]> Git — Sourcephile - sourcephile-nix.git/blob - servers/mermet/postfix.nix
sourcephile / git / sourcephile-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
postfix: fix mail submission check
[sourcephile-nix.git] / servers / mermet / postfix.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (builtins) attrNames concatStringsSep readFile toPath;
4 inherit (builtins.extraBuiltins) pass;
5 inherit (lib) types;
6 inherit (pkgs.lib) loadFile unlines unwords unlinesAttrs;
7 inherit (config) networking users;
8 inherit (config.services) postfix dovecot2 openldap;
9 in
10 {
11 imports = [
12 postfix/sourcephile.fr.nix
13 postfix/autogeree.net.nix
14 ];
15 options = {
16 services.postfix = {
17 tls_server_sni_maps = lib.mkOption {
18 type = types.attrsOf (types.listOf types.path);
19 default = {};
20 apply = m: pkgs.writeText "sni" (lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: x509: ''
21 ${domain} ${unwords x509}
22 '') m));
23 };
24 };
25 };
26 config = {
27 users.groups.acme.members = [ postfix.user ];
28 systemd.services.postfix = {
29 after = ["openldap.service"];
30 preStart = ''
31 install -m 400 -o root -g root ${postfix.tls_server_sni_maps} /run/keys/postfix-sni
32 ${pkgs.postfix}/bin/postmap -F hash:/run/keys/postfix-sni
33 '';
34 };
35 services.postfix = {
36 enable = true;
37 networksStyle = "host";
38 hostname ="${networking.hostName}.${networking.domain}";
39 domain = networking.domain;
40 origin = "$myhostname";
41 destination = [
42 "localhost"
43 "localhost.localdomain"
44 "$myhostname"
45 ];
46 postmasterAlias = "root";
47 rootAlias = "root@${networking.domain}";
48 sslCert = loadFile (../../../sec/openssl + "/${networking.domain}/cert.self-signed.pem");
49 sslKey = "/run/keys/${networking.domain}.key.pem";
50 networks = [
51 "127.0.0.0/8"
52 "[::1]/128"
53 ];
54 setSendmail = true;
55 # Parse the extension in email address, eg. contact+extension@
56 recipientDelimiter = "+";
57 config = {
58 debug_peer_level = "4";
59 debug_peer_list = [
60 #"chomsky.autogeree.net"
61 #"localhost"
62 #"mail.sourcephile.fr"
63 ];
64
65 #
66 # Sending to the world
67 #
68 # Appending .domain is the MUA's job
69 append_dot_mydomain = false;
70 smtp_body_checks = "";
71 #smtp_cname_overrides_servername = false;
72 smtp_connect_timeout = "60s";
73 #smtp_header_checks = "regexp:/var/lib/postfix/smtp_header_checks";
74 smtp_mime_header_checks = "";
75 smtp_nested_header_checks = "";
76 smtp_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ];
77 #smtp_tls_fingerprint_digest = "sha1";
78 smtp_tls_loglevel = "1";
79 #smtp_tls_note_starttls_offer = true;
80 #smtp_tls_policy_maps = "hash:/var/lib/postfix/conf/tls_policy";
81 # Only allow TLSv* protocols
82 smtp_tls_protocols = [ "!SSLv2" "!SSLv3" ];
83 #smtp_tls_scert_verifydepth = "5";
84 #smtp_tls_secure_cert_match = [ "nexthop" "dot-nexthop" ];
85 smtp_tls_security_level = "may";
86 smtp_tls_session_cache_database = "btree:$data_directory/smtp_tls_session_cache";
87 #smtp_tls_session_cache_timeout = "3600s";
88 #smtp_tls_verify_cert_match = "hostname";
89
90 #
91 # Receiving from the world
92 #
93 message_size_limit = "20480000";
94 maximal_queue_lifetime = "5d";
