]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/losurdo/postfix.nix
sourcephile / git / sourcephile-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
nftables: revamp to declarative configuration
[sourcephile-nix.git] / hosts / losurdo / postfix.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (lib) types;
4 inherit (config) networking users;
5 inherit (config.services) postfix;
6 in
7 {
8 imports = [
9 #postfix/autogeree.net.nix
10 #postfix/sourcephile.fr.nix
11 ];
12 users.groups.acme.members = [ postfix.user ];
13 networking.nftables.ruleset = ''
14 table inet filter {
15 chain input-net {
16 #tcp dport 25 counter accept comment "postfix: SMTP"
17 #tcp dport 465 counter accept comment "postfix: submissions"
18 }
19 chain output-net {
20 skuid ${postfix.user} tcp dport smtp counter accept comment "postfix: SMTP"
21 }
22 }
23 '';
24 services.postfix = {
25 enable = true;
26 networksStyle = "host";
27 hostname ="${networking.hostName}.${networking.domain}";
28 domain = networking.domain;
29 origin = "$myhostname";
30 destination = [
31 "localhost"
32 "localhost.localdomain"
33 "$myhostname"
34 ];
35 postmasterAlias = "root";
36 rootAlias = "root@${networking.domain}";
37 sslKey = "/var/lib/acme/${networking.domain}/key.pem";
38 sslCert = "/var/lib/acme/${networking.domain}/fullchain.pem";
39 networks = [
40 "127.0.0.0/8"
41 "[::1]/128"
42 ];
43 setSendmail = true;
44 # Parse the extension in email address, eg. contact+extension@
45 recipientDelimiter = "+";
46 config = {
47 debug_peer_level = "4";
48 debug_peer_list = [
49 #"chomsky.autogeree.net"
50 #"localhost"
51 #"mail.sourcephile.fr"
52 ];
53
54 #
55 # Sending to the world
56 #
57 # Appending .domain is the MUA's job
58 append_dot_mydomain = false;
59 smtp_body_checks = "";
60 #smtp_cname_overrides_servername = false;
61 smtp_connect_timeout = "60s";
62 #smtp_header_checks = "regexp:/var/lib/postfix/smtp_header_checks";
63 smtp_mime_header_checks = "";
64 smtp_nested_header_checks = "";
65 smtp_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ];
66 #smtp_tls_fingerprint_digest = "sha1";
67 smtp_tls_loglevel = "1";
68 #smtp_tls_note_starttls_offer = true;
69 #smtp_tls_policy_maps = "hash:/var/lib/postfix/conf/tls_policy";
70 # Only allow TLSv* protocols
71 smtp_tls_protocols = [ "!SSLv2" "!SSLv3" ];
72 #smtp_tls_scert_verifydepth = "5";
73 #smtp_tls_secure_cert_match = [ "nexthop" "dot-nexthop" ];
74 smtp_tls_security_level = "may";
75 smtp_tls_session_cache_database = "btree:$data_directory/smtp_tls_session_cache";
76 #smtp_tls_session_cache_timeout = "3600s";
77 #smtp_tls_verify_cert_match = "hostname";
78
79 #
80 # Receiving from the world
81 #
82 message_size_limit = "20480000";
83 maximal_queue_lifetime = "5d";
84 default_extra_recipient_limit = "5000";
85 line_length_limit = "2048";
86 duplicate_filter_limit = "5000";
87 # Stops mail from poorly written software
88 strict_rfc821_envelopes = true;
89 mime_header_checks = [];
90 milter_header_checks = [];
91 nested_header_checks = [];
92 body_checks = [];
93 content_filter = "";
94 permit_mx_backup_networks = [];
95 propagate_unmatched_extensions = [ "canonical" "virtual" "alias" ];
96 #masquerade_classes = [ "envelope_sender" "header_sender" "header_recipient" ];
97 #masquerade_domains = "";
98 #masquerade_exceptions = "root";
99 queue_minfree = "0";
100 # Stops some techniques used to harvest email addresses
101 disable_vrfy_command = true;
102 enable_long_queue_ids = false;
103 # Useful to test restrictions
104 smtpd_authorized_xclient_hosts = "127.0.0.1";
105 smtpd_banner = "$myhostname ESMTP $mail_name (NixOS)";
106 smtpd_client_connection_count_limit = "50";
107 smtpd_client_connection_rate_limit = "0";
108 smtpd_client_event_limit_exceptions = "$mynetworks";
109 smtpd_client_message_rate_limit = "0";
110 smtpd_client_new_tls_session_rate_limit = "0";
111 smtpd_client_port_logging = false;
112 smtpd_client_recipient_rate_limit = "0";
113 # Ban 5 sec on error
114 smtpd_error_sleep_time = "5";
115 # Needed to enforce reject_unknown_helo_hostname
116 smtpd_helo_required = true;
117 smtpd_helo_restrictions = [
118 "reject_invalid_helo_hostname"
119 "reject_non_fqdn_helo_hostname"
120 # Don't talk to mail systems that don't know their own hostname.
