X-Git-Url: https://git.immae.eu/?p=perso%2FImmae%2FConfig%2FNix.git;a=blobdiff_plain;f=modules%2Fprivate%2Fmail%2Fpostfix.nix;h=e0347ec11a975d01e67d3da796f63bc2718c476e;hp=a31841ff872ab81af0416660d298b9111ff80643;hb=45730653020eb8b23090a731fc9e687efab850a5;hpb=deca5e9bf0cfd02c52c39e051753aeb9640a66f3 diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix index a31841f..e0347ec 100644 --- a/modules/private/mail/postfix.nix +++ b/modules/private/mail/postfix.nix @@ -80,6 +80,76 @@ UNION SELECT '%s' AS destination ''; } + { + dest = "postfix/mysql_sender_relays_maps"; + user = config.services.postfix.user; + group = config.services.postfix.group; + permissions = "0440"; + text = '' + # We need to specify that option to trigger ssl connection + tls_ciphers = TLSv1.2 + user = ${config.myEnv.mail.postfix.mysql.user} + password = ${config.myEnv.mail.postfix.mysql.password} + hosts = unix:${config.myEnv.mail.postfix.mysql.socket} + dbname = ${config.myEnv.mail.postfix.mysql.database} + # INSERT INTO sender_relays + # (`from`, owner, relay, login, password, regex, active) + # VALUES + # ( 'sender@otherhost.org' + # , 'me@mail.immae.eu' + # , '[otherhost.org]:587' + # , 'otherhostlogin' + # , AES_ENCRYPT('otherhostpassword', '${config.myEnv.mail.postfix.mysql.password_encrypt}') + # , '0' + # , '1'); + + query = SELECT DISTINCT `owner` + FROM sender_relays + WHERE + ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s')) + AND active = 1 + ''; + } + { + dest = "postfix/mysql_sender_relays_hosts"; + user = config.services.postfix.user; + group = config.services.postfix.group; + permissions = "0440"; + text = '' + # We need to specify that option to trigger ssl connection + tls_ciphers = TLSv1.2 + user = ${config.myEnv.mail.postfix.mysql.user} + password = ${config.myEnv.mail.postfix.mysql.password} + hosts = unix:${config.myEnv.mail.postfix.mysql.socket} + dbname = ${config.myEnv.mail.postfix.mysql.database} + + query = SELECT DISTINCT relay + FROM sender_relays + WHERE + ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s')) + AND active = 1 + ''; + } + { + dest = "postfix/mysql_sender_relays_creds"; + user = config.services.postfix.user; + group = config.services.postfix.group; + permissions = "0440"; + text = '' + # We need to specify that option to trigger ssl connection + tls_ciphers = TLSv1.2 + user = ${config.myEnv.mail.postfix.mysql.user} + password = ${config.myEnv.mail.postfix.mysql.password} + hosts = unix:${config.myEnv.mail.postfix.mysql.socket} + dbname = ${config.myEnv.mail.postfix.mysql.database} + + query = SELECT DISTINCT CONCAT(`login`, ':', AES_DECRYPT(`password`, '${config.myEnv.mail.postfix.mysql.password_encrypt}')) + FROM sender_relays + WHERE + ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s')) + AND active = 1 + ''; + } { dest = "postfix/ldap_ejabberd_users_immae_fr"; user = config.services.postfix.user; @@ -150,7 +220,13 @@ ''; scripts = lib.attrsets.mapAttrs (n: v: toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = v.env; }) - ) config.myEnv.mail.scripts; + ) config.myEnv.mail.scripts // { + testmail = pkgs.writeScript "testmail" '' + #! ${pkgs.stdenv.shell} + ${pkgs.coreutils}/bin/touch \ + "/var/lib/naemon/checks/email/$(${pkgs.procmail}/bin/formail -x To: | ${pkgs.coreutils}/bin/tr -d ' <>')" + ''; + }; in builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v: ''${n}: "|${v}"'') scripts); mapFiles = let recipient_maps = let @@ -176,8 +252,12 @@ ) config.myEnv.mail.postfix.backup_domains ); virtual_map = { - virtual = pkgs.writeText "postfix-virtual" ( + virtual = let + cfg = config.myEnv.monitoring.email_check.eldiron; + address = "${cfg.mail_address}@${cfg.mail_domain}"; + in pkgs.writeText "postfix-virtual" ( builtins.concatStringsSep "\n" ( + ["${address} testmail@localhost"] ++ lib.attrsets.mapAttrsToList ( n: v: lib.optionalString v.external '' script_${n}@mail.immae.eu ${n}@localhost, scripts@mail.immae.eu @@ -187,11 +267,14 @@ ); }; sasl_access = { - host_sender_login = pkgs.writeText "host-sender-login" - (builtins.concatStringsSep "\n" (lib.flatten (lib.attrsets.mapAttrsToList - (n: v: (map (e: "${e} ${n}@immae.eu") v.emails)) config.myEnv.servers))); + host_sender_login = with lib.attrsets; let + addresses = zipAttrs (lib.flatten (mapAttrsToList + (n: v: (map (e: { "${e}" = "${n}@immae.eu"; }) v.emails)) config.myEnv.servers)); + joined = builtins.concatStringsSep ","; + in pkgs.writeText "host-sender-login" + (builtins.concatStringsSep "\n" (mapAttrsToList (n: v: "${n} ${joined v}") addresses)); host_dummy_mailboxes = pkgs.writeText "host-virtual-mailbox" - (builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v: "${n}@immae.eu dummy") nodes)); + (builtins.concatStringsSep "\n" (["immae-eu@immae.eu dummy"] ++ lib.attrsets.mapAttrsToList (n: v: "${n}@immae.eu dummy") nodes)); }; in recipient_maps // relay_restrictions // virtual_map // sasl_access; @@ -209,7 +292,7 @@ ### Virtual mailboxes config virtual_alias_maps = "hash:/etc/postfix/virtual mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"} ldap:${config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"}"; virtual_mailbox_domains = config.myEnv.mail.postfix.additional_mailbox_domains - ++ lib.remove "localhost.immae.eu" (lib.remove null (lib.flatten (map + ++ lib.remove null (lib.flatten (map (zone: map (e: if e.receive then "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}" @@ -218,7 +301,7 @@ (zone.withEmail or []) ) config.myEnv.dns.masterZones - ))); + )); virtual_mailbox_maps = "hash:/etc/postfix/host_dummy_mailboxes mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}"; dovecot_destination_recipient_limit = "1"; virtual_transport = "dovecot"; @@ -229,8 +312,6 @@ lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps ) config.myEnv.mail.postfix.backup_domains); smtpd_relay_restrictions = [ - "permit_mynetworks" - "permit_sasl_authenticated" "defer_unauth_destination" ] ++ lib.flatten (lib.attrsets.mapAttrsToList (n: v: if lib.attrsets.hasAttr "relay_restrictions" v @@ -247,32 +328,36 @@ smtp_tls_loglevel = "1"; ### Force ip bind for smtp - smtp_bind_address = config.myEnv.servers.eldiron.ips.main.ip4; - smtp_bind_address6 = builtins.head config.myEnv.servers.eldiron.ips.main.ip6; + smtp_bind_address = config.hostEnv.ips.main.ip4; + smtp_bind_address6 = builtins.head config.hostEnv.ips.main.ip6; - # #Unneeded if postfix can only send e-mail from "self" domains - # #smtp_sasl_auth_enable = "yes"; - # #smtp_sasl_password_maps = "hash:/etc/postfix/relay_creds"; - # #smtp_sasl_security_options = "noanonymous"; - # #smtp_sender_dependent_authentication = "yes"; - # #sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay"; + # Use some relays when authorized senders are not myself + smtp_sasl_mechanism_filter = "plain,login"; # GSSAPI Not correctly supported by postfix + smtp_sasl_auth_enable = "yes"; + smtp_sasl_password_maps = + "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_creds"}"; + smtp_sasl_security_options = "noanonymous"; + smtp_sender_dependent_authentication = "yes"; + sender_dependent_relayhost_maps = + "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_hosts"}"; ### opendkim, opendmarc, openarc