postfix: fix smtpd_tls_sni_maps
# Postfix on the "mermet" host: a publicly reachable MX using opportunistic
# TLS, plus a SASL-authenticated submission service on port 465 (implicit TLS).
# Per-domain pieces -- virtual domains/mailboxes, sender login maps and the
# entries of the SNI certificate map -- are contributed by the modules under
# postfix/ (see the imports below).
{ pkgs, lib, config, ... }:
let
  # NOTE(review): attrNames, readFile, toPath, pass, unlines, unlinesAttrs,
  # users, dovecot2 and openldap are bound here but not used in this file.
  inherit (builtins) attrNames concatStringsSep readFile toPath;
  # `pass` is a nix-plugins extra builtin (presumably a password-store lookup).
  inherit (builtins.extraBuiltins) pass;
  inherit (lib) types;
  # loadFile/unwords/... presumably come from this repository's own lib
  # overlay rather than from nixpkgs' lib -- confirm in the overlay.
  inherit (pkgs.lib) loadFile unlines unwords unlinesAttrs;
  inherit (config) networking users;
  inherit (config.services) postfix dovecot2 openldap;
in
{
  imports = [
    postfix/sourcephile.fr.nix
    postfix/autogeree.net.nix
  ];
  options = {
    services.postfix = {
      # Maps a domain name to the X.509 files presented to a client that sends
      # that name in the TLS SNI extension (in Postfix: private key first, then
      # the certificate chain).
      # `apply` renders the attrset into a postmap(1) source file, one
      # "<domain> <file> ..." line per domain, which the preStart below
      # installs into /run/keys and compiles.
      # NOTE(review): the rendered file is written to the Nix store, which is
      # world-readable. That is fine for domain names and file *paths*, but the
      # listed paths must not be Nix path literals pointing at private keys,
      # as those would be copied into the store as well -- they should be
      # strings such as "/run/keys/..." like sslKey below. Confirm in the
      # postfix/*.nix modules that populate this option.
      tls_server_sni_maps = lib.mkOption {
        type = types.attrsOf (types.listOf types.path);
        default = {};
        apply = m: pkgs.writeText "sni" (lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: x509: ''
          ${domain} ${unwords x509}
        '') m));
      };
    };
  };
  config = {
    systemd.services.postfix = {
      # Start after openldap, which the per-domain modules presumably query
      # for lookups -- see postfix/*.nix.
      after = ["openldap.service"];
      # Install the rendered SNI map as a root-only file outside the store,
      # then compile it. `postmap -F` reads every file named on the right-hand
      # side and stores its contents (certificates *and* private keys) in the
      # resulting .db, so postfix-sni.db is as sensitive as the keys
      # themselves.
      # NOTE(review): verify on the host that the generated postfix-sni.db is
      # also readable by root only.
      preStart = ''
        install -m 400 -o root -g root ${postfix.tls_server_sni_maps} /run/keys/postfix-sni
        ${pkgs.postfix}/bin/postmap -F hash:/run/keys/postfix-sni
      '';
    };
    services.postfix = {
      enable = true;
      networksStyle = "host";
      hostname = "${networking.hostName}.${networking.domain}";
      domain = networking.domain;
      origin = "$myhostname";
      destination = [
        "localhost"
        "localhost.localdomain"
        "$myhostname"
      ];
      postmasterAlias = "root";
      rootAlias = "root@${networking.domain}";
      # Self-signed default certificate; per-domain certificates come from the
      # SNI map. The private key is read from /run/keys at runtime and never
      # enters the Nix store.
      sslCert = loadFile (../../../sec/openssl + "/${networking.domain}/cert.self-signed.pem");
      sslKey = "/run/keys/${networking.domain}.key.pem";
      # Only the host itself counts as "mynetworks".
      networks = [
        "127.0.0.0/8"
        "[::1]/128"
      ];
      setSendmail = true;
      # Parse the extension in email address, e.g. contact+extension@
      recipientDelimiter = "+";
