hosts/mermet/postfix.nix

   1 { pkgs, lib, config, inputs, ... }:
   2 let
   3   inherit (builtins) attrNames readFile toPath;
   4   inherit (lib) types;
   5   inherit (config) networking users;
   6   inherit (config.services) postfix dovecot2 openldap;
   7 in
   8 {
   9 imports = [
  10   postfix/autogeree.net.nix
  11   postfix/sourcephile.fr.nix
  12 ];
  13 users.groups.acme.members = [ postfix.user ];
  14 networking.nftables.ruleset = ''
  15   table inet filter {
  16     chain input-net {
  17       tcp dport { smtp, submissions } counter accept comment "postfix: SMTP"
  18     }
  19     chain output-net {
  20       skuid ${postfix.user} tcp dport smtp counter accept comment "postfix: SMTP"
  21     }
  22   }
  23 '';
  24 services.postfix = {
  25   enable = true;
  26   networksStyle = "host";
  27   hostname ="${networking.hostName}.${networking.domain}";
  28   domain = networking.domain;
  29   origin = "$myhostname";
  30   destination = [
  31     "localhost"
  32     "localhost.localdomain"
  33     "$myhostname"
  34   ];
  35   postmasterAlias = "root";
  36   rootAlias = "root@${networking.domain}";
  37   sslKey = "/var/lib/acme/${networking.domain}/key.pem";
  38   sslCert = "/var/lib/acme/${networking.domain}/fullchain.pem";
  39   networks = [
  40     "127.0.0.0/8"
  41     "[::1]/128"
  42   ];
  43   setSendmail = true;
  44   # Parse the extension in email address, eg. contact+extension@
  45   recipientDelimiter = "+";
  46   mapFiles.sender_access = inputs.secrets + "/postfix/sender_access";
  47   #mapFiles.virtual_mailbox_maps = ;
  48   config = {
  49     debug_peer_level = "4";
  50     debug_peer_list = [
  51       #"chomsky.autogeree.net"
  52       #"localhost"
  53       #"mail.sourcephile.fr"
  54     ];
  55
  56     #
  57     # Sending to the world
  58     #
  59     # Appending .domain is the MUA's job
  60     append_dot_mydomain = false;
  61     smtp_body_checks = "";
  62     #smtp_cname_overrides_servername = false;
  63     smtp_connect_timeout = "60s";
  64     #smtp_header_checks = "regexp:/var/lib/postfix/smtp_header_checks";
  65     smtp_mime_header_checks = "";
  66     smtp_nested_header_checks = "";
  67     smtp_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ];
  68     #smtp_tls_fingerprint_digest = "sha1";
  69     smtp_tls_loglevel = "1";
  70     #smtp_tls_note_starttls_offer = true;
  71     #smtp_tls_policy_maps = "hash:/var/lib/postfix/conf/tls_policy";
  72     # Only allow TLSv* protocols
  73     smtp_tls_protocols = [ "!SSLv2" "!SSLv3" ];
  74     #smtp_tls_scert_verifydepth = "5";
  75     #smtp_tls_secure_cert_match = [ "nexthop" "dot-nexthop" ];
  76     smtp_tls_security_level = "may";
  77     smtp_tls_session_cache_database = "btree:$data_directory/smtp_tls_session_cache";
  78     #smtp_tls_session_cache_timeout = "3600s";
  79     #smtp_tls_verify_cert_match = "hostname";
  80
  81     #
  82     # Receiving from the world
  83     #
  84     message_size_limit = "20480000";
  85     maximal_queue_lifetime = "5d";
  86     default_extra_recipient_limit = "5000";
  87     line_length_limit = "2048";
  88     duplicate_filter_limit = "5000";
  89     # Stops mail from poorly written software
  90     strict_rfc821_envelopes = true;
  91     mime_header_checks = [];
  92     milter_header_checks = [];
  93     nested_header_checks = [];
  94     body_checks = [];
