diff options
Diffstat (limited to 'modules/private/mail/postfix.nix')
| -rw-r--r-- | modules/private/mail/postfix.nix | 15 |
1 files changed, 6 insertions, 9 deletions
diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix index 6623735..bd284cb 100644 --- a/modules/private/mail/postfix.nix +++ b/modules/private/mail/postfix.nix | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | { lib, pkgs, config, nodes, ... }: | 1 | { lib, pkgs, config, nodes, name, ... }: |
| 2 | { | 2 | { |
| 3 | config = lib.mkIf config.myServices.mail.enable { | 3 | config = lib.mkIf config.myServices.mail.enable { |
| 4 | services.duplyBackup.profiles.mail.excludeFile = '' | 4 | services.duplyBackup.profiles.mail.excludeFile = '' |
| @@ -299,8 +299,6 @@ | |||
| 299 | lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps | 299 | lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps |
| 300 | ) config.myEnv.mail.postfix.backup_domains); | 300 | ) config.myEnv.mail.postfix.backup_domains); |
| 301 | smtpd_relay_restrictions = [ | 301 | smtpd_relay_restrictions = [ |
| 302 | "permit_mynetworks" | ||
| 303 | "permit_sasl_authenticated" | ||
| 304 | "defer_unauth_destination" | 302 | "defer_unauth_destination" |
| 305 | ] ++ lib.flatten (lib.attrsets.mapAttrsToList (n: v: | 303 | ] ++ lib.flatten (lib.attrsets.mapAttrsToList (n: v: |
| 306 | if lib.attrsets.hasAttr "relay_restrictions" v | 304 | if lib.attrsets.hasAttr "relay_restrictions" v |
| @@ -317,8 +315,8 @@ | |||
| 317 | smtp_tls_loglevel = "1"; | 315 | smtp_tls_loglevel = "1"; |
| 318 | 316 | ||
| 319 | ### Force ip bind for smtp | 317 | ### Force ip bind for smtp |
| 320 | smtp_bind_address = config.myEnv.servers.eldiron.ips.main.ip4; | 318 | smtp_bind_address = config.hostEnv.ips.main.ip4; |
| 321 | smtp_bind_address6 = builtins.head config.myEnv.servers.eldiron.ips.main.ip6; | 319 | smtp_bind_address6 = builtins.head config.hostEnv.ips.main.ip6; |
| 322 | 320 | ||
| 323 | # Use some relays when authorized senders are not myself | 321 | # Use some relays when authorized senders are not myself |
| 324 | smtp_sasl_mechanism_filter = "plain,login"; # GSSAPI Not correctly supported by postfix | 322 | smtp_sasl_mechanism_filter = "plain,login"; # GSSAPI Not correctly supported by postfix |
| @@ -333,13 +331,11 @@ | |||
| 333 | ### opendkim, opendmarc, openarc milters | 331 | ### opendkim, opendmarc, openarc milters |
| 334 | non_smtpd_milters = [ | 332 | non_smtpd_milters = [ |
| 335 | "unix:${config.myServices.mail.milters.sockets.opendkim}" | 333 | "unix:${config.myServices.mail.milters.sockets.opendkim}" |
| 336 | "unix:${config.myServices.mail.milters.sockets.opendmarc}" | ||
| 337 | "unix:${config.myServices.mail.milters.sockets.openarc}" | ||
| 338 | ]; | 334 | ]; |
| 339 | smtpd_milters = [ | 335 | smtpd_milters = [ |
| 340 | "unix:${config.myServices.mail.milters.sockets.opendkim}" | 336 | "unix:${config.myServices.mail.milters.sockets.opendkim}" |
| 341 | "unix:${config.myServices.mail.milters.sockets.opendmarc}" | ||
| 342 | "unix:${config.myServices.mail.milters.sockets.openarc}" | 337 | "unix:${config.myServices.mail.milters.sockets.openarc}" |
| 338 | "unix:${config.myServices.mail.milters.sockets.opendmarc}" | ||
| 343 | ]; | 339 | ]; |
| 344 | }; | 340 | }; |
| 345 | enable = true; | 341 | enable = true; |
| @@ -357,6 +353,7 @@ | |||
| 357 | smtpd_sasl_path = "private/auth"; | 353 | smtpd_sasl_path = "private/auth"; |
| 358 | smtpd_reject_unlisted_recipient = "no"; | 354 | smtpd_reject_unlisted_recipient = "no"; |
| 359 | smtpd_client_restrictions = "permit_sasl_authenticated,reject"; | 355 | smtpd_client_restrictions = "permit_sasl_authenticated,reject"; |
| 356 | smtpd_relay_restrictions = "permit_sasl_authenticated,reject"; | ||
| 360 | # Refuse to send e-mails with a From that is not handled | 357 | # Refuse to send e-mails with a From that is not handled |
| 361 | smtpd_sender_restrictions = | 358 | smtpd_sender_restrictions = |
| 362 | "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject"; | 359 | "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject"; |
| @@ -378,7 +375,7 @@ | |||
| 378 | ''; | 375 | ''; |
| 379 | destination = ["localhost"]; | 376 | destination = ["localhost"]; |
| 380 | # This needs to reverse DNS | 377 | # This needs to reverse DNS |
| 381 | hostname = "eldiron.immae.eu"; | 378 | hostname = config.hostEnv.fqdn; |
| 382 | setSendmail = true; | 379 | setSendmail = true; |
| 383 | sslCert = "/var/lib/acme/mail/fullchain.pem"; | 380 | sslCert = "/var/lib/acme/mail/fullchain.pem"; |
| 384 | sslKey = "/var/lib/acme/mail/key.pem"; | 381 | sslKey = "/var/lib/acme/mail/key.pem"; |