      config = {
        # Verbose logging for the peers listed in debug_peer_list (none active).
        debug_peer_level = "4";
        debug_peer_list = [
          #"chomsky.autogeree.net"
          #"localhost"
          #"mail.sourcephile.fr"
        ];

        #
        # Sending to the world
        #
        # Appending .domain is the MUA's job
        append_dot_mydomain = false;
        # No content inspection on outbound mail
        smtp_body_checks = "";
        #smtp_cname_overrides_servername = false;
        smtp_connect_timeout = "60s";
        #smtp_header_checks = "regexp:/var/lib/postfix/smtp_header_checks";
        smtp_mime_header_checks = "";
        smtp_nested_header_checks = "";
        # Exclude anonymous (ADH, aNULL), null-encryption (eNULL) and weak or
        # legacy ciphers from outbound TLS
        smtp_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ];
        #smtp_tls_fingerprint_digest = "sha1";
        # Log a one-line summary per TLS handshake
        smtp_tls_loglevel = "1";
        #smtp_tls_note_starttls_offer = true;
        #smtp_tls_policy_maps = "hash:/var/lib/postfix/conf/tls_policy";
        # Only allow TLSv* protocols (note: TLSv1.0 and TLSv1.1 remain enabled)
        smtp_tls_protocols = [ "!SSLv2" "!SSLv3" ];
        #smtp_tls_scert_verifydepth = "5";
        #smtp_tls_secure_cert_match = [ "nexthop" "dot-nexthop" ];
        # Opportunistic TLS to remote MXs: STARTTLS when offered, cleartext
        # otherwise; the remote certificate is not verified at this level
        smtp_tls_security_level = "may";
        smtp_tls_session_cache_database = "btree:$data_directory/smtp_tls_session_cache";
        #smtp_tls_session_cache_timeout = "3600s";
        #smtp_tls_verify_cert_match = "hostname";

        #
        # Receiving from the world
        #
        # About 20 MB per message
        message_size_limit = "20480000";
        # Bounce mail that could not be delivered within 5 days
        maximal_queue_lifetime = "5d";
        default_extra_recipient_limit = "5000";
        line_length_limit = "2048";
        duplicate_filter_limit = "5000";
        # Stops mail from poorly written software
        strict_rfc821_envelopes = true;
        # No header/body inspection and no content filter on inbound mail
        mime_header_checks = [];
        milter_header_checks = [];
        nested_header_checks = [];
        body_checks = [];
        content_filter = "";
        permit_mx_backup_networks = [];
        propagate_unmatched_extensions = [ "canonical" "virtual" "alias" ];
        #masquerade_classes = [ "envelope_sender" "header_sender" "header_recipient" ];
        #masquerade_domains = "";
        #masquerade_exceptions = "root";
        # No free-space reservation on the queue filesystem before accepting mail
        queue_minfree = "0";
        # Stops some techniques used to harvest email addresses
        disable_vrfy_command = true;
        enable_long_queue_ids = false;
        # Useful to test restrictions. XCLIENT lets the listed hosts override
        # the client's address, HELO name and login, so keep this to localhost.
        smtpd_authorized_xclient_hosts = "127.0.0.1";
        smtpd_banner = "$myhostname ESMTP $mail_name (NixOS)";
        # At most 50 simultaneous connections per client; "0" disables the
        # other per-client rate limits, and $mynetworks is exempt from all
        smtpd_client_connection_count_limit = "50";
        smtpd_client_connection_rate_limit = "0";
        smtpd_client_event_limit_exceptions = "$mynetworks";
        smtpd_client_message_rate_limit = "0";
        smtpd_client_new_tls_session_rate_limit = "0";
        smtpd_client_port_logging = false;
        smtpd_client_recipient_rate_limit = "0";
        # Delay responses by 5 seconds to a client that keeps producing errors
        # (slows down dictionary attacks and misbehaving bots)
        smtpd_error_sleep_time = "5";
        # Needed to enforce reject_unknown_helo_hostname
        smtpd_helo_required = true;
        smtpd_helo_restrictions = [
          "reject_invalid_helo_hostname"
          "reject_non_fqdn_helo_hostname"
          # Don't talk to mail systems that don't know their own hostname.
          "reject_unknown_helo_hostname"
          "permit"
        ];
        # No client-level restrictions on the MX: decisions are made at the
        # HELO, sender, relay and recipient stages instead
        smtpd_client_restrictions = [
        ];
        # Set in postfix/*.nix and used in the submissions smtpd
        # with reject_sender_login_mismatch
        smtpd_sender_login_maps = [];
        smtpd_sender_restrictions = [
          "reject_non_fqdn_sender"
          "permit"
        ];
        # Reject unknown recipients at RCPT TO, before smtpd_recipient_restrictions
        smtpd_reject_unlisted_recipient = true;
        # Restrictions based on what is allowed or not,
        # these are applied before smtpd_recipient_restrictions
        smtpd_relay_restrictions = [
          "permit_mynetworks"
          # Check the recipient's address in virtual_mailbox_domains and virtual_mailbox_maps
          "permit_auth_destination"
