prosody: restarting is needed to reload TLS certificates
{ pkgs, lib, config, ... }:
# Postfix (MTA) configuration for the losurdo host.
#
# Both the sending side (smtp_*) and the receiving side (smtpd_*) use
# opportunistic TLS ("may").  Relaying is limited to mynetworks (loopback
# only) and to destinations this host is authoritative for.  Per-domain
# settings (virtual domains, sender login maps, submission service) are
# expected from the postfix/*.nix modules, which are currently commented
# out in `imports`.
let
  inherit (lib) types;
  inherit (config) networking users;
  inherit (config.services) postfix;
in
{
  imports = [
    #postfix/autogeree.net.nix
    #postfix/sourcephile.fr.nix
  ];
  # The ACME-managed key and certificate referenced by sslKey/sslCert below
  # are owned by the acme group, so the postfix user is added to it.  Note
  # that this makes the domain's private key readable by every member of
  # that group, not only by Postfix.
  users.groups.acme.members = [ postfix.user ];
  # Only the outbound rule is active: the postfix user may open TCP/25 to
  # the world.  The inbound 25/465 rules are commented out in the ruleset
  # string itself.  NOTE(review): inbound SMTP therefore has to be opened
  # elsewhere, or is deliberately closed — confirm which.
  networking.nftables.ruleset = ''
    #add rule inet filter net2fw tcp dport 25 counter accept comment "SMTP"
    #add rule inet filter net2fw tcp dport 465 counter accept comment "submissions"
    add rule inet filter fw2net meta skuid ${postfix.user} tcp dport 25 counter accept comment "SMTP"
  '';
  services.postfix = {
    enable = true;
    networksStyle = "host";
    hostname ="${networking.hostName}.${networking.domain}";
    domain = networking.domain;
    origin = "$myhostname";
    # Domains delivered locally (mydestination).
    destination = [
      "localhost"
      "localhost.localdomain"
      "$myhostname"
    ];
    postmasterAlias = "root";
    rootAlias = "root@${networking.domain}";
    # Issued by the ACME module; readable thanks to users.groups.acme above.
    sslKey = "/var/lib/acme/${networking.domain}/key.pem";
    sslCert = "/var/lib/acme/${networking.domain}/fullchain.pem";
    # mynetworks is loopback only, so permit_mynetworks (below) never
    # matches a remote client.
    networks = [
      "127.0.0.0/8"
      "[::1]/128"
    ];
    setSendmail = true;
    # Parse the extension in email address, eg. contact+extension@
    recipientDelimiter = "+";
    config = {
      # Verbose logging for the peers in debug_peer_list (none enabled).
      debug_peer_level = "4";
      debug_peer_list = [
        #"chomsky.autogeree.net"
        #"localhost"
        #"mail.sourcephile.fr"
      ];

      #
      # Sending to the world
      #
      # Appending .domain is the MUA's job
      append_dot_mydomain = false;
      smtp_body_checks = "";
      #smtp_cname_overrides_servername = false;
      smtp_connect_timeout = "60s";
      #smtp_header_checks = "regexp:/var/lib/postfix/smtp_header_checks";
      smtp_mime_header_checks = "";
      smtp_nested_header_checks = "";
      # Same exclusion list as smtpd_tls_exclude_ciphers below: no anonymous,
      # NULL or legacy ciphers, even for opportunistic sessions.
      smtp_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ];
      #smtp_tls_fingerprint_digest = "sha1";
      smtp_tls_loglevel = "1";
      #smtp_tls_note_starttls_offer = true;
      #smtp_tls_policy_maps = "hash:/var/lib/postfix/conf/tls_policy";
      # Only allow TLSv* protocols
      # NOTE(review): this still permits TLSv1.0 and TLSv1.1.  With
      # security level "may", excluding them makes such peers fall back to
      # cleartext rather than fail, so tighten only after checking the peers
      # this host actually talks to.
      smtp_tls_protocols = [ "!SSLv2" "!SSLv3" ];
      #smtp_tls_scert_verifydepth = "5";
      #smtp_tls_secure_cert_match = [ "nexthop" "dot-nexthop" ];
      # Opportunistic TLS: encrypt when the remote MX offers STARTTLS, no
      # certificate verification, cleartext otherwise.
      smtp_tls_security_level = "may";
      smtp_tls_session_cache_database = "btree:$data_directory/smtp_tls_session_cache";
      #smtp_tls_session_cache_timeout = "3600s";
      #smtp_tls_verify_cert_match = "hostname";