milters non_smtpd_milters = [ "unix:${config.myServices.mail.milters.sockets.opendkim}" - "unix:${config.myServices.mail.milters.sockets.opendmarc}" - "unix:${config.myServices.mail.milters.sockets.openarc}" ]; smtpd_milters = [ "unix:${config.myServices.mail.milters.sockets.opendkim}" - "unix:${config.myServices.mail.milters.sockets.opendmarc}" "unix:${config.myServices.mail.milters.sockets.openarc}" + "unix:${config.myServices.mail.milters.sockets.opendmarc}" ]; }; enable = true; enableSmtp = true; enableSubmission = true; submissionOptions = { + # Don’t use "long form", only commas (cf + # http://www.postfix.org/master.5.html long form is not handled + # well by the submission function) smtpd_tls_security_level = "encrypt"; smtpd_sasl_auth_enable = "yes"; smtpd_tls_auth_only = "yes"; @@ -281,24 +366,27 @@ smtpd_sasl_path = "private/auth"; smtpd_reject_unlisted_recipient = "no"; smtpd_client_restrictions = "permit_sasl_authenticated,reject"; + smtpd_relay_restrictions = "permit_sasl_authenticated,reject"; # Refuse to send e-mails with a From that is not handled smtpd_sender_restrictions = "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject"; - smtpd_sender_login_maps = "hash:/etc/postfix/host_sender_login,mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}"; + smtpd_sender_login_maps = builtins.concatStringsSep "," [ + "hash:/etc/postfix/host_sender_login" + "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_maps"}" + "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}" + ]; smtpd_recipient_restrictions = "permit_sasl_authenticated,reject"; milter_macro_daemon_name = "ORIGINATING"; - smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}"; + smtpd_milters = builtins.concatStringsSep "," [ + # FIXME: put it back when opensmtpd is upgraded and able to + # rewrite the from header + #"unix:/run/milter_verify_from/verify_from.sock" + "unix:${config.myServices.mail.milters.sockets.opendkim}" + ]; }; - # FIXME: Mail adressed to localhost.immae.eu will still have mx-1 as - # prioritized MX, which provokes "mail for localhost.immae.eu loops - # back to myself" errors. This transport entry forces to push - # e-mails to its right destination. - transport = '' - localhost.immae.eu smtp:[immae.eu]:25 - ''; destination = ["localhost"]; # This needs to reverse DNS - hostname = "eldiron.immae.eu"; + hostname = config.hostEnv.fqdn; setSendmail = true; sslCert = "/var/lib/acme/mail/fullchain.pem"; sslKey = "/var/lib/acme/mail/key.pem"; @@ -340,7 +428,7 @@ }; }; }; - security.acme.certs."mail" = { + security.acme2.certs."mail" = { postRun = '' systemctl restart postfix.service ''; @@ -348,5 +436,25 @@ "smtp.immae.eu" = null; }; }; + system.activationScripts.testmail = { + deps = [ "users" ]; + text = let + allCfg = config.myEnv.monitoring.email_check; + cfg = allCfg.eldiron; + reverseTargets = builtins.attrNames (lib.attrsets.filterAttrs (k: v: builtins.elem "eldiron" v.targets) allCfg); + to_email = cfg': host': + let sep = if lib.strings.hasInfix "+" cfg'.mail_address then "_" else "+"; + in "${cfg'.mail_address}${sep}${host'}@${cfg'.mail_domain}"; + mails_to_receive = builtins.concatStringsSep " " (map (to_email cfg) reverseTargets); + in '' + install -m 0555 -o nobody -g nogroup -d /var/lib/naemon/checks/email + for f in ${mails_to_receive}; do + if [ ! -f /var/lib/naemon/checks/email/$f ]; then + install -m 0644 -o nobody -g nogroup /dev/null -T /var/lib/naemon/checks/email/$f + touch -m -d @0 /var/lib/naemon/checks/email/$f + fi + done + ''; + }; }; }