nix: add envvar NO_NIXOS_FALLBACK
[sourcephile-nix.git] / nixos / modules / services / mail / postfix.nix
index 38d1697024fd779dc5bff4fa5a0031826443ccf2..55ca95dedc4d88c9fd46c20a070e72d61a28f2ff 100644 (file)
@@ -1,33 +1,52 @@
 { pkgs, lib, config, ... }:
-let inherit (lib) types;
-    inherit (pkgs.lib) unlinesAttrs unwords;
-    inherit (config) networking;
-    inherit (config.services) postfix;
+let
+  inherit (lib) types;
+  inherit (config.services) postfix;
 in
 {
-options.services.postfix = {
-  aliases = lib.mkOption {
-    type = with types; attrsOf (listOf str);
-    default = {};
-    example = { "root@${networking.domain}" = [
-                  "user1@${networking.domain}"
-                  "user2@${networking.domain}"
-                ];
-                "@example.coop" = ["user1@${networking.domain}"];
-              };
+  options = {
+    services.postfix = {
+      tls_server_sni_maps = lib.mkOption {
+        type = types.attrsOf (types.listOf types.path);
+        default = { };
+        apply = m: pkgs.writeText "sni" (lib.concatStringsSep "\n" (lib.mapAttrsToList
+          (domain: x509: ''
+            ${domain} ${lib.concatStringsSep " " x509}
+          '')
+          m));
+      };
+    };
   };
-};
-config = lib.mkIf postfix.enable {
-  services.postfix = {
-    mapFiles."virtual_alias_maps" = pkgs.writeText "virtual_alias_maps"
-      (unlinesAttrs
-       (from: to: "${from} ${unwords to}")
-       postfix.aliases);
-    config = {
-      virtual_alias_maps = [
-        "hash:/etc/postfix/virtual_alias_maps"
-      ];
+  config = {
+    systemd.services.postfix = {
+      preStart = ''
+        install -m 400 -o root -g root ${postfix.tls_server_sni_maps} /run/keys/postfix-sni
+        ${pkgs.postfix}/bin/postmap -F hash:/run/keys/postfix-sni
+      '';
+    };
+    services.postfix = {
+      masterConfig = {
+        submissions-header-cleanup = {
+          type = "unix";
+          private = false;
+          maxproc = 0;
+          command = "cleanup";
+          args = [
+            "-o"
+            ("header_checks=pcre:" + pkgs.writeText "submission_header_cleanup_rules" ''
+              # Removes sensitive headers from mails handed in via the submission or smtps port.
+              # See https://thomas-leister.de/mailserver-debian-stretch/
+              # Uses "pcre" style regex.
+
+              /^Received:/         IGNORE
+              /^User-Agent:/       IGNORE
+              /^X-Enigmail:/       IGNORE
+              /^X-Mailer:/         IGNORE
+              /^X-Originating-IP:/ IGNORE
+            '')
+          ];
+        };
+      };
     };
   };
-};
 }
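Review bot: The preStart script pins mode 400 on the source map (`install -m 400 -o root -g root ...`) but not on the database that `postmap -F hash:/run/keys/postfix-sni` then writes; with `-F` the `.db` embeds the base64 contents of the listed key and certificate files, so whatever default mode postmap applies (modulo the service umask) decides who can read the private keys. I would follow the postmap line with an explicit `chmod 400 /run/keys/postfix-sni.db` (or the owner/mode the unprivileged smtpd actually needs to read it) and confirm `/run/keys` is not world-traversable on this host. Separately, `tls_server_sni_maps` is typed `listOf path` and `lib.concatStringsSep " " x509` coerces each entry to a string, so an entry given as a Nix path literal rather than a `/run/keys/...` string would likely be copied into the world-readable store; a comment on the option such as `# entries must be absolute path strings outside the store, never path literals to private keys` would make that explicit. Nothing in this hunk sets `config.tls_server_sni_maps` to reference the new map or points the submission/smtps services at `submissions-header-cleanup` via `cleanup_service_name`; if that wiring is not done in another file, neither the SNI map nor the header cleanup takes effect.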