]> Git — Sourcephile - sourcephile-nix.git/blob - servers/mermet/postfix.nix
openldap: use PR#79286
[sourcephile-nix.git] / servers / mermet / postfix.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (builtins) attrNames concatStringsSep readFile toPath;
4 inherit (builtins.extraBuiltins) pass;
5 inherit (lib) types;
6 inherit (pkgs.lib) loadFile unlines unwords unlinesAttrs;
7 inherit (config) networking users;
8 inherit (config.services) postfix dovecot2 openldap;
9 in
10 {
11 imports = [
12 postfix/sourcephile.fr.nix
13 ];
14 config = {
15 systemd.services.postfix.after = [
16 "openldap.service"
17 ];
18 services.postfix = {
19 enable = true;
20 networksStyle = "host";
21 hostname ="${networking.hostName}.${networking.domain}";
22 domain = networking.domain;
23 origin = "$myhostname";
24 destination = [
25 "localhost"
26 "localhost.localdomain"
27 "$myhostname"
28 ];
29 postmasterAlias = "root";
30 rootAlias = "root@${networking.domain}";
31 sslCert = loadFile (../../../sec/openssl + "/${networking.domain}/cert.self-signed.pem");
32 sslKey = "/run/keys/${networking.domain}.key.pem";
33 networks = [
34 "127.0.0.0/8"
35 "[::1]/128"
36 ];
37 # Parse the extension in email address, eg. contact+extension@
38 recipientDelimiter = "+";
39 config = {
40 debug_peer_level = "4";
41 debug_peer_list = [
42 #"chomsky.autogeree.net"
43 #"localhost"
44 ];
45
46 #
47 # Sending to the world
48 #
49 # Appending .domain is the MUA's job
50 append_dot_mydomain = false;
51 smtp_body_checks = "";
52 #smtp_cname_overrides_servername = false;
53 smtp_connect_timeout = "60s";
54 #smtp_header_checks = "regexp:/var/lib/postfix/smtp_header_checks";
55 smtp_mime_header_checks = "";
56 smtp_nested_header_checks = "";
57 smtp_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ];
58 #smtp_tls_fingerprint_digest = "sha1";
59 smtp_tls_loglevel = "1";
60 #smtp_tls_note_starttls_offer = true;
61 #smtp_tls_policy_maps = "hash:/var/lib/postfix/conf/tls_policy";
62 # Only allow TLSv* protocols
63 smtp_tls_protocols = [ "!SSLv2" "!SSLv3" ];
64 #smtp_tls_scert_verifydepth = "5";
65 #smtp_tls_secure_cert_match = [ "nexthop" "dot-nexthop" ];
66 smtp_tls_security_level = "may";
67 smtp_tls_session_cache_database = "btree:$data_directory/smtp_tls_session_cache";
68 #smtp_tls_session_cache_timeout = "3600s";
69 #smtp_tls_verify_cert_match = "hostname";
70
71 #
72 # Receiving from the world
73 #
74 message_size_limit = "20480000";
75 maximal_queue_lifetime = "5d";
76 default_extra_recipient_limit = "5000";
77 line_length_limit = "2048";
78 duplicate_filter_limit = "5000";
79 # Stops mail from poorly written software
80 strict_rfc821_envelopes = true;
81 mime_header_checks = [];
82 milter_header_checks = [];
83 nested_header_checks = [];
84 body_checks = [];
85 content_filter = "";
86 permit_mx_backup_networks = [];
87 propagate_unmatched_extensions = [ "canonical" "virtual" "alias" ];
88 #masquerade_classes = [ "envelope_sender" "header_sender" "header_recipient" ];
89 #masquerade_domains = "";
90 #masquerade_exceptions = "root";
91 queue_minfree = "0";
92 # Stops some techniques used to harvest email addresses
93 disable_vrfy_command = true;
94 enable_long_queue_ids = false;
95 # Useful to test restrictions
96 smtpd_authorized_xclient_hosts = "127.0.0.1";
97 smtpd_banner = "$myhostname ESMTP $mail_name (NixOS)";
98 smtpd_client_connection_count_limit = "50";
99 smtpd_client_connection_rate_limit = "0";
100 smtpd_client_event_limit_exceptions = "$mynetworks";
101 smtpd_client_message_rate_limit = "0";
102 smtpd_client_new_tls_session_rate_limit = "0";
103 smtpd_client_port_logging = false;
104 smtpd_client_recipient_rate_limit = "0";
105 # Ban 5 sec on error
106 smtpd_error_sleep_time = "5";
107 # Needed to enforce reject_unknown_helo_hostname
108 smtpd_helo_required = true;
109 smtpd_helo_restrictions = [
110 "reject_invalid_helo_hostname"
111 "reject_non_fqdn_helo_hostname"
112 # Don't talk to mail systems that don't know their own hostname.
