servers/mermet/postfix.nix

   1 { pkgs, lib, config, ... }:
   2 let
   3   inherit (builtins) attrNames concatStringsSep readFile toPath;
   4   inherit (builtins.extraBuiltins) pass;
   5   inherit (lib) types;
   6   inherit (pkgs.lib) loadFile unlines unwords unlinesAttrs;
   7   inherit (config) networking users;
   8   inherit (config.services) postfix dovecot2 openldap;
   9 in
  10 {
  11 imports = [
  12   postfix/sourcephile.fr.nix
  13 ];
  14 config = {
  15 systemd.services.postfix.after = [
  16   "openldap.service"
  17 ];
  18 services.postfix = {
  19   enable = true;
  20   networksStyle = "host";
  21   hostname ="${networking.hostName}.${networking.domain}";
  22   domain = networking.domain;
  23   origin = "$myhostname";
  24   destination = [
  25     "localhost"
  26     "localhost.localdomain"
  27     "$myhostname"
  28   ];
  29   postmasterAlias = "root";
  30   rootAlias = "root@${networking.domain}";
  31   sslCert = loadFile (../../../sec/openssl + "/${networking.domain}/cert.self-signed.pem");
  32   sslKey = "/run/keys/${networking.domain}.key.pem";
  33   networks = [
  34     "127.0.0.0/8"
  35     "[::1]/128"
  36   ];
  37   # Parse the extension in email address, eg. contact+extension@
  38   recipientDelimiter = "+";
  39   config = {
  40     debug_peer_level = "4";
  41     debug_peer_list = [
  42       #"chomsky.autogeree.net"
  43       #"localhost"
  44     ];
  45
  46     #
  47     # Sending to the world
  48     #
  49     # Appending .domain is the MUA's job
  50     append_dot_mydomain = false;
  51     smtp_body_checks = "";
  52     #smtp_cname_overrides_servername = false;
  53     smtp_connect_timeout = "60s";
  54     #smtp_header_checks = "regexp:/var/lib/postfix/smtp_header_checks";
  55     smtp_mime_header_checks = "";
  56     smtp_nested_header_checks = "";
  57     smtp_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ];
  58     #smtp_tls_fingerprint_digest = "sha1";
  59     smtp_tls_loglevel = "1";
  60     #smtp_tls_note_starttls_offer = true;
  61     #smtp_tls_policy_maps = "hash:/var/lib/postfix/conf/tls_policy";
  62     # Only allow TLSv* protocols
  63     smtp_tls_protocols = [ "!SSLv2" "!SSLv3" ];
  64     #smtp_tls_scert_verifydepth = "5";
  65     #smtp_tls_secure_cert_match = [ "nexthop" "dot-nexthop" ];
  66     smtp_tls_security_level = "may";
  67     smtp_tls_session_cache_database = "btree:$data_directory/smtp_tls_session_cache";
  68     #smtp_tls_session_cache_timeout = "3600s";
  69     #smtp_tls_verify_cert_match = "hostname";
  70
  71     #
  72     # Receiving from the world
  73     #
  74     message_size_limit = "20480000";
  75     maximal_queue_lifetime = "5d";
  76     default_extra_recipient_limit = "5000";
  77     line_length_limit = "2048";
  78     duplicate_filter_limit = "5000";
  79     # Stops mail from poorly written software
  80     strict_rfc821_envelopes = true;
  81     mime_header_checks = [];
  82     milter_header_checks = [];
  83     nested_header_checks = [];
  84     body_checks = [];
  85     content_filter = "";
  86     permit_mx_backup_networks = [];
  87     propagate_unmatched_extensions = [ "canonical" "virtual" "alias" ];
  88     #masquerade_classes = [ "envelope_sender" "header_sender" "header_recipient" ];
  89     #masquerade_domains = "";
  90     #masquerade_exceptions = "root";
  91     queue_minfree = "0";
  92     # Stops some techniques used to harvest email addresses
  93     disable_vrfy_command = true;
  94     enable_long_queue_ids = false;
  95     # Useful to test restrictions
  96     smtpd_authorized_xclient_hosts = "127.0.0.1";
  97     smtpd_banner = "$myhostname ESMTP $mail_name (NixOS)";
  98     smtpd_client_connection_count_limit = "50";
  99     smtpd_client_connection_rate_limit = "0";
 100     smtpd_client_event_limit_exceptions = "$mynetworks";
 101     smtpd_client_message_rate_limit = "0";
 102     smtpd_client_new_tls_session_rate_limit = "0";
 103     smtpd_client_port_logging = false;
 104     smtpd_client_recipient_rate_limit = "0";
 105     # Ban 5 sec on error
 106     smtpd_error_sleep_time = "5";
 107     # Needed to enforce reject_unknown_helo_hostname
 108     smtpd_helo_required = true;
 109     smtpd_helo_restrictions = [
 110       "reject_invalid_helo_hostname"
 111       "reject_non_fqdn_helo_hostname"
 112       # Don't talk to mail systems that don't know their own hostname.
