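# Postfix for this host.
# What this file sets up, as visible below:
#   - opportunistic (not mandatory) TLS in both directions (smtp/smtpd *_tls_security_level = "may");
#   - no inbound SMTP/submissions port is opened in nftables here (25 and 465 are commented out),
#     and the "submissions" master.cf service is commented out as well;
#   - relaying is limited to $mynetworks and to the destinations this host is authoritative for;
#   - the X.509 key/chain comes from ACME (settings.main.smtpd_tls_chain_files).
# Domain-specific parts (virtual domains/maps, sender login maps) are expected from the
# postfix/*.nix imports, which are currently commented out.
{ lib, config, ... }:
let
  inherit (config) networking;
  inherit (config.services) postfix;
  # Cipher families excluded on both the client (smtp_*) and the server (smtpd_*) side.
  # Shared so the two lists cannot silently drift apart.
  tlsExcludeCiphers = [
    "ADH"
    "MD5"
    "CAMELLIA"
    "SEED"
    "3DES"
    "DES"
    "RC4"
    "eNULL"
    "aNULL"
  ];
  # Only allow TLSv* protocols: SSLv2 and SSLv3 are forbidden.
  # NOTE(review): TLSv1.0 and TLSv1.1 remain accepted by this list. With an opportunistic
  # ("may") security level, forbidding them makes peers that only speak those fall back
  # to plaintext rather than fail, so this is deliberately left as-is — revisit if the
  # policy changes.
  tlsProtocols = [
    "!SSLv2"
    "!SSLv3"
  ];
in
{
  imports = [
    #postfix/autogeree.net.nix
    #postfix/sourcephile.fr.nix
  ];
  # Presumably so that postfix can read the ACME-managed key and chain referenced
  # by smtpd_tls_chain_files below — confirm against the acme module's file modes.
  users.groups.acme.members = [ postfix.user ];
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-net {
        #tcp dport 25 counter accept comment "postfix: SMTP"
        #tcp dport 465 counter accept comment "postfix: submissions"
      }
      chain output-net {
        # Only the postfix user may open outbound SMTP connections.
        skuid ${postfix.user} tcp dport smtp counter accept comment "postfix: SMTP"
      }
    }
  '';
  services.postfix = {
    enable = true;
    networksStyle = "host";
    hostname = "${networking.hostName}.${networking.domain}";
    domain = networking.domain;
    origin = "$myhostname";
    destination = [
      "localhost"
      "localhost.localdomain"
      "$myhostname"
    ];
    postmasterAlias = "root";
    rootAlias = "root@${networking.domain}";
    # $mynetworks: loopback only.
    networks = [
      "127.0.0.0/8"
      "[::1]/128"
    ];
    setSendmail = true;
    # Parse the extension in email address, eg. contact+extension@
    recipientDelimiter = "+";
    config = {
      # debug_peer_level only applies to peers matching debug_peer_list,
      # which is empty, so no verbose peer logging happens until a host is uncommented.
      debug_peer_level = "4";
      debug_peer_list = [
        #"chomsky.autogeree.net"
        #"localhost"
        #"mail.sourcephile.fr"
      ];

      #
      # Sending to the world
      #
      # Appending .domain is the MUA's job
      append_dot_mydomain = false;
      smtp_body_checks = "";
      #smtp_cname_overrides_servername = false;
      smtp_connect_timeout = "60s";
      #smtp_header_checks = "regexp:/var/lib/postfix/smtp_header_checks";
      smtp_mime_header_checks = "";
      smtp_nested_header_checks = "";
      smtp_tls_exclude_ciphers = tlsExcludeCiphers;
      #smtp_tls_fingerprint_digest = "sha1";
      smtp_tls_loglevel = "1";
      #smtp_tls_note_starttls_offer = true;
      #smtp_tls_policy_maps = "hash:/var/lib/postfix/conf/tls_policy";
      # Only allow TLSv* protocols
      smtp_tls_protocols = tlsProtocols;
      #smtp_tls_scert_verifydepth = "5";
      #smtp_tls_secure_cert_match = [ "nexthop" "dot-nexthop" ];
      # Opportunistic TLS when delivering: encrypt if the remote MX offers STARTTLS,
      # otherwise deliver in plaintext. At this level the remote certificate is not
      # verified; per-destination verification would go through the (commented out)
      # smtp_tls_policy_maps.
      smtp_tls_security_level = "may";
      smtp_tls_session_cache_database = "btree:$data_directory/smtp_tls_session_cache";
      #smtp_tls_session_cache_timeout = "3600s";
      #smtp_tls_verify_cert_match = "hostname";

      #
      # Receiving from the world
      #
      message_size_limit = 20480000;
      maximal_queue_lifetime = "5d";
      default_extra_recipient_limit = "5000";
      line_length_limit = "2048";
      duplicate_filter_limit = "5000";
      # Stops mail from poorly written software
      strict_rfc821_envelopes = true;
      mime_header_checks = [ ];
      milter_header_checks = [ ];
      nested_header_checks = [ ];
      body_checks = [ ];
      content_filter = "";
      permit_mx_backup_networks = [ ];
      propagate_unmatched_extensions = [
        "canonical"
        "virtual"
        "alias"
      ];
      #masquerade_classes = [ "envelope_sender" "header_sender" "header_recipient" ];
      #masquerade_domains = "";
      #masquerade_exceptions = "root";
      queue_minfree = "0";
      # Stops some techniques used to harvest email addresses
      disable_vrfy_command = true;
      enable_long_queue_ids = false;
      # Useful to test restrictions.
      # XCLIENT lets the listed hosts override client attributes (address, HELO name...)
      # used by the restrictions above, so keep this to loopback: any local process
      # can then impersonate a remote client towards smtpd, but nothing remote can.
      smtpd_authorized_xclient_hosts = "127.0.0.1";
      smtpd_banner = "$myhostname ESMTP $mail_name (NixOS)";
      smtpd_client_connection_count_limit = "50";
      # 0 = no limit for the per-client rate limits below;
      # $mynetworks is exempted from the event limits anyway.
      smtpd_client_connection_rate_limit = "0";
      smtpd_client_event_limit_exceptions = "$mynetworks";
      smtpd_client_message_rate_limit = "0";
      smtpd_client_new_tls_session_rate_limit = "0";
      smtpd_client_port_logging = false;
      smtpd_client_recipient_rate_limit = "0";
      # Ban 5 sec on error
      smtpd_error_sleep_time = "5";
      # Needed to enforce reject_unknown_helo_hostname
      smtpd_helo_required = true;
      smtpd_helo_restrictions = [
        "reject_invalid_helo_hostname"
        "reject_non_fqdn_helo_hostname"
        # Don't talk to mail systems that don't know their own hostname.
        "reject_unknown_helo_hostname"
        "permit"
      ];
      smtpd_client_restrictions = [
      ];
      # Set in postfix/*.nix and used in submissions/smtpd
      # with reject_sender_login_mismatch
      smtpd_sender_login_maps = [ ];
      smtpd_sender_restrictions = [
        "reject_non_fqdn_sender"
        "permit"
      ];
      smtpd_reject_unlisted_recipient = true;
      # Check the RCPT TO, before smtpd_recipient_restrictions
      # Restrictions based on what is allowed or not,
      # these are applied before smtpd_recipient_restrictions
      smtpd_relay_restrictions = [
        "permit_mynetworks"
        # Check the recipient's address in virtual_mailbox_domains and virtual_mailbox_maps
        "permit_auth_destination"
        # The world is only authorized to use our relay for the above destinations.
        "reject"
      ];
      # Restrictions based on what is working or not
      smtpd_recipient_restrictions = [
        # Reject if the domain is not fully qualified
        "reject_non_fqdn_recipient"
        # Reject if the domain is not working, even before bothering to check the address
        "reject_unknown_recipient_domain"
        # Reject if the address is not working
        # WARNING: this does not work if the recipient is greylisting.
        # WARNING: verify(8) has a cache, dumpable if verify(8) is stopped, with:
        # postmap -s btree:/var/lib/postfix/data/verify_cache
        #"reject_unverified_recipient"
        "permit"
      ];
      # Trust the verify database
      #unverified_recipient_reject_code = "550";
      smtpd_data_restrictions = [
        # Force the smtpd's client to wait OK before sending
        "reject_unauth_pipelining"
        "permit"
      ];
      smtpd_end_of_data_restrictions = [
        # Enforce mail volume quota via policy service callouts.
        #check_policy_service unix:private/policy
      ];
      #smtpd_milters = "";
      smtpd_peername_lookup = true;
      smtpd_recipient_limit = "5000";
      smtpd_recipient_overshoot_limit = "5000";
      #smtpd_restriction_classes = "";
      #smtpd_sasl_auth_enable = true;
      #smtpd_sasl_path = "private/auth";
      #smtpd_sasl_security_options = "noanonymous";
      #smtpd_sasl_type = "dovecot";
      smtpd_starttls_timeout = "300s";
      #smtpd_tls_always_issue_session_ids = true;
      #smtpd_tls_CApath = "/etc/postfix/x509/ca/";
      # No client certificates are requested nor required from peers.
      smtpd_tls_ask_ccert = false;
      #smtpd_tls_ccert_verifydepth = "5";
      smtpd_tls_ciphers = "high";
      smtpd_tls_eecdh_grade = "auto";
      # Disable weak ciphers as reported by https://ssl-tools.net
      # https://serverfault.com/questions/744168/how-to-disable-rc4-on-postfix
      smtpd_tls_exclude_ciphers = tlsExcludeCiphers;
      smtpd_tls_fingerprint_digest = "sha512";
      # Log only a summary message on TLS handshake completion
      smtpd_tls_loglevel = "1";
      smtpd_tls_mandatory_ciphers = "high";
      smtpd_tls_mandatory_protocols = tlsProtocols;
      # Only allow TLSv*
      smtpd_tls_protocols = tlsProtocols;
      #smtpd_tls_received_header = false;
      smtpd_tls_req_ccert = false;
      # Opportunistic STARTTLS ("may"): announce STARTTLS, but still accept plaintext.
      # The stricter "encrypt" level (mandatory TLS, Postfix 2.3 and later) MUST NOT be
      # applied to a publicly-referenced SMTP server according to RFC 2487; it is only
      # meant for dedicated servers, hence "may" here.
      smtpd_tls_security_level = "may";
      smtpd_tls_session_cache_database = "btree:$data_directory/smtpd_tls_session_cache";
      #smtpd_tls_session_cache_timeout = "3600s";
      # smtpd_tls_chain_files is set in settings.main below.

      relayhost = [ ];
      #relay_clientcerts = hash:/var/lib/postfix/conf/relay_clientcerts
      # This is where to put backup MX domains
      relay_domains = [ ];
      relay_recipient_maps = [ ];

      # Use a non blocking source of randomness
      tls_random_source = "dev:/dev/urandom";
      # Map each domain to a specific X.509 certificate
      tls_server_sni_maps = "hash:/run/postfix/postfix-sni";

      # Only explicitly aliased accounts have a mail, not all the passwd
      #local_recipient_maps = "$alias_maps";
      # Note that the local transport rewrites the envelope recipient
      # according to the alias_maps, and thus the aliasing is transparent
      # to the nexthop (eg. dovecot)
      local_transport = "local:$myhostname";
      # No console bell on new mail
      biff = false;
      forward_path = [
        # "$home/.forward''${recipient_delimiter}''${extension}"
        "$home/.forward"
      ];

      # Filled by the postfix/*.nix
      virtual_mailbox_domains = [ ];
      # Completed by the postfix/*.nix
      virtual_mailbox_maps = [
        #"hash:/etc/postfix/virtual"
      ];
      #virtual_transport = "lmtp:unix:private/dovecot-lmtp";
      /*
        dovecot_destination_recipient_limit = "1";
        virtual_transport = "dovecot";
      */

      # There is no fallback
      fallback_transport = "";
    };
    transport = ''
      sourcephile.wg local:losurdo
    '';
    virtualMapType = "hash";
    masterConfig =
      let
        # Render an option value the way a master.cf "-o" argument expects it:
        # lists become comma-separated, booleans become yes/no, anything else is stringified.
        mkVal =
          value:
          if lib.isList value then
            lib.concatStringsSep "," value
          else if value == true then
            "yes"
          else if value == false then
            "no"
          else
            toString value;
        # One "-o opt=value" override, as two argv elements.
        mkKeyVal = opt: val: [
          "-o"
          (opt + "=" + mkVal val)
        ];
        # Flatten an attrset of overrides into the args list of a master.cf service.
        mkArgs = args: lib.concatLists (lib.mapAttrsToList mkKeyVal args);
      in
      {
        pickup = {
          args = mkArgs {
            # NOTE(review): the "submissions-header-cleanup" service is not defined in this
            # file (the submissions block below is commented out). Unless one of the
            # postfix/*.nix imports defines it, pickup(8) cannot hand locally submitted
            # mail to cleanup and it will stay queued — confirm which file provides it.
            cleanup_service_name = "submissions-header-cleanup";
          };
        };
        /*
          # Implicit TLS on port 465
          # https://tools.ietf.org/html/rfc8314#section-3.3
          submissions = {
            type = "inet";
            private = false;
            command = "smtpd";
            args = mkArgs {
              syslog_name = "postfix/submissions";
              # Implicit TLS, not STARTTLS
              smtpd_tls_wrappermode = true;
              smtpd_tls_mandatory_protocols = [
                "TLSv1.3"
                # FIXME: to be removed when K-9 Mail will support TLSv1.3,
                # K-9 Mail 5.600 does not.
                "TLSv1.2"
              ];
              milter_macro_daemon_name = "ORIGINATING";
              smtpd_helo_restrictions = [
                "permit_sasl_authenticated"
              ] ++ postfix.config.smtpd_helo_restrictions;
              smtpd_relay_restrictions = [
                # SASL authorizes to send to the world
                "permit_sasl_authenticated"
                "reject"
              ];
              smtpd_sasl_auth_enable = true;
              smtpd_sasl_type = "dovecot";
              smtpd_sasl_path = "private/auth";
              smtpd_sasl_local_domain = "";
              # Offer SASL authentication only after a TLS-encrypted session has been established
              smtpd_tls_auth_only = true;
              smtpd_sasl_tls_security_options = [ "noanonymous" ];
              # Do not put SASL logins in mail headers
              smtpd_sasl_authenticated_header = false;
              # Who cares about (old) Outlook
              broken_sasl_auth_clients = false;
              smtpd_sender_restrictions = [
                "reject_non_fqdn_sender"
                # Check that the SASL user is using only its own
                # mail addresses on the envelope, as indicated in smtpd_sender_login_maps
                "reject_sender_login_mismatch"
                "permit"
              ];
              # No X.509 certificates for users, for now
              smtpd_tls_ask_ccert = false;
              smtpd_tls_ccert_verifydepth = 0;
              smtpd_tls_loglevel = 1;
              smtpd_tls_req_ccert = false;
              cleanup_service_name = "submissions-header-cleanup";
            };
          };
        */
      };
    extraMasterConf = "";
    settings = {
      main = {
        # Warning(maint/update):
        # storing a key and its associated certificate chain in separate files is not recommended,
        # because this is prone to race conditions during key rollover,
        # as there is no way to update multiple files atomically.
        smtpd_tls_chain_files = [
          "/var/lib/acme/${networking.domain}/key.pem"
          "/var/lib/acme/${networking.domain}/fullchain.pem"
        ];
      };
    };
  };
}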