  95     content_filter = "";
  96     permit_mx_backup_networks = [];
  97     propagate_unmatched_extensions = [ "canonical" "virtual" "alias" ];
  98     #masquerade_classes = [ "envelope_sender" "header_sender" "header_recipient" ];
  99     #masquerade_domains = "";
 100     #masquerade_exceptions = "root";
 101     queue_minfree = "0";
 102     # Stops some techniques used to harvest email addresses
 103     disable_vrfy_command = true;
 104     enable_long_queue_ids = false;
 105     # Useful to test restrictions
 106     smtpd_authorized_xclient_hosts = "127.0.0.1";
 107     smtpd_banner = "$myhostname ESMTP $mail_name (NixOS)";
 108     smtpd_client_connection_count_limit = "50";
 109     smtpd_client_connection_rate_limit = "0";
 110     smtpd_client_event_limit_exceptions = "$mynetworks";
 111     smtpd_client_message_rate_limit = "0";
 112     smtpd_client_new_tls_session_rate_limit = "0";
 113     smtpd_client_port_logging = false;
 114     smtpd_client_recipient_rate_limit = "0";
 115     # Ban 5 sec on error
 116     smtpd_error_sleep_time = "5";
 117     # Needed to enforce reject_unknown_helo_hostname
 118     smtpd_helo_required = true;
 119     smtpd_helo_restrictions = [
 120       "reject_invalid_helo_hostname"
 121       "reject_non_fqdn_helo_hostname"
 122       # Don't talk to mail systems that don't know their own hostname.
 123       "reject_unknown_helo_hostname"
 124       "permit"
 125     ];
 126     smtpd_client_restrictions = [
 127     ];
 128     # Set in postfix/*.nix and used in submissions/smptd
 129     # with reject_sender_login_mismatch
 130     smtpd_sender_login_maps = [];
 131     smtpd_sender_restrictions = [
 132       "reject_non_fqdn_sender"
 133       "check_sender_access hash:/etc/postfix/sender_access"
 134       "permit"
 135     ];
 136     smtpd_reject_unlisted_recipient = true;
 137     # Check the RCPT TO, before smtpd_recipient_restrictions
 138     # Restrictions based on what is allowed or not,
 139     # these are applied before smtpd_recipient_restrictions
 140     smtpd_relay_restrictions = [
 141       "permit_mynetworks"
 142       # Check the recipient's address in virtual_mailbox_domains and virtual_mailbox_maps
 143       "permit_auth_destination"
 144       # The world is only authorized to use our relay for the above destinations.
 145       "reject"
 146     ];
 147     # Restrictions based on what is working or not
 148     smtpd_recipient_restrictions = [
 149       # Reject if the domain is not fully qualified
 150       "reject_non_fqdn_recipient"
 151       # Reject if the domain is not working, even before bothering to check the address
 152       "reject_unknown_recipient_domain"
 153       # Reject if the address is not working
 154       # WARNING: this does not work if the recipient is greylisting.
 155       # WARNING: verify(8) has a cache, dumpable if verify(8) is stopped, with:
 156       # postmap -s btree:/var/lib/postfix/data/verify_cache
 157       #"reject_unverified_recipient"
 158       "permit"
 159     ];
 160     # Trust the verify database
 161     #unverified_recipient_reject_code = "550";
 162     smtpd_data_restrictions = [
 163       # Force the smtpd's client to wait OK before sending
 164       "reject_unauth_pipelining"
 165       "permit"
 166     ];
 167     smtpd_end_of_data_restrictions = [
 168       # Enforce mail volume quota via policy service callouts.
