diff options
| author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-01-06 15:35:37 +0100 |
|---|---|---|
| committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-01-06 15:35:37 +0100 |
| commit | 87a8bffd2dd9fc0cab3ede58d39c6fe963969ff0 (patch) | |
| tree | 8af5d366c687af8eed78b4176e0f492684ed2c4a /modules/private/mail | |
| parent | 213c323ad4d91f6fff3e9d21541342ab22ee11b6 (diff) | |
| download | Nix-87a8bffd2dd9fc0cab3ede58d39c6fe963969ff0.tar.gz Nix-87a8bffd2dd9fc0cab3ede58d39c6fe963969ff0.tar.zst Nix-87a8bffd2dd9fc0cab3ede58d39c6fe963969ff0.zip | |
Add relay hosts for specific senders
Diffstat (limited to 'modules/private/mail')
| -rw-r--r-- | modules/private/mail/postfix.nix | 94 |
1 files changed, 87 insertions, 7 deletions
diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix index a31841f..6623735 100644 --- a/modules/private/mail/postfix.nix +++ b/modules/private/mail/postfix.nix | |||
| @@ -81,6 +81,76 @@ | |||
| 81 | ''; | 81 | ''; |
| 82 | } | 82 | } |
| 83 | { | 83 | { |
| 84 | dest = "postfix/mysql_sender_relays_maps"; | ||
| 85 | user = config.services.postfix.user; | ||
| 86 | group = config.services.postfix.group; | ||
| 87 | permissions = "0440"; | ||
| 88 | text = '' | ||
| 89 | # We need to specify that option to trigger ssl connection | ||
| 90 | tls_ciphers = TLSv1.2 | ||
| 91 | user = ${config.myEnv.mail.postfix.mysql.user} | ||
| 92 | password = ${config.myEnv.mail.postfix.mysql.password} | ||
| 93 | hosts = unix:${config.myEnv.mail.postfix.mysql.socket} | ||
| 94 | dbname = ${config.myEnv.mail.postfix.mysql.database} | ||
| 95 | # INSERT INTO sender_relays | ||
| 96 | # (`from`, owner, relay, login, password, regex, active) | ||
| 97 | # VALUES | ||
| 98 | # ( 'sender@otherhost.org' | ||
| 99 | # , 'me@mail.immae.eu' | ||
| 100 | # , '[otherhost.org]:587' | ||
| 101 | # , 'otherhostlogin' | ||
| 102 | # , AES_ENCRYPT('otherhostpassword', '${config.myEnv.mail.postfix.mysql.password_encrypt}') | ||
| 103 | # , '0' | ||
| 104 | # , '1'); | ||
| 105 | |||
| 106 | query = SELECT DISTINCT `owner` | ||
| 107 | FROM sender_relays | ||
| 108 | WHERE | ||
| 109 | ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s')) | ||
| 110 | AND active = 1 | ||
| 111 | ''; | ||
| 112 | } | ||
| 113 | { | ||
| 114 | dest = "postfix/mysql_sender_relays_hosts"; | ||
| 115 | user = config.services.postfix.user; | ||
| 116 | group = config.services.postfix.group; | ||
| 117 | permissions = "0440"; | ||
| 118 | text = '' | ||
| 119 | # We need to specify that option to trigger ssl connection | ||
| 120 | tls_ciphers = TLSv1.2 | ||
| 121 | user = ${config.myEnv.mail.postfix.mysql.user} | ||
| 122 | password = ${config.myEnv.mail.postfix.mysql.password} | ||
| 123 | hosts = unix:${config.myEnv.mail.postfix.mysql.socket} | ||
| 124 | dbname = ${config.myEnv.mail.postfix.mysql.database} | ||
| 125 | |||
| 126 | query = SELECT DISTINCT relay | ||
| 127 | FROM sender_relays | ||
| 128 | WHERE | ||
| 129 | ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s')) | ||
| 130 | AND active = 1 | ||
| 131 | ''; | ||
| 132 | } | ||
| 133 | { | ||
| 134 | dest = "postfix/mysql_sender_relays_creds"; | ||
| 135 | user = config.services.postfix.user; | ||
| 136 | group = config.services.postfix.group; | ||
| 137 | permissions = "0440"; | ||
| 138 | text = '' | ||
| 139 | # We need to specify that option to trigger ssl connection | ||
| 140 | tls_ciphers = TLSv1.2 | ||
| 141 | user = ${config.myEnv.mail.postfix.mysql.user} | ||
| 142 | password = ${config.myEnv.mail.postfix.mysql.password} | ||
| 143 | hosts = unix:${config.myEnv.mail.postfix.mysql.socket} | ||
| 144 | dbname = ${config.myEnv.mail.postfix.mysql.database} | ||
| 145 | |||
| 146 | query = SELECT DISTINCT CONCAT(`login`, ':', AES_DECRYPT(`password`, '${config.myEnv.mail.postfix.mysql.password_encrypt}')) | ||
