-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, nodes, ... }:
{
config = lib.mkIf config.myServices.mail.enable {
- services.backup.profiles.mail.excludeFile = ''
+ services.duplyBackup.profiles.mail.excludeFile = ''
+ /var/lib/postfix
'';
secrets.keys = [
text = ''
# We need to specify that option to trigger ssl connection
tls_ciphers = TLSv1.2
- user = ${myconfig.env.mail.postfix.mysql.user}
- password = ${myconfig.env.mail.postfix.mysql.password}
- hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
- dbname = ${myconfig.env.mail.postfix.mysql.database}
+ user = ${config.myEnv.mail.postfix.mysql.user}
+ password = ${config.myEnv.mail.postfix.mysql.password}
+ hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+ dbname = ${config.myEnv.mail.postfix.mysql.database}
query = SELECT DISTINCT destination
FROM forwardings_merge
WHERE
text = ''
# We need to specify that option to trigger ssl connection
tls_ciphers = TLSv1.2
- user = ${myconfig.env.mail.postfix.mysql.user}
- password = ${myconfig.env.mail.postfix.mysql.password}
- hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
- dbname = ${myconfig.env.mail.postfix.mysql.database}
+ user = ${config.myEnv.mail.postfix.mysql.user}
+ password = ${config.myEnv.mail.postfix.mysql.password}
+ hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+ dbname = ${config.myEnv.mail.postfix.mysql.database}
result_format = /%d/%u
query = SELECT DISTINCT '%s'
FROM mailboxes
text = ''
# We need to specify that option to trigger ssl connection
tls_ciphers = TLSv1.2
- user = ${myconfig.env.mail.postfix.mysql.user}
- password = ${myconfig.env.mail.postfix.mysql.password}
- hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
- dbname = ${myconfig.env.mail.postfix.mysql.database}
+ user = ${config.myEnv.mail.postfix.mysql.user}
+ password = ${config.myEnv.mail.postfix.mysql.password}
+ hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+ dbname = ${config.myEnv.mail.postfix.mysql.database}
query = SELECT DISTINCT destination
FROM forwardings_merge
WHERE
UNION SELECT '%s' AS destination
'';
}
+ {
+ dest = "postfix/mysql_sender_relays_maps";
+ user = config.services.postfix.user;
+ group = config.services.postfix.group;
+ permissions = "0440";
+ text = ''
+ # We need to specify that option to trigger ssl connection
+ tls_ciphers = TLSv1.2
+ user = ${config.myEnv.mail.postfix.mysql.user}
+ password = ${config.myEnv.mail.postfix.mysql.password}
+ hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+ dbname = ${config.myEnv.mail.postfix.mysql.database}
+ # INSERT INTO sender_relays
+ # (`from`, owner, relay, login, password, regex, active)
+ # VALUES
+ # ( 'sender@otherhost.org'
+ # , 'me@mail.immae.eu'
+ # , '[otherhost.org]:587'
+ # , 'otherhostlogin'
+ # , AES_ENCRYPT('otherhostpassword', '${config.myEnv.mail.postfix.mysql.password_encrypt}')
+ # , '0'
+ # , '1');
+
+ query = SELECT DISTINCT `owner`
+ FROM sender_relays
+ WHERE
+ ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
+ AND active = 1
+ '';
+ }
+ {
+ dest = "postfix/mysql_sender_relays_hosts";
+ user = config.services.postfix.user;
+ group = config.services.postfix.group;
+ permissions = "0440";
+ text = ''
+ # We need to specify that option to trigger ssl connection
+ tls_ciphers = TLSv1.2
+ user = ${config.myEnv.mail.postfix.mysql.user}
+ password = ${config.myEnv.mail.postfix.mysql.password}
+ hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+ dbname = ${config.myEnv.mail.postfix.mysql.database}
+
+ query = SELECT DISTINCT relay
+ FROM sender_relays
+ WHERE
+ ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
+ AND active = 1
+ '';
+ }
+ {
+ dest = "postfix/mysql_sender_relays_creds";
+ user = config.services.postfix.user;
+ group = config.services.postfix.group;
+ permissions = "0440";
+ text = ''
+ # We need to specify that option to trigger ssl connection
+ tls_ciphers = TLSv1.2
+ user = ${config.myEnv.mail.postfix.mysql.user}
+ password = ${config.myEnv.mail.postfix.mysql.password}
+ hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+ dbname = ${config.myEnv.mail.postfix.mysql.database}
+
+ query = SELECT DISTINCT CONCAT(`login`, ':', AES_DECRYPT(`password`, '${config.myEnv.mail.postfix.mysql.password_encrypt}'))
+ FROM sender_relays
+ WHERE
+ ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
+ AND active = 1
+ '';
+ }
+ {
+ dest = "postfix/ldap_ejabberd_users_immae_fr";
+ user = config.services.postfix.user;
+ group = config.services.postfix.group;
+ permissions = "0440";
+ text = ''
+ server_host = ldaps://${config.myEnv.jabber.ldap.host}:636
+ search_base = ${config.myEnv.jabber.ldap.base}
+ query_filter = ${config.myEnv.jabber.postfix_user_filter}
+ domain = immae.fr
+ bind_dn = ${config.myEnv.jabber.ldap.dn}
+ bind_pw = ${config.myEnv.jabber.ldap.password}
+ result_attribute = immaeXmppUid
+ result_format = ejabberd@localhost
+ version = 3
+ '';
+ }
];
networking.firewall.allowedTCPPorts = [ 25 465 587 ];
config.secrets.fullPaths."postfix/mysql_alias_maps"
config.secrets.fullPaths."postfix/mysql_mailbox_maps"
config.secrets.fullPaths."postfix/mysql_sender_login_maps"
+ config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"
];
};
services.postfix = {
+ extraAliases = let
+ toScript = name: script: pkgs.writeScript name ''
+ #! ${pkgs.stdenv.shell}
+ mail=$(${pkgs.coreutils}/bin/cat -)
+ output=$(echo "$mail" | ${script} 2>&1)
+ ret=$?
