From deca5e9bf0cfd02c52c39e051753aeb9640a66f3 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Isma=C3=ABl=20Bouya?= Date: Sun, 5 Jan 2020 17:29:17 +0100 Subject: [PATCH] Change mail relay to opensmtpd --- modules/private/mail/default.nix | 2 ++ modules/private/mail/opensmtpd.nix | 51 +++++++++++++++++++++++++++++ modules/private/mail/postfix.nix | 15 ++++++--- modules/private/system/backup-2.nix | 11 ++----- 4 files changed, 66 insertions(+), 13 deletions(-) create mode 100644 modules/private/mail/opensmtpd.nix diff --git a/modules/private/mail/default.nix b/modules/private/mail/default.nix index 839939c..a617934 100644 --- a/modules/private/mail/default.nix +++ b/modules/private/mail/default.nix @@ -5,8 +5,10 @@ ./postfix.nix ./dovecot.nix ./rspamd.nix + ./opensmtpd.nix ]; options.myServices.mail.enable = lib.mkEnableOption "enable Mail services"; + options.myServices.mailRelay.enable = lib.mkEnableOption "enable Mail relay services"; config = lib.mkIf config.myServices.mail.enable { security.acme.certs."mail" = config.myServices.certificates.certConfig // { diff --git a/modules/private/mail/opensmtpd.nix b/modules/private/mail/opensmtpd.nix new file mode 100644 index 0000000..7831ac0 --- /dev/null +++ b/modules/private/mail/opensmtpd.nix 
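Review bot: Nothing stops `myServices.mail.enable` and the new `myServices.mailRelay.enable` from being set on the same host, where postfix.nix and the new opensmtpd.nix would both claim port 25 and the sendmail wrapper. Unless the two are meant to coexist, an assertion next to the new option makes the conflict fail at evaluation time instead of at activation, e.g. `assertions = [ { assertion = !(config.myServices.mail.enable && config.myServices.mailRelay.enable); message = "myServices.mail and myServices.mailRelay are mutually exclusive"; } ];`. The `config = lib.mkIf ...` block this would go into continues outside the hunk.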
@@ -0,0 +1,51 @@ +{ lib, pkgs, config, name, ... }: +{ + config = lib.mkIf config.myServices.mailRelay.enable { + secrets.keys = [ + { + dest = "opensmtpd/creds"; + user = "smtpd"; + group = "smtpd"; + permissions = "0400"; + text = '' + eldiron ${name}:${config.myEnv.servers."${name}".ldap.password} + ''; + } + ]; + users.users.smtpd.extraGroups = [ "keys" ]; + services.opensmtpd = { + enable = true; + serverConfiguration = '' + table creds \ + "${config.secrets.fullPaths."opensmtpd/creds"}" + # FIXME: filtering requires 6.6 + # filter "fixfrom" \ + # proc-exec "${pkgs.procmail}/bin/formail -i 'From: ${name}@immae.eu'" + action "relay-rewrite-from" relay \ + helo ${config.hostEnv.FQDN} \ + host smtp+tls://eldiron@eldiron.immae.eu:587 \ + auth \ + mail-from ${name}@immae.eu + action "relay" relay \ + helo ${config.hostEnv.FQDN} \ + host smtp+tls://eldiron@eldiron.immae.eu:587 \ + auth + match for any !mail-from "@immae.eu" action "relay-rewrite-from" + match for any mail-from "@immae.eu" action "relay" + ''; + }; + environment.systemPackages = [ config.services.opensmtpd.package ]; + services.mail.sendmailSetuidWrapper = { + program = "sendmail"; + source = "${config.services.opensmtpd.package}/bin/smtpctl"; + setuid = false; + setgid = false; + }; + security.wrappers.mailq = { + program = "mailq"; + source = "${config.services.opensmtpd.package}/bin/smtpctl"; + setuid = false; + setgid = false; + }; + }; +} diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix index 9c4b87c..a31841f 100644 --- a/modules/private/mail/postfix.nix +++ b/modules/private/mail/postfix.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, config, ... }: +{ lib, pkgs, config, nodes, ... }: { config = lib.mkIf config.myServices.mail.enable { services.duplyBackup.profiles.mail.excludeFile = '' 
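Review bot: The `creds` table reuses the host's LDAP password (`config.myEnv.servers."${name}".ldap.password`) as the SMTP AUTH secret for the eldiron relay, so a compromise of the relay credential on either end also exposes the LDAP account; a dedicated relay password keeps those two trust domains separate. That secret is sent over the `smtp+tls://` session of both `relay` actions, and it is worth confirming that this URL scheme makes the deployed OpenSMTPD version verify eldiron.immae.eu's certificate rather than only requiring STARTTLS. The `sendmailSetuidWrapper` exposes `smtpctl` with `setuid = false; setgid = false;`, which presumably only suffices for root (cron) submissions, since unprivileged senders normally need the setgid smtpq wrapper the NixOS opensmtpd module installs; confirm who submits mail on these hosts. Minor: the `${pkgs.procmail}` interpolation inside the commented-out `filter` lines is still evaluated by Nix and pulls procmail into the system closure; escaping it as `''${pkgs.procmail}` or dropping the line avoids that.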
@@ -186,8 +186,15 @@ ) ); }; + sasl_access = { + host_sender_login = pkgs.writeText "host-sender-login" + (builtins.concatStringsSep "\n" (lib.flatten (lib.attrsets.mapAttrsToList + (n: v: (map (e: "${e} ${n}@immae.eu") v.emails)) config.myEnv.servers))); + host_dummy_mailboxes = pkgs.writeText "host-virtual-mailbox" + (builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v: "${n}@immae.eu dummy") nodes)); + }; in - recipient_maps // relay_restrictions // virtual_map; + recipient_maps // relay_restrictions // virtual_map // sasl_access; config = { ### postfix module overrides readme_directory = "${pkgs.postfix}/share/postfix/doc"; @@ -212,7 +219,7 @@ ) config.myEnv.dns.masterZones ))); - virtual_mailbox_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}"; + virtual_mailbox_maps = "hash:/etc/postfix/host_dummy_mailboxes mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}"; dovecot_destination_recipient_limit = "1"; virtual_transport = "dovecot"; @@ -277,7 +284,7 @@ # Refuse to send e-mails with a From that is not handled smtpd_sender_restrictions = "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject"; - smtpd_sender_login_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}"; + smtpd_sender_login_maps = "hash:/etc/postfix/host_sender_login,mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}"; smtpd_recipient_restrictions = "permit_sasl_authenticated,reject"; milter_macro_daemon_name = "ORIGINATING"; smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}"; diff --git a/modules/private/system/backup-2.nix b/modules/private/system/backup-2.nix index f241ad1..ede5bc2 100644 --- a/modules/private/system/backup-2.nix +++ b/modules/private/system/backup-2.nix 
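Review bot: `host_sender_login` is built from `config.myEnv.servers` while `host_dummy_mailboxes` is built from `nodes`, so a host present in one set but not the other gets sender-login entries whose `${n}@immae.eu` login has no dummy mailbox (or the reverse), and `reject_unlisted_sender` on the `smtpd_sender_restrictions` line further down will still reject it; deriving both maps from the same attribute set avoids that drift. Adding the hash map to `virtual_mailbox_maps` also makes every `${n}@immae.eu` an accepted inbound recipient that is handed to the `dovecot` transport with mailbox `dummy`, which presumably does not exist; if these addresses are only meant to be valid as senders, confirm what Dovecot does with such deliveries or route them to an alias or discard instead. The `let` that `sasl_access` joins has its other bindings outside the hunk.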
@@ -1,5 +1,5 @@ { privateFiles }: -{ config, pkgs, resources, ... }: +{ config, pkgs, resources, name, ... }: { boot.kernelPackages = pkgs.linuxPackages_latest; myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; }; @@ -33,14 +33,6 @@ (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or [])) config.myEnv.servers.backup-2.ips); defaultGateway6 = { address = "fe80::1"; interface = "ens3"; }; - - defaultMailServer = { - directDelivery = true; - hostName = "eldiron.immae.eu:25"; - useTLS = true; - useSTARTTLS = true; - root = "postmaster@immae.eu"; - }; }; services.cron = { @@ -56,6 +48,7 @@ ssh_key_private = config.myEnv.rsync_backup.ssh_key.private; }; + myServices.mailRelay.enable = true; myServices.monitoring.enable = true; myServices.databasesReplication = { postgresql = { -- 2.41.0
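Review bot: The removed `defaultMailServer` block mapped local `root` mail to `postmaster@immae.eu`, and the OpenSMTPD configuration that `myServices.mailRelay.enable = true;` turns on has no aliases table or recipient rewrite, so cron output addressed to `root` presumably now reaches eldiron as `root@<backup-2 FQDN>` and may be rejected or lost; confirm that address is deliverable or add an aliases table to the relay module. The `name` argument added in the first hunk is not read by anything in the visible hunks; if the rest of the file does not use it either, it can be dropped.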