 113       "reject_unknown_helo_hostname"
 114       "permit"
 115     ];
 116     smtpd_client_restrictions = [
 117     ];
 118     # Set in postfix/*.nix and used in submissions/smptd
 119     # with reject_sender_login_mismatch
 120     smtpd_sender_login_maps = [];
 121     smtpd_sender_restrictions = [
 122       "reject_non_fqdn_sender"
 123       "permit"
 124     ];
 125     smtpd_reject_unlisted_recipient = true;
 126     # Check the RCPT TO, before smtpd_recipient_restrictions
 127     # Restrictions based on what is allowed or not,
 128     # these are applied before smtpd_recipient_restrictions
 129     smtpd_relay_restrictions = [
 130       "permit_mynetworks"
 131       # Check the recipient's address in virtual_mailbox_domains and virtual_mailbox_maps
 132       "permit_auth_destination"
 133       # The world is only authorized to use our relay for the above destinations.
 134       "reject"
 135     ];
 136     # Restrictions based on what is working or not
 137     smtpd_recipient_restrictions = [
 138       # Reject if the domain is not fully qualified
 139       "reject_non_fqdn_recipient"
 140       # Reject if the domain is not working, even before bothering to check the address
 141       "reject_unknown_recipient_domain"
 142       # Reject if the address is not working
 143       # WARNING: verify(8) has a cache, dumpable if verify(8) is stopped, with:
 144       # postmap -s btree:/var/lib/postfix/data/verify_cache
 145       "reject_unverified_recipient"
 146       "permit"
 147     ];
 148     # Trust the verify database
 149     unverified_recipient_reject_code = "550";
 150     smtpd_data_restrictions = [
 151       # Force the smtpd's client to wait OK before sending
 152       "reject_unauth_pipelining"
 153       "permit"
 154     ];
 155     smtpd_end_of_data_restrictions = [
 156       # Enforce mail volume quota via policy service callouts.
 157       #check_policy_service unix:private/policy
 158     ];
 159     #smtpd_milters = "";
 160     smtpd_peername_lookup = true;
 161     smtpd_recipient_limit = "5000";
 162     smtpd_recipient_overshoot_limit = "5000";
 163     #smtpd_restriction_classes = "";
 164     #smtpd_sasl_auth_enable = true;
 165     #smtpd_sasl_path = "private/auth";
 166     #smtpd_sasl_security_options = "noanonymous";
 167     #smtpd_sasl_type = "dovecot";
 168     smtpd_starttls_timeout = "300s";
 169     #smtpd_tls_always_issue_session_ids = true;
 170     #smtpd_tls_CApath = "/etc/postfix/x509/ca/";
 171     smtpd_tls_ask_ccert = false;
 172     #smtpd_tls_ccert_verifydepth = "5";
 173     smtpd_tls_ciphers = "high";
 174     smtpd_tls_eecdh_grade = "ultra";
 175     # Disable weak ciphers as reported by https://ssl-tools.net
 176     # https://serverfault.com/questions/744168/how-to-disable-rc4-on-postfix
 177     smtpd_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ];
 178     smtpd_tls_fingerprint_digest = "sha512";
 179     # Log only a summary message on TLS handshake completion
 180     smtpd_tls_loglevel = "1";
 181     smtpd_tls_mandatory_ciphers = "high";
 182     smtpd_tls_mandatory_protocols = [ "!SSLv2" "!SSLv3" ];
 183     # Only allow TLSv*
 184     smtpd_tls_protocols = [ "!SSLv2" "!SSLv3" ];
 185     #smtpd_tls_received_header = false;
 186     smtpd_tls_req_ccert = false;
 187     # Postfix 2.3 and later
 188     # encrypt
 189     #  Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
 190     #  encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
 191     #  SMTP server. Instead, this option should be used only on dedicated servers.
