]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/mermet/postfix.nix
sourcehut: use service.nix for all systemd services
[sourcephile-nix.git] / hosts / mermet / postfix.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (builtins) attrNames readFile toPath;
4 inherit (lib) types;
5 inherit (config) networking users;
6 inherit (config.services) postfix dovecot2 openldap;
7 in
8 {
9 imports = [
10 postfix/autogeree.net.nix
11 postfix/sourcephile.fr.nix
12 ];
13 users.groups.acme.members = [ postfix.user ];
14 networking.nftables.ruleset = ''
15 add rule inet filter net2fw tcp dport 25 counter accept comment "SMTP"
16 add rule inet filter net2fw tcp dport 465 counter accept comment "submissions"
17 add rule inet filter fw2net meta skuid ${postfix.user} tcp dport 25 counter accept comment "SMTP"
18 '';
19 services.postfix = {
20 enable = true;
21 networksStyle = "host";
22 hostname ="${networking.hostName}.${networking.domain}";
23 domain = networking.domain;
24 origin = "$myhostname";
25 destination = [
26 "localhost"
27 "localhost.localdomain"
28 "$myhostname"
29 ];
30 postmasterAlias = "root";
31 rootAlias = "root@${networking.domain}";
32 sslKey = "/var/lib/acme/${networking.domain}/key.pem";
33 sslCert = "/var/lib/acme/${networking.domain}/fullchain.pem";
34 networks = [
35 "127.0.0.0/8"
36 "[::1]/128"
37 ];
38 setSendmail = true;
39 # Parse the extension in email address, eg. contact+extension@
40 recipientDelimiter = "+";
41 config = {
42 debug_peer_level = "4";
43 debug_peer_list = [
44 #"chomsky.autogeree.net"
45 #"localhost"
46 #"mail.sourcephile.fr"
47 ];
48
49 #
50 # Sending to the world
51 #
52 # Appending .domain is the MUA's job
53 append_dot_mydomain = false;
54 smtp_body_checks = "";
55 #smtp_cname_overrides_servername = false;
56 smtp_connect_timeout = "60s";
57 #smtp_header_checks = "regexp:/var/lib/postfix/smtp_header_checks";
58 smtp_mime_header_checks = "";
59 smtp_nested_header_checks = "";
60 smtp_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ];
61 #smtp_tls_fingerprint_digest = "sha1";
62 smtp_tls_loglevel = "1";
63 #smtp_tls_note_starttls_offer = true;
64 #smtp_tls_policy_maps = "hash:/var/lib/postfix/conf/tls_policy";
65 # Only allow TLSv* protocols
66 smtp_tls_protocols = [ "!SSLv2" "!SSLv3" ];
67 #smtp_tls_scert_verifydepth = "5";
68 #smtp_tls_secure_cert_match = [ "nexthop" "dot-nexthop" ];
69 smtp_tls_security_level = "may";
70 smtp_tls_session_cache_database = "btree:$data_directory/smtp_tls_session_cache";
71 #smtp_tls_session_cache_timeout = "3600s";
72 #smtp_tls_verify_cert_match = "hostname";
73
74 #
75 # Receiving from the world
76 #
77 message_size_limit = "20480000";
78 maximal_queue_lifetime = "5d";
79 default_extra_recipient_limit = "5000";
80 line_length_limit = "2048";
81 duplicate_filter_limit = "5000";
82 # Stops mail from poorly written software
83 strict_rfc821_envelopes = true;
84 mime_header_checks = [];
85 milter_header_checks = [];
86 nested_header_checks = [];
87 body_checks = [];
88 content_filter = "";
89 permit_mx_backup_networks = [];
90 propagate_unmatched_extensions = [ "canonical" "virtual" "alias" ];
91 #masquerade_classes = [ "envelope_sender" "header_sender" "header_recipient" ];
92 #masquerade_domains = "";
93 #masquerade_exceptions = "root";
94 queue_minfree = "0";
95 # Stops some techniques used to harvest email addresses
96 disable_vrfy_command = true;
97 enable_long_queue_ids = false;
98 # Useful to test restrictions
99 smtpd_authorized_xclient_hosts = "127.0.0.1";
100 smtpd_banner = "$myhostname ESMTP $mail_name (NixOS)";
101 smtpd_client_connection_count_limit = "50";
102 smtpd_client_connection_rate_limit = "0";
103 smtpd_client_event_limit_exceptions = "$mynetworks";
104 smtpd_client_message_rate_limit = "0";
105 smtpd_client_new_tls_session_rate_limit = "0";
106 smtpd_client_port_logging = false;
107 smtpd_client_recipient_rate_limit = "0";
108 # Ban 5 sec on error
109 smtpd_error_sleep_time = "5";
110 # Needed to enforce reject_unknown_helo_hostname
111 smtpd_helo_required = true;
112 smtpd_helo_restrictions = [
113 "reject_invalid_helo_hostname"
114 "reject_non_fqdn_helo_hostname"
115 # Don't talk to mail systems that don't know their own hostname.
