nixos/modules/services/mail/postfix.nix

   1 { pkgs, lib, config, ... }:
   2 let
   3   inherit (lib) types;
   4   inherit (config.services) postfix;
   5 in
   6 {
   7   options = {
   8     services.postfix = {
   9       tls_server_sni_maps = lib.mkOption {
  10         type = types.attrsOf (types.listOf types.path);
  11         default = { };
  12         apply = m: pkgs.writeText "sni" (lib.concatStringsSep "\n" (lib.mapAttrsToList
  13           (domain: x509: ''
  14             ${domain} ${lib.concatStringsSep " " x509}
  15           '')
  16           m));
  17       };
  18     };
  19   };
  20   config = {
  21     systemd.services.postfix = {
  22       preStart = ''
  23         install -m 400 -o root -g root ${postfix.tls_server_sni_maps} /run/postfix/postfix-sni
  24         ${pkgs.postfix}/bin/postmap -F hash:/run/postfix/postfix-sni
  25       '';
  26       serviceConfig = {
  27         RuntimeDirectory = [ "postfix" ];
  28       };
  29     };
  30     services.postfix = {
  31       masterConfig = {
  32         submissions-header-cleanup = {
  33           type = "unix";
  34           private = false;
  35           maxproc = 0;
  36           command = "cleanup";
  37           args = [
  38             "-o"
  39             ("header_checks=pcre:" + pkgs.writeText "submission_header_cleanup_rules" ''
  40               # Removes sensitive headers from mails handed in via the submission or smtps port.
  41               # See https://thomas-leister.de/mailserver-debian-stretch/
  42               # Uses "pcre" style regex.
  43
  44               /^Received:/         IGNORE
  45               /^User-Agent:/       IGNORE
  46               /^X-Enigmail:/       IGNORE
  47               /^X-Mailer:/         IGNORE
  48               /^X-Originating-IP:/ IGNORE
  49             '')
  50           ];
  51         };
  52       };
  53     };
  54   };
  55 }