# NixOS module configuring the Postfix MTA on this host.
#
# Three parts:
#   - services.postfix.config: main.cf parameters for the public MX
#     (opportunistic TLS, HELO/sender/recipient/relay restrictions,
#     recipient verification, delivery of virtual domains to Dovecot via LMTP);
#   - services.postfix.masterConfig: an implicit-TLS "submissions" listener
#     (port 465) with Dovecot SASL, plus a dedicated cleanup service that
#     strips client-revealing headers from submitted mail;
#   - services.postfix.extraMasterConf: entirely commented-out master.cf
#     examples kept for reference (nothing in it is active).
#
# Per-domain data (virtual_mailbox_domains, smtpd_sender_login_maps, ...)
# is filled in by the modules listed in `imports` (postfix/*.nix).
{ pkgs, lib, config, ... }:
let
  inherit (builtins) attrNames concatStringsSep readFile toPath;
  inherit (builtins.extraBuiltins) pass;
  inherit (lib) types;
  inherit (pkgs.lib) loadFile unlines unwords unlinesAttrs;
  inherit (config) networking users;
  inherit (config.services) postfix dovecot2 openldap;
in
{
  imports = [
    postfix/sourcephile.fr.nix
    postfix/autogeree.net.nix
  ];
  config = {
    # Postfix looks up accounts in LDAP (via the maps set in postfix/*.nix),
    # so it must not start before the directory is up.
    systemd.services.postfix.after = [
      "openldap.service"
    ];
    services.postfix = {
      enable = true;
      networksStyle = "host";
      hostname ="${networking.hostName}.${networking.domain}";
      domain = networking.domain;
      origin = "$myhostname";
      # Domains delivered by the local(8) transport (ie. aliases only, see
      # local_recipient_maps below); the real mail domains are virtual ones.
      destination = [
        "localhost"
        "localhost.localdomain"
        "$myhostname"
      ];
      postmasterAlias = "root";
      rootAlias = "root@${networking.domain}";
      # The certificate is read from the repository at evaluation time;
      # the private key is only expected at /run/keys on the running host.
      sslCert = loadFile (../../../sec/openssl + "/${networking.domain}/cert.self-signed.pem");
      sslKey = "/run/keys/${networking.domain}.key.pem";
      # $mynetworks is loopback only: permit_mynetworks (used in
      # smtpd_relay_restrictions below) therefore only covers local processes.
      networks = [
        "127.0.0.0/8"
        "[::1]/128"
      ];
      # Parse the extension in email address, eg. contact+extension@
      recipientDelimiter = "+";
      config = {
        # Verbose logging for the peers listed below (currently none).
        debug_peer_level = "4";
        debug_peer_list = [
          #"chomsky.autogeree.net"
          #"localhost"
        ];

        #
        # Sending to the world
        #
        # Appending .domain is the MUA's job
        append_dot_mydomain = false;
        smtp_body_checks = "";
        #smtp_cname_overrides_servername = false;
        smtp_connect_timeout = "60s";
        #smtp_header_checks = "regexp:/var/lib/postfix/smtp_header_checks";
        smtp_mime_header_checks = "";
        smtp_nested_header_checks = "";
        # Same exclusion list as smtpd_tls_exclude_ciphers below.
        smtp_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ];
        #smtp_tls_fingerprint_digest = "sha1";
        smtp_tls_loglevel = "1";
        #smtp_tls_note_starttls_offer = true;
        #smtp_tls_policy_maps = "hash:/var/lib/postfix/conf/tls_policy";
        # Only allow TLSv* protocols
        # (this excludes only SSLv2/SSLv3, so TLSv1.0 and TLSv1.1 stay allowed
        # for outbound opportunistic TLS).
        smtp_tls_protocols = [ "!SSLv2" "!SSLv3" ];
        #smtp_tls_scert_verifydepth = "5";
        #smtp_tls_secure_cert_match = [ "nexthop" "dot-nexthop" ];
        # Opportunistic TLS to remote MXes: encrypt when offered, cleartext
        # otherwise; no certificate verification is done at this level.
        smtp_tls_security_level = "may";
        smtp_tls_session_cache_database = "btree:$data_directory/smtp_tls_session_cache";
        #smtp_tls_session_cache_timeout = "3600s";
        #smtp_tls_verify_cert_match = "hostname";