113 "reject_unknown_helo_hostname"
114 "permit"
115 ];
116 smtpd_client_restrictions = [
117 ];
118 # Set in postfix/*.nix and used in submissions/smptd
119 # with reject_sender_login_mismatch
120 smtpd_sender_login_maps = [];
121 smtpd_sender_restrictions = [
122 "reject_non_fqdn_sender"
123 "permit"
124 ];
125 smtpd_reject_unlisted_recipient = true;
126 # Check the RCPT TO, before smtpd_recipient_restrictions
127 # Restrictions based on what is allowed or not,
128 # these are applied before smtpd_recipient_restrictions
129 smtpd_relay_restrictions = [
130 "permit_mynetworks"
131 # Check the recipient's address in virtual_mailbox_domains and virtual_mailbox_maps
132 "permit_auth_destination"
133 # The world is only authorized to use our relay for the above destinations.
134 "reject"
135 ];
136 # Restrictions based on what is working or not
137 smtpd_recipient_restrictions = [
138 # Reject if the domain is not fully qualified
139 "reject_non_fqdn_recipient"
140 # Reject if the domain is not working, even before bothering to check the address
141 "reject_unknown_recipient_domain"
142 # Reject if the address is not working
143 # WARNING: verify(8) has a cache, dumpable if verify(8) is stopped, with:
144 # postmap -s btree:/var/lib/postfix/data/verify_cache
145 "reject_unverified_recipient"
146 "permit"
147 ];
148 # Trust the verify database
149 unverified_recipient_reject_code = "550";
150 smtpd_data_restrictions = [
151 # Force the smtpd's client to wait OK before sending
152 "reject_unauth_pipelining"
153 "permit"
154 ];
155 smtpd_end_of_data_restrictions = [
156 # Enforce mail volume quota via policy service callouts.
157 #check_policy_service unix:private/policy
158 ];
159 #smtpd_milters = "";
160 smtpd_peername_lookup = true;
161 smtpd_recipient_limit = "5000";
162 smtpd_recipient_overshoot_limit = "5000";
163 #smtpd_restriction_classes = "";
164 #smtpd_sasl_auth_enable = true;
165 #smtpd_sasl_path = "private/auth";
166 #smtpd_sasl_security_options = "noanonymous";
167 #smtpd_sasl_type = "dovecot";
168 smtpd_starttls_timeout = "300s";
169 #smtpd_tls_always_issue_session_ids = true;
170 #smtpd_tls_CApath = "/etc/postfix/x509/ca/";
171 smtpd_tls_ask_ccert = false;
172 #smtpd_tls_ccert_verifydepth = "5";
173 smtpd_tls_ciphers = "high";
174 smtpd_tls_eecdh_grade = "ultra";
175 # Disable weak ciphers as reported by https://ssl-tools.net
176 # https://serverfault.com/questions/744168/how-to-disable-rc4-on-postfix
177 smtpd_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ];
178 smtpd_tls_fingerprint_digest = "sha512";
179 # Log only a summary message on TLS handshake completion
180 smtpd_tls_loglevel = "1";
181 smtpd_tls_mandatory_ciphers = "high";
182 smtpd_tls_mandatory_protocols = [ "!SSLv2" "!SSLv3" ];
183 # Only allow TLSv*
184 smtpd_tls_protocols = [ "!SSLv2" "!SSLv3" ];
185 #smtpd_tls_received_header = false;
186 smtpd_tls_req_ccert = false;
187 # Postfix 2.3 and later
188 # encrypt
189 # Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
190 # encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
191 # SMTP server. Instead, this option should be used only on dedicated servers.
