{ pkgs, lib, config, ... }: let inherit (builtins) attrNames concatStringsSep readFile toPath; inherit (builtins.extraBuiltins) pass; inherit (lib) types; inherit (pkgs.lib) loadFile unlines unwords unlinesAttrs; inherit (config) networking users; inherit (config.services) postfix dovecot2 openldap; in { imports = [ postfix/sourcephile.fr.nix postfix/autogeree.net.nix ]; options = { services.postfix = { tls_server_sni_maps = lib.mkOption { type = types.attrsOf (types.listOf types.path); default = {}; apply = m: pkgs.writeText "sni" (lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: x509: '' ${domain} ${unwords x509} '') m)); }; }; }; config = { systemd.services.postfix = { after = ["openldap.service"]; preStart = '' install -m 400 -o root -g root ${postfix.tls_server_sni_maps} /run/keys/postfix-sni ${pkgs.postfix}/bin/postmap -F hash:/run/keys/postfix-sni ''; }; services.postfix = { enable = true; networksStyle = "host"; hostname ="${networking.hostName}.${networking.domain}"; domain = networking.domain; origin = "$myhostname"; destination = [ "localhost" "localhost.localdomain" "$myhostname" ]; postmasterAlias = "root"; rootAlias = "root@${networking.domain}"; sslCert = loadFile (../../../sec/openssl + "/${networking.domain}/cert.self-signed.pem"); sslKey = "/run/keys/${networking.domain}.key.pem"; networks = [ "127.0.0.0/8" "[::1]/128" ]; setSendmail = true; # Parse the extension in email address, eg. contact+extension@ recipientDelimiter = "+"; config = { debug_peer_level = "4"; debug_peer_list = [ #"chomsky.autogeree.net" #"localhost" #"mail.sourcephile.fr" ]; # # Sending to the world # # Appending .domain is the MUA's job append_dot_mydomain = false; smtp_body_checks = ""; #smtp_cname_overrides_servername = false; smtp_connect_timeout = "60s"; #smtp_header_checks = "regexp:/var/lib/postfix/smtp_header_checks"; smtp_mime_header_checks = ""; smtp_nested_header_checks = ""; smtp_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ]; #smtp_tls_fingerprint_digest = "sha1"; smtp_tls_loglevel = "1"; #smtp_tls_note_starttls_offer = true; #smtp_tls_policy_maps = "hash:/var/lib/postfix/conf/tls_policy"; # Only allow TLSv* protocols smtp_tls_protocols = [ "!SSLv2" "!SSLv3" ]; #smtp_tls_scert_verifydepth = "5"; #smtp_tls_secure_cert_match = [ "nexthop" "dot-nexthop" ]; smtp_tls_security_level = "may"; smtp_tls_session_cache_database = "btree:$data_directory/smtp_tls_session_cache"; #smtp_tls_session_cache_timeout = "3600s"; #smtp_tls_verify_cert_match = "hostname"; # # Receiving from the world # message_size_limit = "20480000"; maximal_queue_lifetime = "5d"; default_extra_recipient_limit = "5000"; line_length_limit = "2048"; duplicate_filter_limit = "5000"; # Stops mail from poorly written software strict_rfc821_envelopes = true; mime_header_checks = []; milter_header_checks = []; nested_header_checks = []; body_checks = []; content_filter = ""; permit_mx_backup_networks = []; propagate_unmatched_extensions = [ "canonical" "virtual" "alias" ]; #masquerade_classes = [ "envelope_sender" "header_sender" "header_recipient" ]; #masquerade_domains = ""; #masquerade_exceptions = "root"; queue_minfree = "0"; # Stops some techniques used to harvest email addresses disable_vrfy_command = true; enable_long_queue_ids = false; # Useful to test restrictions smtpd_authorized_xclient_hosts = "127.0.0.1"; smtpd_banner = "$myhostname ESMTP $mail_name (NixOS)"; smtpd_client_connection_count_limit = "50"; smtpd_client_connection_rate_limit = "0"; smtpd_client_event_limit_exceptions = "$mynetworks"; smtpd_client_message_rate_limit = "0"; smtpd_client_new_tls_session_rate_limit = "0"; smtpd_client_port_logging = false; smtpd_client_recipient_rate_limit = "0"; # Ban 5 sec on error smtpd_error_sleep_time = "5"; # Needed to enforce reject_unknown_helo_hostname smtpd_helo_required = true; smtpd_helo_restrictions = [ "reject_invalid_helo_hostname" "reject_non_fqdn_helo_hostname" # Don't talk to mail systems that don't know their own hostname. "reject_unknown_helo_hostname" "permit" ]; smtpd_client_restrictions = [ ]; # Set in postfix/*.nix and used in submissions/smptd # with reject_sender_login_mismatch smtpd_sender_login_maps = []; smtpd_sender_restrictions = [ "reject_non_fqdn_sender" "permit" ]; smtpd_reject_unlisted_recipient = true; # Check the RCPT TO, before smtpd_recipient_restrictions # Restrictions based on what is allowed or not, # these are applied before smtpd_recipient_restrictions smtpd_relay_restrictions = [ "permit_mynetworks" # Check the recipient's address in virtual_mailbox_domains and virtual_mailbox_maps "permit_auth_destination" # The world is only authorized to use our relay for the above destinations. "reject" ]; # Restrictions based on what is working or not smtpd_recipient_restrictions = [ # Reject if the domain is not fully qualified "reject_non_fqdn_recipient" # Reject if the domain is not working, even before bothering to check the address "reject_unknown_recipient_domain" # Reject if the address is not working # WARNING: verify(8) has a cache, dumpable if verify(8) is stopped, with: # postmap -s btree:/var/lib/postfix/data/verify_cache "reject_unverified_recipient" "permit" ]; # Trust the verify database unverified_recipient_reject_code = "550"; smtpd_data_restrictions = [ # Force the smtpd's client to wait OK before sending "reject_unauth_pipelining" "permit" ]; smtpd_end_of_data_restrictions = [ # Enforce mail volume quota via policy service callouts. #check_policy_service unix:private/policy ]; #smtpd_milters = ""; smtpd_peername_lookup = true; smtpd_recipient_limit = "5000"; smtpd_recipient_overshoot_limit = "5000"; #smtpd_restriction_classes = ""; #smtpd_sasl_auth_enable = true; #smtpd_sasl_path = "private/auth"; #smtpd_sasl_security_options = "noanonymous"; #smtpd_sasl_type = "dovecot"; smtpd_starttls_timeout = "300s"; #smtpd_tls_always_issue_session_ids = true; #smtpd_tls_CApath = "/etc/postfix/x509/ca/"; smtpd_tls_ask_ccert = false; #smtpd_tls_ccert_verifydepth = "5"; smtpd_tls_ciphers = "high"; smtpd_tls_eecdh_grade = "auto"; # Disable weak ciphers as reported by https://ssl-tools.net # https://serverfault.com/questions/744168/how-to-disable-rc4-on-postfix smtpd_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ]; smtpd_tls_fingerprint_digest = "sha512"; # Log only a summary message on TLS handshake completion smtpd_tls_loglevel = "1"; smtpd_tls_mandatory_ciphers = "high"; smtpd_tls_mandatory_protocols = [ "!SSLv2" "!SSLv3" ]; # Only allow TLSv* smtpd_tls_protocols = [ "!SSLv2" "!SSLv3" ]; #smtpd_tls_received_header = false; smtpd_tls_req_ccert = false; # Postfix 2.3 and later # encrypt # Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS # encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced # SMTP server. Instead, this option should be used only on dedicated servers. smtpd_tls_security_level = "may"; smtpd_tls_session_cache_database = "btree:$data_directory/smtpd_tls_session_cache"; #smtpd_tls_session_cache_timeout = "3600s"; #smtpd_tls_chain_files = relayhost = []; #relay_clientcerts = hash:/var/lib/postfix/conf/relay_clientcerts # This is where to put backup MX domains relay_domains = []; relay_recipient_maps = []; # Use a non blocking source of randomness tls_random_source = "dev:/dev/urandom"; # Map each domain to a specific X.509 certificate tls_server_sni_maps = "hash:/run/keys/postfix-sni"; # Only explicitely aliased accounts have a mail, not all the passwd local_recipient_maps = "$alias_maps"; # Note that the local transport rewrites the envelope recipient # according to the alias_maps, and thus the aliasing is transparent # to the nexthop (eg. dovecot) #local_transport = local:$myhostname # No console bell on new mail biff = false; forward_path = [ /* "$home/.forward''${recipient_delimiter}''${extension}" "$home/.forward" */ ]; # Filled by the postfix/*.nix virtual_mailbox_domains = []; # Completed by the postfix/*.nix virtual_mailbox_maps = [ "hash:/etc/postfix/virtual" ]; virtual_transport = "lmtp:unix:private/dovecot-lmtp"; # There is no fallback fallback_transport = ""; }; virtualMapType = "hash"; masterConfig = let mkVal = value: if lib.isList value then concatStringsSep "," value else if value == true then "yes" else if value == false then "no" else toString value; mkKeyVal = opt: val: [ "-o" (opt + "=" + mkVal val) ]; mkArgs = args: lib.concatLists (lib.mapAttrsToList mkKeyVal args); in { pickup = { args = mkArgs { cleanup_service_name = "submissions-header-cleanup"; }; }; # Implicit TLS on port 465 # https://tools.ietf.org/html/rfc8314#section-3.3 submissions = { type = "inet"; private = false; command = "smtpd"; args = mkArgs { syslog_name = "postfix/submissions"; # Implicit TLS, not STARTTLS smtpd_tls_wrappermode = true; smtpd_tls_mandatory_protocols = [ "TLSv1.3" # K-9 Mail 5.600 still requires this.. "TLSv1.2" ]; milter_macro_daemon_name = "ORIGINATING"; smtpd_relay_restrictions = [ # SASL authorizes to send to the world "permit_sasl_authenticated" "reject" ]; smtpd_sasl_auth_enable = true; smtpd_sasl_type = "dovecot"; smtpd_sasl_path = "private/auth"; smtpd_sasl_local_domain = ""; # Offer SASL authentication only after a TLS-encrypted session has been established smtpd_tls_auth_only = true; smtpd_sasl_tls_security_options = [ "noanonymous" ]; # Do not put SASL logins in mail headers smtpd_sasl_authenticated_header = false; # Who cares about (old) Outlook broken_sasl_auth_clients = false; smtpd_sender_restrictions = [ "reject_non_fqdn_sender" # Check that the SASL user is using only its own # mail addresses on the envelope, as indicated in smtpd_sender_login_maps "reject_sender_login_mismatch" "permit" ]; # No X.509 certificates for users, for now smtpd_tls_ask_ccert = false; smtpd_tls_ccert_verifydepth = 0; smtpd_tls_loglevel = 1; smtpd_tls_req_ccert = false; cleanup_service_name = "submissions-header-cleanup"; }; }; submissions-header-cleanup = { type = "unix"; private = false; maxproc = 0; command = "cleanup"; args = mkArgs { header_checks = "pcre:" + pkgs.writeText "submission_header_cleanup_rules" '' # Removes sensitive headers from mails handed in via the