Diffstat (limited to 'modules/private/mail/postfix.nix')
-rw-r--r-- | modules/private/mail/postfix.nix | 15 |
1 files changed, 6 insertions, 9 deletions
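diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix
index 6623735..bd284cb 100644
--- a/modules/private/mail/postfix.nix
+++ b/modules/private/mail/postfix.nix
@@ -1,4 +1,4 @@
-{ lib, pkgs, config, nodes, ... }:
+{ lib, pkgs, config, nodes, name, ... }:
 {
 config = lib.mkIf config.myServices.mail.enable {
 services.duplyBackup.profiles.mail.excludeFile = ''
@@ -299,8 +299,6 @@
 lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps
 ) config.myEnv.mail.postfix.backup_domains);
 smtpd_relay_restrictions = [
-"permit_mynetworks"
-"permit_sasl_authenticated"
 "defer_unauth_destination"
 ] ++ lib.flatten (lib.attrsets.mapAttrsToList (n: v:
 if lib.attrsets.hasAttr "relay_restrictions" v
@@ -317,8 +315,8 @@
 smtp_tls_loglevel = "1";
 
 ### Force ip bind for smtp
-smtp_bind_address = config.myEnv.servers.eldiron.ips.main.ip4;
-smtp_bind_address6 = builtins.head config.myEnv.servers.eldiron.ips.main.ip6;
+smtp_bind_address = config.hostEnv.ips.main.ip4;
+smtp_bind_address6 = builtins.head config.hostEnv.ips.main.ip6;
 
 # Use some relays when authorized senders are not myself
 smtp_sasl_mechanism_filter = "plain,login"; # GSSAPI Not correctly supported by postfix
@@ -333,13 +331,11 @@
 ### opendkim, opendmarc, openarc milters
 non_smtpd_milters = [
 "unix:${config.myServices.mail.milters.sockets.opendkim}"
-"unix:${config.myServices.mail.milters.sockets.opendmarc}"
-"unix:${config.myServices.mail.milters.sockets.openarc}"
 ];
 smtpd_milters = [
 "unix:${config.myServices.mail.milters.sockets.opendkim}"
-"unix:${config.myServices.mail.milters.sockets.opendmarc}"
 "unix:${config.myServices.mail.milters.sockets.openarc}"
+"unix:${config.myServices.mail.milters.sockets.opendmarc}"
 ];
 };
 enable = true;
@@ -357,6 +353,7 @@
 smtpd_sasl_path = "private/auth";
 smtpd_reject_unlisted_recipient = "no";
 smtpd_client_restrictions = "permit_sasl_authenticated,reject";
+smtpd_relay_restrictions = "permit_sasl_authenticated,reject";
 # Refuse to send e-mails with a From that is not handled
 smtpd_sender_restrictions =
 "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
@@ -378,7 +375,7 @@
 '';
 destination = ["localhost"];
 # This needs to reverse DNS
-hostname = "eldiron.immae.eu";
+hostname = config.hostEnv.fqdn;
 setSendmail = true;
 sslCert = "/var/lib/acme/mail/fullchain.pem";
 sslKey = "/var/lib/acme/mail/key.pem";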
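Review bot: The main-instance `smtpd_relay_restrictions` in the second hunk now opens with only `defer_unauth_destination`, so neither `mynetworks` hosts nor SASL-authenticated clients can relay through port 25 any more; authenticated relay now rests entirely on the `smtpd_relay_restrictions = "permit_sasl_authenticated,reject";` override added in the fifth hunk, whose enclosing service definition starts outside that hunk (presumably the submission service). That is a sound relay lock-down, but nothing in the file records the intent, so a later edit could reintroduce `permit_mynetworks` without noticing the split; a comment above the list such as `# Port 25 relays only for backup_domains; authenticated relay is handled on the submission service` would pin it down. Also worth confirming that no local service injects outbound mail over SMTP to port 25 instead of via sendmail, since such mail would now be deferred rather than relayed. In the fourth hunk opendmarc is dropped from `non_smtpd_milters` and moved after openarc in `smtpd_milters`; milter order decides which Authentication-Results headers each one sees, so a short comment stating why this order was chosen would help the next reader.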