]> Git — Sourcephile - sourcephile-nix.git/blob - servers/mermet/postfix.nix
dovecot: no longer use auth_bind=no
[sourcephile-nix.git] / servers / mermet / postfix.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (builtins) attrNames concatStringsSep readFile toPath;
4 inherit (builtins.extraBuiltins) pass;
5 inherit (lib) types;
6 inherit (pkgs.lib) loadFile unlines unwords unlinesAttrs;
7 inherit (config) networking users;
8 inherit (config.services) postfix dovecot2 openldap;
9 in
10 {
11 imports = [
12 postfix/sourcephile.fr.nix
13 ];
14 options = {
15 services.postfix.submissions.smtpd_sender_login_maps = lib.mkOption {
16 type = types.listOf types.str;
17 default = [];
18 };
19 };
20 config = {
21 systemd.services.postfix.after = [
22 "openldap.service"
23 ];
24 services.postfix = {
25 enable = true;
26 networksStyle = "host";
27 hostname = "localhost";
28 origin = "localhost";
29 domain = "localhost";
30 destination = [
31 postfix.hostname
32 "${postfix.hostname}.${postfix.domain}"
33 ];
34 sslCert = loadFile (../../../sec/openssl + "/${networking.domain}/cert.self-signed.pem");
35 sslKey = "/run/keys/${networking.domain}.key.pem";
36 networks = [
37 "127.0.0.0/8"
38 "[::1]/128"
39 ];
40 # Parse the extension in email address, eg. contact+extension@
41 recipientDelimiter = "+";
42 config = {
43 # Appending .domain is the MUA's job
44 append_dot_mydomain = false;
45 # No console bell on new mail
46 biff = false;
47 body_checks = "";
48 #content_filter = "amavisfeed:[127.0.0.1]:10024";
49 #debug_peer_level = 4;
50 #debug_peer_list = ".$myhostname";
51 default_extra_recipient_limit = "5000";
52 # Uncomment the next line to generate "delayed mail" warnings
53 #delay_warning_time = "4h";
54 # Stops some techniques used to harvest email addresses
55 disable_vrfy_command = true;
56 duplicate_filter_limit = "5000";
57 enable_long_queue_ids = false;
58 forward_path = [
59 ''$home/.forward''${recipient_delimiter}''${extension}''
60 "$home/.forward"
61 ];
62 #header_checks = "regexp:/var/lib/postfix/conf/header_checks";
63 #inet_interfaces = "all";
64 line_length_limit = "2048";
65
66 # Let $fallback_transport check existence of recipients
67 local_recipient_maps = "";
68 #mail_spool_directory = "/var/spool/mail";
69 #local_header_rewrite_clients = "";
70 #home_mailbox = "Maildir/";
71 #mailbox_command = ''
72 # ${pkgs.procmail}/bin/procmail -t -a "$SENDER" -a "$RECIPIENT" -a "$USER" -a "$EXTENSION" -a "$DOMAIN" -a "$ORIGINAL_RECIPIENT" "$HOME/.procmailrc"
73 #'';
74
75 masquerade_classes = [ "envelope_sender" "header_sender" "header_recipient" ];
76 masquerade_domains = "";
77 masquerade_exceptions = "root";
78 maximal_queue_lifetime = "5d";
79 message_size_limit = "20480000";
80 mailbox_size_limit = "204800000";
81 mime_header_checks = "";
82 milter_header_checks = "";
83 nested_header_checks = "";
84 #non_smtpd_milters = "";
85 parent_domain_matches_subdomains = [
86 #"debug_peer_list"
87 #"fast_flush_domains"
88 #"mynetworks"
89 #"permit_mx_backup_networks"
90 #"qmqpd_authorized_clients"
91 #"smtpd_access_maps"
92 ];
93 permit_mx_backup_networks = "";
94 #policy-spf_time_limit = "3600s";
95 propagate_unmatched_extensions = [ "canonical" "virtual" "alias" ];
96 queue_minfree = "0";
97 #receive_override_options = "no_address_mappings";
98 # no_unknown_recipient_checks
99 # Do not try to reject unknown recipients (SMTP server only).
100 # This is typically specified AFTER an external content filter.
101 # no_address_mappings
102 # Disable canonical address mapping, virtual alias map expansion,
103 # address masquerading, and automatic BCC (blind carbon-copy) recipients.
104 # This is typically specified BEFORE an external content filter (eg. amavis).
105 # no_header_body_checks
106 # Disable header/body_checks. This is typically specified AFTER
107 # an external content filter.
108 # no_milters
109 # Disable Milter (mail filter) applications.
110 # This is typically specified AFTER an external content filter.
