inherit (lib) types;
inherit (pkgs.lib) unlines unlinesAttrs;
inherit (config) networking;
- inherit (config.services) x509 postfix dovecot2 postgrey openldap;
+ inherit (config.services) x509 postfix dovecot2 openldap;
unwords = lib.concatStringsSep " ";
when = x: y: if x == null then "" else y;
};
config = {
systemd.services.postfix.after =
- [ "openldap.service"
- ] ++ (if x509.scheme == "letsencrypt"
- then [ "nginx.service" ] # XXX: not sure if this is enough
- else []);
+ [ "openldap.service" ] ++
+ (if x509.scheme == "letsencrypt"
+ then [ "nginx.service" ] # XXX: not sure if this is enough
+ else []);
services.postfix = {
enable = true;
#hostname = networking.domain;
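Review bot: The reordered `after` list at L15–L18 still only orders postfix behind `nginx.service`; `after=` on its own neither pulls nginx in nor guarantees that the Let's Encrypt certificate has already been issued, so a cold boot can still start postfix against a missing or stale key pair. The existing `XXX` comment records that doubt and the commit keeps it unresolved; if the certificate is produced by a separate ACME unit in this setup, ordering on that unit (and listing it in `wants`) would be the more reliable dependency, but that cannot be confirmed from this hunk. I would at least expand the comment to `# XXX: after= only orders startup; it does not wait for a certificate to exist`. The enclosing `config` attribute set continues past the hunk.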
mapFiles."ldap-virtual_alias_maps.cf" =
toFile "ldap-virtual_alias_maps.cf" ''
version = 3
- debuglevel = 3
+ debuglevel = 0
server_host = ldapi://
bind = sasl
sasl_mechs = EXTERNAL
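Review bot: Dropping `debuglevel` to 0 is the right call for a production map, but the file is still produced with `toFile`, which places it in the Nix store where every local user can read it. That is safe only while the table authenticates with `bind = sasl` / `sasl_mechs = EXTERNAL` over `ldapi://`, as it does here; a future `bind_pw` line would expose the password to the whole machine. A one-line comment above the `toFile` call, e.g. `# NOTE: lives in the world-readable Nix store - never add bind_pw here`, would pin that down. The same applies to the ldap-forward.cf map in the next hunk. The `''` string continues past the end of this hunk.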
mapFiles."ldap-forward.cf" =
toFile "ldap-forward.cf" ''
version = 3
- debuglevel = 3
+ debuglevel = 0
server_host = ldapi://
bind = sasl
sasl_mechs = EXTERNAL
mime_header_checks = "";
milter_header_checks = "";
nested_header_checks = "";
- non_smtpd_milters = "";
+ #non_smtpd_milters = "";
parent_domain_matches_subdomains = [
#"debug_peer_list"
#"fast_flush_domains"
"permit"
];
#smtpd_milters = "";
- # Needed by postgrey
smtpd_peername_lookup = true;
smtpd_recipient_limit = "5000";
smtpd_recipient_overshoot_limit = "5000";
#"check_policy_service inet:localhost:12340"
# check quota
"permit_mynetworks"
- "permit_tls_clientcerts"
+ #"permit_tls_clientcerts"
"permit_sasl_authenticated"
"reject_unverified_recipient"
# $fallback_transport is responsible of checking the existence of the recipient
# Check SPF
#"check_policy_service unix:private/spfcheck"
# Greylisting using postgrey
- "check_policy_service unix:${postgrey.socket.path}"
- # Once postgrey passed, permit what is for us
+ #"check_policy_service unix:${postgrey.socket.path}"
"permit_auth_destination"
"reject"
#"reject_unknown_sender_domain"
#smtpd_sasl_type = "dovecot";
smtpd_sender_restrictions = [
"permit_mynetworks"
- "permit_tls_clientcerts"
+ #"permit_tls_clientcerts"
"permit_sasl_authenticated"
# NOTE: permit auth through dovecot's SASL
#"check_sender_access hash:/var/lib/postfix/conf/sender_access"
# Log only a summary message on TLS handshake completion
smtpd_tls_loglevel = "1";
smtpd_tls_mandatory_ciphers = "high";
- smtpd_tls_mandatory_protocols = "TLSv1";
+ smtpd_tls_mandatory_protocols = "TLSv1"; # FIXME: TLSv1.3
# Only allow TLSv*
smtpd_tls_protocols = [ "!SSLv2" "!SSLv3" ];
#smtpd_tls_received_header = false;
#virtual_uid_maps = "static:5000";
#virtual_gid_maps = "static:5000";
#virtual_mailbox_base = dovecot2.mailDir;
- virtual_mailbox_domains = [networking.domain] ++ networking.domainAliases;
+ virtual_mailbox_domains = [ networking.domain ] ++ networking.domainAliases;
#virtual_mailbox_maps = "hash:/etc/postfix/virtual_mailbox_maps";
virtual_transport = "lmtp:unix:private/dovecot-lmtp";
};
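Review bot: `smtpd_tls_mandatory_protocols = "TLSv1"` (L82) is a positive protocol list in Postfix syntax, so mandatory TLS sessions are limited to TLSv1.0 only, which is weaker than the opportunistic setting at L84 that merely excludes SSLv2/SSLv3; the added `FIXME` acknowledges this but leaves it in place. On Postfix 3.6 or later the intended floor is `smtpd_tls_mandatory_protocols = ">=TLSv1.2";`, and on older releases the exclusion form `"!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"` gives the same result; TLSv1.3 is then included automatically wherever the linked OpenSSL supports it, so no explicit `TLSv1.3` entry is needed. Disabling the postgrey policy check (L66) and `permit_tls_clientcerts` (L57, L74) narrows the restriction surface, but the `# Needed by postgrey` comment removed at L49 was the only stated reason for keeping `smtpd_peername_lookup = true`, so a replacement comment giving the current reason (or dropping the option) would keep the block self-explaining. The enclosing `services.postfix` set opens before this hunk.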