192 smtpd_tls_security_level = "may";
193 smtpd_tls_session_cache_database = "btree:$data_directory/smtpd_tls_session_cache";
194 #smtpd_tls_session_cache_timeout = "3600s";
195
196 relayhost = [];
197 #relay_clientcerts = hash:/var/lib/postfix/conf/relay_clientcerts
198 # This is where to put backup MX domains
199 relay_domains = [];
200 relay_recipient_maps = [];
201
202 # postconf(5) discourages to change this
203 #tls_high_cipherlist = "AES256-SHA";
204 #tls_random_bytes = "32";
205 # Must not be in a chroot
206 #tls_random_exchange_name = "$data_directory/prng_exch";
207 #tls_random_prng_update_period = "3600s";
208 #tls_random_reseed_period = "3600s";
209 # Use a non blocking source of randomness
210 tls_random_source = "dev:/dev/urandom";
211
212 # Only explicitely aliased accounts have a mail, not all the passwd
213 local_recipient_maps = "$alias_maps";
214 # Note that the local transport rewrites the envelope recipient
215 # according to the alias_maps, and thus the aliasing is transparent
216 # to the nexthop (eg. dovecot)
217 #local_transport = local:$myhostname
218 # No console bell on new mail
219 biff = false;
220 forward_path = [
221 /*
222 "$home/.forward''${recipient_delimiter}''${extension}"
223 "$home/.forward"
224 */
225 ];
226
227 # Filled by the postfix/*.nix
228 virtual_mailbox_domains = [];
229 # Completed by the postfix/*.nix
230 virtual_mailbox_maps = [
231 "hash:/etc/postfix/virtual"
232 ];
233 virtual_transport = "lmtp:unix:private/dovecot-lmtp";
234
235 # There is no fallback
236 fallback_transport = "";
237 };
238 virtualMapType = "hash";
239 masterConfig =
240 let
241 mkVal = value:
242 if lib.isList value
243 then concatStringsSep "," value
244 else
245 if value == true then "yes"
246 else if value == false then "no"
247 else toString value;
248 mkKeyVal = opt: val: [ "-o" (opt + "=" + mkVal val) ];
249 mkArgs = args: lib.concatLists (lib.mapAttrsToList mkKeyVal args);
250 in {
251 # Implicit TLS on port 465
252 # https://tools.ietf.org/html/rfc8314#section-3.3
253 submissions = {
254 type = "inet";
255 private = false;
256 command = "smtpd";
257 args = mkArgs {
258 syslog_name = "postfix/submissions";
259 # Implicit TLS, not STARTTLS
260 smtpd_tls_wrappermode = true;
261 smtpd_tls_mandatory_protocols = [
262 "TLSv1.3"
263 # K-9 Mail 5.600 still requires this..
264 "TLSv1.2"
265 ];
266 milter_macro_daemon_name = "ORIGINATING";
267 smtpd_relay_restrictions = [
268 # SASL authorizes to send to the world
269 "permit_sasl_authenticated"
270 "reject"
271 ];
272 smtpd_sasl_auth_enable = true;
273 smtpd_sasl_type = "dovecot";
274 smtpd_sasl_path = "private/auth";
275 smtpd_sasl_local_domain = "";
276 # Offer SASL authentication only after a TLS-encrypted session has been established
277 smtpd_tls_auth_only = true;
278 smtpd_sasl_tls_security_options = [ "noanonymous" ];
279 # Do not put SASL logins in mail headers
280 smtpd_sasl_authenticated_header = false;
281 # Who cares about (old) Outlook
282 broken_sasl_auth_clients = false;
283 smtpd_sender_restrictions = [
284 "reject_non_fqdn_sender"
285 # Check that the SASL user is using only its own
286 # mail addresses on the envelope, as indicated in smtpd_sender_login_maps
287 "reject_sender_login_mismatch"
288 "permit"
289 ];
290 # No X.509 certificates for users, for now
291 smtpd_tls_ask_ccert = false;
292 smtpd_tls_ccert_verifydepth = 0;
293 smtpd_tls_loglevel = 1;
294 smtpd_tls_req_ccert = false;
295 cleanup_service_name = "submissions-header-cleanup";
296 };
297 };
298 submissions-header-cleanup = {
299 type = "unix";
300 private = false;
301 maxproc = 0;
302 command = "cleanup";
303 args = mkArgs {
304 header_checks = "pcre:" + pkgs.writeText "submission_header_cleanup_rules" ''
305 # Removes sensitive headers from mails handed in via the submission or smtps port.
306 # See https://thomas-leister.de/mailserver-debian-stretch/
307 # Uses "pcre" style regex.
