3 inherit (config) networking users;
4 inherit (config.services) postfix;
8 postfix/autogeree.net.nix
9 postfix/sourcephile.fr.nix
11 users.groups.acme.members = [ postfix.user ];
12 networking.nftables.ruleset = ''
15 tcp dport { smtp, submissions } counter accept comment "postfix: SMTP"
18 skuid ${postfix.user} tcp dport smtp counter accept comment "postfix: SMTP"
24 networksStyle = "host";
25 hostname = "${networking.hostName}.${networking.domain}";
26 domain = networking.domain;
27 origin = "$myhostname";
30 "localhost.localdomain"
33 postmasterAlias = "root";
34 rootAlias = "root@${networking.domain}";
35 sslKey = "/var/lib/acme/${networking.domain}/key.pem";
36 sslCert = "/var/lib/acme/${networking.domain}/fullchain.pem";
42 # Parse the extension in email address, eg. contact+extension@
43 recipientDelimiter = "+";
44 #mapFiles.sender_access = postfix/sender_access.clear;
45 #mapFiles.virtual_mailbox_maps = ;
47 debug_peer_level = "4";
49 #"chomsky.autogeree.net"
51 #"mail.sourcephile.fr"
55 # Sending to the world
57 # Appending .domain is the MUA's job
58 append_dot_mydomain = false;
59 smtp_body_checks = "";
60 #smtp_cname_overrides_servername = false;
61 smtp_connect_timeout = "60s";
62 #smtp_header_checks = "regexp:/var/lib/postfix/smtp_header_checks";
63 smtp_mime_header_checks = "";
64 smtp_nested_header_checks = "";
65 smtp_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ];
66 #smtp_tls_fingerprint_digest = "sha1";
67 smtp_tls_loglevel = "1";
68 #smtp_tls_note_starttls_offer = true;
69 #smtp_tls_policy_maps = "hash:/var/lib/postfix/conf/tls_policy";
70 # Only allow TLSv* protocols
71 smtp_tls_protocols = [ "!SSLv2" "!SSLv3" ];
72 #smtp_tls_scert_verifydepth = "5";
73 #smtp_tls_secure_cert_match = [ "nexthop" "dot-nexthop" ];
74 smtp_tls_security_level = "may";
75 smtp_tls_session_cache_database = "btree:$data_directory/smtp_tls_session_cache";
76 #smtp_tls_session_cache_timeout = "3600s";
77 #smtp_tls_verify_cert_match = "hostname";
80 # Receiving from the world
82 message_size_limit = "20480000";
83 maximal_queue_lifetime = "5d";
84 default_extra_recipient_limit = "5000";
85 line_length_limit = "2048";
86 duplicate_filter_limit = "5000";
87 # Stops mail from poorly written software
88 strict_rfc821_envelopes = true;
89 mime_header_checks = [ ];
90 milter_header_checks = [ ];
91 nested_header_checks = [ ];
94 permit_mx_backup_networks = [ ];
95 propagate_unmatched_extensions = [ "canonical" "virtual" "alias" ];
96 #masquerade_classes = [ "envelope_sender" "header_sender" "header_recipient" ];
97 #masquerade_domains = "";
98 #masquerade_exceptions = "root";
100 # Stops some techniques used to harvest email addresses
101 disable_vrfy_command = true;
102 enable_long_queue_ids = false;
103 # Useful to test restrictions
104 smtpd_authorized_xclient_hosts = "127.0.0.1";
105 smtpd_banner = "$myhostname ESMTP $mail_name (NixOS)";
106 smtpd_client_connection_count_limit = "50";
107 smtpd_client_connection_rate_limit = "0";
108 smtpd_client_event_limit_exceptions = "$mynetworks";
109 smtpd_client_message_rate_limit = "0";
110 smtpd_client_new_tls_session_rate_limit = "0";
111 smtpd_client_port_logging = false;
112 smtpd_client_recipient_rate_limit = "0";
114 smtpd_error_sleep_time = "5";
115 # Needed to enforce reject_unknown_helo_hostname
116 smtpd_helo_required = true;
117 smtpd_helo_restrictions = [
118 "reject_invalid_helo_hostname"
119 "reject_non_fqdn_helo_hostname"
120 # Don't talk to mail systems that don't know their own hostname.