      #
      # Receiving from the world
      #
      message_size_limit = "20480000";
      maximal_queue_lifetime = "5d";
      default_extra_recipient_limit = "5000";
      line_length_limit = "2048";
      duplicate_filter_limit = "5000";
      # Stops mail from poorly written software
      strict_rfc821_envelopes = true;
      mime_header_checks = [];
      milter_header_checks = [];
      nested_header_checks = [];
      body_checks = [];
      content_filter = "";
      permit_mx_backup_networks = [];
      propagate_unmatched_extensions = [ "canonical" "virtual" "alias" ];
      #masquerade_classes = [ "envelope_sender" "header_sender" "header_recipient" ];
      #masquerade_domains = "";
      #masquerade_exceptions = "root";
      queue_minfree = "0";
      # Stops some techniques used to harvest email addresses
      disable_vrfy_command = true;
      enable_long_queue_ids = false;
      # Useful to test restrictions
      # XCLIENT lets an authorized client override the address/hostname the
      # restrictions see, so keep this to loopback: any local process can
      # already use it, and widening it to $mynetworks would not add anything.
      smtpd_authorized_xclient_hosts = "127.0.0.1";
      smtpd_banner = "$myhostname ESMTP $mail_name (NixOS)";
      smtpd_client_connection_count_limit = "50";
      # A value of "0" disables the corresponding per-client rate limit.
      smtpd_client_connection_rate_limit = "0";
      smtpd_client_event_limit_exceptions = "$mynetworks";
      smtpd_client_message_rate_limit = "0";
      smtpd_client_new_tls_session_rate_limit = "0";
      smtpd_client_port_logging = false;
      smtpd_client_recipient_rate_limit = "0";
      # Slow down (not ban) clients that keep making errors without
      # delivering mail: 5 seconds of delay per response.
      smtpd_error_sleep_time = "5";
      # Needed to enforce reject_unknown_helo_hostname
      smtpd_helo_required = true;
      smtpd_helo_restrictions = [
        "reject_invalid_helo_hostname"
        "reject_non_fqdn_helo_hostname"
        # Don't talk to mail systems that don't know their own hostname.
        # This relies on DNS lookups at SMTP time, so resolver trouble on
        # our side turns into temporary rejects of legitimate senders.
        "reject_unknown_helo_hostname"
        "permit"
      ];
      smtpd_client_restrictions = [
      ];
      # Set in postfix/*.nix and used in submissions/smtpd
      # with reject_sender_login_mismatch
      smtpd_sender_login_maps = [];
      smtpd_sender_restrictions = [
        "reject_non_fqdn_sender"
        "permit"
      ];
      smtpd_reject_unlisted_recipient = true;
      # Check the RCPT TO, before smtpd_recipient_restrictions
      # Restrictions based on what is allowed or not,
      # these are applied before smtpd_recipient_restrictions
      smtpd_relay_restrictions = [
        "permit_mynetworks"
        # Check the recipient's address in virtual_mailbox_domains and virtual_mailbox_maps
        "permit_auth_destination"
        # The world is only authorized to use our relay for the above destinations.
        # Together with the loopback-only mynetworks, this final "reject" is
        # what prevents an open relay; keep it last.
        "reject"
      ];
      # Restrictions based on what is working or not
      smtpd_recipient_restrictions = [
