mermet: creds: reencrypt
# Postfix configuration for the host "mermet": firewall openings, TLS settings
# for inbound (smtpd) and outbound (smtp) mail, anti-abuse restrictions on the
# public MX, and a dedicated implicit-TLS submission service for authenticated
# users. Per-domain settings live in the imported postfix/*.nix files.
{ lib, config, ... }:
let
  inherit (config) networking users;
  inherit (config.services) postfix;
in
{
  imports = [
    postfix/autogeree.net.nix
    postfix/sourcephile.fr.nix
  ];
  # Let the postfix user read the ACME-issued key and chain referenced by
  # sslKey/sslCert below (presumably via group read permission on /var/lib/acme).
  users.groups.acme.members = [ postfix.user ];
  # Inbound: accept SMTP (25) and implicit-TLS submission (465) from the network.
  # Outbound: only the postfix user (skuid match) may open SMTP connections, so
  # other local processes cannot talk to remote MTAs directly.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-net {
        tcp dport { smtp, submissions } counter accept comment "postfix: SMTP"
      }
      chain output-net {
        skuid ${postfix.user} tcp dport smtp counter accept comment "postfix: SMTP"
      }
    }
  '';
  services.postfix = {
    enable = true;
    # Trust only this host itself as $mynetworks; the explicit `networks`
    # list below pins that to the loopback addresses.
    networksStyle = "host";
    hostname = "${networking.hostName}.${networking.domain}";
    domain = networking.domain;
    origin = "$myhostname";
    destination = [
      "localhost"
      "localhost.localdomain"
      "$myhostname"
    ];
    postmasterAlias = "root";
    rootAlias = "root@${networking.domain}";
    # Key and full chain issued by ACME for the mail domain.
    sslKey = "/var/lib/acme/${networking.domain}/key.pem";
    sslCert = "/var/lib/acme/${networking.domain}/fullchain.pem";
    networks = [
      "127.0.0.0/8"
      "[::1]/128"
    ];
    setSendmail = true;
    # Parse the extension in email address, eg. contact+extension@
    recipientDelimiter = "+";
    #mapFiles.sender_access = postfix/sender_access.clear;
    #mapFiles.virtual_mailbox_maps = ;
    config = {
      debug_peer_level = "4";
      debug_peer_list = [
        #"chomsky.autogeree.net"
        #"localhost"
        #"mail.sourcephile.fr"
      ];

      #
      # Sending to the world
      #
      # Appending .domain is the MUA's job
      append_dot_mydomain = false;
      smtp_body_checks = "";
      #smtp_cname_overrides_servername = false;
      smtp_connect_timeout = "60s";
      #smtp_header_checks = "regexp:/var/lib/postfix/smtp_header_checks";
      smtp_mime_header_checks = "";
      smtp_nested_header_checks = "";
      # Same weak-cipher exclusions as smtpd_tls_exclude_ciphers below.
      smtp_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ];
      #smtp_tls_fingerprint_digest = "sha1";
      smtp_tls_loglevel = "1";
      #smtp_tls_note_starttls_offer = true;
      #smtp_tls_policy_maps = "hash:/var/lib/postfix/conf/tls_policy";
      # Only allow TLSv* protocols. This still permits TLSv1.0/1.1; with the
      # opportunistic "may" level below, excluding them could push some peers
      # back to cleartext, so tightening is a trade-off rather than a free win.
      smtp_tls_protocols = [ "!SSLv2" "!SSLv3" ];
      #smtp_tls_scert_verifydepth = "5";
      #smtp_tls_secure_cert_match = [ "nexthop" "dot-nexthop" ];