 169       #check_policy_service unix:private/policy
 170     ];
 171     #smtpd_milters = "";
 172     smtpd_peername_lookup = true;
 173     smtpd_recipient_limit = "5000";
 174     smtpd_recipient_overshoot_limit = "5000";
 175     #smtpd_restriction_classes = "";
 176     #smtpd_sasl_auth_enable = true;
 177     #smtpd_sasl_path = "private/auth";
 178     #smtpd_sasl_security_options = "noanonymous";
 179     #smtpd_sasl_type = "dovecot";
 180     smtpd_starttls_timeout = "300s";
 181     #smtpd_tls_always_issue_session_ids = true;
 182     #smtpd_tls_CApath = "/etc/postfix/x509/ca/";
 183     smtpd_tls_ask_ccert = false;
 184     #smtpd_tls_ccert_verifydepth = "5";
 185     smtpd_tls_ciphers = "high";
 186     smtpd_tls_eecdh_grade = "auto";
 187     # Disable weak ciphers as reported by https://ssl-tools.net
 188     # https://serverfault.com/questions/744168/how-to-disable-rc4-on-postfix
 189     smtpd_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ];
 190     smtpd_tls_fingerprint_digest = "sha512";
 191     # Log only a summary message on TLS handshake completion
 192     smtpd_tls_loglevel = "1";
 193     smtpd_tls_mandatory_ciphers = "high";
 194     smtpd_tls_mandatory_protocols = [ "!SSLv2" "!SSLv3" ];
 195     # Only allow TLSv*
 196     smtpd_tls_protocols = [ "!SSLv2" "!SSLv3" ];
 197     #smtpd_tls_received_header = false;
 198     smtpd_tls_req_ccert = false;
 199     # Postfix 2.3 and later
 200     # encrypt
 201     #  Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
 202     #  encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
 203     #  SMTP server. Instead, this option should be used only on dedicated servers.
 204     smtpd_tls_security_level = "may";
 205     smtpd_tls_session_cache_database = "btree:$data_directory/smtpd_tls_session_cache";
 206     #smtpd_tls_session_cache_timeout = "3600s";
 207     #smtpd_tls_chain_files =
 208
 209     relayhost = [];
 210     #relay_clientcerts = hash:/var/lib/postfix/conf/relay_clientcerts
 211     # This is where to put backup MX domains
 212     relay_domains = [];
 213     relay_recipient_maps = [];
 214
 215     # Use a non blocking source of randomness
 216     tls_random_source = "dev:/dev/urandom";
 217     # Map each domain to a specific X.509 certificate
 218     tls_server_sni_maps = "hash:/run/keys/postfix-sni";
 219
 220     # Only explicitely aliased accounts have a mail, not all the passwd
 221     #local_recipient_maps = "$alias_maps";
 222     # Note that the local transport rewrites the envelope recipient
 223     # according to the alias_maps, and thus the aliasing is transparent
 224     # to the nexthop (eg. dovecot)
 225     #local_transport = local:$myhostname
 226     # No console bell on new mail
 227     biff = false;
 228     forward_path = [
 229       /*
 230       "$home/.forward''${recipient_delimiter}''${extension}"
 231       */
 232       "$home/.forward"
 233     ];
 234
 235     # Filled by the postfix/*.nix
 236     virtual_mailbox_domains = [];
 237     # Completed by the postfix/*.nix
 238     virtual_mailbox_maps = [
 239       # Is it necessary because it's already in virtual_alias_maps
 240       "hash:/etc/postfix/virtual"
 241     ];
 242     virtual_transport = "lmtp:unix:private/dovecot-lmtp";
 243     /*
 244     dovecot_destination_recipient_limit = "1";
 245     virtual_transport = "dovecot";
 246     */
 247
 248     # There is no fallback
 249     fallback_transport = "";
 250   };
 251   virtualMapType = "hash";
 252   masterConfig =
 253     let
 254       mkVal = value:
 255         if lib.isList value
 256         then lib.concatStringsSep "," value
 257         else
 258           if value == true then "yes"
 259           else if value == false then "no"
 260           else toString value;
 261       mkKeyVal = opt: val: [ "-o" (opt + "=" + mkVal val) ];
 262       mkArgs = args: lib.concatLists (lib.mapAttrsToList mkKeyVal args);
 263     in {
 264     pickup = {
 265       args = mkArgs {
 266         cleanup_service_name = "submissions-header-cleanup";
 267       };
 268     };
 269     # Implicit TLS on port 465
 270     # https://tools.ietf.org/html/rfc8314#section-3.3
 271     submissions = {
 272       type = "inet";
 273       private = false;
 274       command = "smtpd";
 275       args = mkArgs {
 276         syslog_name = "postfix/submissions";
 277         # Implicit TLS, not STARTTLS
 278         smtpd_tls_wrappermode = true;
 279         smtpd_tls_mandatory_protocols = [
 280           "TLSv1.3"
 281           # FIXME: to be removed when K-9 Mail will support TLSv1.3,
 282           # K-9 Mail 5.600 does not.