        #
        # Receiving from the world
        #
        # ~20 MB per message.
        message_size_limit = "20480000";
        # Undeliverable mail is bounced back after 5 days in the queue.
        maximal_queue_lifetime = "5d";
        default_extra_recipient_limit = "5000";
        line_length_limit = "2048";
        duplicate_filter_limit = "5000";
        # Stops mail from poorly written software
        strict_rfc821_envelopes = true;
        # No content inspection at the MX: empty header/body checks,
        # no content_filter (the commented amavis examples in extraMasterConf
        # show what such a setup would look like).
        mime_header_checks = [];
        milter_header_checks = [];
        nested_header_checks = [];
        body_checks = [];
        content_filter = "";
        permit_mx_backup_networks = [];
        propagate_unmatched_extensions = [ "canonical" "virtual" "alias" ];
        #masquerade_classes = [ "envelope_sender" "header_sender" "header_recipient" ];
        #masquerade_domains = "";
        #masquerade_exceptions = "root";
        queue_minfree = "0";
        # Stops some techniques used to harvest email addresses
        disable_vrfy_command = true;
        enable_long_queue_ids = false;
        # Useful to test restrictions
        # (XCLIENT lets the listed hosts override the client name/address that
        # the restrictions below see; any process on the loopback can use it,
        # so this relies on nothing untrusted running locally).
        smtpd_authorized_xclient_hosts = "127.0.0.1";
        smtpd_banner = "$myhostname ESMTP $mail_name (NixOS)";
        # Per-client rate limits are all disabled ("0"); only the concurrent
        # connection count is capped.
        smtpd_client_connection_count_limit = "50";
        smtpd_client_connection_rate_limit = "0";
        smtpd_client_event_limit_exceptions = "$mynetworks";
        smtpd_client_message_rate_limit = "0";
        smtpd_client_new_tls_session_rate_limit = "0";
        smtpd_client_port_logging = false;
        smtpd_client_recipient_rate_limit = "0";
        # Delay (seconds) the reply after a client error, to slow down
        # misbehaving clients; this is a pause, not a ban.
        smtpd_error_sleep_time = "5";
        # Needed to enforce reject_unknown_helo_hostname
        smtpd_helo_required = true;
        # NOTE(review): these restrictions also apply to the submissions
        # listener below, which does not override them; MUAs whose EHLO name
        # is not a resolvable FQDN would be rejected there — confirm this is
        # intended, or add permit_sasl_authenticated in the submissions args.
        smtpd_helo_restrictions = [
          "reject_invalid_helo_hostname"
          "reject_non_fqdn_helo_hostname"
          # Don't talk to mail systems that don't know their own hostname.
          "reject_unknown_helo_hostname"
          "permit"
        ];
        smtpd_client_restrictions = [
        ];
        # Set in postfix/*.nix and used in submissions/smtpd
        # with reject_sender_login_mismatch
        smtpd_sender_login_maps = [];
        smtpd_sender_restrictions = [
          "reject_non_fqdn_sender"
          "permit"
        ];
        smtpd_reject_unlisted_recipient = true;
        # Check the RCPT TO, before smtpd_recipient_restrictions
        # Restrictions based on what is allowed or not,
        # these are applied before smtpd_recipient_restrictions
        smtpd_relay_restrictions = [
          "permit_mynetworks"
          # Check the recipient's address in virtual_mailbox_domains and virtual_mailbox_maps
          "permit_auth_destination"
          # The world is only authorized to use our relay for the above destinations.
          "reject"
        ];
        # Restrictions based on what is working or not
        smtpd_recipient_restrictions = [
          # Reject if the domain is not fully qualified
          "reject_non_fqdn_recipient"
          # Reject if the domain is not working, even before bothering to check the address
          "reject_unknown_recipient_domain"
          # Reject if the address is not working
          # (probes go through the virtual_transport, ie. Dovecot's LMTP socket).
          # WARNING: verify(8) has a cache, dumpable if verify(8) is stopped, with:
          # postmap -s btree:/var/lib/postfix/data/verify_cache
          "reject_unverified_recipient"
          "permit"
        ];
        # Trust the verify database: a negative probe result is a permanent
        # (5xx) rejection instead of the default temporary one.
        unverified_recipient_reject_code = "550";
        smtpd_data_restrictions = [
          # Force the smtpd's client to wait OK before sending
          "reject_unauth_pipelining"
          "permit"
        ];