          # The world is only authorized to use our relay for the above destinations.
          "reject"
        ];
        # Restrictions based on what is working or not
        smtpd_recipient_restrictions = [
          # Reject if the domain is not fully qualified
          "reject_non_fqdn_recipient"
          # Reject if the domain is not working, even before bothering to check the address
          "reject_unknown_recipient_domain"
          # Reject if the address is not working
          # WARNING: verify(8) keeps a cache; it can be dumped while verify(8)
          # is stopped, with:
          # postmap -s btree:/var/lib/postfix/data/verify_cache
          "reject_unverified_recipient"
          "permit"
        ];
        # Trust the verify database: reject unverified recipients permanently
        # (550) instead of Postfix's default temporary failure
        unverified_recipient_reject_code = "550";
        smtpd_data_restrictions = [
          # Reject clients that pipeline commands before the server allows it
          # (they must wait for the OK before sending)
          "reject_unauth_pipelining"
          "permit"
        ];
        smtpd_end_of_data_restrictions = [
          # Enforce mail volume quota via policy service callouts.
          #check_policy_service unix:private/policy
        ];
        #smtpd_milters = "";
        # Resolve the client's reverse DNS name (used by the HELO checks above)
        smtpd_peername_lookup = true;
        smtpd_recipient_limit = "5000";
        smtpd_recipient_overshoot_limit = "5000";
        #smtpd_restriction_classes = "";
        # SASL is only enabled on the submissions service (see masterConfig)
        #smtpd_sasl_auth_enable = true;
        #smtpd_sasl_path = "private/auth";
        #smtpd_sasl_security_options = "noanonymous";
        #smtpd_sasl_type = "dovecot";
        smtpd_starttls_timeout = "300s";
        #smtpd_tls_always_issue_session_ids = true;
        #smtpd_tls_CApath = "/etc/postfix/x509/ca/";
        # Do not request client certificates on the MX
        smtpd_tls_ask_ccert = false;
        #smtpd_tls_ccert_verifydepth = "5";
        # NOTE(review): with smtpd_tls_security_level = may, Postfix advises
        # leaving ciphers and protocols permissive, since a peer that cannot
        # negotiate falls back to cleartext, which is worse than a weaker
        # cipher. Confirm that trade-off is intended here.
        smtpd_tls_ciphers = "high";
        # Let OpenSSL choose the ECDHE curve
        smtpd_tls_eecdh_grade = "auto";
        # Disable weak ciphers as reported by https://ssl-tools.net
        # https://serverfault.com/questions/744168/how-to-disable-rc4-on-postfix
        smtpd_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ];
        # Digest for client-certificate fingerprints (no fingerprint-based
        # access checks are configured in this file)
        smtpd_tls_fingerprint_digest = "sha512";
        # Log only a summary message on TLS handshake completion
        smtpd_tls_loglevel = "1";
        # Used where TLS is mandatory, i.e. the submissions service below
        # (which overrides the protocol list with TLSv1.2/1.3 only)
        smtpd_tls_mandatory_ciphers = "high";
        smtpd_tls_mandatory_protocols = [ "!SSLv2" "!SSLv3" ];
        # Only allow TLSv* (note: TLSv1.0 and TLSv1.1 remain enabled)
        smtpd_tls_protocols = [ "!SSLv2" "!SSLv3" ];
        #smtpd_tls_received_header = false;
        smtpd_tls_req_ccert = false;