116 "reject_unknown_helo_hostname"
117 "permit"
118 ];
119 smtpd_client_restrictions = [
120 ];
121 # Set in postfix/*.nix and used in submissions/smptd
122 # with reject_sender_login_mismatch
123 smtpd_sender_login_maps = [];
124 smtpd_sender_restrictions = [
125 "reject_non_fqdn_sender"
126 "permit"
127 ];
128 smtpd_reject_unlisted_recipient = true;
129 # Check the RCPT TO, before smtpd_recipient_restrictions
130 # Restrictions based on what is allowed or not,
131 # these are applied before smtpd_recipient_restrictions
132 smtpd_relay_restrictions = [
133 "permit_mynetworks"
134 # Check the recipient's address in virtual_mailbox_domains and virtual_mailbox_maps
135 "permit_auth_destination"
136 # The world is only authorized to use our relay for the above destinations.
137 "reject"
138 ];
139 # Restrictions based on what is working or not
140 smtpd_recipient_restrictions = [
141 # Reject if the domain is not fully qualified
142 "reject_non_fqdn_recipient"
143 # Reject if the domain is not working, even before bothering to check the address
144 "reject_unknown_recipient_domain"
145 # Reject if the address is not working
146 # WARNING: this does not work if the recipient is greylisting.
147 # WARNING: verify(8) has a cache, dumpable if verify(8) is stopped, with:
148 # postmap -s btree:/var/lib/postfix/data/verify_cache
149 #"reject_unverified_recipient"
150 "permit"
151 ];
152 # Trust the verify database
153 #unverified_recipient_reject_code = "550";
154 smtpd_data_restrictions = [
155 # Force the smtpd's client to wait OK before sending
156 "reject_unauth_pipelining"
157 "permit"
158 ];
159 smtpd_end_of_data_restrictions = [
160 # Enforce mail volume quota via policy service callouts.
161 #check_policy_service unix:private/policy
162 ];
163 #smtpd_milters = "";
164 smtpd_peername_lookup = true;
165 smtpd_recipient_limit = "5000";
166 smtpd_recipient_overshoot_limit = "5000";
167 #smtpd_restriction_classes = "";
168 #smtpd_sasl_auth_enable = true;
169 #smtpd_sasl_path = "private/auth";
170 #smtpd_sasl_security_options = "noanonymous";
171 #smtpd_sasl_type = "dovecot";
172 smtpd_starttls_timeout = "300s";
173 #smtpd_tls_always_issue_session_ids = true;
174 #smtpd_tls_CApath = "/etc/postfix/x509/ca/";
175 smtpd_tls_ask_ccert = false;
176 #smtpd_tls_ccert_verifydepth = "5";
177 smtpd_tls_ciphers = "high";
178 smtpd_tls_eecdh_grade = "auto";
179 # Disable weak ciphers as reported by https://ssl-tools.net
180 # https://serverfault.com/questions/744168/how-to-disable-rc4-on-postfix
181 smtpd_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ];
182 smtpd_tls_fingerprint_digest = "sha512";
183 # Log only a summary message on TLS handshake completion
184 smtpd_tls_loglevel = "1";
185 smtpd_tls_mandatory_ciphers = "high";
186 smtpd_tls_mandatory_protocols = [ "!SSLv2" "!SSLv3" ];
187 # Only allow TLSv*
188 smtpd_tls_protocols = [ "!SSLv2" "!SSLv3" ];
189 #smtpd_tls_received_header = false;
190 smtpd_tls_req_ccert = false;
191 # Postfix 2.3 and later
192 # encrypt
193 # Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
194 # encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
195 # SMTP server. Instead, this option should be used only on dedicated servers.