111
112
113 smtp_body_checks = "";
114 #smtp_cname_overrides_servername = false;
115 smtp_connect_timeout = "60s";
116 #smtp_header_checks = "regexp:/var/lib/postfix/smtp_header_checks";
117 smtp_mime_header_checks = "";
118 smtp_nested_header_checks = "";
119 smtp_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ];
120 #smtp_tls_fingerprint_digest = "sha1";
121 smtp_tls_loglevel = "1";
122 #smtp_tls_note_starttls_offer = true;
123 #smtp_tls_policy_maps = "hash:/var/lib/postfix/conf/tls_policy";
124 # Only allow TLSv* protocols
125 smtp_tls_protocols = [ "!SSLv2" "!SSLv3" ];
126 smtp_tls_scert_verifydepth = "5";
127 #smtp_tls_secure_cert_match = [ "nexthop" "dot-nexthop" ];
128 smtp_tls_security_level = "may";
129 smtp_tls_session_cache_database = "btree:$data_directory/smtp_tls_session_cache";
130 #smtp_tls_session_cache_timeout = "3600s";
131 #smtp_tls_verify_cert_match = "hostname";
132
133
134 # Useful to test restrictions
135 smtpd_authorized_xclient_hosts = "127.0.0.1";
136 smtpd_banner = "${networking.hostName} ESMTP $mail_name (NixOS)";
137 smtpd_client_connection_count_limit = "50";
138 smtpd_client_connection_rate_limit = "0";
139 smtpd_client_event_limit_exceptions = "$mynetworks";
140 smtpd_client_message_rate_limit = "0";
141 smtpd_client_new_tls_session_rate_limit = "0";
142 smtpd_client_port_logging = false;
143 smtpd_client_recipient_rate_limit = "0";
144 ## Disable opportunistic encryption
145 #smtpd_discard_ehlo_keywords = "starttls";
146 # Ban 5 sec on error
147 smtpd_error_sleep_time = "5";
148 smtpd_helo_required = true;
149 smtpd_helo_restrictions = [
150 "reject_invalid_helo_hostname"
151 "reject_non_fqdn_helo_hostname"
152 # Don't talk to mail systems that don't know their own hostname.
153 "reject_unknown_helo_hostname"
154 "permit"
155 ];
156 smtpd_sender_restrictions = [
157 "reject_non_fqdn_sender"
158 "permit"
159 ];
160 smtpd_recipient_restrictions = [
161 "reject_non_fqdn_recipient"
162 "reject_unknown_recipient_domain"
163 "permit_mynetworks"
164 # $fallback_transport is responsible of checking the existence of the recipient
165 # WARNING: verify(8) has a cache, dumpable if verify(8) is stopped, with:
166 # postmap -s btree:/var/lib/postfix/data/verify_cache
167 "reject_unverified_recipient"
168 "permit_auth_destination"
169 "reject"
170 ];
171 smtpd_client_restrictions = [
172 "reject"
173 ];
174 smtpd_data_restrictions = [
175 # Force the smtpd's client to wait OK before sending
176 "reject_unauth_pipelining"
177 "permit"
178 ];
179 smtpd_end_of_data_restrictions = [
180 # Enforce mail volume quota via policy service callouts.
181 #check_policy_service unix:private/policy
182 ];
183 #smtpd_milters = "";
184 smtpd_peername_lookup = true;
185 smtpd_recipient_limit = "5000";
186 smtpd_recipient_overshoot_limit = "5000";
187 #smtpd_restriction_classes = "";
188 smtpd_sasl_authenticated_header = false;
189 broken_sasl_auth_clients = false;
190 #smtpd_sasl_auth_enable = true;
191 #smtpd_sasl_path = "private/auth";
192 #smtpd_sasl_security_options = "noanonymous";
193 #smtpd_sasl_type = "dovecot";
194 smtpd_starttls_timeout = "300s";
195 #smtpd_tls_always_issue_session_ids = true;
196 # No SASL AUTH without TLS
197 smtpd_tls_auth_only = true;
198 #smtpd_tls_CApath = "/etc/postfix/x509/ca/";
199 smtpd_tls_ask_ccert = false;
200 #smtpd_tls_ccert_verifydepth = "5";
201 smtpd_tls_ciphers = "high";
202 smtpd_tls_eecdh_grade = "ultra";
203 # Disable weak ciphers as reported by https://ssl-tools.net
204 # https://serverfault.com/questions/744168/how-to-disable-rc4-on-postfix
205 smtpd_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ];
206 smtpd_tls_fingerprint_digest = "sha512";
207 # Log only a summary message on TLS handshake completion
208 smtpd_tls_loglevel = "1";
209 smtpd_tls_mandatory_ciphers = "high";
210 smtpd_tls_mandatory_protocols = [ "!SSLv2" "!SSLv3" ];
211 # Only allow TLSv*
212 smtpd_tls_protocols = [ "!SSLv2" "!SSLv3" ];
213 #smtpd_tls_received_header = false;
214 smtpd_tls_req_ccert = false;
215 # Postfix 2.3 and later
216 # encrypt
217 # Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
218 # encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
219 # SMTP server. Instead, this option should be used only on dedicated servers.
