X-Git-Url: https://git.immae.eu/?p=perso%2FImmae%2FConfig%2FNix.git;a=blobdiff_plain;f=modules%2Fprivate%2Fmail%2Fpostfix.nix;h=9fdc7bde8e05f0d3b99aff974cc5a164bac4d43a;hp=edfd19652e88f46606e8b807221d70617ff44048;hb=8415083eb6acc343dfa404dbbc12fa0171a48a20;hpb=8fa7ff2c63fb0722144bc90837512d9f8b8c929d diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix index edfd196..9fdc7bd 100644 --- a/modules/private/mail/postfix.nix +++ b/modules/private/mail/postfix.nix @@ -1,267 +1,269 @@ { lib, pkgs, config, myconfig, ... }: { - config.services.backup.profiles.mail.excludeFile = '' - + /var/lib/postfix - ''; - config.secrets.keys = [ - { - dest = "postfix/mysql_alias_maps"; - user = config.services.postfix.user; - group = config.services.postfix.group; - permissions = "0440"; - text = '' - # We need to specify that option to trigger ssl connection - tls_ciphers = TLSv1.2 - user = ${myconfig.env.mail.postfix.mysql.user} - password = ${myconfig.env.mail.postfix.mysql.password} - hosts = unix:${myconfig.env.mail.postfix.mysql.socket} - dbname = ${myconfig.env.mail.postfix.mysql.database} - query = SELECT DISTINCT destination - FROM forwardings_merge - WHERE - ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s')) - AND active = 1 - AND '%s' NOT IN - ( - SELECT source + config = lib.mkIf config.myServices.mail.enable { + services.backup.profiles.mail.excludeFile = '' + + /var/lib/postfix + ''; + secrets.keys = [ + { + dest = "postfix/mysql_alias_maps"; + user = config.services.postfix.user; + group = config.services.postfix.group; + permissions = "0440"; + text = '' + # We need to specify that option to trigger ssl connection + tls_ciphers = TLSv1.2 + user = ${myconfig.env.mail.postfix.mysql.user} + password = ${myconfig.env.mail.postfix.mysql.password} + hosts = unix:${myconfig.env.mail.postfix.mysql.socket} + dbname = ${myconfig.env.mail.postfix.mysql.database} + query = SELECT DISTINCT destination + FROM forwardings_merge + WHERE + ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s')) + AND active = 1 + AND '%s' NOT IN + ( + SELECT source + FROM forwardings_blacklisted + WHERE source = '%s' + ) UNION + SELECT 'devnull@immae.eu' FROM forwardings_blacklisted WHERE source = '%s' - ) UNION - SELECT 'devnull@immae.eu' - FROM forwardings_blacklisted - WHERE source = '%s' - ''; - } - { - dest = "postfix/mysql_mailbox_maps"; - user = config.services.postfix.user; - group = config.services.postfix.group; - permissions = "0440"; - text = '' - # We need to specify that option to trigger ssl connection - tls_ciphers = TLSv1.2 - user = ${myconfig.env.mail.postfix.mysql.user} - password = ${myconfig.env.mail.postfix.mysql.password} - hosts = unix:${myconfig.env.mail.postfix.mysql.socket} - dbname = ${myconfig.env.mail.postfix.mysql.database} - result_format = /%d/%u - query = SELECT DISTINCT '%s' - FROM mailboxes - WHERE active = 1 - AND ( - (domain = '%d' AND user = '%u' AND regex = 0) - OR ( - regex = 1 - AND '%d' REGEXP CONCAT('^',domain,'$') - AND '%u' REGEXP CONCAT('^',user,'$') + ''; + } + { + dest = "postfix/mysql_mailbox_maps"; + user = config.services.postfix.user; + group = config.services.postfix.group; + permissions = "0440"; + text = '' + # We need to specify that option to trigger ssl connection + tls_ciphers = TLSv1.2 + user = ${myconfig.env.mail.postfix.mysql.user} + password = ${myconfig.env.mail.postfix.mysql.password} + hosts = unix:${myconfig.env.mail.postfix.mysql.socket} + dbname = ${myconfig.env.mail.postfix.mysql.database} + result_format = /%d/%u + query = SELECT DISTINCT '%s' + FROM mailboxes + WHERE active = 1 + AND ( + (domain = '%d' AND user = '%u' AND regex = 0) + OR ( + regex = 1 + AND '%d' REGEXP CONCAT('^',domain,'$') + AND '%u' REGEXP CONCAT('^',user,'$') + ) ) - ) - LIMIT 1 - ''; - } - { - dest = "postfix/mysql_sender_login_maps"; - user = config.services.postfix.user; - group = config.services.postfix.group; - permissions = "0440"; - text = '' - # We need to specify that option to trigger ssl connection - tls_ciphers = TLSv1.2 - user = ${myconfig.env.mail.postfix.mysql.user} - password = ${myconfig.env.mail.postfix.mysql.password} - hosts = unix:${myconfig.env.mail.postfix.mysql.socket} - dbname = ${myconfig.env.mail.postfix.mysql.database} - query = SELECT DISTINCT destination - FROM forwardings_merge - WHERE - ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s')) - AND active = 1 - UNION SELECT '%s' AS destination + LIMIT 1 ''; - } - ]; + } + { + dest = "postfix/mysql_sender_login_maps"; + user = config.services.postfix.user; + group = config.services.postfix.group; + permissions = "0440"; + text = '' + # We need to specify that option to trigger ssl connection + tls_ciphers = TLSv1.2 + user = ${myconfig.env.mail.postfix.mysql.user} + password = ${myconfig.env.mail.postfix.mysql.password} + hosts = unix:${myconfig.env.mail.postfix.mysql.socket} + dbname = ${myconfig.env.mail.postfix.mysql.database} + query = SELECT DISTINCT destination + FROM forwardings_merge + WHERE + ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s')) + AND active = 1 + UNION SELECT '%s' AS destination + ''; + } + ]; - config.networking.firewall.allowedTCPPorts = [ 25 465 587 ]; + networking.firewall.allowedTCPPorts = [ 25 465 587 ]; - config.nixpkgs.overlays = [ (self: super: { - postfix = super.postfix.override { withMySQL = true; }; - }) ]; - config.users.users."${config.services.postfix.user}".extraGroups = [ "keys" ]; - config.services.filesWatcher.postfix = { - restart = true; - paths = [ - config.secrets.fullPaths."postfix/mysql_alias_maps" - config.secrets.fullPaths."postfix/mysql_mailbox_maps" - config.secrets.fullPaths."postfix/mysql_sender_login_maps" - ]; - }; - config.services.postfix = { - mapFiles = let - recipient_maps = let - name = n: i: "relay_${n}_${toString i}"; - pair = n: i: m: lib.attrsets.nameValuePair (name n i) ( - if m.type == "hash" - then pkgs.writeText (name n i) m.content - else null - ); - pairs = n: v: lib.imap1 (i: m: pair n i m) v.recipient_maps; - in lib.attrsets.filterAttrs (k: v: v != null) ( - lib.attrsets.listToAttrs (lib.flatten ( - lib.attrsets.mapAttrsToList pairs myconfig.env.mail.postfix.backup_domains - )) - ); - relay_restrictions = lib.attrsets.filterAttrs (k: v: v != null) ( - lib.attrsets.mapAttrs' (n: v: - lib.attrsets.nameValuePair "recipient_access_${n}" ( - if lib.attrsets.hasAttr "relay_restrictions" v - then pkgs.writeText "recipient_access_${n}" v.relay_restrictions + nixpkgs.overlays = [ (self: super: { + postfix = super.postfix.override { withMySQL = true; }; + }) ]; + users.users."${config.services.postfix.user}".extraGroups = [ "keys" ]; + services.filesWatcher.postfix = { + restart = true; + paths = [ + config.secrets.fullPaths."postfix/mysql_alias_maps" + config.secrets.fullPaths."postfix/mysql_mailbox_maps" + config.secrets.fullPaths."postfix/mysql_sender_login_maps" + ]; + }; + services.postfix = { + mapFiles = let + recipient_maps = let + name = n: i: "relay_${n}_${toString i}"; + pair = n: i: m: lib.attrsets.nameValuePair (name n i) ( + if m.type == "hash" + then pkgs.writeText (name n i) m.content else null - ) - ) myconfig.env.mail.postfix.backup_domains - ); - in - recipient_maps // relay_restrictions; - config = { - ### postfix module overrides - readme_directory = "${pkgs.postfix}/share/postfix/doc"; - smtp_tls_CAfile = lib.mkForce ""; - smtp_tls_cert_file = lib.mkForce ""; - smtp_tls_key_file = lib.mkForce ""; + ); + pairs = n: v: lib.imap1 (i: m: pair n i m) v.recipient_maps; + in lib.attrsets.filterAttrs (k: v: v != null) ( + lib.attrsets.listToAttrs (lib.flatten ( + lib.attrsets.mapAttrsToList pairs myconfig.env.mail.postfix.backup_domains + )) + ); + relay_restrictions = lib.attrsets.filterAttrs (k: v: v != null) ( + lib.attrsets.mapAttrs' (n: v: + lib.attrsets.nameValuePair "recipient_access_${n}" ( + if lib.attrsets.hasAttr "relay_restrictions" v + then pkgs.writeText "recipient_access_${n}" v.relay_restrictions + else null + ) + ) myconfig.env.mail.postfix.backup_domains + ); + in + recipient_maps // relay_restrictions; + config = { + ### postfix module overrides + readme_directory = "${pkgs.postfix}/share/postfix/doc"; + smtp_tls_CAfile = lib.mkForce ""; + smtp_tls_cert_file = lib.mkForce ""; + smtp_tls_key_file = lib.mkForce ""; - message_size_limit = "1073741824"; # Don't put 0 here, it's not equivalent to "unlimited" - alias_database = "\$alias_maps"; + message_size_limit = "1073741824"; # Don't put 0 here, it's not equivalent to "unlimited" + alias_database = "\$alias_maps"; - ### Virtual mailboxes config - virtual_alias_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"}"; - virtual_mailbox_domains = myconfig.env.mail.postfix.additional_mailbox_domains - ++ lib.remove "localhost.immae.eu" (lib.remove null (lib.flatten (map - (zone: map - (e: if e.receive - then "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}" - else null + ### Virtual mailboxes config + virtual_alias_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"}"; + virtual_mailbox_domains = myconfig.env.mail.postfix.additional_mailbox_domains + ++ lib.remove "localhost.immae.eu" (lib.remove null (lib.flatten (map + (zone: map + (e: if e.receive + then "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}" + else null + ) + (zone.withEmail or []) ) - (zone.withEmail or []) - ) - myconfig.env.dns.masterZones - ))); - virtual_mailbox_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}"; - dovecot_destination_recipient_limit = "1"; - virtual_transport = "dovecot"; + myconfig.env.dns.masterZones + ))); + virtual_mailbox_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}"; + dovecot_destination_recipient_limit = "1"; + virtual_transport = "dovecot"; - ### Relay domains - relay_domains = lib.flatten (lib.attrsets.mapAttrsToList (n: v: v.domains or []) myconfig.env.mail.postfix.backup_domains); - relay_recipient_maps = lib.flatten (lib.attrsets.mapAttrsToList (n: v: - lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps - ) myconfig.env.mail.postfix.backup_domains); - smtpd_relay_restrictions = [ - "permit_mynetworks" - "permit_sasl_authenticated" - "defer_unauth_destination" - ] ++ lib.flatten (lib.attrsets.mapAttrsToList (n: v: - if lib.attrsets.hasAttr "relay_restrictions" v - then [ "check_recipient_access hash:/etc/postfix/recipient_access_${n}" ] - else [] - ) myconfig.env.mail.postfix.backup_domains); + ### Relay domains + relay_domains = lib.flatten (lib.attrsets.mapAttrsToList (n: v: v.domains or []) myconfig.env.mail.postfix.backup_domains); + relay_recipient_maps = lib.flatten (lib.attrsets.mapAttrsToList (n: v: + lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps + ) myconfig.env.mail.postfix.backup_domains); + smtpd_relay_restrictions = [ + "permit_mynetworks" + "permit_sasl_authenticated" + "defer_unauth_destination" + ] ++ lib.flatten (lib.attrsets.mapAttrsToList (n: v: + if lib.attrsets.hasAttr "relay_restrictions" v + then [ "check_recipient_access hash:/etc/postfix/recipient_access_${n}" ] + else [] + ) myconfig.env.mail.postfix.backup_domains); - ### Additional smtpd configuration - smtpd_tls_received_header = "yes"; - smtpd_tls_loglevel = "1"; + ### Additional smtpd configuration + smtpd_tls_received_header = "yes"; + smtpd_tls_loglevel = "1"; - ### Email sending configuration - smtp_tls_security_level = "may"; - smtp_tls_loglevel = "1"; + ### Email sending configuration + smtp_tls_security_level = "may"; + smtp_tls_loglevel = "1"; - ### Force ip bind for smtp - smtp_bind_address = myconfig.env.servers.eldiron.ips.main.ip4; - smtp_bind_address6 = builtins.head myconfig.env.servers.eldiron.ips.main.ip6; + ### Force ip bind for smtp + smtp_bind_address = myconfig.env.servers.eldiron.ips.main.ip4; + smtp_bind_address6 = builtins.head myconfig.env.servers.eldiron.ips.main.ip6; - # #Unneeded if postfix can only send e-mail from "self" domains - # #smtp_sasl_auth_enable = "yes"; - # #smtp_sasl_password_maps = "hash:/etc/postfix/relay_creds"; - # #smtp_sasl_security_options = "noanonymous"; - # #smtp_sender_dependent_authentication = "yes"; - # #sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay"; + # #Unneeded if postfix can only send e-mail from "self" domains + # #smtp_sasl_auth_enable = "yes"; + # #smtp_sasl_password_maps = "hash:/etc/postfix/relay_creds"; + # #smtp_sasl_security_options = "noanonymous"; + # #smtp_sender_dependent_authentication = "yes"; + # #sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay"; - ### opendkim, opendmarc, openarc milters - non_smtpd_milters = [ - "unix:${config.myServices.mail.milters.sockets.opendkim}" - "unix:${config.myServices.mail.milters.sockets.opendmarc}" - "unix:${config.myServices.mail.milters.sockets.openarc}" - ]; - smtpd_milters = [ - "unix:${config.myServices.mail.milters.sockets.opendkim}" - "unix:${config.myServices.mail.milters.sockets.opendmarc}" - "unix:${config.myServices.mail.milters.sockets.openarc}" - ]; - }; - enable = true; - enableSmtp = true; - enableSubmission = true; - submissionOptions = { - smtpd_tls_security_level = "encrypt"; - smtpd_sasl_auth_enable = "yes"; - smtpd_tls_auth_only = "yes"; - smtpd_sasl_tls_security_options = "noanonymous"; - smtpd_sasl_type = "dovecot"; - smtpd_sasl_path = "private/auth"; - smtpd_reject_unlisted_recipient = "no"; - smtpd_client_restrictions = "permit_sasl_authenticated,reject"; - # Refuse to send e-mails with a From that is not handled - smtpd_sender_restrictions = - "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject"; - smtpd_sender_login_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}"; - smtpd_recipient_restrictions = "permit_sasl_authenticated,reject"; - milter_macro_daemon_name = "ORIGINATING"; - smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}"; - }; - # FIXME: Mail adressed to localhost.immae.eu will still have mx-1 as - # prioritized MX, which provokes "mail for localhost.immae.eu loops - # back to myself" errors. This transport entry forces to push - # e-mails to its right destination. - transport = '' - localhost.immae.eu smtp:[immae.eu]:25 - ''; - destination = ["localhost"]; - # This needs to reverse DNS - hostname = "eldiron.immae.eu"; - setSendmail = true; - sslCert = "/var/lib/acme/mail/fullchain.pem"; - sslKey = "/var/lib/acme/mail/key.pem"; - recipientDelimiter = "+"; - masterConfig = { - submissions = { - type = "inet"; - private = false; - command = "smtpd"; - args = ["-o" "smtpd_tls_wrappermode=yes" ] ++ (let - mkKeyVal = opt: val: [ "-o" (opt + "=" + val) ]; - in lib.concatLists (lib.mapAttrsToList mkKeyVal config.services.postfix.submissionOptions) - ); - }; - dovecot = { - type = "unix"; - privileged = true; - chroot = false; - command = "pipe"; - args = let - # rspamd could be used as a milter, but then it cannot apply - # its checks "per user" (milter is not yet dispatched to - # users), so we wrap dovecot-lda inside rspamc per recipient - # here. - dovecot_exe = "${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f \${sender} -a \${original_recipient} -d \${user}@\${nexthop}"; - in [ - "flags=DRhu" "user=vhost:vhost" - "argv=${pkgs.rspamd}/bin/rspamc -h ${config.myServices.mail.rspamd.sockets.worker-controller} -c bayes -d \${user}@\${nexthop} --mime --exec {${dovecot_exe}}" + ### opendkim, opendmarc, openarc milters + non_smtpd_milters = [ + "unix:${config.myServices.mail.milters.sockets.opendkim}" + "unix:${config.myServices.mail.milters.sockets.opendmarc}" + "unix:${config.myServices.mail.milters.sockets.openarc}" + ]; + smtpd_milters = [ + "unix:${config.myServices.mail.milters.sockets.opendkim}" + "unix:${config.myServices.mail.milters.sockets.opendmarc}" + "unix:${config.myServices.mail.milters.sockets.openarc}" ]; }; + enable = true; + enableSmtp = true; + enableSubmission = true; + submissionOptions = { + smtpd_tls_security_level = "encrypt"; + smtpd_sasl_auth_enable = "yes"; + smtpd_tls_auth_only = "yes"; + smtpd_sasl_tls_security_options = "noanonymous"; + smtpd_sasl_type = "dovecot"; + smtpd_sasl_path = "private/auth"; + smtpd_reject_unlisted_recipient = "no"; + smtpd_client_restrictions = "permit_sasl_authenticated,reject"; + # Refuse to send e-mails with a From that is not handled + smtpd_sender_restrictions = + "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject"; + smtpd_sender_login_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}"; + smtpd_recipient_restrictions = "permit_sasl_authenticated,reject"; + milter_macro_daemon_name = "ORIGINATING"; + smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}"; + }; + # FIXME: Mail adressed to localhost.immae.eu will still have mx-1 as + # prioritized MX, which provokes "mail for localhost.immae.eu loops + # back to myself" errors. This transport entry forces to push + # e-mails to its right destination. + transport = '' + localhost.immae.eu smtp:[immae.eu]:25 + ''; + destination = ["localhost"]; + # This needs to reverse DNS + hostname = "eldiron.immae.eu"; + setSendmail = true; + sslCert = "/var/lib/acme/mail/fullchain.pem"; + sslKey = "/var/lib/acme/mail/key.pem"; + recipientDelimiter = "+"; + masterConfig = { + submissions = { + type = "inet"; + private = false; + command = "smtpd"; + args = ["-o" "smtpd_tls_wrappermode=yes" ] ++ (let + mkKeyVal = opt: val: [ "-o" (opt + "=" + val) ]; + in lib.concatLists (lib.mapAttrsToList mkKeyVal config.services.postfix.submissionOptions) + ); + }; + dovecot = { + type = "unix"; + privileged = true; + chroot = false; + command = "pipe"; + args = let + # rspamd could be used as a milter, but then it cannot apply + # its checks "per user" (milter is not yet dispatched to + # users), so we wrap dovecot-lda inside rspamc per recipient + # here. + dovecot_exe = "${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f \${sender} -a \${original_recipient} -d \${user}@\${nexthop}"; + in [ + "flags=DRhu" "user=vhost:vhost" + "argv=${pkgs.rspamd}/bin/rspamc -h ${config.myServices.mail.rspamd.sockets.worker-controller} -c bayes -d \${user}@\${nexthop} --mime --exec {${dovecot_exe}}" + ]; + }; + }; }; - }; - config.security.acme.certs."mail" = { - postRun = '' - systemctl restart postfix.service - ''; - extraDomains = { - "smtp.immae.eu" = null; + security.acme.certs."mail" = { + postRun = '' + systemctl restart postfix.service + ''; + extraDomains = { + "smtp.immae.eu" = null; + }; }; }; }