Default to default domain
This commit is contained in:
parent
860bb22034
commit
8b3f771c23
@ -8,35 +8,28 @@ let
|
|||||||
|
|
||||||
# The final newline is important
|
# The final newline is important
|
||||||
write-entries = filename: entries:
|
write-entries = filename: entries:
|
||||||
let
|
let entries-string = (concatStringsSep "\n" entries);
|
||||||
entries-string = (concatStringsSep "\n" entries);
|
|
||||||
in builtins.toFile filename ''
|
in builtins.toFile filename ''
|
||||||
${entries-string}
|
${entries-string}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
make-user-aliases = entries:
|
make-user-aliases = entries:
|
||||||
|
concatStringsSep "\n" (mapAttrsToList (user: aliases:
|
||||||
concatStringsSep "\n"
|
concatStringsSep "\n"
|
||||||
(mapAttrsToList (user: aliases:
|
(map (alias: "${alias} ${user}@${cfg.domain}") aliases)) entries);
|
||||||
concatStringsSep "\n"
|
|
||||||
(map (alias: "${alias} ${user}") aliases))
|
|
||||||
entries);
|
|
||||||
|
|
||||||
make-alias-users = domains: entries:
|
make-alias-users = domains: entries:
|
||||||
concatStringsSep "\n"
|
concatStringsSep "\n" (flatten (mapAttrsToList (alias: users:
|
||||||
(flatten
|
(map (domain: "${alias}@${domain} ${concatStringsSep "," users}")
|
||||||
(mapAttrsToList (alias: users:
|
domains)) entries));
|
||||||
(map (domain:
|
|
||||||
"${alias}@${domain} ${concatStringsSep "," users}")
|
|
||||||
domains))
|
|
||||||
entries));
|
|
||||||
|
|
||||||
policyd-spf = pkgs.writeText "policyd-spf.conf" (
|
policyd-spf = pkgs.writeText "policyd-spf.conf"
|
||||||
cfg.postfix.policy-spf-extra-config
|
(cfg.postfix.policy-spf-extra-config + (lib.optionalString cfg.debug ''
|
||||||
+ (lib.optionalString cfg.debug ''
|
|
||||||
debugLevel = 4
|
debugLevel = 4
|
||||||
''));
|
''));
|
||||||
|
|
||||||
submission-header-cleanup-rules = pkgs.writeText "submission_header_cleanup_rules" (''
|
submission-header-cleanup-rules =
|
||||||
|
pkgs.writeText "submission_header_cleanup_rules" (''
|
||||||
# Removes sensitive headers from mails handed in via the submission port.
|
# Removes sensitive headers from mails handed in via the submission port.
|
||||||
# See https://thomas-leister.de/mailserver-debian-stretch/
|
# See https://thomas-leister.de/mailserver-debian-stretch/
|
||||||
# Uses "pcre" style regex.
|
# Uses "pcre" style regex.
|
||||||
@ -48,8 +41,7 @@ let
|
|||||||
/^X-Enigmail:/ IGNORE
|
/^X-Enigmail:/ IGNORE
|
||||||
'');
|
'');
|
||||||
blacklist-postfix-entry = sender: "${sender} REJECT";
|
blacklist-postfix-entry = sender: "${sender} REJECT";
|
||||||
blacklist-postfix-file = filename: entries:
|
blacklist-postfix-file = filename: entries: write-entries filename entries;
|
||||||
write-entries filename entries;
|
|
||||||
sender-blacklist-file = blacklist-postfix-file "reject_senders"
|
sender-blacklist-file = blacklist-postfix-file "reject_senders"
|
||||||
(map blacklist-postfix-entry cfg.sender-blacklist);
|
(map blacklist-postfix-entry cfg.sender-blacklist);
|
||||||
recipient-blacklist-file = blacklist-postfix-file "reject_recipients"
|
recipient-blacklist-file = blacklist-postfix-file "reject_recipients"
|
||||||
@ -57,12 +49,13 @@ let
|
|||||||
|
|
||||||
# A list of domains for which we accept mail
|
# A list of domains for which we accept mail
|
||||||
virtual-mailbox-map-file = write-entries "virtual_mailbox_map"
|
virtual-mailbox-map-file = write-entries "virtual_mailbox_map"
|
||||||
(map (domain: "@${domain} OK") (cfg.local-domains ++ [cfg.domain]));
|
(map (domain: "@${domain} OK") (cfg.local-domains ++ [ cfg.domain ]));
|
||||||
|
|
||||||
sender-login-map-file = let
|
sender-login-map-file =
|
||||||
escapeDot = (str: replaceStrings ["."] ["\\."] str);
|
let escapeDot = (str: replaceStrings [ "." ] [ "\\." ] str);
|
||||||
in write-entries "sender_login_maps"
|
in write-entries "sender_login_maps"
|
||||||
(map (domain: "/^(.*)@${escapeDot domain}$/ \${1}") (cfg.local-domains ++ [cfg.domain]));
|
(map (domain: "/^(.*)@${escapeDot domain}$/ \${1}")
|
||||||
|
(cfg.local-domains ++ [ cfg.domain ]));
|
||||||
|
|
||||||
mapped-file = name: "hash:/var/lib/postfix/conf/${name}";
|
mapped-file = name: "hash:/var/lib/postfix/conf/${name}";
|