        smtpd_end_of_data_restrictions = [
          # Enforce mail volume quota via policy service callouts.
          #check_policy_service unix:private/policy
        ];
        #smtpd_milters = "";
        smtpd_peername_lookup = true;
        smtpd_recipient_limit = "5000";
        smtpd_recipient_overshoot_limit = "5000";
        #smtpd_restriction_classes = "";
        # SASL is not offered on the MX port; it is enabled only on the
        # submissions service in masterConfig below.
        #smtpd_sasl_auth_enable = true;
        #smtpd_sasl_path = "private/auth";
        #smtpd_sasl_security_options = "noanonymous";
        #smtpd_sasl_type = "dovecot";
        smtpd_starttls_timeout = "300s";
        #smtpd_tls_always_issue_session_ids = true;
        #smtpd_tls_CApath = "/etc/postfix/x509/ca/";
        # No client certificates are requested or required on the MX port.
        smtpd_tls_ask_ccert = false;
        #smtpd_tls_ccert_verifydepth = "5";
        # NOTE(review): with smtpd_tls_security_level = may the fallback is
        # cleartext, so a "high" grade here mostly pushes weak peers to
        # plaintext rather than to better crypto — confirm this is intended.
        smtpd_tls_ciphers = "high";
        smtpd_tls_eecdh_grade = "ultra";
        # Disable weak ciphers as reported by https://ssl-tools.net
        # https://serverfault.com/questions/744168/how-to-disable-rc4-on-postfix
        smtpd_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ];
        smtpd_tls_fingerprint_digest = "sha512";
        # Log only a summary message on TLS handshake completion
        smtpd_tls_loglevel = "1";
        smtpd_tls_mandatory_ciphers = "high";
        # Overridden to TLSv1.2/1.3 on the submissions listener below.
        smtpd_tls_mandatory_protocols = [ "!SSLv2" "!SSLv3" ];
        # Only allow TLSv*
        # (TLSv1.0 and TLSv1.1 remain accepted on the MX port).
        smtpd_tls_protocols = [ "!SSLv2" "!SSLv3" ];
        #smtpd_tls_received_header = false;
        smtpd_tls_req_ccert = false;
        # Opportunistic ("may") rather than mandatory ("encrypt", Postfix 2.3
        # and later) TLS on the MX port: announce STARTTLS but accept cleartext.
        # RFC 2487 (now RFC 3207) says mandatory TLS MUST NOT be applied to a
        # publicly-referenced SMTP server, since that would refuse mail from
        # senders without TLS; "encrypt" belongs on dedicated (submission)
        # listeners such as the one in masterConfig below.
        smtpd_tls_security_level = "may";
        smtpd_tls_session_cache_database = "btree:$data_directory/smtpd_tls_session_cache";
        #smtpd_tls_session_cache_timeout = "3600s";

        # Deliver directly to the destination MX, no smarthost.
        relayhost = [];
        #relay_clientcerts = hash:/var/lib/postfix/conf/relay_clientcerts
        # This is where to put backup MX domains
        relay_domains = [];
        relay_recipient_maps = [];

        # postconf(5) discourages to change this
        #tls_high_cipherlist = "AES256-SHA";
        #tls_random_bytes = "32";
        # Must not be in a chroot
        #tls_random_exchange_name = "$data_directory/prng_exch";
        #tls_random_prng_update_period = "3600s";
        #tls_random_reseed_period = "3600s";
        # Use a non blocking source of randomness
        tls_random_source = "dev:/dev/urandom";

        # Only explicitly aliased accounts have a mail, not all the passwd
        local_recipient_maps = "$alias_maps";
        # Note that the local transport rewrites the envelope recipient
        # according to the alias_maps, and thus the aliasing is transparent
        # to the nexthop (eg. dovecot)
        #local_transport = local:$myhostname
        # No console bell on new mail
        biff = false;
        # Empty: user ~/.forward files are not consulted (the commented
        # entries are presumably the Postfix defaults, kept for reference).
        forward_path = [
          /*
          "$home/.forward''${recipient_delimiter}''${extension}"
          "$home/.forward"
          */
        ];

        # Filled by the postfix/*.nix
        virtual_mailbox_domains = [];
        # Completed by the postfix/*.nix
        virtual_mailbox_maps = [
          "hash:/etc/postfix/virtual"
        ];
