};
};
};
- mkMysqlOptions = name: mkOption {
+ mkMysqlOptions = name: more: mkOption {
description = "${name} mysql configuration";
type = submodule {
options = mysqlOptions // {
database = mkOption { description = "${name} database"; type = str; };
user = mkOption { description = "${name} user"; type = str; };
password = mkOption { description = "mysql password of the ${name} user"; type = str; };
- };
+ } // more;
};
};
psqlOptions = {
'';
type = listOf str;
};
- mysql = mkMysqlOptions "Postfix";
+ mysql = mkMysqlOptions "Postfix" {
+ password_encrypt = mkOption { type = str; description = "Key to encrypt relay password in database"; };
+ };
backup_domains = mkOption {
description = ''
Domains that are accepted for relay as backup domain
description = "Yourls configuration";
type = submodule {
options = {
- mysql = mkMysqlOptions "Yourls";
+ mysql = mkMysqlOptions "Yourls" {};
ldap = mkLdapOptions "Yourls" {};
cookieKey = mkOption { type = str; description = "Cookie key"; };
};
type = submodule {
options = {
environment = mkOption { type = str; description = "Symfony environment"; };
- mysql = mkMysqlOptions "Chloe";
+ mysql = mkMysqlOptions "Chloe" {};
ldap = mkLdapOptions "Chloe" {};
};
};
type = submodule {
options = {
environment = mkOption { type = str; description = "Symfony environment"; };
- mysql = mkMysqlOptions "Connexionswing";
+ mysql = mkMysqlOptions "Connexionswing" {};
secret = mkOption { type = str; description = "Symfony App secret"; };
email = mkOption { type = str; description = "Symfony email notification"; };
};
description = "Naturaloutil configuration";
type = submodule {
options = {
- mysql = mkMysqlOptions "Naturaloutil";
+ mysql = mkMysqlOptions "Naturaloutil" {};
server_admin = mkOption { type = str; description = "Server admin e-mail"; };
};
};
type = submodule {
options = {
environment = mkOption { type = str; description = "Symfony environment"; };
- mysql = mkMysqlOptions "LudivineCassal";
+ mysql = mkMysqlOptions "LudivineCassal" {};
ldap = mkLdapOptions "LudivineCassal" {};
secret = mkOption { type = str; description = "Symfony App secret"; };
};
type = submodule {
options = {
environment = mkOption { type = str; description = "Symfony environment"; };
- mysql = mkMysqlOptions "Piedsjaloux";
+ mysql = mkMysqlOptions "Piedsjaloux" {};
secret = mkOption { type = str; description = "Symfony App secret"; };
};
};
description = "Europe Richie configurations by environment";
type = submodule {
options = {
- mysql = mkMysqlOptions "Richie";
+ mysql = mkMysqlOptions "Richie" {};
smtp_mailer = mkOption {
description = "SMTP mailer configuration";
type = submodule {
type = submodule {
options = {
environment = mkOption { type = str; description = "Symfony environment"; };
- mysql = mkMysqlOptions "Tellesflorian";
+ mysql = mkMysqlOptions "Tellesflorian" {};
secret = mkOption { type = str; description = "Symfony App secret"; };
invite_passwords = mkOption { type = str; description = "Password basic auth"; };
};
UNION SELECT '%s' AS destination
'';
}
+ {
+ dest = "postfix/mysql_sender_relays_maps";
+ user = config.services.postfix.user;
+ group = config.services.postfix.group;
+ permissions = "0440";
+ text = ''
+ # We need to specify that option to trigger ssl connection
+ tls_ciphers = TLSv1.2
+ user = ${config.myEnv.mail.postfix.mysql.user}
+ password = ${config.myEnv.mail.postfix.mysql.password}
+ hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+ dbname = ${config.myEnv.mail.postfix.mysql.database}
+ # INSERT INTO sender_relays
+ # (`from`, owner, relay, login, password, regex, active)
+ # VALUES
+ # ( 'sender@otherhost.org'
+ # , 'me@mail.immae.eu'
+ # , '[otherhost.org]:587'
+ # , 'otherhostlogin'
