Add relay hosts for specific senders

[perso/Immae/Config/Nix.git] / modules / private / mail / postfix.nix

diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix
index a31841ff872ab81af0416660d298b9111ff80643..6623735c2e35c46d13a07a820499fd2256fb6a13 100644 (file)
--- a/modules/private/mail/postfix.nix
+++ b/modules/private/mail/postfix.nix
@@ -80,6 +80,76 @@
             UNION SELECT '%s' AS destination
           '';
       }
+      {
+        dest = "postfix/mysql_sender_relays_maps";
+        user = config.services.postfix.user;
+        group = config.services.postfix.group;
+        permissions = "0440";
+        text = ''
+          # We need to specify that option to trigger ssl connection
+          tls_ciphers = TLSv1.2
+          user = ${config.myEnv.mail.postfix.mysql.user}
+          password = ${config.myEnv.mail.postfix.mysql.password}
+          hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+          dbname = ${config.myEnv.mail.postfix.mysql.database}
+          # INSERT INTO sender_relays
+          #   (`from`, owner, relay, login, password, regex, active)
+          # VALUES
+          #   ( 'sender@otherhost.org'
+          #   , 'me@mail.immae.eu'
+          #   , '[otherhost.org]:587'
+          #   , 'otherhostlogin'
+          #   , AES_ENCRYPT('otherhostpassword', '${config.myEnv.mail.postfix.mysql.password_encrypt}')
+          #   , '0'
+          #   , '1');
+
+          query = SELECT DISTINCT `owner`
+            FROM sender_relays
+            WHERE
+              ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
+              AND active = 1
+          '';
+      }
+      {
+        dest = "postfix/mysql_sender_relays_hosts";
+        user = config.services.postfix.user;
+        group = config.services.postfix.group;
+        permissions = "0440";
+        text = ''
+          # We need to specify that option to trigger ssl connection
+          tls_ciphers = TLSv1.2
+          user = ${config.myEnv.mail.postfix.mysql.user}
+          password = ${config.myEnv.mail.postfix.mysql.password}
+          hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+          dbname = ${config.myEnv.mail.postfix.mysql.database}
+
+          query = SELECT DISTINCT relay
+            FROM sender_relays
+            WHERE
+              ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
+              AND active = 1
+          '';
+      }
+      {
+        dest = "postfix/mysql_sender_relays_creds";
+        user = config.services.postfix.user;
+        group = config.services.postfix.group;
+        permissions = "0440";
+        text = ''
+          # We need to specify that option to trigger ssl connection
+          tls_ciphers = TLSv1.2
+          user = ${config.myEnv.mail.postfix.mysql.user}
+          password = ${config.myEnv.mail.postfix.mysql.password}
+          hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+          dbname = ${config.myEnv.mail.postfix.mysql.database}
+
+          query = SELECT DISTINCT CONCAT(`login`, ':', AES_DECRYPT(`password`, '${config.myEnv.mail.postfix.mysql.password_encrypt}'))
+            FROM sender_relays
+            WHERE
+              ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
+              AND active = 1
+          '';
+      }
       {
         dest = "postfix/ldap_ejabberd_users_immae_fr";
         user = config.services.postfix.user;
@@ -250,12 +320,15 @@
         smtp_bind_address  = config.myEnv.servers.eldiron.ips.main.ip4;
         smtp_bind_address6 = builtins.head config.myEnv.servers.eldiron.ips.main.ip6;
 
-        # #Unneeded if postfix can only send e-mail from "self" domains
-        # #smtp_sasl_auth_enable = "yes";
-        # #smtp_sasl_password_maps = "hash:/etc/postfix/relay_creds";
-        # #smtp_sasl_security_options = "noanonymous";
-        # #smtp_sender_dependent_authentication = "yes";
-        # #sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay";
+        # Use some relays when authorized senders are not myself
+        smtp_sasl_mechanism_filter = "plain,login"; # GSSAPI Not correctly supported by postfix
+        smtp_sasl_auth_enable = "yes";
+        smtp_sasl_password_maps =
+          "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_creds"}";
+        smtp_sasl_security_options = "noanonymous";
+        smtp_sender_dependent_authentication = "yes";
+        sender_dependent_relayhost_maps =
+          "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_hosts"}";
 
         ### opendkim, opendmarc, openarc milters
         non_smtpd_milters = [
@@ -273,6 +346,9 @@
       enableSmtp = true;
       enableSubmission = true;
       submissionOptions = {
+        # Don’t use "long form", only commas (cf
+        # http://www.postfix.org/master.5.html long form is not handled
+        # well by the submission function)
         smtpd_tls_security_level = "encrypt";
         smtpd_sasl_auth_enable = "yes";
         smtpd_tls_auth_only = "yes";
@@ -284,7 +360,11 @@
         # Refuse to send e-mails with a From that is not handled
         smtpd_sender_restrictions =
           "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
-        smtpd_sender_login_maps = "hash:/etc/postfix/host_sender_login,mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}";
+        smtpd_sender_login_maps = builtins.concatStringsSep "," [
+          "hash:/etc/postfix/host_sender_login"
+          "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_maps"}"
+          "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}"
+        ];
         smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
         milter_macro_daemon_name = "ORIGINATING";
         smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}";