        # Opportunistic TLS (Postfix 2.3 and later): announce STARTTLS but
        # still accept cleartext sessions.
        # "encrypt" (mandatory TLS) MUST NOT be used on a publicly-referenced
        # SMTP server according to RFC 2487; it is only appropriate on
        # dedicated servers, hence it is used only on the submissions service
        # below.
        smtpd_tls_security_level = "may";
        smtpd_tls_session_cache_database = "btree:$data_directory/smtpd_tls_session_cache";
        #smtpd_tls_session_cache_timeout = "3600s";
        #smtpd_tls_chain_files =

        # No upstream smarthost: deliver straight to the remote MXs
        relayhost = [];
        #relay_clientcerts = hash:/var/lib/postfix/conf/relay_clientcerts
        # This is where to put backup MX domains
        relay_domains = [];
        relay_recipient_maps = [];

        # Use a non blocking source of randomness
        tls_random_source = "dev:/dev/urandom";
        # Map each domain to a specific X.509 certificate; this table is
        # compiled by the systemd preStart above from the
        # services.postfix.tls_server_sni_maps option
        tls_server_sni_maps = "hash:/run/keys/postfix-sni";

        # Only explicitly aliased accounts have a mail, not all the passwd
        local_recipient_maps = "$alias_maps";
        # Note that the local transport rewrites the envelope recipient
        # according to the alias_maps, and thus the aliasing is transparent
        # to the nexthop (eg. dovecot)
        #local_transport = local:$myhostname
        # No console bell on new mail
        biff = false;
        # Empty: users' ~/.forward files are not consulted
        forward_path = [
          /*
          "$home/.forward''${recipient_delimiter}''${extension}"
          "$home/.forward"
          */
        ];

        # Filled by the postfix/*.nix
        virtual_mailbox_domains = [];
        # Completed by the postfix/*.nix
        virtual_mailbox_maps = [
          "hash:/etc/postfix/virtual"
        ];
        # Hand virtual mailboxes to Dovecot over its LMTP socket
        virtual_transport = "lmtp:unix:private/dovecot-lmtp";

        # There is no fallback
        fallback_transport = "";
      };
      virtualMapType = "hash";
      masterConfig =
        let
          # Render a Nix value as a master.cf "-o key=value" value: lists become
          # comma-separated, booleans become yes/no, anything else is toString'd.
          mkVal = value:
            if lib.isList value
            then concatStringsSep "," value
            else
              if value == true then "yes"
              else if value == false then "no"
              else toString value;
          mkKeyVal = opt: val: [ "-o" (opt + "=" + mkVal val) ];
          # Turn an attrset of overrides into the flat "-o k=v -o k=v ..." arg list.
          mkArgs = args: lib.concatLists (lib.mapAttrsToList mkKeyVal args);
        in {
          # Implicit TLS on port 465
          # https://tools.ietf.org/html/rfc8314#section-3.3
          submissions = {
            type = "inet";
            private = false;
            command = "smtpd";
            args = mkArgs {
              syslog_name = "postfix/submissions";
              # Implicit TLS, not STARTTLS: every session is encrypted from the
              # first byte, so the smtpd_tls_mandatory_* settings apply here
              smtpd_tls_wrappermode = true;
              smtpd_tls_mandatory_protocols = [
                "TLSv1.3"
                # K-9 Mail 5.600 still requires this.
                "TLSv1.2"
              ];
              milter_macro_daemon_name = "ORIGINATING";
              smtpd_relay_restrictions = [
                # SASL authorizes to send to the world
                "permit_sasl_authenticated"
                "reject"
              ];
              # Authenticate against Dovecot's SASL socket
              smtpd_sasl_auth_enable = true;
              smtpd_sasl_type = "dovecot";
              smtpd_sasl_path = "private/auth";
              # No realm appended to SASL user names
              smtpd_sasl_local_domain = "";
              # Offer SASL authentication only after a TLS-encrypted session has been established
              smtpd_tls_auth_only = true;
              # Refuse anonymous SASL mechanisms
              smtpd_sasl_tls_security_options = [ "noanonymous" ];
              # Do not put SASL logins in mail headers
              smtpd_sasl_authenticated_header = false;
              # Who cares about (old) Outlook
              broken_sasl_auth_clients = false;
              smtpd_sender_restrictions = [
                "reject_non_fqdn_sender"
                # Check that the SASL user is using only its own
                # mail addresses on the envelope, as indicated in smtpd_sender_login_maps
                "reject_sender_login_mismatch"
                "permit"
              ];
              # No X.509 certificates for users, for now
              smtpd_tls_ask_ccert = false;
              smtpd_tls_ccert_verifydepth = 0;
              smtpd_tls_loglevel = 1;
              smtpd_tls_req_ccert = false;
              # Route submitted mail through the header-stripping cleanup below
              cleanup_service_name = "submissions-header-cleanup";
            };
          };
          # Dedicated cleanup(8) instance for submitted mail that strips the
          # headers revealing the submitter's client software and IP address
          # (maxproc 0 means no process limit).
          submissions-header-cleanup = {
            type = "unix";
            private = false;
            maxproc = 0;
            command = "cleanup";
            args = mkArgs {
              header_checks = "pcre:" + pkgs.writeText "submission_header_cleanup_rules" ''