| 147 | FROM sender_relays | ||
| 148 | WHERE | ||
| 149 | ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s')) | ||
| 150 | AND active = 1 | ||
| 151 | ''; | ||
| 152 | } | ||
| 153 | { | ||
| 84 | dest = "postfix/ldap_ejabberd_users_immae_fr"; | 154 | dest = "postfix/ldap_ejabberd_users_immae_fr"; |
| 85 | user = config.services.postfix.user; | 155 | user = config.services.postfix.user; |
| 86 | group = config.services.postfix.group; | 156 | group = config.services.postfix.group; |
| @@ -250,12 +320,15 @@ | |||
| 250 | smtp_bind_address = config.myEnv.servers.eldiron.ips.main.ip4; | 320 | smtp_bind_address = config.myEnv.servers.eldiron.ips.main.ip4; |
| 251 | smtp_bind_address6 = builtins.head config.myEnv.servers.eldiron.ips.main.ip6; | 321 | smtp_bind_address6 = builtins.head config.myEnv.servers.eldiron.ips.main.ip6; |
| 252 | 322 | ||
| 253 | # #Unneeded if postfix can only send e-mail from "self" domains | 323 | # Use some relays when authorized senders are not myself |
| 254 | # #smtp_sasl_auth_enable = "yes"; | 324 | smtp_sasl_mechanism_filter = "plain,login"; # GSSAPI Not correctly supported by postfix |
| 255 | # #smtp_sasl_password_maps = "hash:/etc/postfix/relay_creds"; | 325 | smtp_sasl_auth_enable = "yes"; |
| 256 | # #smtp_sasl_security_options = "noanonymous"; | 326 | smtp_sasl_password_maps = |
| 257 | # #smtp_sender_dependent_authentication = "yes"; | 327 | "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_creds"}"; |
| 258 | # #sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay"; | 328 | smtp_sasl_security_options = "noanonymous"; |
| 329 | smtp_sender_dependent_authentication = "yes"; | ||
| 330 | sender_dependent_relayhost_maps = | ||
| 331 | "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_hosts"}"; | ||
| 259 | 332 | ||
| 260 | ### opendkim, opendmarc, openarc milters | 333 | ### opendkim, opendmarc, openarc milters |
| 261 | non_smtpd_milters = [ | 334 | non_smtpd_milters = [ |
| @@ -273,6 +346,9 @@ | |||
| 273 | enableSmtp = true; | 346 | enableSmtp = true; |
| 274 | enableSubmission = true; | 347 | enableSubmission = true; |
| 275 | submissionOptions = { | 348 | submissionOptions = { |
| 349 | # Don’t use "long form", only commas (cf | ||
| 350 | # http://www.postfix.org/master.5.html long form is not handled | ||
| 351 | # well by the submission function) | ||
| 276 | smtpd_tls_security_level = "encrypt"; | 352 | smtpd_tls_security_level = "encrypt"; |
| 277 | smtpd_sasl_auth_enable = "yes"; | 353 | smtpd_sasl_auth_enable = "yes"; |
| 278 | smtpd_tls_auth_only = "yes"; | 354 | smtpd_tls_auth_only = "yes"; |
| @@ -284,7 +360,11 @@ | |||
| 284 | # Refuse to send e-mails with a From that is not handled | 360 | # Refuse to send e-mails with a From that is not handled |
| 285 | smtpd_sender_restrictions = | 361 | smtpd_sender_restrictions = |
| 286 | "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject"; | 362 | "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject"; |
| 287 | smtpd_sender_login_maps = "hash:/etc/postfix/host_sender_login,mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}"; | 363 | smtpd_sender_login_maps = builtins.concatStringsSep "," [ |
| 364 | "hash:/etc/postfix/host_sender_login" | ||
| 365 | "mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_maps"}" | ||
| 366 | "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}" | ||
| 367 | ]; | ||
| 288 | smtpd_recipient_restrictions = "permit_sasl_authenticated,reject"; | 368 | smtpd_recipient_restrictions = "permit_sasl_authenticated,reject"; |
| 289 | milter_macro_daemon_name = "ORIGINATING"; | 369 | milter_macro_daemon_name = "ORIGINATING"; |
| 290 | smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}"; | 370 | smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}"; |