authorIsmaël Bouya <ismael.bouya@normalesup.org>2020-01-06 15:35:37 +0100
committerIsmaël Bouya <ismael.bouya@normalesup.org>2020-01-06 15:35:37 +0100
commit87a8bffd2dd9fc0cab3ede58d39c6fe963969ff0 (patch)
tree8af5d366c687af8eed78b4176e0f492684ed2c4a /modules/private
parent213c323ad4d91f6fff3e9d21541342ab22ee11b6 (diff)
Add relay hosts for specific senders
Diffstat (limited to 'modules/private')
-rw-r--r--modules/private/environment.nix24
-rw-r--r--modules/private/mail/postfix.nix94
2 files changed, 100 insertions, 18 deletions
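--- a/modules/private/environment.nix
+++ b/modules/private/environment.nix
@@ -40,14 +40,14 @@ let
 };
 };
 };
-mkMysqlOptions = name: mkOption {
+mkMysqlOptions = name: more: mkOption {
 description = "${name} mysql configuration";
 type = submodule {
 options = mysqlOptions // {
 database = mkOption { description = "${name} database"; type = str; };
 user = mkOption { description = "${name} user"; type = str; };
 password = mkOption { description = "mysql password of the ${name} user"; type = str; };
-};
+} // more;
 };
 };
 psqlOptions = {
@@ -533,7 +533,9 @@ in
 '';
 type = listOf str;
 };
-mysql = mkMysqlOptions "Postfix";
+mysql = mkMysqlOptions "Postfix" {
+password_encrypt = mkOption { type = str; description = "Key to encrypt relay password in database"; };
+};
 backup_domains = mkOption {
 description = ''
 Domains that are accepted for relay as backup domain
@@ -954,7 +956,7 @@ in
 description = "Yourls configuration";
 type = submodule {
 options = {
-mysql = mkMysqlOptions "Yourls";
+mysql = mkMysqlOptions "Yourls" {};
 ldap = mkLdapOptions "Yourls" {};
 cookieKey = mkOption { type = str; description = "Cookie key"; };
 };
@@ -998,7 +1000,7 @@ in
 type = submodule {
 options = {
 environment = mkOption { type = str; description = "Symfony environment"; };
-mysql = mkMysqlOptions "Chloe";
+mysql = mkMysqlOptions "Chloe" {};
 ldap = mkLdapOptions "Chloe" {};
 };
 };
@@ -1020,7 +1022,7 @@ in
 type = submodule {
 options = {
 environment = mkOption { type = str; description = "Symfony environment"; };
-mysql = mkMysqlOptions "Connexionswing";
+mysql = mkMysqlOptions "Connexionswing" {};
 secret = mkOption { type = str; description = "Symfony App secret"; };
 email = mkOption { type = str; description = "Symfony email notification"; };
 };
@@ -1038,7 +1040,7 @@ in
 description = "Naturaloutil configuration";
 type = submodule {
 options = {
-mysql = mkMysqlOptions "Naturaloutil";
+mysql = mkMysqlOptions "Naturaloutil" {};
 server_admin = mkOption { type = str; description = "Server admin e-mail"; };
 };
 };
@@ -1060,7 +1062,7 @@ in
 type = submodule {
 options = {
 environment = mkOption { type = str; description = "Symfony environment"; };
-mysql = mkMysqlOptions "LudivineCassal";
+mysql = mkMysqlOptions "LudivineCassal" {};
 ldap = mkLdapOptions "LudivineCassal" {};
 secret = mkOption { type = str; description = "Symfony App secret"; };
 };
@@ -1107,7 +1109,7 @@ in
 type = submodule {
 options = {
 environment = mkOption { type = str; description = "Symfony environment"; };
-mysql = mkMysqlOptions "Piedsjaloux";
+mysql = mkMysqlOptions "Piedsjaloux" {};
 secret = mkOption { type = str; description = "Symfony App secret"; };
 };
 };
@@ -1124,7 +1126,7 @@ in
 description = "Europe Richie configurations by environment";
 type = submodule {
 options = {
-mysql = mkMysqlOptions "Richie";
+mysql = mkMysqlOptions "Richie" {};
 smtp_mailer = mkOption {
 description = "SMTP mailer configuration";
 type = submodule {
@@ -1146,7 +1148,7 @@ in
 type = submodule {
 options = {
 environment = mkOption { type = str; description = "Symfony environment"; };
-mysql = mkMysqlOptions "Tellesflorian";
+mysql = mkMysqlOptions "Tellesflorian" {};
 secret = mkOption { type = str; description = "Symfony App secret"; };
 invite_passwords = mkOption { type = str; description = "Password basic auth"; };
 };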
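Review bot: The new `password_encrypt` option (new line 537 in the `@@ -533,7 +533,9 @@` hunk) is described only as "Key to encrypt relay password in database", which understates what it is: in postfix.nix of this same commit it is interpolated verbatim into the `mysql_sender_relays_maps` and `mysql_sender_relays_creds` map files next to the MySQL user and password, so any reader of those files (postfix user/group, mode 0440) obtains both the key and, via the creds query, the decrypted relay passwords. I would make that explicit in the description, e.g. `description = "Symmetric key passed to MySQL AES_ENCRYPT/AES_DECRYPT for the relay passwords stored in sender_relays; it is written into the generated postfix mysql map files alongside the database credentials, so it only protects those passwords against someone reading the database alone";`. It would also help to note that this option exists only on the Postfix mysql submodule, which is why every other `mkMysqlOptions` caller in the later hunks now passes `{}`. The `let`/`in` option sets these hunks belong to start and end outside the shown hunks.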
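--- a/modules/private/mail/postfix.nix
+++ b/modules/private/mail/postfix.nix
@@ -81,6 +81,76 @@
 '';
 }
 {
+dest = "postfix/mysql_sender_relays_maps";
+user = config.services.postfix.user;
+group = config.services.postfix.group;
+permissions = "0440";
+text = ''
+# We need to specify that option to trigger ssl connection
+tls_ciphers = TLSv1.2
+user = ${config.myEnv.mail.postfix.mysql.user}
+password = ${config.myEnv.mail.postfix.mysql.password}
+hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+dbname = ${config.myEnv.mail.postfix.mysql.database}
+# INSERT INTO sender_relays
+# (`from`, owner, relay, login, password, regex, active)
+# VALUES
+# ( 'sender@otherhost.org'
+# , 'me@mail.immae.eu'
+# , '[otherhost.org]:587'
+# , 'otherhostlogin'
+# , AES_ENCRYPT('otherhostpassword', '${config.myEnv.mail.postfix.mysql.password_encrypt}')
+# , '0'
+# , '1');
+
+query = SELECT DISTINCT `owner`
+FROM sender_relays
+WHERE
+((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
+AND active = 1
+'';
+}
+{
+dest = "postfix/mysql_sender_relays_hosts";
+user = config.services.postfix.user;
+group = config.services.postfix.group;
+permissions = "0440";
+text = ''
+# We need to specify that option to trigger ssl connection
+tls_ciphers = TLSv1.2
+user = ${config.myEnv.mail.postfix.mysql.user}
+password = ${config.myEnv.mail.postfix.mysql.password}
+hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+dbname = ${config.myEnv.mail.postfix.mysql.database}
+
+query = SELECT DISTINCT relay
+FROM sender_relays
+WHERE
+((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
+AND active = 1
+'';
+}
+{
+dest = "postfix/mysql_sender_relays_creds";
+user = config.services.postfix.user;
+group = config.services.postfix.group;
+permissions = "0440";
+text = ''
+# We need to specify that option to trigger ssl connection
+tls_ciphers = TLSv1.2
+user = ${config.myEnv.mail.postfix.mysql.user}
+password = ${config.myEnv.mail.postfix.mysql.password}
+hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+dbname = ${config.myEnv.mail.postfix.mysql.database}
+
+query = SELECT DISTINCT CONCAT(`login`, ':', AES_DECRYPT(`password`, '${config.myEnv.mail.postfix.mysql.password_encrypt}'))
+FROM sender_relays
+WHERE
+((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
+AND active = 1
+'';
+}
+{
 dest = "postfix/ldap_ejabberd_users_immae_fr";
 user = config.services.postfix.user;
 group = config.services.postfix.group;
@@ -250,12 +320,15 @@
 smtp_bind_address = config.myEnv.servers.eldiron.ips.main.ip4;
 smtp_bind_address6 = builtins.head config.myEnv.servers.eldiron.ips.main.ip6;
 
-# #Unneeded if postfix can only send e-mail from "self" domains
-# #smtp_sasl_auth_enable = "yes";
-# #smtp_sasl_password_maps = "hash:/etc/postfix/relay_creds";
-# #smtp_sasl_security_options = "noanonymous";
-# #smtp_sender_dependent_authentication = "yes";
-# #sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay";
+# Use some relays when authorized senders are not myself
+smtp_sasl_mechanism_filter = "plain,login"; # GSSAPI Not correctly supported by postfix
+smtp_sasl_auth_enable = "yes";
+smtp_sasl_password_maps =
+"mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_creds"}";
+smtp_sasl_security_options = "noanonymous";
+smtp_sender_dependent_authentication = "yes";
+sender_dependent_relayhost_maps =
+"mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_hosts"}";
 
 ### opendkim, opendmarc, openarc milters
 non_smtpd_milters = [
@@ -273,6 +346,9 @@
 enableSmtp = true;
 enableSubmission = true;
 submissionOptions = {
+# Don’t use "long form", only commas (cf
+# http://www.postfix.org/master.5.html long form is not handled
+# well by the submission function)
 smtpd_tls_security_level = "encrypt";
 smtpd_sasl_auth_enable = "yes";
 smtpd_tls_auth_only = "yes";
@@ -284,7 +360,11 @@
 # Refuse to send e-mails with a From that is not handled
 smtpd_sender_restrictions =
 "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
-smtpd_sender_login_maps = "hash:/etc/postfix/host_sender_login,mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}";
+smtpd_sender_login_maps = builtins.concatStringsSep "," [
+"hash:/etc/postfix/host_sender_login"
+"mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_maps"}"
+"mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}"
+];
 smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
 milter_macro_daemon_name = "ORIGINATING";
 smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}";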
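Review bot: The outbound SASL block in the `@@ -250,12 +320,15 @@` hunk enables the `plain,login` mechanisms towards the per-sender relay hosts with only `smtp_sasl_security_options = "noanonymous"`, which lets Postfix send those relay credentials in clear text whenever a relay does not offer TLS and the global `smtp_tls_security_level` (not visible in this hunk) does not force encryption. The usual Postfix idiom is `smtp_sasl_security_options = "noplaintext,noanonymous";` paired with `smtp_sasl_tls_security_options = "noanonymous";`, so plaintext mechanisms are offered only once the session is TLS-protected. On the first hunk, the three new map files repeat the same connection block and `WHERE` clause, and `mysql_sender_relays_creds` embeds the `password_encrypt` key next to the database credentials while its query already returns the decrypted `login:password`, so the AES layer only protects the stored passwords against a reader of the database alone (and MySQL's `AES_ENCRYPT` defaults to AES-128-ECB unless `block_encryption_mode` is set); a one-line comment above the `AES_DECRYPT` query stating that scope would keep the next maintainer from overestimating it. The `secrets` list and the `extraConfig`/`submissionOptions` attribute sets these hunks belong to start and end outside the shown hunks.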