+ # , AES_ENCRYPT('otherhostpassword', '${config.myEnv.mail.postfix.mysql.password_encrypt}')
+ # , '0'
+ # , '1');
+
+ query = SELECT DISTINCT `owner`
+ FROM sender_relays
+ WHERE
+ ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
+ AND active = 1
+ '';
+ }
+ {
+ dest = "postfix/mysql_sender_relays_hosts";
+ user = config.services.postfix.user;
+ group = config.services.postfix.group;
+ permissions = "0440";
+ text = ''
+ # We need to specify that option to trigger ssl connection
+ tls_ciphers = TLSv1.2
+ user = ${config.myEnv.mail.postfix.mysql.user}
+ password = ${config.myEnv.mail.postfix.mysql.password}
+ hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+ dbname = ${config.myEnv.mail.postfix.mysql.database}
+
+ query = SELECT DISTINCT relay
+ FROM sender_relays
+ WHERE
+ ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
+ AND active = 1
+ '';
+ }
+ {
+ dest = "postfix/mysql_sender_relays_creds";
+ user = config.services.postfix.user;
+ group = config.services.postfix.group;
+ permissions = "0440";
+ text = ''
+ # We need to specify that option to trigger ssl connection
+ tls_ciphers = TLSv1.2
+ user = ${config.myEnv.mail.postfix.mysql.user}
+ password = ${config.myEnv.mail.postfix.mysql.password}
+ hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+ dbname = ${config.myEnv.mail.postfix.mysql.database}
+
+ query = SELECT DISTINCT CONCAT(`login`, ':', AES_DECRYPT(`password`, '${config.myEnv.mail.postfix.mysql.password_encrypt}'))
+ FROM sender_relays
+ WHERE
+ ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
+ AND active = 1
+ '';
+ }
{
dest = "postfix/ldap_ejabberd_users_immae_fr";
user = config.services.postfix.user;
smtp_bind_address = config.myEnv.servers.eldiron.ips.main.ip4;
smtp_bind_address6 = builtins.head config.myEnv.servers.eldiron.ips.main.ip6;
- # #Unneeded if postfix can only send e-mail from "self" domains
- # #smtp_sasl_auth_enable = "yes";
- # #smtp_sasl_password_maps = "hash:/etc/postfix/relay_creds";
- # #smtp_sasl_security_options = "noanonymous";
- # #smtp_sender_dependent_authentication = "yes";
- # #sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay";
+ # Use some relays when authorized senders are not myself
+ smtp_sasl_mechanism_filter = "plain,login"; # GSSAPI Not correctly supported by postfix
+ smtp_sasl_auth_enable = "yes";
+ smtp_sasl_password_maps =
+ "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_creds"}";
+ smtp_sasl_security_options = "noanonymous";
+ smtp_sender_dependent_authentication = "yes";
+ sender_dependent_relayhost_maps =
+ "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_hosts"}";
### opendkim, opendmarc, openarc milters
non_smtpd_milters = [
enableSmtp = true;
enableSubmission = true;
submissionOptions = {
+ # Don’t use "long form", only commas (cf
+ # http://www.postfix.org/master.5.html long form is not handled
+ # well by the submission function)
smtpd_tls_security_level = "encrypt";
smtpd_sasl_auth_enable = "yes";
smtpd_tls_auth_only = "yes";
# Refuse to send e-mails with a From that is not handled
smtpd_sender_restrictions =
"reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
- smtpd_sender_login_maps = "hash:/etc/postfix/host_sender_login,mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}";
+ smtpd_sender_login_maps = builtins.concatStringsSep "," [
+ "hash:/etc/postfix/host_sender_login"
+ "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_maps"}"
+ "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}"
+ ];
smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
milter_macro_daemon_name = "ORIGINATING";
smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}";
projects / perso / Immae / Config / Nix.git / commitdiff
