-rw-r--r-- | modules/private/environment.nix | 24 | ||||
-rw-r--r-- | modules/private/mail/postfix.nix | 94 |
2 files changed, 100 insertions, 18 deletions
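--- a/modules/private/environment.nix
+++ b/modules/private/environment.nix
@@ -40,14 +40,14 @@ let
 };
 };
 };
-mkMysqlOptions = name: mkOption {
+mkMysqlOptions = name: more: mkOption {
 description = "${name} mysql configuration";
 type = submodule {
 options = mysqlOptions // {
 database = mkOption { description = "${name} database"; type = str; };
 user = mkOption { description = "${name} user"; type = str; };
 password = mkOption { description = "mysql password of the ${name} user"; type = str; };
-};
+} // more;
 };
 };
 psqlOptions = {
@@ -533,7 +535,9 @@ in
 '';
 type = listOf str;
 };
-mysql = mkMysqlOptions "Postfix";
+mysql = mkMysqlOptions "Postfix" {
+password_encrypt = mkOption { type = str; description = "Key to encrypt relay password in database"; };
+};
 backup_domains = mkOption {
 description = ''
 Domains that are accepted for relay as backup domain
@@ -954,7 +956,7 @@ in
 description = "Yourls configuration";
 type = submodule {
 options = {
-mysql = mkMysqlOptions "Yourls";
+mysql = mkMysqlOptions "Yourls" {};
 ldap = mkLdapOptions "Yourls" {};
 cookieKey = mkOption { type = str; description = "Cookie key"; };
 };
@@ -998,7 +1000,7 @@ in
 type = submodule {
 options = {
 environment = mkOption { type = str; description = "Symfony environment"; };
-mysql = mkMysqlOptions "Chloe";
+mysql = mkMysqlOptions "Chloe" {};
 ldap = mkLdapOptions "Chloe" {};
 };
 };
@@ -1020,7 +1022,7 @@ in
 type = submodule {
 options = {
 environment = mkOption { type = str; description = "Symfony environment"; };
-mysql = mkMysqlOptions "Connexionswing";
+mysql = mkMysqlOptions "Connexionswing" {};
 secret = mkOption { type = str; description = "Symfony App secret"; };
 email = mkOption { type = str; description = "Symfony email notification"; };
 };
@@ -1038,7 +1040,7 @@ in
 description = "Naturaloutil configuration";
 type = submodule {
 options = {
-mysql = mkMysqlOptions "Naturaloutil";
+mysql = mkMysqlOptions "Naturaloutil" {};
 server_admin = mkOption { type = str; description = "Server admin e-mail"; };
 };
 };
@@ -1060,7 +1062,7 @@ in
 type = submodule {
 options = {
 environment = mkOption { type = str; description = "Symfony environment"; };
-mysql = mkMysqlOptions "LudivineCassal";
+mysql = mkMysqlOptions "LudivineCassal" {};
 ldap = mkLdapOptions "LudivineCassal" {};
 secret = mkOption { type = str; description = "Symfony App secret"; };
 };
@@ -1107,7 +1109,7 @@ in
 type = submodule {
 options = {
 environment = mkOption { type = str; description = "Symfony environment"; };
-mysql = mkMysqlOptions "Piedsjaloux";
+mysql = mkMysqlOptions "Piedsjaloux" {};
 secret = mkOption { type = str; description = "Symfony App secret"; };
 };
 };
@@ -1124,7 +1126,7 @@ in
 description = "Europe Richie configurations by environment";
 type = submodule {
 options = {
-mysql = mkMysqlOptions "Richie";
+mysql = mkMysqlOptions "Richie" {};
 smtp_mailer = mkOption {
 description = "SMTP mailer configuration";
 type = submodule {
@@ -1146,7 +1148,7 @@ in
 type = submodule {
 options = {
 environment = mkOption { type = str; description = "Symfony environment"; };
-mysql = mkMysqlOptions "Tellesflorian";
+mysql = mkMysqlOptions "Tellesflorian" {};
 secret = mkOption { type = str; description = "Symfony App secret"; };
 invite_passwords = mkOption { type = str; description = "Password basic auth"; };
 };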
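Review bot: The new `password_encrypt` option in the `@@ -533,7 +535,9 @@` hunk is a secret (the postfix module hands it to MySQL AES_ENCRYPT/AES_DECRYPT for the stored relay passwords), but its description reads like an ordinary setting and `type = str` gives no hint that it must be handled like `password`. Suggest `description = "Secret key passed to MySQL AES_ENCRYPT/AES_DECRYPT for the relay passwords stored in the sender_relays table; it is written into the generated postfix map files, so protect it like the mysql password.";`. Also, `mkMysqlOptions` now builds `options = mysqlOptions // { … } // more;`, so a `more` attribute named `database`, `user` or `password` would silently replace the base option; if that is not intended, a short comment on `more` saying it must not reuse those names (or an assertion on the key overlap) would make the contract explicit. The `mkMysqlOptions` definition sits inside a `let` that begins before the first hunk.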
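--- a/modules/private/mail/postfix.nix
+++ b/modules/private/mail/postfix.nix
@@ -81,6 +81,76 @@
 '';
 }
 {
+dest = "postfix/mysql_sender_relays_maps";
+user = config.services.postfix.user;
+group = config.services.postfix.group;
+permissions = "0440";
+text = ''
+# We need to specify that option to trigger ssl connection
+tls_ciphers = TLSv1.2
+user = ${config.myEnv.mail.postfix.mysql.user}
+password = ${config.myEnv.mail.postfix.mysql.password}
+hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+dbname = ${config.myEnv.mail.postfix.mysql.database}
+# INSERT INTO sender_relays
+# (`from`, owner, relay, login, password, regex, active)
+# VALUES
+# ( 'sender@otherhost.org'
+# , 'me@mail.immae.eu'
+# , '[otherhost.org]:587'
+# , 'otherhostlogin'
+# , AES_ENCRYPT('otherhostpassword', '${config.myEnv.mail.postfix.mysql.password_encrypt}')
+# , '0'
+# , '1');
+
+query = SELECT DISTINCT `owner`
+FROM sender_relays
+WHERE
+((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
+AND active = 1
+'';
+}
+{
+dest = "postfix/mysql_sender_relays_hosts";
+user = config.services.postfix.user;
+group = config.services.postfix.group;
+permissions = "0440";
+text = ''
+# We need to specify that option to trigger ssl connection
+tls_ciphers = TLSv1.2
+user = ${config.myEnv.mail.postfix.mysql.user}
+password = ${config.myEnv.mail.postfix.mysql.password}
+hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+dbname = ${config.myEnv.mail.postfix.mysql.database}
+
+query = SELECT DISTINCT relay
+FROM sender_relays
+WHERE
+((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
+AND active = 1
+'';
+}
+{
+dest = "postfix/mysql_sender_relays_creds";
+user = config.services.postfix.user;
+group = config.services.postfix.group;
+permissions = "0440";
+text = ''
+# We need to specify that option to trigger ssl connection
+tls_ciphers = TLSv1.2
+user = ${config.myEnv.mail.postfix.mysql.user}
+password = ${config.myEnv.mail.postfix.mysql.password}
+hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+dbname = ${config.myEnv.mail.postfix.mysql.database}
+
+query = SELECT DISTINCT CONCAT(`login`, ':', AES_DECRYPT(`password`, '${config.myEnv.mail.postfix.mysql.password_encrypt}'))
+FROM sender_relays
+WHERE
+((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
+AND active = 1
+'';
+}
+{
 dest = "postfix/ldap_ejabberd_users_immae_fr";
 user = config.services.postfix.user;
 group = config.services.postfix.group;
@@ -250,12 +320,15 @@
 smtp_bind_address = config.myEnv.servers.eldiron.ips.main.ip4;
 smtp_bind_address6 = builtins.head config.myEnv.servers.eldiron.ips.main.ip6;
 
-# #Unneeded if postfix can only send e-mail from "self" domains
-# #smtp_sasl_auth_enable = "yes";
-# #smtp_sasl_password_maps = "hash:/etc/postfix/relay_creds";
-# #smtp_sasl_security_options = "noanonymous";
-# #smtp_sender_dependent_authentication = "yes";
-# #sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay";
+# Use some relays when authorized senders are not myself
+smtp_sasl_mechanism_filter = "plain,login"; # GSSAPI Not correctly supported by postfix
+smtp_sasl_auth_enable = "yes";
+smtp_sasl_password_maps =
+"mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_creds"}";
+smtp_sasl_security_options = "noanonymous";
+smtp_sender_dependent_authentication = "yes";
+sender_dependent_relayhost_maps =
+"mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_hosts"}";
 
 ### opendkim, opendmarc, openarc milters
 non_smtpd_milters = [
@@ -273,6 +346,9 @@
 enableSmtp = true;
 enableSubmission = true;
 submissionOptions = {
+# Don’t use "long form", only commas (cf
+# http://www.postfix.org/master.5.html long form is not handled
+# well by the submission function)
 smtpd_tls_security_level = "encrypt";
 smtpd_sasl_auth_enable = "yes";
 smtpd_tls_auth_only = "yes";
@@ -284,7 +360,11 @@
 # Refuse to send e-mails with a From that is not handled
 smtpd_sender_restrictions =
 "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
-smtpd_sender_login_maps = "hash:/etc/postfix/host_sender_login,mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}";
+smtpd_sender_login_maps = builtins.concatStringsSep "," [
+"hash:/etc/postfix/host_sender_login"
+"mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_maps"}"
+"mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}"
+];
 smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
 milter_macro_daemon_name = "ORIGINATING";
 smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}";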
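Review bot: In the `@@ -250,12 +320,15 @@` hunk, `smtp_sasl_security_options = "noanonymous"` combined with `smtp_sasl_mechanism_filter = "plain,login"` lets Postfix send the relay login and password as PLAIN/LOGIN on an unencrypted session whenever the relay does not offer STARTTLS; nothing in this hunk ties the plaintext mechanisms to TLS, and `smtp_tls_security_level` is not visible here, so it may or may not be enforced elsewhere. The fail-closed form is `smtp_sasl_security_options = "noplaintext,noanonymous";` plus `smtp_sasl_tls_security_options = "noanonymous";`, so PLAIN/LOGIN are only offered after STARTTLS and an unencrypted session simply fails to authenticate instead of leaking the credentials. Separately, the `postfix/mysql_sender_relays_creds` map embeds both the MySQL password and the `password_encrypt` AES key in the query text, so one 0440 file decrypts every stored relay password and the key will show up in the MySQL general/slow query log if that is enabled; a comment on that map such as `# NOTE: the AES key is in the query text; anyone who can read this file (or the query log) can decrypt sender_relays.password` would at least make that trust boundary explicit.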