95 default_extra_recipient_limit = "5000";
96 line_length_limit = "2048";
97 duplicate_filter_limit = "5000";
98 # Stops mail from poorly written software
99 strict_rfc821_envelopes = true;
100 mime_header_checks = [];
101 milter_header_checks = [];
102 nested_header_checks = [];
103 body_checks = [];
104 content_filter = "";
105 permit_mx_backup_networks = [];
106 propagate_unmatched_extensions = [ "canonical" "virtual" "alias" ];
107 #masquerade_classes = [ "envelope_sender" "header_sender" "header_recipient" ];
108 #masquerade_domains = "";
109 #masquerade_exceptions = "root";
110 queue_minfree = "0";
111 # Stops some techniques used to harvest email addresses
112 disable_vrfy_command = true;
113 enable_long_queue_ids = false;
114 # Useful to test restrictions
115 smtpd_authorized_xclient_hosts = "127.0.0.1";
116 smtpd_banner = "$myhostname ESMTP $mail_name (NixOS)";
117 smtpd_client_connection_count_limit = "50";
118 smtpd_client_connection_rate_limit = "0";
119 smtpd_client_event_limit_exceptions = "$mynetworks";
120 smtpd_client_message_rate_limit = "0";
121 smtpd_client_new_tls_session_rate_limit = "0";
122 smtpd_client_port_logging = false;
123 smtpd_client_recipient_rate_limit = "0";
124 # Ban 5 sec on error
125 smtpd_error_sleep_time = "5";
126 # Needed to enforce reject_unknown_helo_hostname
127 smtpd_helo_required = true;
128 smtpd_helo_restrictions = [
129 "reject_invalid_helo_hostname"
130 "reject_non_fqdn_helo_hostname"
131 # Don't talk to mail systems that don't know their own hostname.
132 "reject_unknown_helo_hostname"
133 "permit"
134 ];
135 smtpd_client_restrictions = [
136 ];
137 # Set in postfix/*.nix and used in submissions/smptd
138 # with reject_sender_login_mismatch
139 smtpd_sender_login_maps = [];
140 smtpd_sender_restrictions = [
141 "reject_non_fqdn_sender"
142 "permit"
143 ];
144 smtpd_reject_unlisted_recipient = true;
145 # Check the RCPT TO, before smtpd_recipient_restrictions
146 # Restrictions based on what is allowed or not,
147 # these are applied before smtpd_recipient_restrictions
148 smtpd_relay_restrictions = [
149 "permit_mynetworks"
150 # Check the recipient's address in virtual_mailbox_domains and virtual_mailbox_maps
151 "permit_auth_destination"
152 # The world is only authorized to use our relay for the above destinations.
153 "reject"
154 ];
155 # Restrictions based on what is working or not
156 smtpd_recipient_restrictions = [
157 # Reject if the domain is not fully qualified
158 "reject_non_fqdn_recipient"
159 # Reject if the domain is not working, even before bothering to check the address
160 "reject_unknown_recipient_domain"
161 # Reject if the address is not working
162 # WARNING: verify(8) has a cache, dumpable if verify(8) is stopped, with:
163 # postmap -s btree:/var/lib/postfix/data/verify_cache
164 "reject_unverified_recipient"
165 "permit"
166 ];
167 # Trust the verify database
168 unverified_recipient_reject_code = "550";
169 smtpd_data_restrictions = [
170 # Force the smtpd's client to wait OK before sending
171 "reject_unauth_pipelining"
172 "permit"
173 ];
174 smtpd_end_of_data_restrictions = [
175 # Enforce mail volume quota via policy service callouts.
