nix: remove upstreamed PR patches
[sourcephile-nix.git] / servers / mermet / postfix.nix
index 56ef05345d1267b308fa3306af2decc5daccefed..a7006a5e202247d2408ad2b64881b7d766acb7c7 100644 (file)
@@ -24,6 +24,7 @@ options = {
   };
 };
 config = {
+users.groups.acme.members = [ postfix.user ];
 systemd.services.postfix = {
   after = ["openldap.service"];
   preStart = ''
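Review bot: The new `users.groups.acme.members = [ postfix.user ];` line carries no comment saying what the membership is for; presumably it lets the postfix user read the ACME-issued certificate and key, and group membership grants that read access to every certificate the acme group owns, not only the one postfix serves. Suggest `# Let postfix read the ACME-issued TLS certificate and key (group-readable).` above the line, and confirming that the key files stay readable by group only. The enclosing `config = {` attribute set continues past the hunk.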
@@ -158,13 +159,14 @@ services.postfix = {
       # Reject if the domain is not working, even before bothering to check the address
       "reject_unknown_recipient_domain"
       # Reject if the address is not working
+      # WARNING: this does not work if the recipient is greylisting.
       # WARNING: verify(8) has a cache, dumpable if verify(8) is stopped, with:
       # postmap -s btree:/var/lib/postfix/data/verify_cache
-      "reject_unverified_recipient"
+      #"reject_unverified_recipient"
       "permit"
     ];
     # Trust the verify database
-    unverified_recipient_reject_code = "550";
+    #unverified_recipient_reject_code = "550";
     smtpd_data_restrictions = [
       # Force the smtpd's client to wait OK before sending
       "reject_unauth_pipelining"
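Review bot: With `reject_unverified_recipient` and `unverified_recipient_reject_code` both commented out, the `# Trust the verify database` comment now describes a setting that is no longer in effect, and the restriction list falls through to `"permit"` for any address in a known domain, so undeliverable recipients are presumably only detected after acceptance. The new WARNING line is also ambiguous about who is greylisting; suggest `# WARNING: verification probes are tempfailed when the recipient's MX greylists them, so this cannot be relied on.` and either deleting the two dead lines or marking the stale comment `# (unused while recipient verification is disabled)`. The enclosing `services.postfix` attribute set continues outside the hunk.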
@@ -245,6 +247,10 @@ services.postfix = {
       "hash:/etc/postfix/virtual"
     ];
     virtual_transport = "lmtp:unix:private/dovecot-lmtp";
+    /*
+    dovecot_destination_recipient_limit = "1";
+    virtual_transport = "dovecot";
+    */
 
     # There is no fallback
     fallback_transport = "";
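Review bot: The `/* ... */` block added after `virtual_transport` is commented-out configuration with no note on why it is kept, and the much larger commented-out `dovecot` pipe transport entry in the last hunk of this file has the same issue. A one-line reason above each would tell a reader whether LMTP or the pipe transport is the intended delivery path, e.g. `# Alternative delivery path via the "dovecot" pipe(8) transport (kept commented out in the master.cf section below); disabled in favour of LMTP.` — or drop both blocks and rely on git history. The enclosing `services.postfix` set continues outside the hunk.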
@@ -283,6 +289,9 @@ services.postfix = {
           "TLSv1.2"
         ];
         milter_macro_daemon_name = "ORIGINATING";
+        smtpd_helo_restrictions = [
+          "permit_sasl_authenticated"
+        ] ++ postfix.config.smtpd_helo_restrictions;
         smtpd_relay_restrictions = [
           # SASL authorizes to send to the world
           "permit_sasl_authenticated"
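Review bot: The new `smtpd_helo_restrictions` override prepends `permit_sasl_authenticated`, so authenticated clients skip every HELO check carried over from `postfix.config.smtpd_helo_restrictions`; that is the usual choice for a submission listener, but the lines say nothing about it, unlike the commented `smtpd_relay_restrictions` entry just below. Suggest `# Authenticated submission clients are exempt from the global HELO checks.` above it. Whether `postfix.config` here is the global services.postfix config cannot be confirmed from the hunk; the enclosing service definition starts and ends outside it.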
@@ -333,6 +342,32 @@ services.postfix = {
         '';
       };
     };
+    /*
+    dovecot = {
+      type = "unix";
+      privileged = true;
+      chroot = false;
+      command = "pipe";
+      args = let
+        # rspamd could be used as a milter, but then it cannot apply
+        # its checks "per user" (milter is not yet dispatched to
+        # users), so we wrap dovecot-lda inside rspamc per recipient
+        # here.
+        rspamc_dovecot = pkgs.writeScriptBin "rspamc_dovecot" ''
+          #!${pkgs.stdenv.shell}
+          sender="$1"
+          original_recipient="$2"
+          user="$3"
+          ${pkgs.coreutils}/bin/cat - | \
+            (${pkgs.rspamd}/bin/rspamc -h ${config.myServices.mail.rspamd.sockets.worker-controller} -c bayes -d "$user" --mime || true) | \
+            ${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f "$sender" -a "$original_recipient" -d "$user"
+          '';
+      in [
+        "flags=DRhu" "user=vhost:vhost"
+        "argv=${rspamc_dovecot}/bin/rspamc_dovecot \${sender} \${original_recipient} \${user}@\${nexthop}"
+      ];
+    };
+    */
   };
   extraMasterConf = ''
     #spfcheck    unix  -        n       n       -        0        spawn
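Review bot: Inside the commented-out `rspamc_dovecot` wrapper, `(... rspamc ... || true)` hides any rspamc failure (controller socket unreachable, bad `-h` target) from pipe(8)'s exit-status handling, so if this block is ever re-enabled the message is presumably handed to dovecot-lda unscanned or truncated rather than deferred. Since the block is dead code for now, a note such as `# NOTE: '|| true' delivers the mail unfiltered when rspamc fails; decide on fail-open vs. tempfail before enabling.` next to that line is enough. The entry also sets `privileged = true` and `chroot = false`, which deserves a comment on why the pipe transport needs both. The enclosing attribute set starts outside the hunk.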