196 smtpd_tls_security_level = "may";
197 smtpd_tls_session_cache_database = "btree:$data_directory/smtpd_tls_session_cache";
198 #smtpd_tls_session_cache_timeout = "3600s";
199 #smtpd_tls_chain_files =
200
201 relayhost = [];
202 #relay_clientcerts = hash:/var/lib/postfix/conf/relay_clientcerts
203 # This is where to put backup MX domains
204 relay_domains = [];
205 relay_recipient_maps = [];
206
207 # Use a non blocking source of randomness
208 tls_random_source = "dev:/dev/urandom";
209 # Map each domain to a specific X.509 certificate
210 tls_server_sni_maps = "hash:/run/keys/postfix-sni";
211
212 # Only explicitely aliased accounts have a mail, not all the passwd
213 local_recipient_maps = "$alias_maps";
214 # Note that the local transport rewrites the envelope recipient
215 # according to the alias_maps, and thus the aliasing is transparent
216 # to the nexthop (eg. dovecot)
217 #local_transport = local:$myhostname
218 # No console bell on new mail
219 biff = false;
220 forward_path = [
221 /*
222 "$home/.forward''${recipient_delimiter}''${extension}"
223 */
224 "$home/.forward"
225 ];
226
227 # Filled by the postfix/*.nix
228 virtual_mailbox_domains = [];
229 # Completed by the postfix/*.nix
230 virtual_mailbox_maps = [
231 "hash:/etc/postfix/virtual"
232 ];
233 virtual_transport = "lmtp:unix:private/dovecot-lmtp";
234 /*
235 dovecot_destination_recipient_limit = "1";
236 virtual_transport = "dovecot";
237 */
238
239 # There is no fallback
240 fallback_transport = "";
241 };
242 virtualMapType = "hash";
243 masterConfig =
244 let
245 mkVal = value:
246 if lib.isList value
247 then lib.concatStringsSep "," value
248 else
249 if value == true then "yes"
250 else if value == false then "no"
251 else toString value;
252 mkKeyVal = opt: val: [ "-o" (opt + "=" + mkVal val) ];
253 mkArgs = args: lib.concatLists (lib.mapAttrsToList mkKeyVal args);
254 in {
255 pickup = {
256 args = mkArgs {
257 cleanup_service_name = "submissions-header-cleanup";
258 };
259 };
260 # Implicit TLS on port 465
261 # https://tools.ietf.org/html/rfc8314#section-3.3
262 submissions = {
263 type = "inet";
264 private = false;
265 command = "smtpd";
266 args = mkArgs {
267 syslog_name = "postfix/submissions";
268 # Implicit TLS, not STARTTLS
269 smtpd_tls_wrappermode = true;
270 smtpd_tls_mandatory_protocols = [
271 "TLSv1.3"
272 # FIXME: to be removed when K-9 Mail will support TLSv1.3,
273 # K-9 Mail 5.600 does not.
274 "TLSv1.2"
275 ];
276 milter_macro_daemon_name = "ORIGINATING";
277 smtpd_helo_restrictions = [
278 "permit_sasl_authenticated"
279 ] ++ postfix.config.smtpd_helo_restrictions;
280 smtpd_relay_restrictions = [
281 # SASL authorizes to send to the world
282 "permit_sasl_authenticated"
283 "reject"
284 ];
285 smtpd_sasl_auth_enable = true;
286 smtpd_sasl_type = "dovecot";
287 smtpd_sasl_path = "private/auth";
288 smtpd_sasl_local_domain = "";
289 # Offer SASL authentication only after a TLS-encrypted session has been established
290 smtpd_tls_auth_only = true;
291 smtpd_sasl_tls_security_options = [ "noanonymous" ];
292 # Do not put SASL logins in mail headers
293 smtpd_sasl_authenticated_header = false;
294 # Who cares about (old) Outlook
295 broken_sasl_auth_clients = false;
296 smtpd_sender_restrictions = [
297 "reject_non_fqdn_sender"
298 # Check that the SASL user is using only its own
299 # mail addresses on the envelope, as indicated in smtpd_sender_login_maps
300 "reject_sender_login_mismatch"
301 "permit"
302 ];
303 # No X.509 certificates for users, for now
304 smtpd_tls_ask_ccert = false;
305 smtpd_tls_ccert_verifydepth = 0;