176 #check_policy_service unix:private/policy
177 ];
178 #smtpd_milters = "";
179 smtpd_peername_lookup = true;
180 smtpd_recipient_limit = "5000";
181 smtpd_recipient_overshoot_limit = "5000";
182 #smtpd_restriction_classes = "";
183 #smtpd_sasl_auth_enable = true;
184 #smtpd_sasl_path = "private/auth";
185 #smtpd_sasl_security_options = "noanonymous";
186 #smtpd_sasl_type = "dovecot";
187 smtpd_starttls_timeout = "300s";
188 #smtpd_tls_always_issue_session_ids = true;
189 #smtpd_tls_CApath = "/etc/postfix/x509/ca/";
190 smtpd_tls_ask_ccert = false;
191 #smtpd_tls_ccert_verifydepth = "5";
192 smtpd_tls_ciphers = "high";
193 smtpd_tls_eecdh_grade = "auto";
194 # Disable weak ciphers as reported by https://ssl-tools.net
195 # https://serverfault.com/questions/744168/how-to-disable-rc4-on-postfix
196 smtpd_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ];
197 smtpd_tls_fingerprint_digest = "sha512";
198 # Log only a summary message on TLS handshake completion
199 smtpd_tls_loglevel = "1";
200 smtpd_tls_mandatory_ciphers = "high";
201 smtpd_tls_mandatory_protocols = [ "!SSLv2" "!SSLv3" ];
202 # Only allow TLSv*
203 smtpd_tls_protocols = [ "!SSLv2" "!SSLv3" ];
204 #smtpd_tls_received_header = false;
205 smtpd_tls_req_ccert = false;
206 # Postfix 2.3 and later
207 # encrypt
208 # Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
209 # encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
210 # SMTP server. Instead, this option should be used only on dedicated servers.
211 smtpd_tls_security_level = "may";
212 smtpd_tls_session_cache_database = "btree:$data_directory/smtpd_tls_session_cache";
213 #smtpd_tls_session_cache_timeout = "3600s";
214 #smtpd_tls_chain_files =
215
216 relayhost = [];
217 #relay_clientcerts = hash:/var/lib/postfix/conf/relay_clientcerts
218 # This is where to put backup MX domains
219 relay_domains = [];
220 relay_recipient_maps = [];
221
222 # Use a non blocking source of randomness
223 tls_random_source = "dev:/dev/urandom";
224 # Map each domain to a specific X.509 certificate
225 tls_server_sni_maps = "hash:/run/keys/postfix-sni";
226
227 # Only explicitely aliased accounts have a mail, not all the passwd
228 local_recipient_maps = "$alias_maps";
229 # Note that the local transport rewrites the envelope recipient
230 # according to the alias_maps, and thus the aliasing is transparent
231 # to the nexthop (eg. dovecot)
232 #local_transport = local:$myhostname
233 # No console bell on new mail
234 biff = false;
235 forward_path = [
236 /*
237 "$home/.forward''${recipient_delimiter}''${extension}"
238 "$home/.forward"
239 */
240 ];
241
242 # Filled by the postfix/*.nix
243 virtual_mailbox_domains = [];
244 # Completed by the postfix/*.nix
245 virtual_mailbox_maps = [
246 "hash:/etc/postfix/virtual"
247 ];
248 virtual_transport = "lmtp:unix:private/dovecot-lmtp";
249 /*
250 dovecot_destination_recipient_limit = "1";
251 virtual_transport = "dovecot";
252 */
253
254 # There is no fallback
255 fallback_transport = "";
256 };
257 virtualMapType = "hash";
258 masterConfig =
259 let
260 mkVal = value:
261 if lib.isList value
262 then concatStringsSep "," value
263 else
264 if value == true then "yes"
265 else if value == false then "no"
266 else toString value;
267 mkKeyVal = opt: val: [ "-o" (opt + "=" + mkVal val) ];
268 mkArgs = args: lib.concatLists (lib.mapAttrsToList mkKeyVal args);
269 in {
270 pickup = {
271 args = mkArgs {
272 cleanup_service_name = "submissions-header-cleanup";
273 };
274 };
275 # Implicit TLS on port 465
276 # https://tools.ietf.org/html/rfc8314#section-3.3
277 submissions = {
278 type = "inet";
279 private = false;
280 command = "smtpd";
281 args = mkArgs {
282 syslog_name = "postfix/submissions";
283 # Implicit TLS, not STARTTLS
284 smtpd_tls_wrappermode = true;
285 smtpd_tls_mandatory_protocols = [
286 "TLSv1.3"
287 # K-9 Mail 5.600 still requires this..