 283           "TLSv1.2"
 284         ];
 285         milter_macro_daemon_name = "ORIGINATING";
 286         smtpd_helo_restrictions = [
 287           "permit_sasl_authenticated"
 288         ] ++ postfix.config.smtpd_helo_restrictions;
 289         smtpd_relay_restrictions = [
 290           # SASL authorizes to send to the world
 291           "permit_sasl_authenticated"
 292           "reject"
 293         ];
 294         smtpd_sasl_auth_enable = true;
 295         smtpd_sasl_type = "dovecot";
 296         smtpd_sasl_path = "private/auth";
 297         smtpd_sasl_local_domain = "";
 298         # Offer SASL authentication only after a TLS-encrypted session has been established
 299         smtpd_tls_auth_only = true;
 300         smtpd_sasl_tls_security_options = [ "noanonymous" ];
 301         # Do not put SASL logins in mail headers
 302         smtpd_sasl_authenticated_header = false;
 303         # Who cares about (old) Outlook
 304         broken_sasl_auth_clients = false;
 305         smtpd_sender_restrictions = [
 306           "reject_non_fqdn_sender"
 307           # Check that the SASL user is using only its own
 308           # mail addresses on the envelope, as indicated in smtpd_sender_login_maps
 309           "reject_sender_login_mismatch"
 310           "permit"
 311         ];
 312         # No X.509 certificates for users, for now
 313         smtpd_tls_ask_ccert = false;
 314         smtpd_tls_ccert_verifydepth = 0;
 315         smtpd_tls_loglevel = 1;
 316         smtpd_tls_req_ccert = false;
 317         cleanup_service_name = "submissions-header-cleanup";
 318       };
 319     };
 320   };
 321   extraMasterConf = ''
 322     #spfcheck    unix  -        n       n       -        0        spawn
 323     #  user=policyd-spf argv=/usr/sbin/postfix-policyd-spf-perl
 324     # -o smtpd_sender_restrictions=reject_sender_login_mismatch
 325     # -o smtpd_sender_login_maps=hash:/etc/postfix/vaccounts
 326     # -o cleanup_service_name=submissions-header-cleanup
 327     #spfcheck  unix  -       n       n       -       0       spawn
 328     #  user=policyd-spf argv=/usr/bin/postfix-policyd-spf-perl
 329     #uucp      unix  -       n       n       -       -       pipe
 330     #  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
 331     #smtp      inet  n       -       -       -       -       smtpd
 332     #  -o cleanup_service_name=pre-cleanup
 333     #  -o content_filter=amavis:[127.0.0.1]:10024
 334     #  -o smtpd_sender_restrictions=reject_unauth_pipelining,reject_non_fqdn_sender,permit
 335     #  -o receive_override_options=no_address_mappings
 336     #amavis    unix  -       -       n        -      2       lmtp
 337     #  -o lmtp_data_done_timeout=1200
 338     #  -o lmtp_send_xforward_command=yes
 339     #  -o lmtp_tls_note_starttls_offer=no
 340     #127.0.0.1:10025 inet n  -       n       -       -       smtpd
 341     #  -o content_filter=
 342     #  -o local_header_rewrite_clients=