121 "reject_unknown_helo_hostname"
122 "permit"
123 ];
124 smtpd_client_restrictions = [
125 ];
126 # Set in postfix/*.nix and used in submissions/smptd
127 # with reject_sender_login_mismatch
128 smtpd_sender_login_maps = [];
129 smtpd_sender_restrictions = [
130 "reject_non_fqdn_sender"
131 "permit"
132 ];
133 smtpd_reject_unlisted_recipient = true;
134 # Check the RCPT TO, before smtpd_recipient_restrictions
135 # Restrictions based on what is allowed or not,
136 # these are applied before smtpd_recipient_restrictions
137 smtpd_relay_restrictions = [
138 "permit_mynetworks"
139 # Check the recipient's address in virtual_mailbox_domains and virtual_mailbox_maps
140 "permit_auth_destination"
141 # The world is only authorized to use our relay for the above destinations.
142 "reject"
143 ];
144 # Restrictions based on what is working or not
145 smtpd_recipient_restrictions = [
146 # Reject if the domain is not fully qualified
147 "reject_non_fqdn_recipient"
148 # Reject if the domain is not working, even before bothering to check the address
149 "reject_unknown_recipient_domain"
150 # Reject if the address is not working
151 # WARNING: this does not work if the recipient is greylisting.
152 # WARNING: verify(8) has a cache, dumpable if verify(8) is stopped, with:
153 # postmap -s btree:/var/lib/postfix/data/verify_cache
154 #"reject_unverified_recipient"
155 "permit"
156 ];
157 # Trust the verify database
158 #unverified_recipient_reject_code = "550";
159 smtpd_data_restrictions = [
160 # Force the smtpd's client to wait OK before sending
161 "reject_unauth_pipelining"
162 "permit"
163 ];
164 smtpd_end_of_data_restrictions = [
165 # Enforce mail volume quota via policy service callouts.
166 #check_policy_service unix:private/policy
167 ];
168 #smtpd_milters = "";
169 smtpd_peername_lookup = true;
170 smtpd_recipient_limit = "5000";
171 smtpd_recipient_overshoot_limit = "5000";
172 #smtpd_restriction_classes = "";
173 #smtpd_sasl_auth_enable = true;
174 #smtpd_sasl_path = "private/auth";
175 #smtpd_sasl_security_options = "noanonymous";
176 #smtpd_sasl_type = "dovecot";
177 smtpd_starttls_timeout = "300s";
178 #smtpd_tls_always_issue_session_ids = true;
179 #smtpd_tls_CApath = "/etc/postfix/x509/ca/";
180 smtpd_tls_ask_ccert = false;
181 #smtpd_tls_ccert_verifydepth = "5";
182 smtpd_tls_ciphers = "high";
183 smtpd_tls_eecdh_grade = "auto";
184 # Disable weak ciphers as reported by https://ssl-tools.net
185 # https://serverfault.com/questions/744168/how-to-disable-rc4-on-postfix
186 smtpd_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ];
187 smtpd_tls_fingerprint_digest = "sha512";
188 # Log only a summary message on TLS handshake completion
189 smtpd_tls_loglevel = "1";
190 smtpd_tls_mandatory_ciphers = "high";
191 smtpd_tls_mandatory_protocols = [ "!SSLv2" "!SSLv3" ];
192 # Only allow TLSv*
193 smtpd_tls_protocols = [ "!SSLv2" "!SSLv3" ];
194 #smtpd_tls_received_header = false;
195 smtpd_tls_req_ccert = false;
196 # Postfix 2.3 and later
197 # encrypt
198 # Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
199 # encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
200 # SMTP server. Instead, this option should be used only on dedicated servers.
