postfix: prepare LDAP config, need Internet to recompile postfix withLDAP=true.
authorJulien Moutinho <julm@autogeree.net>
Wed, 19 Sep 2018 00:58:16 +0000 (02:58 +0200)
committerJulien Moutinho <julm@autogeree.net>
Wed, 19 Sep 2018 00:58:16 +0000 (02:58 +0200)
install/logical/friot/postfix.nix
install/overlays.nix
install/overlays/servers/mail/postfix.nix [new file with mode: 0644]

index db0fb78d2404871d7f5b8dd0a6cf1ab764b33929..1eeb72c44dd48c360e201a72b0ee0decf72ee87f 100644 (file)
@@ -1,7 +1,7 @@
 {pkgs, lib, config, nodes, ...}:
 let inherit (builtins) attrNames toFile;
     inherit (lib) types;
-    inherit (config.services) x509 postfix dovecot2 postgrey;
+    inherit (config.services) x509 postfix dovecot2 postgrey openldap;
     unlines = lib.concatStringsSep "\n";
     unwords = lib.concatStringsSep " ";
     when    = x: y: if x == null then "" else y;
@@ -61,6 +61,20 @@ config = {
        + unlines (lib.mapAttrsToList
            (from: to: "${from} ${unwords to}")
            postfix.aliases));
+    mapFiles."ldap-virtual_alias_maps.cf" =
+      toFile "ldap-virtual_alias_maps.cf" ''
+        version          = 3
+        debuglevel       = 3
+        server_host      = ldapi://
+        bind             = sasl
+        sasl_mechs       = EXTERNAL
+        search_base      = ou=posix,${openldap.domainSuffix}
+        scope            = sub
+        dereference      = 0
+        query_filter     = (&(mail=%s))
+        result_format    = %s
+        result_attribute = mailAlias
+      '';
     sslCert = x509.cert;
     sslKey = x509.key;
     #enableSubmission = true;
@@ -71,7 +85,10 @@ config = {
       config.networking.hostName
       "${config.networking.hostName}.localdomain"
     ];
-    networks = [ "127.0.0.0/8" "[::1]/128" ];
+    networks = [
+      "127.0.0.0/8"
+      "[::1]/128"
+    ];
     recipientDelimiter = "+";
     config = {
       # Appending .domain is the MUA's job
@@ -157,7 +174,7 @@ config = {
       #smtp_header_checks = "regexp:/var/lib/postfix/smtp_header_checks";
       smtp_mime_header_checks = "";
       smtp_nested_header_checks = "";
-      smtp_tls_exclude_ciphers = [ "RC4" "aNULL" ];
+      smtp_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ];
       #smtp_tls_fingerprint_digest = "sha1";
       smtp_tls_loglevel = "1";
       #smtp_tls_note_starttls_offer = true;
@@ -240,6 +257,7 @@ config = {
       smtpd_relay_restrictions = [
         "permit_mynetworks"
         "permit_sasl_authenticated"
+          # NOTE: permit auth through dovecot's SASL
         "reject_unauth_destination"
       ];
       #smtpd_restriction_classes = "";
@@ -252,6 +270,7 @@ config = {
         "permit_mynetworks"
         "permit_tls_clientcerts"
         "permit_sasl_authenticated"
+          # NOTE: permit auth through dovecot's SASL
         #"check_sender_access hash:/var/lib/postfix/conf/sender_access"
         "reject_unauth_pipelining"
         "reject_non_fqdn_sender"
@@ -320,7 +339,7 @@ config = {
       virtual_alias_domains = [];
       virtual_alias_maps = [
         "hash:/etc/postfix/virtual_alias_maps"
-        #"ldap:aliases"
+        #TODO: "ldap:/etc/postfix/ldap-virtual_alias_maps.cf"
         #"hash:/etc/postfix/virtual_alias-dovecot"
         #"hash:/var/lib/postfix/conf/valias"
         #"regexp:/etc/sympa/virtual_alias"
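Review bot: `debuglevel = 3` in the new ldap-virtual_alias_maps.cf map enables verbose OpenLDAP library debugging on every lookup (the Postfix default is 0), which writes lookup keys and search results into the mail log; it should be `debuglevel = 0` before this map is enabled. The map is registered via `mapFiles`, while the commented-out reference on the virtual_alias_maps line points at `/etc/postfix/ldap-virtual_alias_maps.cf`; if mapFiles entries are copied elsewhere and post-processed as hash tables, a `.cf` file is not a map source and that path would not resolve, so confirm where the file actually lands before removing the TODO. `bind = sasl` with `sasl_mechs = EXTERNAL` over `ldapi://` additionally depends on the Postfix build having LDAP SASL support, which is a separate question from withLDAP and worth checking when the package is rebuilt. The single-term filter `(&(mail=%s))` can simply be `(mail=%s)`. The enclosing `config` attribute set starts and ends outside this hunk.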
index 9e61eecfd348469c275d8e92403c50d42e78e109..98f92aa6ae6540c37e3958bdecc56c10b2db2fa1 100644 (file)
@@ -1,3 +1,4 @@
 map import
 [ #overlays/servers/mail/dovecot.nix
+  #TODO: overlays/servers/mail/postfix.nix
 ]
diff --git a/install/overlays/servers/mail/postfix.nix b/install/overlays/servers/mail/postfix.nix
new file mode 100644 (file)
index 0000000..f356ccf
--- /dev/null
@@ -0,0 +1,3 @@
+self: super:  {
+  withLDAP = true;
+}
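Review bot: The overlay body `{ withLDAP = true; }` adds a top-level `withLDAP` attribute to the package set rather than passing it to postfix, so applying this overlay would not yield an LDAP-enabled build; since the postfix derivation takes `withLDAP` as a function argument, the overlay should read `postfix = super.postfix.override { withLDAP = true; };`. Nothing breaks today because the import in install/overlays.nix is still commented out, but the TODO there should not be resolved until this is corrected. The override form also implies the local rebuild the commit title anticipates, so it is consistent with the stated intent.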