        # Reject if the domain is not fully qualified
        "reject_non_fqdn_recipient"
        # Reject if the domain is not working, even before bothering to check the address
        "reject_unknown_recipient_domain"
        # Reject if the address is not working
        # WARNING: this does not work if the recipient is greylisting.
        # WARNING: verify(8) has a cache, dumpable if verify(8) is stopped, with:
        # postmap -s btree:/var/lib/postfix/data/verify_cache
        #"reject_unverified_recipient"
        "permit"
      ];
      # Trust the verify database
      #unverified_recipient_reject_code = "550";
      smtpd_data_restrictions = [
        # Force the smtpd's client to wait OK before sending
        "reject_unauth_pipelining"
        "permit"
      ];
      smtpd_end_of_data_restrictions = [
        # Enforce mail volume quota via policy service callouts.
        #check_policy_service unix:private/policy
      ];
      #smtpd_milters = "";
      smtpd_peername_lookup = true;
      smtpd_recipient_limit = "5000";
      smtpd_recipient_overshoot_limit = "5000";
      #smtpd_restriction_classes = "";
      #smtpd_sasl_auth_enable = true;
      #smtpd_sasl_path = "private/auth";
      #smtpd_sasl_security_options = "noanonymous";
      #smtpd_sasl_type = "dovecot";
      smtpd_starttls_timeout = "300s";
      #smtpd_tls_always_issue_session_ids = true;
      #smtpd_tls_CApath = "/etc/postfix/x509/ca/";
      # No client certificates are requested (ask) or required (req) from
      # SMTP clients; see smtpd_tls_req_ccert below.
      smtpd_tls_ask_ccert = false;
      #smtpd_tls_ccert_verifydepth = "5";
      # NOTE(review): "high" also applies to opportunistic sessions, where a
      # peer that cannot negotiate a "high" cipher falls back to cleartext;
      # the Postfix documentation advises "medium" for the opportunistic
      # grade for that reason — confirm this trade-off is intended.
      smtpd_tls_ciphers = "high";
      smtpd_tls_eecdh_grade = "auto";
      # Disable weak ciphers as reported by https://ssl-tools.net
      # https://serverfault.com/questions/744168/how-to-disable-rc4-on-postfix
      smtpd_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ];
      # Digest used for certificate fingerprints in fingerprint-based policies.
      smtpd_tls_fingerprint_digest = "sha512";
      # Log only a summary message on TLS handshake completion
      smtpd_tls_loglevel = "1";
      smtpd_tls_mandatory_ciphers = "high";
      # NOTE(review): like smtp_tls_protocols above, both lists still accept
      # TLSv1.0 and TLSv1.1.
      smtpd_tls_mandatory_protocols = [ "!SSLv2" "!SSLv3" ];
      # Only allow TLSv*
      smtpd_tls_protocols = [ "!SSLv2" "!SSLv3" ];
      #smtpd_tls_received_header = false;
      smtpd_tls_req_ccert = false;
      # Postfix 2.3 and later
      # encrypt
      # Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
      # encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
      # SMTP server. Instead, this option should be used only on dedicated servers.
      # Hence "may" here: STARTTLS is offered on port 25 but not required.
      smtpd_tls_security_level = "may";
      smtpd_tls_session_cache_database = "btree:$data_directory/smtpd_tls_session_cache";
      #smtpd_tls_session_cache_timeout = "3600s";
      #smtpd_tls_chain_files =