220 smtpd_tls_security_level = "may";
221 smtpd_tls_session_cache_database = "btree:$data_directory/smtpd_tls_session_cache";
222 #smtpd_tls_session_cache_timeout = "3600s";
223
224
225 relayhost = "";
226 #relay_clientcerts = hash:/var/lib/postfix/conf/relay_clientcerts
227 # This is where to put backup MX domains
228 relay_domains = "$mydestination";
229 relay_recipient_maps = "";
230 smtpd_relay_restrictions = [
231 # Local clients may specify any destination domain.
232 "permit_mynetworks"
233 # Reject messages with recipients at domains that are not hosted locally
234 # or that we serve as a backup server for.
235 "reject_unauth_destination"
236 "reject"
237 ];
238
239
240 # Stops mail from poorly written software
241 strict_rfc821_envelopes = true;
242 #sympa_destination_recipient_limit = "1";
243 #sympabounce_destination_recipient_limit = "1";
244 # postconf(5) discourages to change this
245 #tls_high_cipherlist = "AES256-SHA";
246 #tls_random_bytes = "32";
247 # Must not be in a chroot
248 #tls_random_exchange_name = "$data_directory/prng_exch";
249 #tls_random_prng_update_period = "3600s";
250 #tls_random_reseed_period = "3600s";
251 # Use a non blocking source of randomness
252 tls_random_source = "dev:/dev/urandom";
253 # Do not specify virtual alias domain names in mydestination
254 # or relay_domains configuration parameters
255 #
256 # With a virtual alias domain, the Postfix SMTP server
257 # accepts mail for known-user@virtual-alias.domain, and
258 # rejects mail for unknown-user@virtual-alias.domain as
259 # undeliverable.
260 virtual_alias_domains = [];
261 virtual_transport = "lmtp:unix:private/dovecot-lmtp";
262 # Pass unexisting $mydestination recipients to dovecot
263 fallback_transport = "lmtp:unix:private/dovecot-lmtp";
264 # Rejects immediately what $fallback_transport rejects
265 unverified_recipient_reject_code = "550";
266 };
267 virtualMapType = "hash";
268 masterConfig =
269 let
270 mkVal = value:
271 if lib.isList value
272 then concatStringsSep "," value
273 else
274 if value == true then "yes"
275 else if value == false then "no"
276 else toString value;
277 mkKeyVal = opt: val: [ "-o" (opt + "=" + mkVal val) ];
278 mkArgs = args: lib.concatLists (lib.mapAttrsToList mkKeyVal args);
279 in {
280 # Implicit TLS on port 465
281 # https://tools.ietf.org/html/rfc8314#section-3.3
282 submissions = {
283 type = "inet";
284 private = false;
285 command = "smtpd";
286 args = mkArgs {
287 syslog_name = "postfix/submissions";
288 milter_macro_daemon_name = "ORIGINATING";
289 cleanup_service_name = "submissions-header-cleanup";
290 smtpd_client_restrictions = ["permit_sasl_authenticated" "reject"];
291 smtpd_relay_restrictions = [
292 "reject_non_fqdn_recipient"
293 "reject_unknown_recipient_domain"
294 "permit_sasl_authenticated"
295 "reject"
296 ];
297 smtpd_sasl_auth_enable = true;
298 smtpd_sasl_local_domain = "$myhostname";
299 smtpd_sasl_path = "private/auth";
300 smtpd_sasl_security_options = "noanonymous";
301 smtpd_sasl_type = "dovecot";
302 smtpd_sender_login_maps = postfix.submissions.smtpd_sender_login_maps;
303 smtpd_sender_restrictions = [
304 "reject_non_fqdn_sender"
305 "reject_sender_login_mismatch"
306 "permit_sasl_authenticated"
307 "reject"
308 ];
309 smtpd_tls_ask_ccert = false;
310 smtpd_tls_auth_only = true;
311 smtpd_tls_ccert_verifydepth = 0;
312 smtpd_tls_loglevel = 1;
313 smtpd_tls_req_ccert = false;
314 smtpd_tls_security_level = "encrypt";
315 smtpd_tls_wrappermode = true;
316 };
317 };
318 submissions-header-cleanup = {
319 type = "unix";
320 private = false;
321 maxproc = 0;
322 command = "cleanup";
323 args = mkArgs {
324 header_checks = "pcre:" + pkgs.writeText "submission_header_cleanup_rules" ''
325 # Removes sensitive headers from mails handed in via the submission or smtps port.
326 # See https://thomas-leister.de/mailserver-debian-stretch/
327 # Uses "pcre" style regex.