                # Removes sensitive headers from mails handed in via the submission or smtps port.
                # See https://thomas-leister.de/mailserver-debian-stretch/
                # Uses "pcre" style regex.

                /^Received:/ IGNORE
                /^X-Enigmail:/ IGNORE
                /^X-Mailer:/ IGNORE
                /^X-Originating-IP:/ IGNORE
                # Not removing User-Agent, it may be signed
                #/^User-Agent:/ IGNORE
              '';
            };
          };
        };
      # Historical master.cf entries (SPF policy daemon, amavis content filter,
      # uucp, sympa) kept for reference; every line is commented out, so none
      # of these services is active.
      extraMasterConf = ''
        #spfcheck unix - n n - 0 spawn
        # user=policyd-spf argv=/usr/sbin/postfix-policyd-spf-perl
        # -o smtpd_sender_restrictions=reject_sender_login_mismatch
        # -o smtpd_sender_login_maps=hash:/etc/postfix/vaccounts
        # -o cleanup_service_name=submissions-header-cleanup
        #spfcheck unix - n n - 0 spawn
        # user=policyd-spf argv=/usr/bin/postfix-policyd-spf-perl
        #uucp unix - n n - - pipe
        # flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
        #smtp inet n - - - - smtpd
        # -o cleanup_service_name=pre-cleanup
        # -o content_filter=amavis:[127.0.0.1]:10024
        # -o smtpd_sender_restrictions=reject_unauth_pipelining,reject_non_fqdn_sender,permit
        # -o receive_override_options=no_address_mappings
        #amavis unix - - n - 2 lmtp
        # -o lmtp_data_done_timeout=1200
        # -o lmtp_send_xforward_command=yes
        # -o lmtp_tls_note_starttls_offer=no
        #127.0.0.1:10025 inet n - n - - smtpd
        # -o content_filter=
        # -o local_header_rewrite_clients=
        # -o local_recipient_maps=
        # -o mynetworks=127.0.0.0/8
        # -o receive_override_options=no_header_body_checks,no_milters,no_unknown_recipient_checks
        # -o relay_recipient_maps=
        # -o smtpd_client_connection_count_limit=0
        # -o smtpd_client_connection_rate_limit=0
        # -o smtpd_client_restrictions=permit_mynetworks,reject
        # -o smtpd_data_restrictions=reject_unauth_pipelining
        # -o smtpd_delay_reject=no
        # -o smtpd_end_of_data_restrictions=
        # -o smtpd_error_sleep_time=0
        # -o smtpd_hard_error_limit=1000
        # -o smtpd_helo_restrictions=
        # -o smtpd_milters=
        # -o smtpd_recipient_restrictions=permit_mynetworks,reject
        # -o smtpd_restriction_classes=
        # -o smtpd_sender_restrictions=
        # -o smtpd_soft_error_limit=1001
        # -o strict_rfc821_envelopes=yes
        #submission inet n - - - - smtpd
        # -o cleanup_service_name=pre-cleanup
        # -o content_filter=amavis:[127.0.0.1]:10024
        # -o milter_macro_daemon_name=ORIGINATING
        # -o receive_override_options=no_address_mappings
        # -o smtpd_sender_restrictions=permit_tls_clientcerts,reject
        # -o smtpd_tls_ask_ccert=yes
        # -o smtpd_tls_auth_only=yes
        # -o smtpd_tls_ccert_verifydepth=2
        # -o smtpd_tls_loglevel=1
        # -o smtpd_tls_req_ccert=yes
        # -o smtpd_tls_security_level=encrypt
        #smtps inet n - - - - smtpd
        # -o milter_macro_daemon_name=ORIGINATING
        # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        # -o smtpd_sasl_auth_enable=yes
        # -o smtpd_tls_ask_ccert=yes
        # -o smtpd_tls_auth_only=yes
        # -o smtpd_tls_ccert_verifydepth=0
        # -o smtpd_tls_loglevel=1
        # -o smtpd_tls_req_ccert=no
        # -o smtpd_tls_security_level=encrypt
        # -o smtpd_tls_wrappermode=yes
        #pickup fifo n - - 60 1 pickup
        # -o cleanup_service_name=pre-cleanup
        # -o content_filter=amavis:[127.0.0.1]:10024
        #pre-cleanup unix n - - - 0 cleanup
        # -o virtual_alias_maps=
        #cleanup unix n - - - 0 cleanup
        # -o mime_header_checks=
        # -o nested_header_checks=
        # -o body_checks=
        # -o header_checks=
        #-- SYMPA begin
        #sympa unix - n n - - pipe
        # flags=R user=sympa argv=/usr/lib/sympa/bin/queue ''${recipient}
        #sympabounce unix - n n - - pipe
        # flags=R user=sympa argv=/usr/lib/sympa/bin/bouncequeue ''${recipient}
        #-- SYMPA end
      '';
      #noclue unix - n n - - pipe
      # flags=q user=noclue argv=/usr/local/bin/noclue-delivery ${recipient} ${sender}
    };
  };
}