      # Opportunistic TLS towards remote MTAs: encrypt when offered, otherwise
      # deliver in cleartext; no certificate verification at this level.
      smtp_tls_security_level = "may";
      smtp_tls_session_cache_database = "btree:$data_directory/smtp_tls_session_cache";
      #smtp_tls_session_cache_timeout = "3600s";
      #smtp_tls_verify_cert_match = "hostname";

      #
      # Receiving from the world
      #
      message_size_limit = "20480000";
      maximal_queue_lifetime = "5d";
      default_extra_recipient_limit = "5000";
      line_length_limit = "2048";
      duplicate_filter_limit = "5000";
      # Stops mail from poorly written software
      strict_rfc821_envelopes = true;
      mime_header_checks = [ ];
      milter_header_checks = [ ];
      nested_header_checks = [ ];
      body_checks = [ ];
      content_filter = "";
      permit_mx_backup_networks = [ ];
      propagate_unmatched_extensions = [ "canonical" "virtual" "alias" ];
      #masquerade_classes = [ "envelope_sender" "header_sender" "header_recipient" ];
      #masquerade_domains = "";
      #masquerade_exceptions = "root";
      queue_minfree = "0";
      # Stops some techniques used to harvest email addresses
      disable_vrfy_command = true;
      enable_long_queue_ids = false;
      # Useful to test restrictions: a client connecting from 127.0.0.1 may use
      # XCLIENT to override the client attributes smtpd evaluates restrictions
      # against. Being in main.cf this applies to every smtpd instance, so any
      # local process gets that power; fine on a single-purpose host, but keep
      # it restricted to loopback.
      smtpd_authorized_xclient_hosts = "127.0.0.1";
      smtpd_banner = "$myhostname ESMTP $mail_name (NixOS)";
      smtpd_client_connection_count_limit = "50";
      smtpd_client_connection_rate_limit = "0";
      smtpd_client_event_limit_exceptions = "$mynetworks";
      smtpd_client_message_rate_limit = "0";
      smtpd_client_new_tls_session_rate_limit = "0";
      smtpd_client_port_logging = false;
      smtpd_client_recipient_rate_limit = "0";
      # A delay, not a ban: sleep 5s before answering once a client has exceeded
      # the soft error limit, which slows down address probing.
      smtpd_error_sleep_time = "5";
      # Needed to enforce reject_unknown_helo_hostname
      smtpd_helo_required = true;
      smtpd_helo_restrictions = [
        "reject_invalid_helo_hostname"
        "reject_non_fqdn_helo_hostname"
        # Don't talk to mail systems that don't know their own hostname.
        "reject_unknown_helo_hostname"
        "permit"
      ];
      smtpd_client_restrictions = [
      ];
      # Set in postfix/*.nix and used in submissions/smptd
      # with reject_sender_login_mismatch
      smtpd_sender_login_maps = [ ];
      smtpd_sender_restrictions = [
        "reject_non_fqdn_sender"
        #"check_sender_access hash:/etc/postfix/sender_access"
        "permit"
      ];
      # Reject unknown local/virtual recipients at RCPT TO instead of accepting
      # and bouncing later (avoids backscatter).
      smtpd_reject_unlisted_recipient = true;
      # Check the RCPT TO, before smtpd_recipient_restrictions
      # Restrictions based on what is allowed or not,
      # these are applied before smtpd_recipient_restrictions
      smtpd_relay_restrictions = [
        "permit_mynetworks"
        # Check the recipient's address in virtual_mailbox_domains and virtual_mailbox_maps
        "permit_auth_destination"
        # The world is only authorized to use our relay for the above destinations.
        "reject"
      ];
      # Restrictions based on what is working or not
      smtpd_recipient_restrictions = [
        # Reject if the domain is not fully qualified
        "reject_non_fqdn_recipient"
        # Reject if the domain is not working, even before bothering to check the address
        "reject_unknown_recipient_domain"
        # Reject if the address is not working
        # WARNING: this does not work if the recipient is greylisting.
        # WARNING: verify(8) has a cache, dumpable if verify(8) is stopped, with:
        # postmap -s btree:/var/lib/postfix/data/verify_cache
        #"reject_unverified_recipient"
        "permit"
      ];
      # Trust the verify database
      #unverified_recipient_reject_code = "550";
      smtpd_data_restrictions = [
        # Force the smtpd's client to wait OK before sending
        "reject_unauth_pipelining"
        "permit"
      ];