121 "reject_unknown_helo_hostname"
124 smtpd_client_restrictions = [
126 # Set in postfix/*.nix and used in submissions/smptd
127 # with reject_sender_login_mismatch
128 smtpd_sender_login_maps = [ ];
129 smtpd_sender_restrictions = [
130 "reject_non_fqdn_sender"
131 "check_sender_access hash:/etc/postfix/sender_access"
134 smtpd_reject_unlisted_recipient = true;
135 # Check the RCPT TO, before smtpd_recipient_restrictions
136 # Restrictions based on what is allowed or not,
137 # these are applied before smtpd_recipient_restrictions
138 smtpd_relay_restrictions = [
140 # Check the recipient's address in virtual_mailbox_domains and virtual_mailbox_maps
141 "permit_auth_destination"
142 # The world is only authorized to use our relay for the above destinations.
145 # Restrictions based on what is working or not
146 smtpd_recipient_restrictions = [
147 # Reject if the domain is not fully qualified
148 "reject_non_fqdn_recipient"
149 # Reject if the domain is not working, even before bothering to check the address
150 "reject_unknown_recipient_domain"
151 # Reject if the address is not working
152 # WARNING: this does not work if the recipient is greylisting.
153 # WARNING: verify(8) has a cache, dumpable if verify(8) is stopped, with:
154 # postmap -s btree:/var/lib/postfix/data/verify_cache
155 #"reject_unverified_recipient"
158 # Trust the verify database
159 #unverified_recipient_reject_code = "550";
160 smtpd_data_restrictions = [
161 # Force the smtpd's client to wait OK before sending
162 "reject_unauth_pipelining"
165 smtpd_end_of_data_restrictions = [
166 # Enforce mail volume quota via policy service callouts.
167 #check_policy_service unix:private/policy
170 smtpd_peername_lookup = true;
171 smtpd_recipient_limit = "5000";
172 smtpd_recipient_overshoot_limit = "5000";
173 #smtpd_restriction_classes = "";
174 #smtpd_sasl_auth_enable = true;
175 #smtpd_sasl_path = "private/auth";
176 #smtpd_sasl_security_options = "noanonymous";
177 #smtpd_sasl_type = "dovecot";
178 smtpd_starttls_timeout = "300s";
179 #smtpd_tls_always_issue_session_ids = true;
180 #smtpd_tls_CApath = "/etc/postfix/x509/ca/";
181 smtpd_tls_ask_ccert = false;
182 #smtpd_tls_ccert_verifydepth = "5";
183 smtpd_tls_ciphers = "high";
184 smtpd_tls_eecdh_grade = "auto";
185 # Disable weak ciphers as reported by https://ssl-tools.net
186 # https://serverfault.com/questions/744168/how-to-disable-rc4-on-postfix
187 smtpd_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ];
188 smtpd_tls_fingerprint_digest = "sha512";
189 # Log only a summary message on TLS handshake completion
190 smtpd_tls_loglevel = "1";
191 smtpd_tls_mandatory_ciphers = "high";
192 smtpd_tls_mandatory_protocols = [ "!SSLv2" "!SSLv3" ];
194 smtpd_tls_protocols = [ "!SSLv2" "!SSLv3" ];
195 #smtpd_tls_received_header = false;
196 smtpd_tls_req_ccert = false;
197 # Postfix 2.3 and later
199 # Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
200 # encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
201 # SMTP server. Instead, this option should be used only on dedicated servers.