+
+ if [ "$ret" != "0" ]; then
+ echo "$mail" \
+ | ${pkgs.procmail}/bin/formail -i "X-Return-Code: $ret" \
+ | /run/wrappers/bin/sendmail -i scripts_error+${name}@mail.immae.eu
+
+ messageId=$(echo "$mail" | ${pkgs.procmail}/bin/formail -x "Message-Id:")
+ repeat=$(echo "$mail" | ${pkgs.procmail}/bin/formail -X "From:" -X "Received:")
+
+ ${pkgs.coreutils}/bin/cat <<EOF | /run/wrappers/bin/sendmail -i scripts_error+${name}@mail.immae.eu
+ $repeat
+ To: scripts_error+${name}@mail.immae.eu
+ Subject: Log from script error
+ Content-Type: text/plain; charset="UTF-8"
+ Content-Transfer-Encoding: 8bit
+ References:$messageId
+ MIME-Version: 1.0
+ X-Return-Code: $ret
+
+ Error code: $ret
+ Output of message:
+ --------------
+ $output
+ --------------
+ EOF
+ fi
+ '';
+ scripts = lib.attrsets.mapAttrs (n: v:
+ toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = v.env; })
+ ) config.myEnv.mail.scripts;
+ in builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v: ''${n}: "|${v}"'') scripts);
mapFiles = let
recipient_maps = let
name = n: i: "relay_${n}_${toString i}";
pairs = n: v: lib.imap1 (i: m: pair n i m) v.recipient_maps;
in lib.attrsets.filterAttrs (k: v: v != null) (
lib.attrsets.listToAttrs (lib.flatten (
- lib.attrsets.mapAttrsToList pairs myconfig.env.mail.postfix.backup_domains
+ lib.attrsets.mapAttrsToList pairs config.myEnv.mail.postfix.backup_domains
))
);
relay_restrictions = lib.attrsets.filterAttrs (k: v: v != null) (
then pkgs.writeText "recipient_access_${n}" v.relay_restrictions
else null
)
- ) myconfig.env.mail.postfix.backup_domains
+ ) config.myEnv.mail.postfix.backup_domains
);
+ virtual_map = {
+ virtual = pkgs.writeText "postfix-virtual" (
+ builtins.concatStringsSep "\n" (
+ lib.attrsets.mapAttrsToList (
+ n: v: lib.optionalString v.external ''
+ script_${n}@mail.immae.eu ${n}@localhost, scripts@mail.immae.eu
+ ''
+ ) config.myEnv.mail.scripts
+ )
+ );
+ };
+ sasl_access = {
+ host_sender_login = pkgs.writeText "host-sender-login"
+ (builtins.concatStringsSep "\n" (lib.flatten (lib.attrsets.mapAttrsToList
+ (n: v: (map (e: "${e} ${n}@immae.eu") v.emails)) config.myEnv.servers)));
+ host_dummy_mailboxes = pkgs.writeText "host-virtual-mailbox"
+ (builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v: "${n}@immae.eu dummy") nodes));
+ };
in
- recipient_maps // relay_restrictions;
+ recipient_maps // relay_restrictions // virtual_map // sasl_access;
config = {
### postfix module overrides
readme_directory = "${pkgs.postfix}/share/postfix/doc";
smtp_tls_key_file = lib.mkForce "";
message_size_limit = "1073741824"; # Don't put 0 here, it's not equivalent to "unlimited"
+ mailbox_size_limit = "1073741825"; # Workaround, local delivered mails should all go through scripts
alias_database = "\$alias_maps";
### Virtual mailboxes config
- virtual_alias_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"}";
- virtual_mailbox_domains = myconfig.env.mail.postfix.additional_mailbox_domains
+ virtual_alias_maps = "hash:/etc/postfix/virtual mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"} ldap:${config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"}";
+ virtual_mailbox_domains = config.myEnv.mail.postfix.additional_mailbox_domains
++ lib.remove "localhost.immae.eu" (lib.remove null (lib.flatten (map
(zone: map
(e: if e.receive
)
(zone.withEmail or [])
)
- myconfig.env.dns.masterZones
+ config.myEnv.dns.masterZones
)));
- virtual_mailbox_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}";
+ virtual_mailbox_maps = "hash:/etc/postfix/host_dummy_mailboxes mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}";
dovecot_destination_recipient_limit = "1";
virtual_transport = "dovecot";
### Relay domains
- relay_domains = lib.flatten (lib.attrsets.mapAttrsToList (n: v: v.domains or []) myconfig.env.mail.postfix.backup_domains);
