Diffstat (limited to 'modules/private/mail/postfix.nix')
-rw-r--r--modules/private/mail/postfix.nix94
1 files changed, 87 insertions, 7 deletions
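--- a/modules/private/mail/postfix.nix
+++ b/modules/private/mail/postfix.nix
@@ -81,6 +81,76 @@
 '';
 }
 {
+dest = "postfix/mysql_sender_relays_maps";
+user = config.services.postfix.user;
+group = config.services.postfix.group;
+permissions = "0440";
+text = ''
+# We need to specify that option to trigger ssl connection
+tls_ciphers = TLSv1.2
+user = ${config.myEnv.mail.postfix.mysql.user}
+password = ${config.myEnv.mail.postfix.mysql.password}
+hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+dbname = ${config.myEnv.mail.postfix.mysql.database}
+# INSERT INTO sender_relays
+# (`from`, owner, relay, login, password, regex, active)
+# VALUES
+# ( 'sender@otherhost.org'
+# , 'me@mail.immae.eu'
+# , '[otherhost.org]:587'
+# , 'otherhostlogin'
+# , AES_ENCRYPT('otherhostpassword', '${config.myEnv.mail.postfix.mysql.password_encrypt}')
+# , '0'
+# , '1');
+
+query = SELECT DISTINCT `owner`
+FROM sender_relays
+WHERE
+((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
+AND active = 1
+'';
+}
+{
+dest = "postfix/mysql_sender_relays_hosts";
+user = config.services.postfix.user;
+group = config.services.postfix.group;
+permissions = "0440";
+text = ''
+# We need to specify that option to trigger ssl connection
+tls_ciphers = TLSv1.2
+user = ${config.myEnv.mail.postfix.mysql.user}
+password = ${config.myEnv.mail.postfix.mysql.password}
+hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+dbname = ${config.myEnv.mail.postfix.mysql.database}
+
+query = SELECT DISTINCT relay
+FROM sender_relays
+WHERE
+((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
+AND active = 1
+'';
+}
+{
+dest = "postfix/mysql_sender_relays_creds";
+user = config.services.postfix.user;
+group = config.services.postfix.group;
+permissions = "0440";
+text = ''
+# We need to specify that option to trigger ssl connection
+tls_ciphers = TLSv1.2
+user = ${config.myEnv.mail.postfix.mysql.user}
+password = ${config.myEnv.mail.postfix.mysql.password}
+hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+dbname = ${config.myEnv.mail.postfix.mysql.database}
+
+query = SELECT DISTINCT CONCAT(`login`, ':', AES_DECRYPT(`password`, '${config.myEnv.mail.postfix.mysql.password_encrypt}'))
+FROM sender_relays
+WHERE
+((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
+AND active = 1
+'';
+}
+{
 dest = "postfix/ldap_ejabberd_users_immae_fr";
 user = config.services.postfix.user;
 group = config.services.postfix.group;
@@ -250,12 +320,15 @@
 smtp_bind_address = config.myEnv.servers.eldiron.ips.main.ip4;
 smtp_bind_address6 = builtins.head config.myEnv.servers.eldiron.ips.main.ip6;
 
-# #Unneeded if postfix can only send e-mail from "self" domains
-# #smtp_sasl_auth_enable = "yes";
-# #smtp_sasl_password_maps = "hash:/etc/postfix/relay_creds";
-# #smtp_sasl_security_options = "noanonymous";
-# #smtp_sender_dependent_authentication = "yes";
-# #sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay";
+# Use some relays when authorized senders are not myself
+smtp_sasl_mechanism_filter = "plain,login"; # GSSAPI Not correctly supported by postfix
+smtp_sasl_auth_enable = "yes";
+smtp_sasl_password_maps =
+"mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_creds"}";
+smtp_sasl_security_options = "noanonymous";
+smtp_sender_dependent_authentication = "yes";
+sender_dependent_relayhost_maps =
+"mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_hosts"}";
 
 ### opendkim, opendmarc, openarc milters
 non_smtpd_milters = [
@@ -273,6 +346,9 @@
 enableSmtp = true;
 enableSubmission = true;
 submissionOptions = {
+# Don’t use "long form", only commas (cf
+# http://www.postfix.org/master.5.html long form is not handled
+# well by the submission function)
 smtpd_tls_security_level = "encrypt";
 smtpd_sasl_auth_enable = "yes";
 smtpd_tls_auth_only = "yes";
@@ -284,7 +360,11 @@
 # Refuse to send e-mails with a From that is not handled
 smtpd_sender_restrictions =
 "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
-smtpd_sender_login_maps = "hash:/etc/postfix/host_sender_login,mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}";
+smtpd_sender_login_maps = builtins.concatStringsSep "," [
+"hash:/etc/postfix/host_sender_login"
+"mysql:${config.secrets.fullPaths."postfix/mysql_sender_relays_maps"}"
+"mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}"
+];
 smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
 milter_macro_daemon_name = "ORIGINATING";
 smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}";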
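Review bot: The relay credentials enabled in the second hunk use plaintext SASL mechanisms (`smtp_sasl_mechanism_filter = "plain,login"`), and `smtp_sasl_security_options = "noanonymous"` alone still permits Postfix to send them over an unencrypted session if a relay does not offer STARTTLS; no `smtp_tls_security_level` or per-relay TLS policy is visible in this hunk, so it may be set elsewhere in the attribute set, whose start and end lie outside the hunk. I would change that line to `smtp_sasl_security_options = "noanonymous,noplaintext";` and add `smtp_sasl_tls_security_options = "noanonymous";` so plain/login are only offered once TLS is established. A related caveat for the `mysql_sender_relays_creds` map in the first hunk: the AES key is written into the same 0440 file as the database user and password, so `AES_ENCRYPT` only protects relay passwords against a reader of the database alone, not against a reader of that map file; a comment such as `# password_encrypt key lives in this file: it protects the DB column, not this map` above the `query` line would make that explicit.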