        # Mail for virtual domains is handed to Dovecot over its LMTP socket.
        virtual_transport = "lmtp:unix:private/dovecot-lmtp";

        # There is no fallback
        fallback_transport = "";
      };
      virtualMapType = "hash";
      # Additional master.cf services. The helpers turn an attribute set of
      # Postfix parameters into the "-o key=value" argument list master.cf
      # expects for a service.
      masterConfig =
        let
          # Render one parameter value: lists become comma-separated,
          # booleans become yes/no, anything else goes through toString
          # (so the integer values used below are rendered as decimal).
          mkVal = value:
            if lib.isList value
            then concatStringsSep "," value
            else
              if value == true then "yes"
              else if value == false then "no"
              else toString value;
          # One "-o opt=value" pair, as two argv elements.
          mkKeyVal = opt: val: [ "-o" (opt + "=" + mkVal val) ];
          # Flatten all pairs of an attribute set into a single argv list.
          mkArgs = args: lib.concatLists (lib.mapAttrsToList mkKeyVal args);
        in {
          # Implicit TLS on port 465
          # https://tools.ietf.org/html/rfc8314#section-3.3
          # Authenticated MUA submission; every parameter here overrides
          # the main.cf value for this listener only.
          submissions = {
            type = "inet";
            private = false;
            command = "smtpd";
            args = mkArgs {
              syslog_name = "postfix/submissions";
              # Implicit TLS, not STARTTLS
              # (presumably makes TLS mandatory on this port even though
              # main.cf's smtpd_tls_security_level "may" is not overridden
              # here — confirm against smtpd(8)).
              smtpd_tls_wrappermode = true;
              smtpd_tls_mandatory_protocols = [
                "TLSv1.3"
                # K-9 Mail 5.600 still requires this..
                "TLSv1.2"
              ];
              milter_macro_daemon_name = "ORIGINATING";
              smtpd_relay_restrictions = [
                # SASL authorizes to send to the world
                "permit_sasl_authenticated"
                "reject"
              ];
              smtpd_sasl_auth_enable = true;
              smtpd_sasl_type = "dovecot";
              smtpd_sasl_path = "private/auth";
              smtpd_sasl_local_domain = "";
              # Offer SASL authentication only after a TLS-encrypted session has been established
              smtpd_tls_auth_only = true;
              smtpd_sasl_tls_security_options = [ "noanonymous" ];
              # Do not put SASL logins in mail headers
              smtpd_sasl_authenticated_header = false;
              # Who cares about (old) Outlook
              broken_sasl_auth_clients = false;
              smtpd_sender_restrictions = [
                "reject_non_fqdn_sender"
                # Check that the SASL user is using only its own
                # mail addresses on the envelope, as indicated in smtpd_sender_login_maps
                "reject_sender_login_mismatch"
                "permit"
              ];
              # No X.509 certificates for users, for now
              smtpd_tls_ask_ccert = false;
              smtpd_tls_ccert_verifydepth = 0;
              smtpd_tls_loglevel = 1;
              smtpd_tls_req_ccert = false;
              # Route submitted mail through the header-stripping cleanup below.
              cleanup_service_name = "submissions-header-cleanup";
            };
          };
          # cleanup(8) instance used only by the submissions listener: applies
          # the pcre header_checks below, which drop headers that would reveal
          # the submitting client (its IP via Received:, its mail software).
          submissions-header-cleanup = {
            type = "unix";
            private = false;
            maxproc = 0;
            command = "cleanup";
            args = mkArgs {
              header_checks = "pcre:" + pkgs.writeText "submission_header_cleanup_rules" ''
