4 files changed, 66 insertions, 13 deletions
diff --git a/modules/private/mail/default.nix b/modules/private/mail/default.nix
index 839939c..a617934 100644
--- a/modules/private/mail/default.nix
+++ b/modules/private/mail/default.nix
@@ -5,8 +5,10 @@
    ./postfix.nix
    ./dovecot.nix
    ./rspamd.nix
+    ./opensmtpd.nix
  ];
  options.myServices.mail.enable = lib.mkEnableOption "enable Mail services";
+  options.myServices.mailRelay.enable = lib.mkEnableOption "enable Mail relay services";
  config = lib.mkIf config.myServices.mail.enable {
    security.acme.certs."mail" = config.myServices.certificates.certConfig // {
diff --git a/modules/private/mail/opensmtpd.nix b/modules/private/mail/opensmtpd.nix
new file mode 100644
index 0000000..7831ac0
--- /dev/null
+++ b/modules/private/mail/opensmtpd.nix
@@ -0,0 +1,51 @@
+{ lib, pkgs, config, name, ... }:
+{
+  config = lib.mkIf config.myServices.mailRelay.enable {
+    secrets.keys = [
+      {
+        dest = "opensmtpd/creds";
+        user = "smtpd";
+        group = "smtpd";
+        permissions = "0400";
+        text = ''
+          eldiron    ${name}:${config.myEnv.servers."${name}".ldap.password}
+          '';
+      }
+    ];
+    users.users.smtpd.extraGroups = [ "keys" ];
+    services.opensmtpd = {
+      enable = true;
+      serverConfiguration = ''
+        table creds \
+          "${config.secrets.fullPaths."opensmtpd/creds"}"
+        # FIXME: filtering requires 6.6
+        # filter "fixfrom" \
+        #   proc-exec "${pkgs.procmail}/bin/formail -i 'From: ${name}@immae.eu'"
+        action "relay-rewrite-from" relay \
+          helo ${config.hostEnv.FQDN} \
+          host smtp+tls://eldiron@eldiron.immae.eu:587 \
+          auth <creds> \
+          mail-from ${name}@immae.eu
+        action "relay" relay \
+          helo ${config.hostEnv.FQDN} \
+          host smtp+tls://eldiron@eldiron.immae.eu:587 \
+          auth <creds>
+        match for any !mail-from "@immae.eu" action "relay-rewrite-from"
+        match for any mail-from "@immae.eu" action "relay"
+        '';
+    };
+    environment.systemPackages = [ config.services.opensmtpd.package ];
+    services.mail.sendmailSetuidWrapper = {
+      program = "sendmail";
+      source = "${config.services.opensmtpd.package}/bin/smtpctl";
+      setuid = false;
+      setgid = false;
+    };
+    security.wrappers.mailq = {
+      program = "mailq";
+      source = "${config.services.opensmtpd.package}/bin/smtpctl";
+      setuid = false;
+      setgid = false;
+    };
+  };
+}
diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix
index 9c4b87c..a31841f 100644
--- a/modules/private/mail/postfix.nix
+++ b/modules/private/mail/postfix.nix
@@ -1,4 +1,4 @@
-{ lib, pkgs, config, ... }:
+{ lib, pkgs, config, nodes, ... }:
 {
  config = lib.mkIf config.myServices.mail.enable {
    services.duplyBackup.profiles.mail.excludeFile = ''
@@ -186,8 +186,15 @@
            )
          );
        };
+        sasl_access = {
+          host_sender_login = pkgs.writeText "host-sender-login"
+            (builtins.concatStringsSep "\n" (lib.flatten (lib.attrsets.mapAttrsToList
+            (n: v: (map (e: "${e}  ${n}@immae.eu") v.emails)) config.myEnv.servers)));
+          host_dummy_mailboxes = pkgs.writeText "host-virtual-mailbox"
+            (builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v: "${n}@immae.eu  dummy") nodes));
+        };
      in
-        recipient_maps // relay_restrictions // virtual_map;
+        recipient_maps // relay_restrictions // virtual_map // sasl_access;
      config = {
        ### postfix module overrides
        readme_directory = "${pkgs.postfix}/share/postfix/doc";
@@ -212,7 +219,7 @@
            )
            config.myEnv.dns.masterZones
          )));
-        virtual_mailbox_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}";
+        virtual_mailbox_maps = "hash:/etc/postfix/host_dummy_mailboxes mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}";
        dovecot_destination_recipient_limit = "1";
        virtual_transport = "dovecot";
@@ -277,7 +284,7 @@
        # Refuse to send e-mails with a From that is not handled
        smtpd_sender_restrictions =