 192     smtpd_tls_security_level = "may";
 193     smtpd_tls_session_cache_database = "btree:$data_directory/smtpd_tls_session_cache";
 194     #smtpd_tls_session_cache_timeout = "3600s";
 195
 196     relayhost = [];
 197     #relay_clientcerts = hash:/var/lib/postfix/conf/relay_clientcerts
 198     # This is where to put backup MX domains
 199     relay_domains = [];
 200     relay_recipient_maps = [];
 201
 202     # postconf(5) discourages to change this
 203     #tls_high_cipherlist = "AES256-SHA";
 204     #tls_random_bytes = "32";
 205     # Must not be in a chroot
 206     #tls_random_exchange_name = "$data_directory/prng_exch";
 207     #tls_random_prng_update_period = "3600s";
 208     #tls_random_reseed_period = "3600s";
 209     # Use a non blocking source of randomness
 210     tls_random_source = "dev:/dev/urandom";
 211
 212     # Only explicitely aliased accounts have a mail, not all the passwd
 213     local_recipient_maps = "$alias_maps";
 214     # Note that the local transport rewrites the envelope recipient
 215     # according to the alias_maps, and thus the aliasing is transparent
 216     # to the nexthop (eg. dovecot)
 217     #local_transport = local:$myhostname
 218     # No console bell on new mail
 219     biff = false;
 220     forward_path = [
 221       /*
 222       "$home/.forward''${recipient_delimiter}''${extension}"
 223       "$home/.forward"
 224       */
 225     ];
 226
 227     # Filled by the postfix/*.nix
 228     virtual_mailbox_domains = [];
 229     # Completed by the postfix/*.nix
 230     virtual_mailbox_maps = [
 231       "hash:/etc/postfix/virtual"
 232     ];
 233     virtual_transport = "lmtp:unix:private/dovecot-lmtp";
 234
 235     # There is no fallback
 236     fallback_transport = "";
 237   };
 238   virtualMapType = "hash";
 239   masterConfig =
 240     let
 241       mkVal = value:
 242         if lib.isList value
 243         then concatStringsSep "," value
 244         else
 245           if value == true then "yes"
 246           else if value == false then "no"
 247           else toString value;
 248       mkKeyVal = opt: val: [ "-o" (opt + "=" + mkVal val) ];
 249       mkArgs = args: lib.concatLists (lib.mapAttrsToList mkKeyVal args);
 250     in {
 251     # Implicit TLS on port 465
 252     # https://tools.ietf.org/html/rfc8314#section-3.3
 253     submissions = {
 254       type = "inet";
 255       private = false;
 256       command = "smtpd";
 257       args = mkArgs {
 258         syslog_name = "postfix/submissions";
 259         # Implicit TLS, not STARTTLS
 260         smtpd_tls_wrappermode = true;
 261         smtpd_tls_mandatory_protocols = [
 262           "TLSv1.3"
 263           # K-9 Mail 5.600 still requires this..
 264           "TLSv1.2"
 265         ];
 266         milter_macro_daemon_name = "ORIGINATING";
 267         smtpd_relay_restrictions = [
 268           # SASL authorizes to send to the world
 269           "permit_sasl_authenticated"
 270           "reject"
 271         ];
 272         smtpd_sasl_auth_enable = true;
 273         smtpd_sasl_type = "dovecot";
 274         smtpd_sasl_path = "private/auth";
 275         smtpd_sasl_local_domain = "";
 276         # Offer SASL authentication only after a TLS-encrypted session has been established
 277         smtpd_tls_auth_only = true;
 278         smtpd_sasl_tls_security_options = [ "noanonymous" ];
 279         # Do not put SASL logins in mail headers
 280         smtpd_sasl_authenticated_header = false;
 281         # Who cares about (old) Outlook
 282         broken_sasl_auth_clients = false;
 283         smtpd_sender_restrictions = [
 284           "reject_non_fqdn_sender"
 285           # Check that the SASL user is using only its own
 286           # mail addresses on the envelope, as indicated in smtpd_sender_login_maps
 287           "reject_sender_login_mismatch"
 288           "permit"
 289         ];
 290         # No X.509 certificates for users, for now
 291         smtpd_tls_ask_ccert = false;
 292         smtpd_tls_ccert_verifydepth = 0;
 293         smtpd_tls_loglevel = 1;
 294         smtpd_tls_req_ccert = false;
 295         cleanup_service_name = "submissions-header-cleanup";
 296       };
 297     };
 298     submissions-header-cleanup = {
 299       type = "unix";
 300       private = false;
 301       maxproc = 0;
 302       command = "cleanup";
 303       args = mkArgs {
 304         header_checks = "pcre:" + pkgs.writeText "submission_header_cleanup_rules" ''
 305           # Removes sensitive headers from mails handed in via the submission or smtps port.
 306           # See https://thomas-leister.de/mailserver-debian-stretch/
 307           # Uses "pcre" style regex.