201 smtpd_tls_security_level = "may";
202 smtpd_tls_session_cache_database = "btree:$data_directory/smtpd_tls_session_cache";
203 #smtpd_tls_session_cache_timeout = "3600s";
204 #smtpd_tls_chain_files =
205
206 relayhost = [];
207 #relay_clientcerts = hash:/var/lib/postfix/conf/relay_clientcerts
208 # This is where to put backup MX domains
209 relay_domains = [];
210 relay_recipient_maps = [];
211
212 # Use a non blocking source of randomness
213 tls_random_source = "dev:/dev/urandom";
214 # Map each domain to a specific X.509 certificate
215 tls_server_sni_maps = "hash:/run/keys/postfix-sni";
216
217 # Only explicitely aliased accounts have a mail, not all the passwd
218 #local_recipient_maps = "$alias_maps";
219 # Note that the local transport rewrites the envelope recipient
220 # according to the alias_maps, and thus the aliasing is transparent
221 # to the nexthop (eg. dovecot)
222 local_transport = "local:$myhostname";
223 # No console bell on new mail
224 biff = false;
225 forward_path = [
226 /*
227 "$home/.forward''${recipient_delimiter}''${extension}"
228 */
229 "$home/.forward"
230 ];
231
232 # Filled by the postfix/*.nix
233 virtual_mailbox_domains = [];
234 # Completed by the postfix/*.nix
235 virtual_mailbox_maps = [
236 #"hash:/etc/postfix/virtual"
237 ];
238 #virtual_transport = "lmtp:unix:private/dovecot-lmtp";
239 /*
240 dovecot_destination_recipient_limit = "1";
241 virtual_transport = "dovecot";
242 */
243
244 # There is no fallback
245 fallback_transport = "";
246 };
247 transport = ''
248 sourcephile.wg local:losurdo
249 '';
250 virtualMapType = "hash";
251 masterConfig =
252 let
253 mkVal = value:
254 if lib.isList value
255 then lib.concatStringsSep "," value
256 else
257 if value == true then "yes"
258 else if value == false then "no"
259 else toString value;
260 mkKeyVal = opt: val: [ "-o" (opt + "=" + mkVal val) ];
261 mkArgs = args: lib.concatLists (lib.mapAttrsToList mkKeyVal args);
262 in {
263 pickup = {
264 args = mkArgs {
265 cleanup_service_name = "submissions-header-cleanup";
266 };
267 };
268 /*
269 # Implicit TLS on port 465
270 # https://tools.ietf.org/html/rfc8314#section-3.3
271 submissions = {
272 type = "inet";
273 private = false;
274 command = "smtpd";
275 args = mkArgs {
276 syslog_name = "postfix/submissions";
277 # Implicit TLS, not STARTTLS
278 smtpd_tls_wrappermode = true;
279 smtpd_tls_mandatory_protocols = [
280 "TLSv1.3"
281 # FIXME: to be removed when K-9 Mail will support TLSv1.3,
282 # K-9 Mail 5.600 does not.
283 "TLSv1.2"
284 ];
285 milter_macro_daemon_name = "ORIGINATING";
286 smtpd_helo_restrictions = [
287 "permit_sasl_authenticated"
288 ] ++ postfix.config.smtpd_helo_restrictions;
289 smtpd_relay_restrictions = [
290 # SASL authorizes to send to the world
291 "permit_sasl_authenticated"
292 "reject"
293 ];
294 smtpd_sasl_auth_enable = true;
295 smtpd_sasl_type = "dovecot";
296 smtpd_sasl_path = "private/auth";
297 smtpd_sasl_local_domain = "";
298 # Offer SASL authentication only after a TLS-encrypted session has been established
299 smtpd_tls_auth_only = true;
300 smtpd_sasl_tls_security_options = [ "noanonymous" ];
301 # Do not put SASL logins in mail headers
302 smtpd_sasl_authenticated_header = false;
303 # Who cares about (old) Outlook
304 broken_sasl_auth_clients = false;
305 smtpd_sender_restrictions = [
306 "reject_non_fqdn_sender"
307 # Check that the SASL user is using only its own
308 # mail addresses on the envelope, as indicated in smtpd_sender_login_maps
309 "reject_sender_login_mismatch"
310 "permit"
311 ];
312 # No X.509 certificates for users, for now
313 smtpd_tls_ask_ccert = false;
314 smtpd_tls_ccert_verifydepth = 0;
315 smtpd_tls_loglevel = 1;
316 smtpd_tls_req_ccert = false;
317 cleanup_service_name = "submissions-header-cleanup";
318 };
319 };
320 */
321 };
322 extraMasterConf = ''
323 '';
324 };
325 }
NixOS configurations for Sourcephile's infrastructure