      # No upstream relay: mail is delivered directly to the remote MX.
      relayhost = [];
      #relay_clientcerts = hash:/var/lib/postfix/conf/relay_clientcerts
      # This is where to put backup MX domains
      relay_domains = [];
      relay_recipient_maps = [];

      # Use a non blocking source of randomness
      tls_random_source = "dev:/dev/urandom";
      # Map each domain to a specific X.509 certificate
      # The SNI map carries key material.  NOTE(review): it is generated
      # outside this file — confirm /run/keys/postfix-sni is readable by the
      # postfix user only.
      tls_server_sni_maps = "hash:/run/keys/postfix-sni";

      # Only explicitly aliased accounts have a mail, not all the passwd
      #local_recipient_maps = "$alias_maps";
      # Note that the local transport rewrites the envelope recipient
      # according to the alias_maps, and thus the aliasing is transparent
      # to the nexthop (eg. dovecot)
      local_transport = "local:$myhostname";
      # No console bell on new mail
      biff = false;
      forward_path = [
        /*
        "$home/.forward''${recipient_delimiter}''${extension}"
        */
        "$home/.forward"
      ];

      # Filled by the postfix/*.nix
      virtual_mailbox_domains = [];
      # Completed by the postfix/*.nix
      virtual_mailbox_maps = [
        #"hash:/etc/postfix/virtual"
      ];
      #virtual_transport = "lmtp:unix:private/dovecot-lmtp";
      /*
      dovecot_destination_recipient_limit = "1";
      virtual_transport = "dovecot";
      */

      # There is no fallback
      fallback_transport = "";
    };
    # Static transport map: mail for sourcephile.wg is handed to the local
    # transport on this host.
    transport = ''
      sourcephile.wg local:losurdo
    '';
    virtualMapType = "hash";
    masterConfig =
      let
        # Render a Nix value as the right-hand side of a master.cf
        # "-o key=value" override: lists are comma-joined, booleans become
        # yes/no, anything else goes through toString.
        mkVal = value:
          if lib.isList value
          then lib.concatStringsSep "," value
          else
            if value == true then "yes"
            else if value == false then "no"
            else toString value;
        # One "-o opt=val" override, as a two-element argument list.
        mkKeyVal = opt: val: [ "-o" (opt + "=" + mkVal val) ];
        # Flatten an attrset of overrides into a service's args list.
        mkArgs = args: lib.concatLists (lib.mapAttrsToList mkKeyVal args);
      in {
        # Locally submitted (sendmail) mail goes through the
        # submissions-header-cleanup service.  NOTE(review): that service is
        # not defined in this file and the submissions block below is
        # commented out — confirm it still exists in master.cf, otherwise
        # pickup(8) cannot hand mail over.
        pickup = {
          args = mkArgs {
            cleanup_service_name = "submissions-header-cleanup";
          };
        };
        /*
        # Implicit TLS on port 465
        # https://tools.ietf.org/html/rfc8314#section-3.3
        submissions = {
          type = "inet";
          private = false;
          command = "smtpd";
          args = mkArgs {
            syslog_name = "postfix/submissions";
            # Implicit TLS, not STARTTLS
            smtpd_tls_wrappermode = true;
            smtpd_tls_mandatory_protocols = [
              "TLSv1.3"
              # FIXME: to be removed when K-9 Mail will support TLSv1.3,
              # K-9 Mail 5.600 does not.
              "TLSv1.2"
            ];
            milter_macro_daemon_name = "ORIGINATING";
            smtpd_helo_restrictions = [
              "permit_sasl_authenticated"
            ] ++ postfix.config.smtpd_helo_restrictions;
            smtpd_relay_restrictions = [
              # SASL authorizes to send to the world
              "permit_sasl_authenticated"
              "reject"
            ];
            smtpd_sasl_auth_enable = true;
            smtpd_sasl_type = "dovecot";
            smtpd_sasl_path = "private/auth";
            smtpd_sasl_local_domain = "";
            # Offer SASL authentication only after a TLS-encrypted session has been established
            smtpd_tls_auth_only = true;
            smtpd_sasl_tls_security_options = [ "noanonymous" ];
            # Do not put SASL logins in mail headers
            smtpd_sasl_authenticated_header = false;
            # Who cares about (old) Outlook
            broken_sasl_auth_clients = false;
            smtpd_sender_restrictions = [
              "reject_non_fqdn_sender"
              # Check that the SASL user is using only its own
              # mail addresses on the envelope, as indicated in smtpd_sender_login_maps
              "reject_sender_login_mismatch"
              "permit"
            ];
            # No X.509 certificates for users, for now
            smtpd_tls_ask_ccert = false;
            smtpd_tls_ccert_verifydepth = 0;
            smtpd_tls_loglevel = 1;
            smtpd_tls_req_ccert = false;
            cleanup_service_name = "submissions-header-cleanup";
          };
        };
        */
      };
    extraMasterConf = ''
    '';
  };
}