submission or smtps port. # See https://thomas-leister.de/mailserver-debian-stretch/ # Uses "pcre" style regex. /^Received:/ IGNORE /^User-Agent:/ IGNORE /^X-Enigmail:/ IGNORE /^X-Mailer:/ IGNORE /^X-Originating-IP:/ IGNORE ''; }; }; }; extraMasterConf = '' #spfcheck unix - n n - 0 spawn # user=policyd-spf argv=/usr/sbin/postfix-policyd-spf-perl # -o smtpd_sender_restrictions=reject_sender_login_mismatch # -o smtpd_sender_login_maps=hash:/etc/postfix/vaccounts # -o cleanup_service_name=submissions-header-cleanup #spfcheck unix - n n - 0 spawn # user=policyd-spf argv=/usr/bin/postfix-policyd-spf-perl #uucp unix - n n - - pipe # flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) #smtp inet n - - - - smtpd # -o cleanup_service_name=pre-cleanup # -o content_filter=amavis:[127.0.0.1]:10024 # -o smtpd_sender_restrictions=reject_unauth_pipelining,reject_non_fqdn_sender,permit # -o receive_override_options=no_address_mappings #amavis unix - - n - 2 lmtp # -o lmtp_data_done_timeout=1200 # -o lmtp_send_xforward_command=yes # -o lmtp_tls_note_starttls_offer=no #127.0.0.1:10025 inet n - n - - smtpd # -o content_filter= # -o local_header_rewrite_clients= # -o local_recipient_maps= # -o mynetworks=127.0.0.0/8 # -o receive_override_options=no_header_body_checks,no_milters,no_unknown_recipient_checks # -o relay_recipient_maps= # -o smtpd_client_connection_count_limit=0 # -o smtpd_client_connection_rate_limit=0 # -o smtpd_client_restrictions=permit_mynetworks,reject # -o smtpd_data_restrictions=reject_unauth_pipelining # -o smtpd_delay_reject=no # -o smtpd_end_of_data_restrictions= # -o smtpd_error_sleep_time=0 # -o smtpd_hard_error_limit=1000 # -o smtpd_helo_restrictions= # -o smtpd_milters= # -o smtpd_recipient_restrictions=permit_mynetworks,reject # -o smtpd_restriction_classes= # -o smtpd_sender_restrictions= # -o smtpd_soft_error_limit=1001 # -o strict_rfc821_envelopes=yes #submission inet n - - - - smtpd # -o cleanup_service_name=pre-cleanup # -o content_filter=amavis:[127.0.0.1]:10024 # -o milter_macro_daemon_name=ORIGINATING # -o receive_override_options=no_address_mappings # -o smtpd_sender_restrictions=permit_tls_clientcerts,reject # -o smtpd_tls_ask_ccert=yes # -o smtpd_tls_auth_only=yes # -o smtpd_tls_ccert_verifydepth=2 # -o smtpd_tls_loglevel=1 # -o smtpd_tls_req_ccert=yes # -o smtpd_tls_security_level=encrypt #smtps inet n - - - - smtpd # -o milter_macro_daemon_name=ORIGINATING # -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o smtpd_sasl_auth_enable=yes # -o smtpd_tls_ask_ccert=yes # -o smtpd_tls_auth_only=yes # -o smtpd_tls_ccert_verifydepth=0 # -o smtpd_tls_loglevel=1 # -o smtpd_tls_req_ccert=no # -o smtpd_tls_security_level=encrypt # -o smtpd_tls_wrappermode=yes #pickup fifo n - - 60 1 pickup # -o cleanup_service_name=pre-cleanup # -o content_filter=amavis:[127.0.0.1]:10024 #pre-cleanup unix n - - - 0 cleanup # -o virtual_alias_maps= #cleanup unix n - - - 0 cleanup # -o mime_header_checks= # -o nested_header_checks= # -o body_checks= # -o header_checks= #-- SYMPA begin #sympa unix - n n - - pipe # flags=R user=sympa argv=/usr/lib/sympa/bin/queue ''${recipient} #sympabounce unix - n n - - pipe # flags=R user=sympa argv=/usr/lib/sympa/bin/bouncequeue ''${recipient} #-- SYMPA end ''; #noclue unix - n n - - pipe # flags=q user=noclue argv=/usr/local/bin/noclue-delivery ${recipient} ${sender} }; }; }