{ pkgs, lib, config, ... }: let domain = "autogeree.net"; domainSuffix = "dc=autogeree,dc=net"; in { services.postfix = { extraAliases = '' ''; virtual = '' root@${domain} julm+root@${domain} ''; tls_server_sni_maps = let chain = [ "/var/lib/acme/${domain}/key.pem" "/var/lib/acme/${domain}/fullchain.pem" ]; in { "smtp.${domain}" = chain; "mail.${domain}" = chain; }; config = { virtual_mailbox_domains = [ domain ]; virtual_mailbox_maps = [ # Map the main address and aliases to the main mail address. # This is checked by permit_auth_recipient ("ldap:"+pkgs.writeText "ldap-mail-${domain}.cf" '' domain = ${domain} version = 3 debuglevel = 0 server_host = ldapi:// bind = sasl sasl_mechs = EXTERNAL search_base = ou=posix,${domainSuffix} scope = sub dereference = 0 query_filter = (&(|(mail=%s)(mailAlias=%s))(mailEnabled=TRUE)) result_format = %s result_attribute = mail '') ]; # Map MAIL FROM addresses to the SASL login names allowed to use it. smtpd_sender_login_maps = [ ("ldap:"+pkgs.writeText "ldap-senders-${domain}.cf" '' domain = ${domain} version = 3 debuglevel = 0 server_host = ldapi:// bind = sasl sasl_mechs = EXTERNAL search_base = ou=posix,${domainSuffix} scope = sub dereference = 0 query_filter = (&(|(mail=%s)(mailAlias=%s))(mailEnabled=TRUE)) result_format = %s@${domain} result_attribute = uid '') ]; }; }; security.acme.certs."${domain}" = { postRun = "systemctl reload postfix"; }; systemd.services.postfix = { wants = [ "openldap.service" "acme-selfsigned-${domain}.service" "acme-${domain}.service"]; after = [ "openldap.service" "acme-selfsigned-${domain}.service" ]; }; }