aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-07-03 13:39:08 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-07-03 13:39:08 +0200
commit04b2ab97a0206dedb2135be26cbc097d164072b2 (patch)
tree6c92d05f2ce36476f0e55124cfafad2551328545
parentaa4f91ad67fa6287217bf67e8122a703327e5e0e (diff)
downloadNix-04b2ab97a0206dedb2135be26cbc097d164072b2.tar.gz
Nix-04b2ab97a0206dedb2135be26cbc097d164072b2.tar.zst
Nix-04b2ab97a0206dedb2135be26cbc097d164072b2.zip
Add relay restrictions per domain
-rw-r--r--modules/private/mail/postfix.nix38
1 files changed, 29 insertions, 9 deletions
diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix
index ee4ac35..2dccc41 100644
--- a/modules/private/mail/postfix.nix
+++ b/modules/private/mail/postfix.nix
@@ -93,19 +93,30 @@
93 }; 93 };
94 config.services.postfix = { 94 config.services.postfix = {
95 mapFiles = let 95 mapFiles = let
96 name = n: i: "relay_${n}_${toString i}"; 96 recipient_maps = let
97 pair = n: i: m: lib.attrsets.nameValuePair (name n i) ( 97 name = n: i: "relay_${n}_${toString i}";
98 if m.type == "hash" 98 pair = n: i: m: lib.attrsets.nameValuePair (name n i) (
99 then pkgs.writeText (name n i) m.content 99 if m.type == "hash"
100 else null 100 then pkgs.writeText (name n i) m.content
101 ); 101 else null
102 pairs = n: v: lib.imap1 (i: m: pair n i m) v.recipient_maps; 102 );
103 in 103 pairs = n: v: lib.imap1 (i: m: pair n i m) v.recipient_maps;
104 lib.attrsets.filterAttrs (k: v: v != null) ( 104 in lib.attrsets.filterAttrs (k: v: v != null) (
105 lib.attrsets.listToAttrs (lib.flatten ( 105 lib.attrsets.listToAttrs (lib.flatten (
106 lib.attrsets.mapAttrsToList pairs myconfig.env.mail.postfix.backup_domains 106 lib.attrsets.mapAttrsToList pairs myconfig.env.mail.postfix.backup_domains
107 )) 107 ))
108 ); 108 );
109 relay_restrictions = lib.attrsets.filterAttrs (k: v: v != null) (
110 lib.attrsets.mapAttrs' (n: v:
111 lib.attrsets.nameValuePair "recipient_access_${n}" (
112 if lib.attrsets.hasAttr "relay_restrictions" v
113 then pkgs.writeText "recipient_access_${n}" v.relay_restrictions
114 else null
115 )
116 ) myconfig.env.mail.postfix.backup_domains
117 );
118 in
119 recipient_maps // relay_restrictions;
109 config = { 120 config = {
110 ### postfix module overrides 121 ### postfix module overrides
111 readme_directory = "${pkgs.postfix}/share/postfix/doc"; 122 readme_directory = "${pkgs.postfix}/share/postfix/doc";
@@ -138,6 +149,15 @@
138 relay_recipient_maps = lib.flatten (lib.attrsets.mapAttrsToList (n: v: 149 relay_recipient_maps = lib.flatten (lib.attrsets.mapAttrsToList (n: v:
139 lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps 150 lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps
140 ) myconfig.env.mail.postfix.backup_domains); 151 ) myconfig.env.mail.postfix.backup_domains);
152 smtpd_relay_restrictions = [
153 "permit_mynetworks"
154 "permit_sasl_authenticated"
155 "defer_unauth_destination"
156 ] ++ lib.flatten (lib.attrsets.mapAttrsToList (n: v:
157 if lib.attrsets.hasAttr "relay_restrictions" v
158 then [ "check_recipient_access hash:/etc/postfix/recipient_access_${n}" ]
159 else []
160 ) myconfig.env.mail.postfix.backup_domains);
141 161
142 ### Additional smtpd configuration 162 ### Additional smtpd configuration
143 smtpd_tls_received_header = "yes"; 163 smtpd_tls_received_header = "yes";