      smtpd_end_of_data_restrictions = [
        # Enforce mail volume quota via policy service callouts.
        #check_policy_service unix:private/policy
      ];
      #smtpd_milters = "";
      smtpd_peername_lookup = true;
      smtpd_recipient_limit = "5000";
      smtpd_recipient_overshoot_limit = "5000";
      #smtpd_restriction_classes = "";
      # SASL stays off on the public MX; it is enabled only on the dedicated
      # submissions service in masterConfig below.
      #smtpd_sasl_auth_enable = true;
      #smtpd_sasl_path = "private/auth";
      #smtpd_sasl_security_options = "noanonymous";
      #smtpd_sasl_type = "dovecot";
      smtpd_starttls_timeout = "300s";
      #smtpd_tls_always_issue_session_ids = true;
      #smtpd_tls_CApath = "/etc/postfix/x509/ca/";
      smtpd_tls_ask_ccert = false;
      #smtpd_tls_ccert_verifydepth = "5";
      smtpd_tls_ciphers = "high";
      smtpd_tls_eecdh_grade = "auto";
      # Disable weak ciphers as reported by https://ssl-tools.net
      # https://serverfault.com/questions/744168/how-to-disable-rc4-on-postfix
      smtpd_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ];
      # Only matters if client-certificate fingerprint checks are added later;
      # no ccert is requested in this file.
      smtpd_tls_fingerprint_digest = "sha512";
      # Log only a summary message on TLS handshake completion
      smtpd_tls_loglevel = "1";
      smtpd_tls_mandatory_ciphers = "high";
      smtpd_tls_mandatory_protocols = [ "!SSLv2" "!SSLv3" ];
      # Only allow TLSv* (TLSv1.0/1.1 still included, see smtp_tls_protocols above)
      smtpd_tls_protocols = [ "!SSLv2" "!SSLv3" ];
      #smtpd_tls_received_header = false;
      smtpd_tls_req_ccert = false;
      # Postfix 2.3 and later. The "encrypt" level would announce STARTTLS and
      # require TLS from every client, but RFC 2487 (now RFC 3207) says this
      # MUST NOT be applied to a publicly-referenced MX; hence opportunistic
      # "may" here, while TLS is enforced on the submissions service below.
      smtpd_tls_security_level = "may";
      smtpd_tls_session_cache_database = "btree:$data_directory/smtpd_tls_session_cache";
      #smtpd_tls_session_cache_timeout = "3600s";
      #smtpd_tls_chain_files =

      relayhost = [ ];
      #relay_clientcerts = hash:/var/lib/postfix/conf/relay_clientcerts
      # This is where to put backup MX domains
      relay_domains = [ ];
      relay_recipient_maps = [ ];

      # Use a non blocking source of randomness
      tls_random_source = "dev:/dev/urandom";
      # Map each domain to a specific X.509 certificate (SNI). The hash table
      # under /run/keys is produced elsewhere — not shown in this file.
      tls_server_sni_maps = "hash:/run/keys/postfix-sni";

      # Only explicitely aliased accounts have a mail, not all the passwd
      #local_recipient_maps = "$alias_maps";
      # Note that the local transport rewrites the envelope recipient
      # according to the alias_maps, and thus the aliasing is transparent
      # to the nexthop (eg. dovecot)
      #local_transport = local:$myhostname
      # No console bell on new mail
      biff = false;
      forward_path = [
        /*
        "$home/.forward''${recipient_delimiter}''${extension}"
        */
        "$home/.forward"
      ];

      # Filled by the postfix/*.nix
      virtual_mailbox_domains = [ ];
      # Completed by the postfix/*.nix
      virtual_mailbox_maps = [
        # Is it necessary because it's already in virtual_alias_maps
        "hash:/etc/postfix/virtual"
      ];
      # Hand virtual mailboxes to Dovecot over its LMTP socket.
      virtual_transport = "lmtp:unix:private/dovecot-lmtp";
      /*
      dovecot_destination_recipient_limit = "1";
      virtual_transport = "dovecot";
      */

      # There is no fallback
      fallback_transport = "";
    };
    virtualMapType = "hash";