202 smtpd_tls_security_level = "may";
203 smtpd_tls_session_cache_database = "btree:$data_directory/smtpd_tls_session_cache";
204 #smtpd_tls_session_cache_timeout = "3600s";
205 #smtpd_tls_chain_files =
208 #relay_clientcerts = hash:/var/lib/postfix/conf/relay_clientcerts
209 # This is where to put backup MX domains
211 relay_recipient_maps = [ ];
213 # Use a non blocking source of randomness
214 tls_random_source = "dev:/dev/urandom";
215 # Map each domain to a specific X.509 certificate
216 tls_server_sni_maps = "hash:/run/keys/postfix-sni";
218 # Only explicitely aliased accounts have a mail, not all the passwd
219 #local_recipient_maps = "$alias_maps";
220 # Note that the local transport rewrites the envelope recipient
221 # according to the alias_maps, and thus the aliasing is transparent
222 # to the nexthop (eg. dovecot)
223 #local_transport = local:$myhostname
224 # No console bell on new mail
228 "$home/.forward''${recipient_delimiter}''${extension}"
233 # Filled by the postfix/*.nix
234 virtual_mailbox_domains = [ ];
235 # Completed by the postfix/*.nix
236 virtual_mailbox_maps = [
237 # Is it necessary because it's already in virtual_alias_maps
238 "hash:/etc/postfix/virtual"
240 virtual_transport = "lmtp:unix:private/dovecot-lmtp";
242 dovecot_destination_recipient_limit = "1";
243 virtual_transport = "dovecot";
246 # There is no fallback
247 fallback_transport = "";
249 virtualMapType = "hash";
254 then lib.concatStringsSep "," value
256 if value == true then "yes"
257 else if value == false then "no"
259 mkKeyVal = opt: val: [ "-o" (opt + "=" + mkVal val) ];
260 mkArgs = args: lib.concatLists (lib.mapAttrsToList mkKeyVal args);
265 cleanup_service_name = "submissions-header-cleanup";
268 # Implicit TLS on port 465
269 # https://tools.ietf.org/html/rfc8314#section-3.3
275 syslog_name = "postfix/submissions";
276 # Implicit TLS, not STARTTLS
277 smtpd_tls_wrappermode = true;
278 smtpd_tls_mandatory_protocols = [
280 # FIXME: to be removed when K-9 Mail will support TLSv1.3,
281 # K-9 Mail 5.600 does not.
284 milter_macro_daemon_name = "ORIGINATING";
285 smtpd_helo_restrictions = [
286 "permit_sasl_authenticated"
287 ] ++ postfix.config.smtpd_helo_restrictions;
288 smtpd_relay_restrictions = [
289 # SASL authorizes to send to the world
290 "permit_sasl_authenticated"
293 smtpd_sasl_auth_enable = true;
294 smtpd_sasl_type = "dovecot";
295 smtpd_sasl_path = "private/auth";
296 smtpd_sasl_local_domain = "";
297 # Offer SASL authentication only after a TLS-encrypted session has been established
298 smtpd_tls_auth_only = true;
299 smtpd_sasl_tls_security_options = [ "noanonymous" ];
300 # Do not put SASL logins in mail headers
301 smtpd_sasl_authenticated_header = false;
302 # Who cares about (old) Outlook
303 broken_sasl_auth_clients = false;
304 smtpd_sender_restrictions = [
305 "reject_non_fqdn_sender"
306 # Check that the SASL user is using only its own
307 # mail addresses on the envelope, as indicated in smtpd_sender_login_maps
308 "reject_sender_login_mismatch"
311 # No X.509 certificates for users, for now
312 smtpd_tls_ask_ccert = false;
313 smtpd_tls_ccert_verifydepth = 0;
314 smtpd_tls_loglevel = 1;
315 smtpd_tls_req_ccert = false;
316 cleanup_service_name = "submissions-header-cleanup";