 343     #  -o local_recipient_maps=
 344     #  -o mynetworks=127.0.0.0/8
 345     #  -o receive_override_options=no_header_body_checks,no_milters,no_unknown_recipient_checks
 346     #  -o relay_recipient_maps=
 347     #  -o smtpd_client_connection_count_limit=0
 348     #  -o smtpd_client_connection_rate_limit=0
 349     #  -o smtpd_client_restrictions=permit_mynetworks,reject
 350     #  -o smtpd_data_restrictions=reject_unauth_pipelining
 351     #  -o smtpd_delay_reject=no
 352     #  -o smtpd_end_of_data_restrictions=
 353     #  -o smtpd_error_sleep_time=0
 354     #  -o smtpd_hard_error_limit=1000
 355     #  -o smtpd_helo_restrictions=
 356     #  -o smtpd_milters=
 357     #  -o smtpd_recipient_restrictions=permit_mynetworks,reject
 358     #  -o smtpd_restriction_classes=
 359     #  -o smtpd_sender_restrictions=
 360     #  -o smtpd_soft_error_limit=1001
 361     #  -o strict_rfc821_envelopes=yes
 362     #submission inet n       -       -       -       -       smtpd
 363     #  -o cleanup_service_name=pre-cleanup
 364     #  -o content_filter=amavis:[127.0.0.1]:10024
 365     #  -o milter_macro_daemon_name=ORIGINATING
 366     #  -o receive_override_options=no_address_mappings
 367     #  -o smtpd_sender_restrictions=permit_tls_clientcerts,reject
 368     #  -o smtpd_tls_ask_ccert=yes
 369     #  -o smtpd_tls_auth_only=yes
 370     #  -o smtpd_tls_ccert_verifydepth=2
 371     #  -o smtpd_tls_loglevel=1
 372     #  -o smtpd_tls_req_ccert=yes
 373     #  -o smtpd_tls_security_level=encrypt
 374     #smtps     inet  n       -       -       -       -       smtpd
 375     #  -o milter_macro_daemon_name=ORIGINATING
 376     #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 377     #  -o smtpd_sasl_auth_enable=yes
 378     #  -o smtpd_tls_ask_ccert=yes
 379     #  -o smtpd_tls_auth_only=yes
 380     #  -o smtpd_tls_ccert_verifydepth=0
 381     #  -o smtpd_tls_loglevel=1
 382     #  -o smtpd_tls_req_ccert=no
 383     #  -o smtpd_tls_security_level=encrypt
 384     #  -o smtpd_tls_wrappermode=yes
 385     #pickup    fifo  n       -       -       60      1       pickup
 386     #  -o cleanup_service_name=pre-cleanup
 387     #  -o content_filter=amavis:[127.0.0.1]:10024
 388     #pre-cleanup unix n      -       -       -       0       cleanup
 389     #  -o virtual_alias_maps=
 390     #cleanup   unix  n       -       -       -       0       cleanup
 391     #  -o mime_header_checks=
 392     #  -o nested_header_checks=
 393     #  -o body_checks=
 394     #  -o header_checks=
 395     #-- SYMPA begin
 396     #sympa unix - n n - - pipe
 397     #  flags=R user=sympa argv=/usr/lib/sympa/bin/queue ''${recipient}
 398     #sympabounce unix - n n - - pipe
 399     #  flags=R user=sympa argv=/usr/lib/sympa/bin/bouncequeue ''${recipient}
 400     #-- SYMPA end
 401   '';
 402    #noclue    unix  -       n       n       -       -       pipe
 403    #  flags=q user=noclue argv=/usr/local/bin/noclue-delivery ${recipient} ${sender}
 404 };
 405 }