          "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
-        smtpd_sender_login_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}";
+        smtpd_sender_login_maps = "hash:/etc/postfix/host_sender_login,mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}";
        smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
        milter_macro_daemon_name = "ORIGINATING";
        smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}";
diff --git a/modules/private/system/backup-2.nix b/modules/private/system/backup-2.nix
index f241ad1..ede5bc2 100644
--- a/modules/private/system/backup-2.nix
+++ b/modules/private/system/backup-2.nix
@@ -1,5 +1,5 @@
 { privateFiles }:
-{ config, pkgs, resources, ... }:
+{ config, pkgs, resources, name, ... }:
 {
  boot.kernelPackages = pkgs.linuxPackages_latest;
  myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
@@ -33,14 +33,6 @@
      (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
      config.myEnv.servers.backup-2.ips);
    defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
-    defaultMailServer = {
-      directDelivery = true;
-      hostName = "eldiron.immae.eu:25";
-      useTLS = true;
-      useSTARTTLS = true;
-      root = "postmaster@immae.eu";
-    };
  };
  services.cron = {
@@ -56,6 +48,7 @@
    ssh_key_private = config.myEnv.rsync_backup.ssh_key.private;
  };
+  myServices.mailRelay.enable = true;
  myServices.monitoring.enable = true;
  myServices.databasesReplication = {
    postgresql = {

diff --git a/modules/private/mail/default.nix b/modules/private/mail/default.nix index 839939c..a617934 100644 --- a/modules/private/mail/default.nix +++ b/modules/private/mail/default.nix
@@ -5,8 +5,10 @@
5	./postfix.nix	5	./postfix.nix
6	./dovecot.nix	6	./dovecot.nix
7	./rspamd.nix	7	./rspamd.nix
		8	./opensmtpd.nix
8	];	9	];
9	options.myServices.mail.enable = lib.mkEnableOption "enable Mail services";	10	options.myServices.mail.enable = lib.mkEnableOption "enable Mail services";
		11	options.myServices.mailRelay.enable = lib.mkEnableOption "enable Mail relay services";
10		12
11	config = lib.mkIf config.myServices.mail.enable {	13	config = lib.mkIf config.myServices.mail.enable {
12	security.acme.certs."mail" = config.myServices.certificates.certConfig // {	14	security.acme.certs."mail" = config.myServices.certificates.certConfig // {


diff --git a/modules/private/mail/opensmtpd.nix b/modules/private/mail/opensmtpd.nix new file mode 100644 index 0000000..7831ac0 --- /dev/null +++ b/modules/private/mail/opensmtpd.nix
@@ -0,0 +1,51 @@
		1	{ lib, pkgs, config, name, ... }:
		2	{
		3	config = lib.mkIf config.myServices.mailRelay.enable {
		4	secrets.keys = [
		5	{
		6	dest = "opensmtpd/creds";
		7	user = "smtpd";
		8	group = "smtpd";
		9	permissions = "0400";
		10	text = ''
		11	eldiron ${name}:${config.myEnv.servers."${name}".ldap.password}
		12	'';
		13	}
		14	];
		15	users.users.smtpd.extraGroups = [ "keys" ];
		16	services.opensmtpd = {
		17	enable = true;
		18	serverConfiguration = ''
		19	table creds \
		20	"${config.secrets.fullPaths."opensmtpd/creds"}"
		21	# FIXME: filtering requires 6.6
		22	# filter "fixfrom" \
		23	# proc-exec "${pkgs.procmail}/bin/formail -i 'From: ${name}@immae.eu'"
		24	action "relay-rewrite-from" relay \
		25	helo ${config.hostEnv.FQDN} \
		26	host smtp+tls://eldiron@eldiron.immae.eu:587 \
		27	auth <creds> \
		28	mail-from ${name}@immae.eu
		29	action "relay" relay \
		30	helo ${config.hostEnv.FQDN} \
		31	host smtp+tls://eldiron@eldiron.immae.eu:587 \
		32	auth <creds>
		33	match for any !mail-from "@immae.eu" action "relay-rewrite-from"
		34	match for any mail-from "@immae.eu" action "relay"
		35	'';
		36	};
		37	environment.systemPackages = [ config.services.opensmtpd.package ];
		38	services.mail.sendmailSetuidWrapper = {
		39	program = "sendmail";
		40	source = "${config.services.opensmtpd.package}/bin/smtpctl";
		41	setuid = false;
		42	setgid = false;
		43	};
		44	security.wrappers.mailq = {
		45	program = "mailq";
		46	source = "${config.services.opensmtpd.package}/bin/smtpctl";
		47	setuid = false;
		48	setgid = false;
		49	};
		50	};
		51	}


diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix index 9c4b87c..a31841f 100644 --- a/modules/private/mail/postfix.nix +++ b/modules/private/mail/postfix.nix
@@ -1,4 +1,4 @@
1	{ lib, pkgs, config, ... }:	1	{ lib, pkgs, config, nodes, ... }:
2	{	2	{
3	config = lib.mkIf config.myServices.mail.enable {	3	config = lib.mkIf config.myServices.mail.enable {
4	services.duplyBackup.profiles.mail.excludeFile = ''	4	services.duplyBackup.profiles.mail.excludeFile = ''
@@ -186,8 +186,15 @@
186	)	186	)
187	);	187	);
188	};	188	};
		189	sasl_access = {
		190	host_sender_login = pkgs.writeText "host-sender-login"
		191	(builtins.concatStringsSep "\n" (lib.flatten (lib.attrsets.mapAttrsToList
		192	(n: v: (map (e: "${e} ${n}@immae.eu") v.emails)) config.myEnv.servers)));
		193	host_dummy_mailboxes = pkgs.writeText "host-virtual-mailbox"
		194	(builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v: "${n}@immae.eu dummy") nodes));
		195	};
189	in	196	in
190	recipient_maps // relay_restrictions // virtual_map;	197	recipient_maps // relay_restrictions // virtual_map // sasl_access;
191	config = {	198	config = {
192	### postfix module overrides	199	### postfix module overrides
193	readme_directory = "${pkgs.postfix}/share/postfix/doc";	200	readme_directory = "${pkgs.postfix}/share/postfix/doc";
@@ -212,7 +219,7 @@
212	)	219	)
213	config.myEnv.dns.masterZones	220	config.myEnv.dns.masterZones
214	)));	221	)));
215	virtual_mailbox_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}";	222	virtual_mailbox_maps = "hash:/etc/postfix/host_dummy_mailboxes mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}";
216	dovecot_destination_recipient_limit = "1";	223	dovecot_destination_recipient_limit = "1";
217	virtual_transport = "dovecot";	224	virtual_transport = "dovecot";
218		225
@@ -277,7 +284,7 @@
277	# Refuse to send e-mails with a From that is not handled	284	# Refuse to send e-mails with a From that is not handled
278	smtpd_sender_restrictions =	285	smtpd_sender_restrictions =
279	"reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";	286	"reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
280	smtpd_sender_login_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}";	287	smtpd_sender_login_maps = "hash:/etc/postfix/host_sender_login,mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}";
281	smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";	288	smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
282	milter_macro_daemon_name = "ORIGINATING";	289	milter_macro_daemon_name = "ORIGINATING";
283	smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}";	290	smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}";


diff --git a/modules/private/system/backup-2.nix b/modules/private/system/backup-2.nix index f241ad1..ede5bc2 100644 --- a/modules/private/system/backup-2.nix +++ b/modules/private/system/backup-2.nix
@@ -1,5 +1,5 @@
1	{ privateFiles }:	1	{ privateFiles }:
2	{ config, pkgs, resources, ... }:	2	{ config, pkgs, resources, name, ... }:
3	{	3	{
4	boot.kernelPackages = pkgs.linuxPackages_latest;	4	boot.kernelPackages = pkgs.linuxPackages_latest;
5	myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };	5	myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
@@ -33,14 +33,6 @@
33	(n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))	33	(n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
34	config.myEnv.servers.backup-2.ips);	34	config.myEnv.servers.backup-2.ips);
35	defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };	35	defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
36
37	defaultMailServer = {
38	directDelivery = true;
39	hostName = "eldiron.immae.eu:25";
40	useTLS = true;
41	useSTARTTLS = true;
42	root = "postmaster@immae.eu";
43	};
44	};	36	};
45		37
46	services.cron = {	38	services.cron = {
@@ -56,6 +48,7 @@
56	ssh_key_private = config.myEnv.rsync_backup.ssh_key.private;	48	ssh_key_private = config.myEnv.rsync_backup.ssh_key.private;
57	};	49	};
58		50
		51	myServices.mailRelay.enable = true;
59	myServices.monitoring.enable = true;	52	myServices.monitoring.enable = true;
60	myServices.databasesReplication = {	53	myServices.databasesReplication = {
61	postgresql = {	54	postgresql = {