321 #spfcheck unix - n n - 0 spawn
322 # user=policyd-spf argv=/usr/sbin/postfix-policyd-spf-perl
323 # -o smtpd_sender_restrictions=reject_sender_login_mismatch
324 # -o smtpd_sender_login_maps=hash:/etc/postfix/vaccounts
325 # -o cleanup_service_name=submissions-header-cleanup
326 #spfcheck unix - n n - 0 spawn
327 # user=policyd-spf argv=/usr/bin/postfix-policyd-spf-perl
328 #uucp unix - n n - - pipe
329 # flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
330 #smtp inet n - - - - smtpd
331 # -o cleanup_service_name=pre-cleanup
332 # -o content_filter=amavis:[127.0.0.1]:10024
333 # -o smtpd_sender_restrictions=reject_unauth_pipelining,reject_non_fqdn_sender,permit
334 # -o receive_override_options=no_address_mappings
335 #amavis unix - - n - 2 lmtp
336 # -o lmtp_data_done_timeout=1200
337 # -o lmtp_send_xforward_command=yes
338 # -o lmtp_tls_note_starttls_offer=no
339 #127.0.0.1:10025 inet n - n - - smtpd
341 # -o local_header_rewrite_clients=
342 # -o local_recipient_maps=
343 # -o mynetworks=127.0.0.0/8
344 # -o receive_override_options=no_header_body_checks,no_milters,no_unknown_recipient_checks
345 # -o relay_recipient_maps=
346 # -o smtpd_client_connection_count_limit=0
347 # -o smtpd_client_connection_rate_limit=0
348 # -o smtpd_client_restrictions=permit_mynetworks,reject
349 # -o smtpd_data_restrictions=reject_unauth_pipelining
350 # -o smtpd_delay_reject=no
351 # -o smtpd_end_of_data_restrictions=
352 # -o smtpd_error_sleep_time=0
353 # -o smtpd_hard_error_limit=1000
354 # -o smtpd_helo_restrictions=
356 # -o smtpd_recipient_restrictions=permit_mynetworks,reject
357 # -o smtpd_restriction_classes=
358 # -o smtpd_sender_restrictions=
359 # -o smtpd_soft_error_limit=1001
360 # -o strict_rfc821_envelopes=yes
361 #submission inet n - - - - smtpd
362 # -o cleanup_service_name=pre-cleanup
363 # -o content_filter=amavis:[127.0.0.1]:10024
364 # -o milter_macro_daemon_name=ORIGINATING
365 # -o receive_override_options=no_address_mappings
366 # -o smtpd_sender_restrictions=permit_tls_clientcerts,reject
367 # -o smtpd_tls_ask_ccert=yes
368 # -o smtpd_tls_auth_only=yes
369 # -o smtpd_tls_ccert_verifydepth=2
370 # -o smtpd_tls_loglevel=1
371 # -o smtpd_tls_req_ccert=yes
372 # -o smtpd_tls_security_level=encrypt
373 #smtps inet n - - - - smtpd
374 # -o milter_macro_daemon_name=ORIGINATING
375 # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
376 # -o smtpd_sasl_auth_enable=yes
377 # -o smtpd_tls_ask_ccert=yes
378 # -o smtpd_tls_auth_only=yes
379 # -o smtpd_tls_ccert_verifydepth=0
380 # -o smtpd_tls_loglevel=1
381 # -o smtpd_tls_req_ccert=no
382 # -o smtpd_tls_security_level=encrypt
383 # -o smtpd_tls_wrappermode=yes
384 #pickup fifo n - - 60 1 pickup
385 # -o cleanup_service_name=pre-cleanup
386 # -o content_filter=amavis:[127.0.0.1]:10024
387 #pre-cleanup unix n - - - 0 cleanup
388 # -o virtual_alias_maps=
389 #cleanup unix n - - - 0 cleanup
390 # -o mime_header_checks=
391 # -o nested_header_checks=
395 #sympa unix - n n - - pipe
396 # flags=R user=sympa argv=/usr/lib/sympa/bin/queue ''${recipient}
397 #sympabounce unix - n n - - pipe
398 # flags=R user=sympa argv=/usr/lib/sympa/bin/bouncequeue ''${recipient}
401 #noclue unix - n n - - pipe
402 # flags=q user=noclue argv=/usr/local/bin/noclue-delivery ${recipient} ${sender}