328
329 /^Received:/ IGNORE
330 /^User-Agent:/ IGNORE
331 /^X-Enigmail:/ IGNORE
332 /^X-Mailer:/ IGNORE
333 /^X-Originating-IP:/ IGNORE
334 '';
335 };
336 };
337 };
338 extraMasterConf = ''
339 #spfcheck unix - n n - 0 spawn
340 # user=policyd-spf argv=/usr/sbin/postfix-policyd-spf-perl
341 # -o smtpd_sender_restrictions=reject_sender_login_mismatch
342 # -o smtpd_sender_login_maps=hash:/etc/postfix/vaccounts
343 # -o cleanup_service_name=submissions-header-cleanup
344 #spfcheck unix - n n - 0 spawn
345 # user=policyd-spf argv=/usr/bin/postfix-policyd-spf-perl
346 #uucp unix - n n - - pipe
347 # flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
348 #smtp inet n - - - - smtpd
349 # -o cleanup_service_name=pre-cleanup
350 # -o content_filter=amavis:[127.0.0.1]:10024
351 # -o smtpd_sender_restrictions=reject_unauth_pipelining,reject_non_fqdn_sender,permit
352 # -o receive_override_options=no_address_mappings
353 #amavis unix - - n - 2 lmtp
354 # -o lmtp_data_done_timeout=1200
355 # -o lmtp_send_xforward_command=yes
356 # -o lmtp_tls_note_starttls_offer=no
357 #127.0.0.1:10025 inet n - n - - smtpd
358 # -o content_filter=
359 # -o local_header_rewrite_clients=
360 # -o local_recipient_maps=
361 # -o mynetworks=127.0.0.0/8
362 # -o receive_override_options=no_header_body_checks,no_milters,no_unknown_recipient_checks
363 # -o relay_recipient_maps=
364 # -o smtpd_client_connection_count_limit=0
365 # -o smtpd_client_connection_rate_limit=0
366 # -o smtpd_client_restrictions=permit_mynetworks,reject
367 # -o smtpd_data_restrictions=reject_unauth_pipelining
368 # -o smtpd_delay_reject=no
369 # -o smtpd_end_of_data_restrictions=
370 # -o smtpd_error_sleep_time=0
371 # -o smtpd_hard_error_limit=1000
372 # -o smtpd_helo_restrictions=
373 # -o smtpd_milters=
374 # -o smtpd_recipient_restrictions=permit_mynetworks,reject
375 # -o smtpd_restriction_classes=
376 # -o smtpd_sender_restrictions=
377 # -o smtpd_soft_error_limit=1001
378 # -o strict_rfc821_envelopes=yes
379 #submission inet n - - - - smtpd
380 # -o cleanup_service_name=pre-cleanup
381 # -o content_filter=amavis:[127.0.0.1]:10024
382 # -o milter_macro_daemon_name=ORIGINATING
383 # -o receive_override_options=no_address_mappings
384 # -o smtpd_sender_restrictions=permit_tls_clientcerts,reject
385 # -o smtpd_tls_ask_ccert=yes
386 # -o smtpd_tls_auth_only=yes
387 # -o smtpd_tls_ccert_verifydepth=2
388 # -o smtpd_tls_loglevel=1
389 # -o smtpd_tls_req_ccert=yes
390 # -o smtpd_tls_security_level=encrypt
391 #smtps inet n - - - - smtpd
392 # -o milter_macro_daemon_name=ORIGINATING
393 # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
394 # -o smtpd_sasl_auth_enable=yes
395 # -o smtpd_tls_ask_ccert=yes
396 # -o smtpd_tls_auth_only=yes
397 # -o smtpd_tls_ccert_verifydepth=0
398 # -o smtpd_tls_loglevel=1
399 # -o smtpd_tls_req_ccert=no
400 # -o smtpd_tls_security_level=encrypt
401 # -o smtpd_tls_wrappermode=yes
402 #pickup fifo n - - 60 1 pickup
403 # -o cleanup_service_name=pre-cleanup
404 # -o content_filter=amavis:[127.0.0.1]:10024
405 #pre-cleanup unix n - - - 0 cleanup
406 # -o virtual_alias_maps=
407 #cleanup unix n - - - 0 cleanup
408 # -o mime_header_checks=
409 # -o nested_header_checks=
410 # -o body_checks=
411 # -o header_checks=
412 #-- SYMPA begin
413 #sympa unix - n n - - pipe
414 # flags=R user=sympa argv=/usr/lib/sympa/bin/queue ''${recipient}
415 #sympabounce unix - n n - - pipe
416 # flags=R user=sympa argv=/usr/lib/sympa/bin/bouncequeue ''${recipient}
417 #-- SYMPA end
418 '';
419 #noclue unix - n n - - pipe
420 # flags=q user=noclue argv=/usr/local/bin/noclue-delivery ${recipient} ${sender}
421 };
422 };
423 }