./postfix.nix
./dovecot.nix
./rspamd.nix
+ ./opensmtpd.nix
];
options.myServices.mail.enable = lib.mkEnableOption "enable Mail services";
+ options.myServices.mailRelay.enable = lib.mkEnableOption "enable Mail relay services";
config = lib.mkIf config.myServices.mail.enable {
security.acme.certs."mail" = config.myServices.certificates.certConfig // {
--- /dev/null
+{ lib, pkgs, config, name, ... }:
+{
+ config = lib.mkIf config.myServices.mailRelay.enable {
+ secrets.keys = [
+ {
+ dest = "opensmtpd/creds";
+ user = "smtpd";
+ group = "smtpd";
+ permissions = "0400";
+ text = ''
+ eldiron ${name}:${config.myEnv.servers."${name}".ldap.password}
+ '';
+ }
+ ];
+ users.users.smtpd.extraGroups = [ "keys" ];
+ services.opensmtpd = {
+ enable = true;
+ serverConfiguration = ''
+ table creds \
+ "${config.secrets.fullPaths."opensmtpd/creds"}"
+ # FIXME: filtering requires 6.6
+ # filter "fixfrom" \
+ # proc-exec "${pkgs.procmail}/bin/formail -i 'From: ${name}@immae.eu'"
+ action "relay-rewrite-from" relay \
+ helo ${config.hostEnv.FQDN} \
+ host smtp+tls://eldiron@eldiron.immae.eu:587 \
+ auth <creds> \
+ mail-from ${name}@immae.eu
+ action "relay" relay \
+ helo ${config.hostEnv.FQDN} \
+ host smtp+tls://eldiron@eldiron.immae.eu:587 \
+ auth <creds>
+ match for any !mail-from "@immae.eu" action "relay-rewrite-from"
+ match for any mail-from "@immae.eu" action "relay"
+ '';
+ };
+ environment.systemPackages = [ config.services.opensmtpd.package ];
+ services.mail.sendmailSetuidWrapper = {
+ program = "sendmail";
+ source = "${config.services.opensmtpd.package}/bin/smtpctl";
+ setuid = false;
+ setgid = false;
+ };
+ security.wrappers.mailq = {
+ program = "mailq";
+ source = "${config.services.opensmtpd.package}/bin/smtpctl";
+ setuid = false;
+ setgid = false;
+ };
+ };
+}
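Review bot: The `# filter` / `# proc-exec` lines inside serverConfiguration are comments to smtpd but not to Nix, so `${pkgs.procmail}` is still interpolated and procmail ends up as a runtime reference of a configuration that never uses it; until 6.6 is available either drop the two lines or escape the interpolation (`''${pkgs.procmail}`). The `text` of the `opensmtpd/creds` key takes the password straight from `config.myEnv.servers."${name}".ldap.password`, and whether that string passes through a world-readable store path before landing at `config.secrets.fullPaths."opensmtpd/creds"` depends on how the `secrets` module materializes `text`, which is not visible here — worth confirming, because the `0400`/`smtpd` permissions on the destination do not help if the source is in the store. The two `match` rules carry no `from` clause and the file has no `listen on`, so smtpd falls back to `from local` and only takes submissions through smtpctl/sendmail; that is the property that keeps this host from relaying for the network, and it deserves to be stated, e.g. `# no "listen on": local submissions only, match defaults to "from local"` above the match lines.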
-{ lib, pkgs, config, ... }:
+{ lib, pkgs, config, nodes, ... }:
{
config = lib.mkIf config.myServices.mail.enable {
services.duplyBackup.profiles.mail.excludeFile = ''
)
);
};
+ sasl_access = {
+ host_sender_login = pkgs.writeText "host-sender-login"
+ (builtins.concatStringsSep "\n" (lib.flatten (lib.attrsets.mapAttrsToList
+ (n: v: (map (e: "${e} ${n}@immae.eu") v.emails)) config.myEnv.servers)));
+ host_dummy_mailboxes = pkgs.writeText "host-virtual-mailbox"
+ (builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v: "${n}@immae.eu dummy") nodes));
+ };
in
- recipient_maps // relay_restrictions // virtual_map;
+ recipient_maps // relay_restrictions // virtual_map // sasl_access;
config = {
### postfix module overrides
readme_directory = "${pkgs.postfix}/share/postfix/doc";
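Review bot: `host_sender_login` emits one `<email> <n>@immae.eu` line per (server, email) pair, so if the same address is listed in the `emails` of two servers the hash table gets two identical keys and postmap keeps only the first — the second server is then rejected by `reject_sender_login_mismatch` for that address. Since `smtpd_sender_login_maps` accepts a comma-separated list of logins per sender, the lines should be grouped by address instead; the `let` this hunk extends starts outside the hunk. As a style nit, the `host_dummy_mailboxes` lambda ignores its second argument and reads better as `(n: _: "${n}@immae.eu dummy")`.
```nix
sasl_access = {
  # One key per sender address; an address shared by several servers
  # becomes a single comma-separated login list, otherwise postmap
  # keeps only the first duplicate key.
  host_sender_login = pkgs.writeText "host-sender-login"
    (builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList
      (e: logins: "${e} ${builtins.concatStringsSep "," logins}")
      (lib.zipAttrsWith (_: logins: logins)
        (lib.flatten (lib.attrsets.mapAttrsToList
          (n: v: map (e: { "${e}" = "${n}@immae.eu"; }) v.emails)
          config.myEnv.servers)))));
  # … unchanged: host_dummy_mailboxes …
};
```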
)
config.myEnv.dns.masterZones
)));
- virtual_mailbox_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}";
+ virtual_mailbox_maps = "hash:/etc/postfix/host_dummy_mailboxes mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}";
dovecot_destination_recipient_limit = "1";
virtual_transport = "dovecot";
# Refuse to send e-mails with a From that is not handled
smtpd_sender_restrictions =
"reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
- smtpd_sender_login_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}";
+ smtpd_sender_login_maps = "hash:/etc/postfix/host_sender_login,mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}";
smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
milter_macro_daemon_name = "ORIGINATING";
smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}";
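Review bot: The `hash:/etc/postfix/host_dummy_mailboxes` entry added to `virtual_mailbox_maps` does more than satisfy `reject_unlisted_sender` for the `<node>@immae.eu` envelope senders: it also makes Postfix accept inbound mail for every node name and hand it to the `dovecot` transport with a lookup value of `dummy`, and if dovecot has no such users that is accept-then-bounce rather than reject-at-RCPT. Please state the intent next to the setting, e.g. `# host_dummy_mailboxes lists <node>@immae.eu so reject_unlisted_sender accepts the hosts' envelope senders`, and consider routing those addresses somewhere real (a `virtual_alias_maps` entry to postmaster) instead of a dummy mailbox. Minor: this line separates the two maps with a space while `smtpd_sender_login_maps` below uses a comma; Postfix accepts both, but one style would be easier to scan.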
{ privateFiles }:
-{ config, pkgs, resources, ... }:
+{ config, pkgs, resources, name, ... }:
{
boot.kernelPackages = pkgs.linuxPackages_latest;
myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
(n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
config.myEnv.servers.backup-2.ips);
defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
-
- defaultMailServer = {
- directDelivery = true;
- hostName = "eldiron.immae.eu:25";
- useTLS = true;
- useSTARTTLS = true;
- root = "postmaster@immae.eu";
- };
};
services.cron = {
ssh_key_private = config.myEnv.rsync_backup.ssh_key.private;
};
+ myServices.mailRelay.enable = true;
myServices.monitoring.enable = true;
myServices.databasesReplication = {
postgresql = {
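Review bot: The removed `defaultMailServer` block carried `root = "postmaster@immae.eu"`, and nothing in the `myServices.mailRelay.enable = true` that replaces it covers that mapping; as far as the relay module on this page shows there is no alias handling, so mail that cron addresses to root would presumably be relayed with its recipient unchanged — confirm eldiron delivers that, or reintroduce the root alias in the relay module. The enclosing attribute set continues outside the hunk.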