306 smtpd_tls_loglevel = 1;
307 smtpd_tls_req_ccert = false;
308 cleanup_service_name = "submissions-header-cleanup";
309 };
310 };
311 };
312 extraMasterConf = ''
313 #spfcheck unix - n n - 0 spawn
314 # user=policyd-spf argv=/usr/sbin/postfix-policyd-spf-perl
315 # -o smtpd_sender_restrictions=reject_sender_login_mismatch
316 # -o smtpd_sender_login_maps=hash:/etc/postfix/vaccounts
317 # -o cleanup_service_name=submissions-header-cleanup
318 #spfcheck unix - n n - 0 spawn
319 # user=policyd-spf argv=/usr/bin/postfix-policyd-spf-perl
320 #uucp unix - n n - - pipe
321 # flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
322 #smtp inet n - - - - smtpd
323 # -o cleanup_service_name=pre-cleanup
324 # -o content_filter=amavis:[127.0.0.1]:10024
325 # -o smtpd_sender_restrictions=reject_unauth_pipelining,reject_non_fqdn_sender,permit
326 # -o receive_override_options=no_address_mappings
327 #amavis unix - - n - 2 lmtp
328 # -o lmtp_data_done_timeout=1200
329 # -o lmtp_send_xforward_command=yes
330 # -o lmtp_tls_note_starttls_offer=no
331 #127.0.0.1:10025 inet n - n - - smtpd
332 # -o content_filter=
333 # -o local_header_rewrite_clients=
334 # -o local_recipient_maps=
335 # -o mynetworks=127.0.0.0/8
336 # -o receive_override_options=no_header_body_checks,no_milters,no_unknown_recipient_checks
337 # -o relay_recipient_maps=
338 # -o smtpd_client_connection_count_limit=0
339 # -o smtpd_client_connection_rate_limit=0
340 # -o smtpd_client_restrictions=permit_mynetworks,reject
341 # -o smtpd_data_restrictions=reject_unauth_pipelining
342 # -o smtpd_delay_reject=no
343 # -o smtpd_end_of_data_restrictions=
344 # -o smtpd_error_sleep_time=0
345 # -o smtpd_hard_error_limit=1000
346 # -o smtpd_helo_restrictions=
347 # -o smtpd_milters=
348 # -o smtpd_recipient_restrictions=permit_mynetworks,reject
349 # -o smtpd_restriction_classes=
350 # -o smtpd_sender_restrictions=
351 # -o smtpd_soft_error_limit=1001
352 # -o strict_rfc821_envelopes=yes
353 #submission inet n - - - - smtpd
354 # -o cleanup_service_name=pre-cleanup
355 # -o content_filter=amavis:[127.0.0.1]:10024
356 # -o milter_macro_daemon_name=ORIGINATING
357 # -o receive_override_options=no_address_mappings
358 # -o smtpd_sender_restrictions=permit_tls_clientcerts,reject
359 # -o smtpd_tls_ask_ccert=yes
360 # -o smtpd_tls_auth_only=yes
361 # -o smtpd_tls_ccert_verifydepth=2
362 # -o smtpd_tls_loglevel=1
363 # -o smtpd_tls_req_ccert=yes
364 # -o smtpd_tls_security_level=encrypt
365 #smtps inet n - - - - smtpd
366 # -o milter_macro_daemon_name=ORIGINATING
367 # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
368 # -o smtpd_sasl_auth_enable=yes
369 # -o smtpd_tls_ask_ccert=yes
370 # -o smtpd_tls_auth_only=yes
371 # -o smtpd_tls_ccert_verifydepth=0
372 # -o smtpd_tls_loglevel=1
373 # -o smtpd_tls_req_ccert=no
374 # -o smtpd_tls_security_level=encrypt
375 # -o smtpd_tls_wrappermode=yes
376 #pickup fifo n - - 60 1 pickup
377 # -o cleanup_service_name=pre-cleanup
378 # -o content_filter=amavis:[127.0.0.1]:10024
379 #pre-cleanup unix n - - - 0 cleanup
380 # -o virtual_alias_maps=
381 #cleanup unix n - - - 0 cleanup
382 # -o mime_header_checks=
383 # -o nested_header_checks=
384 # -o body_checks=
385 # -o header_checks=
386 #-- SYMPA begin
387 #sympa unix - n n - - pipe
388 # flags=R user=sympa argv=/usr/lib/sympa/bin/queue ''${recipient}
389 #sympabounce unix - n n - - pipe
390 # flags=R user=sympa argv=/usr/lib/sympa/bin/bouncequeue ''${recipient}
391 #-- SYMPA end
392 '';
393 #noclue unix - n n - - pipe
394 # flags=q user=noclue argv=/usr/local/bin/noclue-delivery ${recipient} ${sender}
395 };
396 }