diff options
| author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-07-03 13:39:08 +0200 |
|---|---|---|
| committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-07-03 13:39:08 +0200 |
| commit | 04b2ab97a0206dedb2135be26cbc097d164072b2 (patch) | |
| tree | 6c92d05f2ce36476f0e55124cfafad2551328545 /modules | |
| parent | aa4f91ad67fa6287217bf67e8122a703327e5e0e (diff) | |
| download | Nix-04b2ab97a0206dedb2135be26cbc097d164072b2.tar.gz Nix-04b2ab97a0206dedb2135be26cbc097d164072b2.tar.zst Nix-04b2ab97a0206dedb2135be26cbc097d164072b2.zip | |
Add relay restrictions per domain
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/private/mail/postfix.nix | 38 |
1 files changed, 29 insertions, 9 deletions
diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix index ee4ac35..2dccc41 100644 --- a/modules/private/mail/postfix.nix +++ b/modules/private/mail/postfix.nix | |||
| @@ -93,19 +93,30 @@ | |||
| 93 | }; | 93 | }; |
| 94 | config.services.postfix = { | 94 | config.services.postfix = { |
| 95 | mapFiles = let | 95 | mapFiles = let |
| 96 | name = n: i: "relay_${n}_${toString i}"; | 96 | recipient_maps = let |
| 97 | pair = n: i: m: lib.attrsets.nameValuePair (name n i) ( | 97 | name = n: i: "relay_${n}_${toString i}"; |
| 98 | if m.type == "hash" | 98 | pair = n: i: m: lib.attrsets.nameValuePair (name n i) ( |
| 99 | then pkgs.writeText (name n i) m.content | 99 | if m.type == "hash" |
| 100 | else null | 100 | then pkgs.writeText (name n i) m.content |
| 101 | ); | 101 | else null |
| 102 | pairs = n: v: lib.imap1 (i: m: pair n i m) v.recipient_maps; | 102 | ); |
| 103 | in | 103 | pairs = n: v: lib.imap1 (i: m: pair n i m) v.recipient_maps; |
| 104 | lib.attrsets.filterAttrs (k: v: v != null) ( | 104 | in lib.attrsets.filterAttrs (k: v: v != null) ( |
| 105 | lib.attrsets.listToAttrs (lib.flatten ( | 105 | lib.attrsets.listToAttrs (lib.flatten ( |
| 106 | lib.attrsets.mapAttrsToList pairs myconfig.env.mail.postfix.backup_domains | 106 | lib.attrsets.mapAttrsToList pairs myconfig.env.mail.postfix.backup_domains |
| 107 | )) | 107 | )) |
| 108 | ); | 108 | ); |
| 109 | relay_restrictions = lib.attrsets.filterAttrs (k: v: v != null) ( | ||
| 110 | lib.attrsets.mapAttrs' (n: v: | ||
| 111 | lib.attrsets.nameValuePair "recipient_access_${n}" ( | ||
| 112 | if lib.attrsets.hasAttr "relay_restrictions" v | ||
| 113 | then pkgs.writeText "recipient_access_${n}" v.relay_restrictions | ||
| 114 | else null | ||
| 115 | ) | ||
| 116 | ) myconfig.env.mail.postfix.backup_domains | ||
| 117 | ); | ||
| 118 | in | ||
| 119 | recipient_maps // relay_restrictions; | ||
| 109 | config = { | 120 | config = { |
| 110 | ### postfix module overrides | 121 | ### postfix module overrides |
| 111 | readme_directory = "${pkgs.postfix}/share/postfix/doc"; | 122 | readme_directory = "${pkgs.postfix}/share/postfix/doc"; |
| @@ -138,6 +149,15 @@ | |||
| 138 | relay_recipient_maps = lib.flatten (lib.attrsets.mapAttrsToList (n: v: | 149 | relay_recipient_maps = lib.flatten (lib.attrsets.mapAttrsToList (n: v: |
| 139 | lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps | 150 | lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps |
| 140 | ) myconfig.env.mail.postfix.backup_domains); | 151 | ) myconfig.env.mail.postfix.backup_domains); |
| 152 | smtpd_relay_restrictions = [ | ||
| 153 | "permit_mynetworks" | ||
| 154 | "permit_sasl_authenticated" | ||
| 155 | "defer_unauth_destination" | ||
| 156 | ] ++ lib.flatten (lib.attrsets.mapAttrsToList (n: v: | ||
| 157 | if lib.attrsets.hasAttr "relay_restrictions" v | ||
| 158 | then [ "check_recipient_access hash:/etc/postfix/recipient_access_${n}" ] | ||
| 159 | else [] | ||
| 160 | ) myconfig.env.mail.postfix.backup_domains); | ||
| 141 | 161 | ||
| 142 | ### Additional smtpd configuration | 162 | ### Additional smtpd configuration |
| 143 | smtpd_tls_received_header = "yes"; | 163 | smtpd_tls_received_header = "yes"; |