    masterConfig =
      let
        # Render a Nix value as a master.cf option value: lists are joined with
        # commas, booleans become yes/no (toString would give "1"/""), and
        # anything else goes through toString.
        mkVal = value:
          if lib.isList value
          then lib.concatStringsSep "," value
          else
            if value == true then "yes"
            else if value == false then "no"
            else toString value;
        # One "-o key=value" pair for a service's args list.
        mkKeyVal = opt: val: [ "-o" (opt + "=" + mkVal val) ];
        # Flatten an attrset of overrides into the full "-o k=v -o k=v ..." list.
        mkArgs = args: lib.concatLists (lib.mapAttrsToList mkKeyVal args);
      in
      {
        pickup = {
          args = mkArgs {
            # The cleanup service itself is defined elsewhere (presumably in
            # postfix/*.nix) — not visible in this file.
            cleanup_service_name = "submissions-header-cleanup";
          };
        };
        # Implicit TLS on port 465
        # https://tools.ietf.org/html/rfc8314#section-3.3
        # Authenticated submission service. The per-service -o overrides below
        # replace the public-MX values from `config` for this listener only.
        submissions = {
          type = "inet";
          private = false;
          command = "smtpd";
          args = mkArgs {
            syslog_name = "postfix/submissions";
            # Implicit TLS, not STARTTLS. Wrapper mode means the connection is
            # TLS from the first byte; Postfix is understood to treat TLS as
            # enforced in that mode, which is why the *_mandatory_* settings
            # below apply without an explicit smtpd_tls_security_level=encrypt
            # — confirm against the Postfix version in use.
            smtpd_tls_wrappermode = true;
            smtpd_tls_mandatory_protocols = [
              "TLSv1.3"
              # FIXME: to be removed when K-9 Mail will support TLSv1.3,
              # K-9 Mail 5.600 does not.
              "TLSv1.2"
            ];
            milter_macro_daemon_name = "ORIGINATING";
            # Authenticated users skip the strict HELO checks inherited from the
            # public MX configuration; unauthenticated clients still get them.
            smtpd_helo_restrictions = [
              "permit_sasl_authenticated"
            ] ++ postfix.config.smtpd_helo_restrictions;
            smtpd_relay_restrictions = [
              # SASL authorizes to send to the world
              "permit_sasl_authenticated"
              "reject"
            ];
            smtpd_sasl_auth_enable = true;
            smtpd_sasl_type = "dovecot";
            smtpd_sasl_path = "private/auth";
            smtpd_sasl_local_domain = "";
            # Offer SASL authentication only after a TLS-encrypted session has been established
            smtpd_tls_auth_only = true;
            smtpd_sasl_tls_security_options = [ "noanonymous" ];
            # Do not put SASL logins in mail headers
            smtpd_sasl_authenticated_header = false;
            # Who cares about (old) Outlook
            broken_sasl_auth_clients = false;
            smtpd_sender_restrictions = [
              "reject_non_fqdn_sender"
              # Check that the SASL user is using only its own
              # mail addresses on the envelope, as indicated in smtpd_sender_login_maps
              "reject_sender_login_mismatch"
              "permit"
            ];
            # No X.509 certificates for users, for now
            smtpd_tls_ask_ccert = false;
            # Integer values are stringified by mkVal's toString branch.
            smtpd_tls_ccert_verifydepth = 0;
            smtpd_tls_loglevel = 1;
            smtpd_tls_req_ccert = false;
            cleanup_service_name = "submissions-header-cleanup";
          };
        };
      };