 308
 309           /^Received:/         IGNORE
 310           /^User-Agent:/       IGNORE
 311           /^X-Enigmail:/       IGNORE
 312           /^X-Mailer:/         IGNORE
 313           /^X-Originating-IP:/ IGNORE
 314         '';
 315       };
 316     };
 317   };
 318   extraMasterConf = ''
 319     #spfcheck    unix  -        n       n       -        0        spawn
 320     #  user=policyd-spf argv=/usr/sbin/postfix-policyd-spf-perl
 321     # -o smtpd_sender_restrictions=reject_sender_login_mismatch
 322     # -o smtpd_sender_login_maps=hash:/etc/postfix/vaccounts
 323     # -o cleanup_service_name=submissions-header-cleanup
 324     #spfcheck  unix  -       n       n       -       0       spawn
 325     #  user=policyd-spf argv=/usr/bin/postfix-policyd-spf-perl
 326     #uucp      unix  -       n       n       -       -       pipe
 327     #  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
 328     #smtp      inet  n       -       -       -       -       smtpd
 329     #  -o cleanup_service_name=pre-cleanup
 330     #  -o content_filter=amavis:[127.0.0.1]:10024
 331     #  -o smtpd_sender_restrictions=reject_unauth_pipelining,reject_non_fqdn_sender,permit
 332     #  -o receive_override_options=no_address_mappings
 333     #amavis    unix  -       -       n        -      2       lmtp
 334     #  -o lmtp_data_done_timeout=1200
 335     #  -o lmtp_send_xforward_command=yes
 336     #  -o lmtp_tls_note_starttls_offer=no
 337     #127.0.0.1:10025 inet n  -       n       -       -       smtpd
 338     #  -o content_filter=
 339     #  -o local_header_rewrite_clients=
 340     #  -o local_recipient_maps=
 341     #  -o mynetworks=127.0.0.0/8
 342     #  -o receive_override_options=no_header_body_checks,no_milters,no_unknown_recipient_checks
 343     #  -o relay_recipient_maps=
 344     #  -o smtpd_client_connection_count_limit=0
 345     #  -o smtpd_client_connection_rate_limit=0
 346     #  -o smtpd_client_restrictions=permit_mynetworks,reject
 347     #  -o smtpd_data_restrictions=reject_unauth_pipelining
 348     #  -o smtpd_delay_reject=no
 349     #  -o smtpd_end_of_data_restrictions=
 350     #  -o smtpd_error_sleep_time=0
 351     #  -o smtpd_hard_error_limit=1000
 352     #  -o smtpd_helo_restrictions=
 353     #  -o smtpd_milters=
 354     #  -o smtpd_recipient_restrictions=permit_mynetworks,reject
 355     #  -o smtpd_restriction_classes=
 356     #  -o smtpd_sender_restrictions=
 357     #  -o smtpd_soft_error_limit=1001
 358     #  -o strict_rfc821_envelopes=yes
 359     #submission inet n       -       -       -       -       smtpd
 360     #  -o cleanup_service_name=pre-cleanup
 361     #  -o content_filter=amavis:[127.0.0.1]:10024
 362     #  -o milter_macro_daemon_name=ORIGINATING
 363     #  -o receive_override_options=no_address_mappings
 364     #  -o smtpd_sender_restrictions=permit_tls_clientcerts,reject
 365     #  -o smtpd_tls_ask_ccert=yes
 366     #  -o smtpd_tls_auth_only=yes
 367     #  -o smtpd_tls_ccert_verifydepth=2
 368     #  -o smtpd_tls_loglevel=1
 369     #  -o smtpd_tls_req_ccert=yes
 370     #  -o smtpd_tls_security_level=encrypt
 371     #smtps     inet  n       -       -       -       -       smtpd
 372     #  -o milter_macro_daemon_name=ORIGINATING
 373     #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 374     #  -o smtpd_sasl_auth_enable=yes
 375     #  -o smtpd_tls_ask_ccert=yes
 376     #  -o smtpd_tls_auth_only=yes
 377     #  -o smtpd_tls_ccert_verifydepth=0
 378     #  -o smtpd_tls_loglevel=1
 379     #  -o smtpd_tls_req_ccert=no
 380     #  -o smtpd_tls_security_level=encrypt
 381     #  -o smtpd_tls_wrappermode=yes
 382     #pickup    fifo  n       -       -       60      1       pickup
 383     #  -o cleanup_service_name=pre-cleanup
 384     #  -o content_filter=amavis:[127.0.0.1]:10024
 385     #pre-cleanup unix n      -       -       -       0       cleanup
 386     #  -o virtual_alias_maps=
 387     #cleanup   unix  n       -       -       -       0       cleanup
 388     #  -o mime_header_checks=
 389     #  -o nested_header_checks=
 390     #  -o body_checks=
 391     #  -o header_checks=
 392     #-- SYMPA begin
 393     #sympa unix - n n - - pipe
 394     #  flags=R user=sympa argv=/usr/lib/sympa/bin/queue ''${recipient}
 395     #sympabounce unix - n n - - pipe
 396     #  flags=R user=sympa argv=/usr/lib/sympa/bin/bouncequeue ''${recipient}
 397     #-- SYMPA end
 398   '';
 399    #noclue    unix  -       n       n       -       -       pipe
 400    #  flags=q user=noclue argv=/usr/local/bin/noclue-delivery ${recipient} ${sender}
 401 };
 402 };
 403 }