288 "TLSv1.2"
289 ];
290 milter_macro_daemon_name = "ORIGINATING";
291 smtpd_helo_restrictions = [
292 "permit_sasl_authenticated"
293 ] ++ postfix.config.smtpd_helo_restrictions;
294 smtpd_relay_restrictions = [
295 # SASL authorizes to send to the world
296 "permit_sasl_authenticated"
297 "reject"
298 ];
299 smtpd_sasl_auth_enable = true;
300 smtpd_sasl_type = "dovecot";
301 smtpd_sasl_path = "private/auth";
302 smtpd_sasl_local_domain = "";
303 # Offer SASL authentication only after a TLS-encrypted session has been established
304 smtpd_tls_auth_only = true;
305 smtpd_sasl_tls_security_options = [ "noanonymous" ];
306 # Do not put SASL logins in mail headers
307 smtpd_sasl_authenticated_header = false;
308 # Who cares about (old) Outlook
309 broken_sasl_auth_clients = false;
310 smtpd_sender_restrictions = [
311 "reject_non_fqdn_sender"
312 # Check that the SASL user is using only its own
313 # mail addresses on the envelope, as indicated in smtpd_sender_login_maps
314 "reject_sender_login_mismatch"
315 "permit"
316 ];
317 # No X.509 certificates for users, for now
318 smtpd_tls_ask_ccert = false;
319 smtpd_tls_ccert_verifydepth = 0;
320 smtpd_tls_loglevel = 1;
321 smtpd_tls_req_ccert = false;
322 cleanup_service_name = "submissions-header-cleanup";
323 };
324 };
325 submissions-header-cleanup = {
326 type = "unix";
327 private = false;
328 maxproc = 0;
329 command = "cleanup";
330 args = mkArgs {
331 header_checks = "pcre:" + pkgs.writeText "submission_header_cleanup_rules" ''
332 # Removes sensitive headers from mails handed in via the submission or smtps port.
333 # See https://thomas-leister.de/mailserver-debian-stretch/
334 # Uses "pcre" style regex.
335
336 /^Received:/ IGNORE
337 /^User-Agent:/ IGNORE
338 /^X-Enigmail:/ IGNORE
339 /^X-Mailer:/ IGNORE
340 /^X-Originating-IP:/ IGNORE
341 '';
342 };
343 };
344 /*
345 dovecot = {
346 type = "unix";
347 privileged = true;
348 chroot = false;
349 command = "pipe";
350 args = let
351 # rspamd could be used as a milter, but then it cannot apply
352 # its checks "per user" (milter is not yet dispatched to
353 # users), so we wrap dovecot-lda inside rspamc per recipient
354 # here.
355 rspamc_dovecot = pkgs.writeScriptBin "rspamc_dovecot" ''
356 #!${pkgs.stdenv.shell}
357 sender="$1"
358 original_recipient="$2"
359 user="$3"
360 ${pkgs.coreutils}/bin/cat - | \
361 (${pkgs.rspamd}/bin/rspamc -h ${config.myServices.mail.rspamd.sockets.worker-controller} -c bayes -d "$user" --mime || true) | \
362 ${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f "$sender" -a "$original_recipient" -d "$user"
363 '';
364 in [
365 "flags=DRhu" "user=vhost:vhost"
366 "argv=${rspamc_dovecot}/bin/rspamc_dovecot \${sender} \${original_recipient} \${user}@\${nexthop}"
367 ];
368 };
369 */
370 };
371 extraMasterConf = ''
372 #spfcheck unix - n n - 0 spawn
373 # user=policyd-spf argv=/usr/sbin/postfix-policyd-spf-perl
374 # -o smtpd_sender_restrictions=reject_sender_login_mismatch
375 # -o smtpd_sender_login_maps=hash:/etc/postfix/vaccounts
376 # -o cleanup_service_name=submissions-header-cleanup
377 #spfcheck unix - n n - 0 spawn
378 # user=policyd-spf argv=/usr/bin/postfix-policyd-spf-perl