+ relay_domains = lib.flatten (lib.attrsets.mapAttrsToList (n: v: v.domains or []) config.myEnv.mail.postfix.backup_domains);
relay_recipient_maps = lib.flatten (lib.attrsets.mapAttrsToList (n: v:
lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps
- ) myconfig.env.mail.postfix.backup_domains);
+ ) config.myEnv.mail.postfix.backup_domains);
smtpd_relay_restrictions = [
"permit_mynetworks"
"permit_sasl_authenticated"
if lib.attrsets.hasAttr "relay_restrictions" v
then [ "check_recipient_access hash:/etc/postfix/recipient_access_${n}" ]
else []
- ) myconfig.env.mail.postfix.backup_domains);
+ ) config.myEnv.mail.postfix.backup_domains);
### Additional smtpd configuration
smtpd_tls_received_header = "yes";
smtp_tls_loglevel = "1";
### Force ip bind for smtp
- smtp_bind_address = myconfig.env.servers.eldiron.ips.main.ip4;
- smtp_bind_address6 = builtins.head myconfig.env.servers.eldiron.ips.main.ip6;
+ smtp_bind_address = config.myEnv.servers.eldiron.ips.main.ip4;
+ smtp_bind_address6 = builtins.head config.myEnv.servers.eldiron.ips.main.ip6;
- # #Unneeded if postfix can only send e-mail from "self" domains
- # #smtp_sasl_auth_enable = "yes";
- # #smtp_sasl_password_maps = "hash:/etc/postfix/relay_creds";
- # #smtp_sasl_security_options = "noanonymous";
- # #smtp_sender_dependent_authentication = "yes";
- # #sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay";
+ # Use some relays when authorized senders are not myself
+ smtp_sasl_mechanism_filter = "plain,login"; # GSSAPI Not correctly supported by postfix
+ smtp_sasl_auth_enable = "yes";
+ smtp_sasl_password_maps =
+ "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_creds"}";
+ smtp_sasl_security_options = "noanonymous";
+ smtp_sender_dependent_authentication = "yes";
+ sender_dependent_relayhost_maps =
+ "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_hosts"}";
### opendkim, opendmarc, openarc milters
non_smtpd_milters = [
enableSmtp = true;
enableSubmission = true;
submissionOptions = {
+ # Don’t use "long form", only commas (cf
+ # http://www.postfix.org/master.5.html long form is not handled
+ # well by the submission function)
smtpd_tls_security_level = "encrypt";
smtpd_sasl_auth_enable = "yes";
smtpd_tls_auth_only = "yes";
# Refuse to send e-mails with a From that is not handled
smtpd_sender_restrictions =
"reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
- smtpd_sender_login_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}";
+ smtpd_sender_login_maps = builtins.concatStringsSep "," [
+ "hash:/etc/postfix/host_sender_login"
+ "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_maps"}"
+ "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}"
+ ];
smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
milter_macro_daemon_name = "ORIGINATING";
smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}";
# its checks "per user" (milter is not yet dispatched to
# users), so we wrap dovecot-lda inside rspamc per recipient
# here.
- dovecot_exe = "${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f \${sender} -a \${original_recipient} -d \${user}@\${nexthop}";
+ rspamc_dovecot = pkgs.writeScriptBin "rspamc_dovecot" ''
+ #! ${pkgs.stdenv.shell}
+ sender="$1"
+ original_recipient="$2"
+ user="$3"
+
+ ${pkgs.coreutils}/bin/cat - | \
+ (${pkgs.rspamd}/bin/rspamc -h ${config.myServices.mail.rspamd.sockets.worker-controller} -c bayes -d "$user" --mime || true) | \
+ ${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f "$sender" -a "$original_recipient" -d "$user"
+ '';
in [
"flags=DRhu" "user=vhost:vhost"
- "argv=${pkgs.rspamd}/bin/rspamc -h ${config.myServices.mail.rspamd.sockets.worker-controller} -c bayes -d \${user}@\${nexthop} --mime --exec {${dovecot_exe}}"
+ "argv=${rspamc_dovecot}/bin/rspamc_dovecot \${sender} \${original_recipient} \${user}@\${nexthop}"
];
};
};
projects / perso / Immae / Config / Nix.git / blobdiff