308
309 /^Received:/ IGNORE
310 /^User-Agent:/ IGNORE
311 /^X-Enigmail:/ IGNORE
312 /^X-Mailer:/ IGNORE
313 /^X-Originating-IP:/ IGNORE
314 '';
315 };
316 };
317 };
318 extraMasterConf = ''
319 #spfcheck unix - n n - 0 spawn
320 # user=policyd-spf argv=/usr/sbin/postfix-policyd-spf-perl
321 # -o smtpd_sender_restrictions=reject_sender_login_mismatch
322 # -o smtpd_sender_login_maps=hash:/etc/postfix/vaccounts
323 # -o cleanup_service_name=submissions-header-cleanup
324 #spfcheck unix - n n - 0 spawn
325 # user=policyd-spf argv=/usr/bin/postfix-policyd-spf-perl
326 #uucp unix - n n - - pipe
327 # flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
328 #smtp inet n - - - - smtpd
329 # -o cleanup_service_name=pre-cleanup
330 # -o content_filter=amavis:[127.0.0.1]:10024
331 # -o smtpd_sender_restrictions=reject_unauth_pipelining,reject_non_fqdn_sender,permit
332 # -o receive_override_options=no_address_mappings
333 #amavis unix - - n - 2 lmtp
334 # -o lmtp_data_done_timeout=1200
335 # -o lmtp_send_xforward_command=yes
336 # -o lmtp_tls_note_starttls_offer=no
337 #127.0.0.1:10025 inet n - n - - smtpd
338 # -o content_filter=
339 # -o local_header_rewrite_clients=
340 # -o local_recipient_maps=
341 # -o mynetworks=127.0.0.0/8
342 # -o receive_override_options=no_header_body_checks,no_milters,no_unknown_recipient_checks
343 # -o relay_recipient_maps=
344 # -o smtpd_client_connection_count_limit=0
345 # -o smtpd_client_connection_rate_limit=0
346 # -o smtpd_client_restrictions=permit_mynetworks,reject
347 # -o smtpd_data_restrictions=reject_unauth_pipelining
348 # -o smtpd_delay_reject=no
349 # -o smtpd_end_of_data_restrictions=
350 # -o smtpd_error_sleep_time=0
351 # -o smtpd_hard_error_limit=1000
352 # -o smtpd_helo_restrictions=
353 # -o smtpd_milters=
354 # -o smtpd_recipient_restrictions=permit_mynetworks,reject
355 # -o smtpd_restriction_classes=
356 # -o smtpd_sender_restrictions=
357 # -o smtpd_soft_error_limit=1001
358 # -o strict_rfc821_envelopes=yes
359 #submission inet n - - - - smtpd
360 # -o cleanup_service_name=pre-cleanup
361 # -o content_filter=amavis:[127.0.0.1]:10024
362 # -o milter_macro_daemon_name=ORIGINATING
363 # -o receive_override_options=no_address_mappings
364 # -o smtpd_sender_restrictions=permit_tls_clientcerts,reject
365 # -o smtpd_tls_ask_ccert=yes
366 # -o smtpd_tls_auth_only=yes
367 # -o smtpd_tls_ccert_verifydepth=2
368 # -o smtpd_tls_loglevel=1
369 # -o smtpd_tls_req_ccert=yes
370 # -o smtpd_tls_security_level=encrypt
371 #smtps inet n - - - - smtpd
372 # -o milter_macro_daemon_name=ORIGINATING
373 # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
374 # -o smtpd_sasl_auth_enable=yes
375 # -o smtpd_tls_ask_ccert=yes
376 # -o smtpd_tls_auth_only=yes
377 # -o smtpd_tls_ccert_verifydepth=0
378 # -o smtpd_tls_loglevel=1
379 # -o smtpd_tls_req_ccert=no
380 # -o smtpd_tls_security_level=encrypt
381 # -o smtpd_tls_wrappermode=yes
382 #pickup fifo n - - 60 1 pickup
383 # -o cleanup_service_name=pre-cleanup
384 # -o content_filter=amavis:[127.0.0.1]:10024
385 #pre-cleanup unix n - - - 0 cleanup
386 # -o virtual_alias_maps=
387 #cleanup unix n - - - 0 cleanup
388 # -o mime_header_checks=
389 # -o nested_header_checks=
390 # -o body_checks=
391 # -o header_checks=
392 #-- SYMPA begin
393 #sympa unix - n n - - pipe
394 # flags=R user=sympa argv=/usr/lib/sympa/bin/queue ''${recipient}
395 #sympabounce unix - n n - - pipe
396 # flags=R user=sympa argv=/usr/lib/sympa/bin/bouncequeue ''${recipient}
397 #-- SYMPA end
398 '';
399 #noclue unix - n n - - pipe
400 # flags=q user=noclue argv=/usr/local/bin/noclue-delivery ${recipient} ${sender}
401 };
402 };
403 }