379 #uucp unix - n n - - pipe
380 # flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
381 #smtp inet n - - - - smtpd
382 # -o cleanup_service_name=pre-cleanup
383 # -o content_filter=amavis:[127.0.0.1]:10024
384 # -o smtpd_sender_restrictions=reject_unauth_pipelining,reject_non_fqdn_sender,permit
385 # -o receive_override_options=no_address_mappings
386 #amavis unix - - n - 2 lmtp
387 # -o lmtp_data_done_timeout=1200
388 # -o lmtp_send_xforward_command=yes
389 # -o lmtp_tls_note_starttls_offer=no
390 #127.0.0.1:10025 inet n - n - - smtpd
391 # -o content_filter=
392 # -o local_header_rewrite_clients=
393 # -o local_recipient_maps=
394 # -o mynetworks=127.0.0.0/8
395 # -o receive_override_options=no_header_body_checks,no_milters,no_unknown_recipient_checks
396 # -o relay_recipient_maps=
397 # -o smtpd_client_connection_count_limit=0
398 # -o smtpd_client_connection_rate_limit=0
399 # -o smtpd_client_restrictions=permit_mynetworks,reject
400 # -o smtpd_data_restrictions=reject_unauth_pipelining
401 # -o smtpd_delay_reject=no
402 # -o smtpd_end_of_data_restrictions=
403 # -o smtpd_error_sleep_time=0
404 # -o smtpd_hard_error_limit=1000
405 # -o smtpd_helo_restrictions=
406 # -o smtpd_milters=
407 # -o smtpd_recipient_restrictions=permit_mynetworks,reject
408 # -o smtpd_restriction_classes=
409 # -o smtpd_sender_restrictions=
410 # -o smtpd_soft_error_limit=1001
411 # -o strict_rfc821_envelopes=yes
412 #submission inet n - - - - smtpd
413 # -o cleanup_service_name=pre-cleanup
414 # -o content_filter=amavis:[127.0.0.1]:10024
415 # -o milter_macro_daemon_name=ORIGINATING
416 # -o receive_override_options=no_address_mappings
417 # -o smtpd_sender_restrictions=permit_tls_clientcerts,reject
418 # -o smtpd_tls_ask_ccert=yes
419 # -o smtpd_tls_auth_only=yes
420 # -o smtpd_tls_ccert_verifydepth=2
421 # -o smtpd_tls_loglevel=1
422 # -o smtpd_tls_req_ccert=yes
423 # -o smtpd_tls_security_level=encrypt
424 #smtps inet n - - - - smtpd
425 # -o milter_macro_daemon_name=ORIGINATING
426 # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
427 # -o smtpd_sasl_auth_enable=yes
428 # -o smtpd_tls_ask_ccert=yes
429 # -o smtpd_tls_auth_only=yes
430 # -o smtpd_tls_ccert_verifydepth=0
431 # -o smtpd_tls_loglevel=1
432 # -o smtpd_tls_req_ccert=no
433 # -o smtpd_tls_security_level=encrypt
434 # -o smtpd_tls_wrappermode=yes
435 #pickup fifo n - - 60 1 pickup
436 # -o cleanup_service_name=pre-cleanup
437 # -o content_filter=amavis:[127.0.0.1]:10024
438 #pre-cleanup unix n - - - 0 cleanup
439 # -o virtual_alias_maps=
440 #cleanup unix n - - - 0 cleanup
441 # -o mime_header_checks=
442 # -o nested_header_checks=
443 # -o body_checks=
444 # -o header_checks=
445 #-- SYMPA begin
446 #sympa unix - n n - - pipe
447 # flags=R user=sympa argv=/usr/lib/sympa/bin/queue ''${recipient}
448 #sympabounce unix - n n - - pipe
449 # flags=R user=sympa argv=/usr/lib/sympa/bin/bouncequeue ''${recipient}
450 #-- SYMPA end
451 '';
452 #noclue unix - n n - - pipe
453 # flags=q user=noclue argv=/usr/local/bin/noclue-delivery ${recipient} ${sender}
454 };
455 };
456 }
NixOS configurations for Sourcephile's infrastructure