103         );
 104         pairs = n: v: lib.imap1 (i: m: pair n i m) v.recipient_maps;
 105       in lib.attrsets.filterAttrs (k: v: v != null) (
 106         lib.attrsets.listToAttrs (lib.flatten (
 107           lib.attrsets.mapAttrsToList pairs myconfig.env.mail.postfix.backup_domains
 108         ))
 109       );
 110       relay_restrictions = lib.attrsets.filterAttrs (k: v: v != null) (
 111         lib.attrsets.mapAttrs' (n: v:
 112           lib.attrsets.nameValuePair "recipient_access_${n}" (
 113             if lib.attrsets.hasAttr "relay_restrictions" v
 114             then pkgs.writeText "recipient_access_${n}" v.relay_restrictions
 115             else null
 116           )
 117         ) myconfig.env.mail.postfix.backup_domains
 118       );
 119     in
 120       recipient_maps // relay_restrictions;
 121     config = {
 122       ### postfix module overrides
 123       readme_directory = "${pkgs.postfix}/share/postfix/doc";
 124       smtp_tls_CAfile = lib.mkForce "";
 125       smtp_tls_cert_file = lib.mkForce "";
 126       smtp_tls_key_file = lib.mkForce "";
 127
 128       message_size_limit = "1073741824"; # Don't put 0 here, it's not equivalent to "unlimited"
 129       alias_database = "\$alias_maps";
 130
 131       ### Virtual mailboxes config
 132       virtual_alias_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"}";
 133       virtual_mailbox_domains = myconfig.env.mail.postfix.additional_mailbox_domains
 134        ++ lib.remove "localhost.immae.eu" (lib.remove null (lib.flatten (map
 135           (zone: map
 136             (e: if e.receive
 137             then "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}"
 138             else null
 139             )
 140             (zone.withEmail or [])
 141           )
 142           myconfig.env.dns.masterZones
 143         )));
 144       virtual_mailbox_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}";
 145       dovecot_destination_recipient_limit = "1";
 146       virtual_transport = "dovecot";
 147
 148       ### Relay domains
 149       relay_domains = lib.flatten (lib.attrsets.mapAttrsToList (n: v: v.domains or []) myconfig.env.mail.postfix.backup_domains);
 150       relay_recipient_maps = lib.flatten (lib.attrsets.mapAttrsToList (n: v:
 151         lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps
 152       ) myconfig.env.mail.postfix.backup_domains);
 153       smtpd_relay_restrictions = [
 154         "permit_mynetworks"
 155         "permit_sasl_authenticated"
 156         "defer_unauth_destination"
 157       ] ++ lib.flatten (lib.attrsets.mapAttrsToList (n: v:
 158         if lib.attrsets.hasAttr "relay_restrictions" v
 159         then [ "check_recipient_access hash:/etc/postfix/recipient_access_${n}" ]
 160         else []
 161       ) myconfig.env.mail.postfix.backup_domains);
 162
 163       ### Additional smtpd configuration
 164       smtpd_tls_received_header = "yes";
 165       smtpd_tls_loglevel = "1";
 166
 167       ### Email sending configuration
 168       smtp_tls_security_level = "may";
 169       smtp_tls_loglevel = "1";
 170
 171       ### Force ip bind for smtp
 172       smtp_bind_address  = myconfig.env.servers.eldiron.ips.main.ip4;
 173       smtp_bind_address6 = builtins.head myconfig.env.servers.eldiron.ips.main.ip6;
 174
 175       # #Unneeded if postfix can only send e-mail from "self" domains
 176       # #smtp_sasl_auth_enable = "yes";
 177       # #smtp_sasl_password_maps = "hash:/etc/postfix/relay_creds";
 178       # #smtp_sasl_security_options = "noanonymous";
 179       # #smtp_sender_dependent_authentication = "yes";
 180       # #sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay";
 181
 182       ### opendkim, opendmarc, openarc milters
 183       non_smtpd_milters = [
 184         "unix:${config.myServices.mail.milters.sockets.opendkim}"
 185         "unix:${config.myServices.mail.milters.sockets.opendmarc}"
 186         "unix:${config.myServices.mail.milters.sockets.openarc}"
 187       ];
 188       smtpd_milters = [
 189         "unix:${config.myServices.mail.milters.sockets.opendkim}"
 190         "unix:${config.myServices.mail.milters.sockets.opendmarc}"
 191         "unix:${config.myServices.mail.milters.sockets.openarc}"
 192       ];
 193     };
 194     enable = true;
 195     enableSmtp = true;
 196     enableSubmission = true;
 197     submissionOptions = {
 198       smtpd_tls_security_level = "encrypt";
 199       smtpd_sasl_auth_enable = "yes";
 200       smtpd_tls_auth_only = "yes";
 201       smtpd_sasl_tls_security_options = "noanonymous";
 202       smtpd_sasl_type = "dovecot";
 203       smtpd_sasl_path = "private/auth";
 204       smtpd_reject_unlisted_recipient = "no";
 205       smtpd_client_restrictions = "permit_sasl_authenticated,reject";
 206       # Refuse to send e-mails with a From that is not handled
 207       smtpd_sender_restrictions =
 208         "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
 209       smtpd_sender_login_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}";
 210       smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
 211       milter_macro_daemon_name = "ORIGINATING";
 212       smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}";
 213     };
 214     # FIXME: Mail adressed to localhost.immae.eu will still have mx-1 as
 215     # prioritized MX, which provokes "mail for localhost.immae.eu loops
 216     # back to myself" errors. This transport entry forces to push
 217     # e-mails to its right destination.
 218     transport = ''
 219       localhost.immae.eu   smtp:[immae.eu]:25
 220       '';
 221     destination = ["localhost"];
 222     # This needs to reverse DNS
 223     hostname = "eldiron.immae.eu";
 224     setSendmail = true;
 225     sslCert = "/var/lib/acme/mail/fullchain.pem";
 226     sslKey = "/var/lib/acme/mail/key.pem";
 227     recipientDelimiter = "+";
 228     masterConfig = {
 229       submissions = {
 230         type = "inet";
 231         private = false;
 232         command = "smtpd";
 233         args = ["-o" "smtpd_tls_wrappermode=yes" ] ++ (let
 234           mkKeyVal = opt: val: [ "-o" (opt + "=" + val) ];
 235         in lib.concatLists (lib.mapAttrsToList mkKeyVal config.services.postfix.submissionOptions)
 236         );
 237       };
 238       dovecot = {
 239         type = "unix";
 240         privileged = true;
 241         chroot = false;
 242         command = "pipe";
 243         args = let
 244           # rspamd could be used as a milter, but then it cannot apply
 245           # its checks "per user" (milter is not yet dispatched to
 246           # users), so we wrap dovecot-lda inside rspamc per recipient
 247           # here.
 248           dovecot_exe = "${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f \${sender} -a \${original_recipient} -d \${user}@\${nexthop}";
 249         in [
 250           "flags=DRhu" "user=vhost:vhost"
 251           "argv=${pkgs.rspamd}/bin/rspamc -h ${config.myServices.mail.rspamd.sockets.worker-controller} -c bayes -d \${user}@\${nexthop} --mime --exec {${dovecot_exe}}"
 252         ];
 253       };
 254     };
 255   };
 256   config.security.acme.certs."mail" = {
 257     postRun = ''
 258       systemctl restart postfix.service
 259       '';
 260     extraDomains = {
 261       "smtp.immae.eu" = null;
 262     };
 263   };
 264 }