    # Reference master.cf entries kept for later (SPF policy daemon, amavis
    # content filter, sympa mailing lists, ...). Every line is a master.cf
    # comment, so nothing in this string is active.
    extraMasterConf = ''
      #spfcheck unix - n n - 0 spawn
      # user=policyd-spf argv=/usr/sbin/postfix-policyd-spf-perl
      # -o smtpd_sender_restrictions=reject_sender_login_mismatch
      # -o smtpd_sender_login_maps=hash:/etc/postfix/vaccounts
      # -o cleanup_service_name=submissions-header-cleanup
      #spfcheck unix - n n - 0 spawn
      # user=policyd-spf argv=/usr/bin/postfix-policyd-spf-perl
      #uucp unix - n n - - pipe
      # flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
      #smtp inet n - - - - smtpd
      # -o cleanup_service_name=pre-cleanup
      # -o content_filter=amavis:[127.0.0.1]:10024
      # -o smtpd_sender_restrictions=reject_unauth_pipelining,reject_non_fqdn_sender,permit
      # -o receive_override_options=no_address_mappings
      #amavis unix - - n - 2 lmtp
      # -o lmtp_data_done_timeout=1200
      # -o lmtp_send_xforward_command=yes
      # -o lmtp_tls_note_starttls_offer=no
      #127.0.0.1:10025 inet n - n - - smtpd
      # -o content_filter=
      # -o local_header_rewrite_clients=
      # -o local_recipient_maps=
      # -o mynetworks=127.0.0.0/8
      # -o receive_override_options=no_header_body_checks,no_milters,no_unknown_recipient_checks
      # -o relay_recipient_maps=
      # -o smtpd_client_connection_count_limit=0
      # -o smtpd_client_connection_rate_limit=0
      # -o smtpd_client_restrictions=permit_mynetworks,reject
      # -o smtpd_data_restrictions=reject_unauth_pipelining
      # -o smtpd_delay_reject=no
      # -o smtpd_end_of_data_restrictions=
      # -o smtpd_error_sleep_time=0
      # -o smtpd_hard_error_limit=1000
      # -o smtpd_helo_restrictions=
      # -o smtpd_milters=
      # -o smtpd_recipient_restrictions=permit_mynetworks,reject
      # -o smtpd_restriction_classes=
      # -o smtpd_sender_restrictions=
      # -o smtpd_soft_error_limit=1001
      # -o strict_rfc821_envelopes=yes
      #submission inet n - - - - smtpd
      # -o cleanup_service_name=pre-cleanup
      # -o content_filter=amavis:[127.0.0.1]:10024
      # -o milter_macro_daemon_name=ORIGINATING
      # -o receive_override_options=no_address_mappings
      # -o smtpd_sender_restrictions=permit_tls_clientcerts,reject
      # -o smtpd_tls_ask_ccert=yes
      # -o smtpd_tls_auth_only=yes
      # -o smtpd_tls_ccert_verifydepth=2
      # -o smtpd_tls_loglevel=1
      # -o smtpd_tls_req_ccert=yes
      # -o smtpd_tls_security_level=encrypt
      #smtps inet n - - - - smtpd
      # -o milter_macro_daemon_name=ORIGINATING
      # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      # -o smtpd_sasl_auth_enable=yes
      # -o smtpd_tls_ask_ccert=yes
      # -o smtpd_tls_auth_only=yes
      # -o smtpd_tls_ccert_verifydepth=0
      # -o smtpd_tls_loglevel=1
      # -o smtpd_tls_req_ccert=no
      # -o smtpd_tls_security_level=encrypt
      # -o smtpd_tls_wrappermode=yes
      #pickup fifo n - - 60 1 pickup
      # -o cleanup_service_name=pre-cleanup
      # -o content_filter=amavis:[127.0.0.1]:10024
      #pre-cleanup unix n - - - 0 cleanup
      # -o virtual_alias_maps=
      #cleanup unix n - - - 0 cleanup
      # -o mime_header_checks=
      # -o nested_header_checks=
      # -o body_checks=
      # -o header_checks=
      #-- SYMPA begin
      #sympa unix - n n - - pipe
      # flags=R user=sympa argv=/usr/lib/sympa/bin/queue ''${recipient}
      #sympabounce unix - n n - - pipe
      # flags=R user=sympa argv=/usr/lib/sympa/bin/bouncequeue ''${recipient}
      #-- SYMPA end
    '';
    #noclue unix - n n - - pipe
    # flags=q user=noclue argv=/usr/local/bin/noclue-delivery ${recipient} ${sender}
  };
}