Add backup MX
[perso/Immae/Config/Nix.git] / modules / private / mail / postfix.nix
index 6623735c2e35c46d13a07a820499fd2256fb6a13..bd284cbf1d3a4015b344ac7be7e5c6c35a2a2273 100644 (file)
@@ -1,4 +1,4 @@
-{ lib, pkgs, config, nodes, ... }:
+{ lib, pkgs, config, nodes, name, ... }:
 {
   config = lib.mkIf config.myServices.mail.enable {
     services.duplyBackup.profiles.mail.excludeFile = ''
           lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps
         ) config.myEnv.mail.postfix.backup_domains);
         smtpd_relay_restrictions = [
-          "permit_mynetworks"
-          "permit_sasl_authenticated"
           "defer_unauth_destination"
         ] ++ lib.flatten (lib.attrsets.mapAttrsToList (n: v:
           if lib.attrsets.hasAttr "relay_restrictions" v
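Review bot: The port-25 `smtpd_relay_restrictions` list now opens with `defer_unauth_destination` and nothing explains why `permit_mynetworks` and `permit_sasl_authenticated` are gone. Any local service that hands mail to this listener over SMTP for an outside domain will now be deferred rather than relayed; whether such clients exist is not visible here. A comment above the list would record the intent, e.g. `# No permit_mynetworks / permit_sasl_authenticated: this listener only accepts mail for local and relay domains`. The list expression runs past the end of the hunk, so the per-domain `relay_restrictions` entries appended to it could not be checked.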
         smtp_tls_loglevel = "1";
 
         ### Force ip bind for smtp
-        smtp_bind_address  = config.myEnv.servers.eldiron.ips.main.ip4;
-        smtp_bind_address6 = builtins.head config.myEnv.servers.eldiron.ips.main.ip6;
+        smtp_bind_address  = config.hostEnv.ips.main.ip4;
+        smtp_bind_address6 = builtins.head config.hostEnv.ips.main.ip6;
 
         # Use some relays when authorized senders are not myself
         smtp_sasl_mechanism_filter = "plain,login"; # GSSAPI Not correctly supported by postfix
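Review bot: `builtins.head config.hostEnv.ips.main.ip6` aborts evaluation on an empty list, and since the value now comes from whichever host is deployed rather than from eldiron, a host without an IPv6 address would fail to build. If such hosts are possible, guard the line, for example `smtp_bind_address6 = lib.mkIf (config.hostEnv.ips.main.ip6 != []) (builtins.head config.hostEnv.ips.main.ip6);` (assuming this attribute set is a module option value, which the hunk does not show). The `### Force ip bind for smtp` comment could also say that the bound address is presumably the one each host's SPF record and reverse DNS must cover.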
         ### opendkim, opendmarc, openarc milters
         non_smtpd_milters = [
           "unix:${config.myServices.mail.milters.sockets.opendkim}"
-          "unix:${config.myServices.mail.milters.sockets.opendmarc}"
-          "unix:${config.myServices.mail.milters.sockets.openarc}"
         ];
         smtpd_milters = [
           "unix:${config.myServices.mail.milters.sockets.opendkim}"
-          "unix:${config.myServices.mail.milters.sockets.opendmarc}"
           "unix:${config.myServices.mail.milters.sockets.openarc}"
+          "unix:${config.myServices.mail.milters.sockets.opendmarc}"
         ];
       };
       enable = true;
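Review bot: The order of `smtpd_milters` is now significant but undocumented: opendmarc runs after openarc, presumably so that it can take the ARC result into account. A later re-sort of the list would silently change that, so a comment such as `# order matters: opendkim, then openarc, then opendmarc` above it would help. `non_smtpd_milters` now holds only opendkim, so locally submitted mail is no longer passed to openarc or opendmarc; if that is intended, say so next to that list.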
         smtpd_sasl_path = "private/auth";
         smtpd_reject_unlisted_recipient = "no";
         smtpd_client_restrictions = "permit_sasl_authenticated,reject";
+        smtpd_relay_restrictions = "permit_sasl_authenticated,reject";
         # Refuse to send e-mails with a From that is not handled
         smtpd_sender_restrictions =
           "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
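Review bot: The added `smtpd_relay_restrictions = "permit_sasl_authenticated,reject";` override has no comment saying why it is needed. Another hunk in this file removes `permit_sasl_authenticated` from the global relay restrictions, so this service presumably has to allow authenticated relaying itself, and deleting the line later would break submission. I would add `# global relay restrictions no longer permit SASL clients; allow them here and reject everything else` above it. The enclosing attribute set starts outside the hunk, so I am inferring from the neighbouring options that it configures the submission service.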
         '';
       destination = ["localhost"];
       # This needs to reverse DNS
-      hostname = "eldiron.immae.eu";
+      hostname = config.hostEnv.fqdn;
       setSendmail = true;
       sslCert = "/var/lib/acme/mail/fullchain.pem";
       sslKey = "/var/lib/acme/mail/key.pem";
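Review bot: `sslCert` and `sslKey` still point at the fixed `/var/lib/acme/mail` certificate while `hostname` now varies per host. That certificate therefore has to carry every host's FQDN, or clients that verify the server name will refuse STARTTLS on the backup MX; the certificate definition is not visible here. The existing comment could be extended to `# Must match this host's reverse DNS and be a name in the mail certificate`.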