                # Removes sensitive headers from mails handed in via the submission or smtps port.
                # See https://thomas-leister.de/mailserver-debian-stretch/
                # Uses "pcre" style regex.

                /^Received:/ IGNORE
                /^User-Agent:/ IGNORE
                /^X-Enigmail:/ IGNORE
                /^X-Mailer:/ IGNORE
                /^X-Originating-IP:/ IGNORE
              '';
            };
          };
        };
      # Verbatim master.cf text. Every line below is commented out
      # (SPF policy daemon, amavis content filter, uucp, sympa examples):
      # none of these services is active.
      extraMasterConf = ''
        #spfcheck unix - n n - 0 spawn
        # user=policyd-spf argv=/usr/sbin/postfix-policyd-spf-perl
        # -o smtpd_sender_restrictions=reject_sender_login_mismatch
        # -o smtpd_sender_login_maps=hash:/etc/postfix/vaccounts
        # -o cleanup_service_name=submissions-header-cleanup
        #spfcheck unix - n n - 0 spawn
        # user=policyd-spf argv=/usr/bin/postfix-policyd-spf-perl
        #uucp unix - n n - - pipe
        # flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
        #smtp inet n - - - - smtpd
        # -o cleanup_service_name=pre-cleanup
        # -o content_filter=amavis:[127.0.0.1]:10024
        # -o smtpd_sender_restrictions=reject_unauth_pipelining,reject_non_fqdn_sender,permit
        # -o receive_override_options=no_address_mappings
        #amavis unix - - n - 2 lmtp
        # -o lmtp_data_done_timeout=1200
        # -o lmtp_send_xforward_command=yes
        # -o lmtp_tls_note_starttls_offer=no
        #127.0.0.1:10025 inet n - n - - smtpd
        # -o content_filter=
        # -o local_header_rewrite_clients=
        # -o local_recipient_maps=
        # -o mynetworks=127.0.0.0/8
        # -o receive_override_options=no_header_body_checks,no_milters,no_unknown_recipient_checks
        # -o relay_recipient_maps=
        # -o smtpd_client_connection_count_limit=0
        # -o smtpd_client_connection_rate_limit=0
        # -o smtpd_client_restrictions=permit_mynetworks,reject
        # -o smtpd_data_restrictions=reject_unauth_pipelining
        # -o smtpd_delay_reject=no
        # -o smtpd_end_of_data_restrictions=
        # -o smtpd_error_sleep_time=0
        # -o smtpd_hard_error_limit=1000
        # -o smtpd_helo_restrictions=
        # -o smtpd_milters=
        # -o smtpd_recipient_restrictions=permit_mynetworks,reject
        # -o smtpd_restriction_classes=
        # -o smtpd_sender_restrictions=
        # -o smtpd_soft_error_limit=1001
        # -o strict_rfc821_envelopes=yes
        #submission inet n - - - - smtpd
        # -o cleanup_service_name=pre-cleanup
        # -o content_filter=amavis:[127.0.0.1]:10024
        # -o milter_macro_daemon_name=ORIGINATING
        # -o receive_override_options=no_address_mappings
        # -o smtpd_sender_restrictions=permit_tls_clientcerts,reject
        # -o smtpd_tls_ask_ccert=yes
        # -o smtpd_tls_auth_only=yes
        # -o smtpd_tls_ccert_verifydepth=2
        # -o smtpd_tls_loglevel=1
        # -o smtpd_tls_req_ccert=yes
        # -o smtpd_tls_security_level=encrypt
        #smtps inet n - - - - smtpd
        # -o milter_macro_daemon_name=ORIGINATING
        # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        # -o smtpd_sasl_auth_enable=yes
        # -o smtpd_tls_ask_ccert=yes
        # -o smtpd_tls_auth_only=yes
        # -o smtpd_tls_ccert_verifydepth=0
        # -o smtpd_tls_loglevel=1
        # -o smtpd_tls_req_ccert=no
        # -o smtpd_tls_security_level=encrypt
        # -o smtpd_tls_wrappermode=yes
        #pickup fifo n - - 60 1 pickup
        # -o cleanup_service_name=pre-cleanup
        # -o content_filter=amavis:[127.0.0.1]:10024
        #pre-cleanup unix n - - - 0 cleanup
        # -o virtual_alias_maps=
        #cleanup unix n - - - 0 cleanup
        # -o mime_header_checks=
        # -o nested_header_checks=
        # -o body_checks=
        # -o header_checks=
        #-- SYMPA begin
        #sympa unix - n n - - pipe
        # flags=R user=sympa argv=/usr/lib/sympa/bin/queue ''${recipient}
        #sympabounce unix - n n - - pipe
        # flags=R user=sympa argv=/usr/lib/sympa/bin/bouncequeue ''${recipient}
        #-- SYMPA end
      '';
      #noclue unix - n n - - pipe
      # flags=q user=noclue argv=/usr/local/bin/noclue-delivery ${recipient} ${sender}
    };
  };
}