||||||
|
|
||||||
@ -112,7 +105,7 @@ in {
|
|||||||
domain = cfg.domain;
|
domain = cfg.domain;
|
||||||
origin = cfg.domain;
|
origin = cfg.domain;
|
||||||
hostname = cfg.mail-hostname;
|
hostname = cfg.mail-hostname;
|
||||||
destination = ["localhost" "localhost.localdomain"];
|
destination = [ "localhost" "localhost.localdomain" ];
|
||||||
# destination = ["localhost" "localhost.localdomain" cfg.hostname] ++
|
# destination = ["localhost" "localhost.localdomain" cfg.hostname] ++
|
||||||
# cfg.local-domains;;
|
# cfg.local-domains;;
|
||||||
|
|
||||||
@ -132,25 +125,27 @@ in {
|
|||||||
virtual = ''
|
virtual = ''
|
||||||
${make-user-aliases cfg.user-aliases}
|
${make-user-aliases cfg.user-aliases}
|
||||||
|
|
||||||
${make-alias-users ([cfg.domain] ++ cfg.local-domains) cfg.alias-users}
|
${make-alias-users ([ cfg.domain ] ++ cfg.local-domains)
|
||||||
|
cfg.alias-users}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
sslCert = cfg.postfix.ssl-certificate;
|
sslCert = cfg.postfix.ssl-certificate;
|
||||||
sslKey = cfg.postfix.ssl-private-key;
|
sslKey = cfg.postfix.ssl-private-key;
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
virtual_mailbox_domains = cfg.local-domains ++ [cfg.domain];
|
virtual_mailbox_domains = cfg.local-domains ++ [ cfg.domain ];
|
||||||
# virtual_mailbox_base = "${cfg.mail-directory}/";
|
# virtual_mailbox_base = "${cfg.mail-directory}/";
|
||||||
virtual_mailbox_maps = mapped-file "virtual_mailbox_map";
|
virtual_mailbox_maps = mapped-file "virtual_mailbox_map";
|
||||||
|
|
||||||
virtual_uid_maps = "static:${toString cfg.mail-user-id}";
|
virtual_uid_maps = "static:${toString cfg.mail-user-id}";
|
||||||
virtual_gid_maps = "static:${toString config.users.groups."${cfg.mail-group}".gid}";
|
virtual_gid_maps =
|
||||||
|
"static:${toString config.users.groups."${cfg.mail-group}".gid}";
|
||||||
|
|
||||||
virtual_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
|
virtual_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
|
||||||
|
|
||||||
# NOTE: it's important that this ends with /, to indicate Maildir format!
|
# NOTE: it's important that this ends with /, to indicate Maildir format!
|
||||||
# mail_spool_directory = "${cfg.mail-directory}/";
|
# mail_spool_directory = "${cfg.mail-directory}/";
|
||||||
message_size_limit = toString(cfg.message-size-limit * 1024 * 1024);
|
message_size_limit = toString (cfg.message-size-limit * 1024 * 1024);
|
||||||
|
|
||||||
smtpd_banner = "${cfg.mail-hostname} ESMTP NO UCE";
|
smtpd_banner = "${cfg.mail-hostname} ESMTP NO UCE";
|
||||||
|
|
||||||
@ -176,7 +171,8 @@ in {
|
|||||||
recipient_delimiter = "+";
|
recipient_delimiter = "+";
|
||||||
|
|
||||||
milter_protocol = "6";
|
milter_protocol = "6";
|
||||||
milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}";
|
milter_mail_macros =
|
||||||
|
"i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}";
|
||||||
|
|
||||||
smtpd_milters = [
|
smtpd_milters = [
|
||||||
"unix:/run/rspamd/rspamd-milter.sock"
|
"unix:/run/rspamd/rspamd-milter.sock"
|
||||||
@ -218,11 +214,8 @@ in {
|
|||||||
"reject_non_fqdn_recipient"
|
"reject_non_fqdn_recipient"
|
||||||
];
|
];
|
||||||
|
|
||||||
smtpd_helo_restrictions = [
|
smtpd_helo_restrictions =
|
||||||
"permit_mynetworks"
|
[ "permit_mynetworks" "reject_invalid_hostname" "permit" ];
|
||||||
"reject_invalid_hostname"
|
|
||||||
"permit"
|
|
||||||
];
|
|
||||||
|
|
||||||
# Handled by submission
|
# Handled by submission
|
||||||
smtpd_tls_security_level = "may";
|
smtpd_tls_security_level = "may";
|
||||||
@ -230,44 +223,27 @@ in {
|
|||||||
smtpd_tls_eecdh_grade = "ultra";
|
smtpd_tls_eecdh_grade = "ultra";
|
||||||
|
|
||||||
# Disable obselete protocols
|
# Disable obselete protocols
|
||||||
smtpd_tls_protocols = [
|
smtpd_tls_protocols =
|
||||||
"TLSv1.2"
|
[ "TLSv1.2" "TLSv1.1" "!TLSv1" "!SSLv2" "!SSLv3" ];
|
||||||
"TLSv1.1"
|
smtp_tls_protocols = [ "TLSv1.2" "TLSv1.1" "!TLSv1" "!SSLv2" "!SSLv3" ];
|
||||||
"!TLSv1"
|
smtpd_tls_mandatory_protocols =
|
||||||
"!SSLv2"
|
[ "TLSv1.2" "TLSv1.1" "!TLSv1" "!SSLv2" "!SSLv3" ];
|
||||||
"!SSLv3"
|
smtp_tls_mandatory_protocols =
|
||||||
];
|
[ "TLSv1.2" "TLSv1.1" "!TLSv1" "!SSLv2" "!SSLv3" ];
|
||||||
smtp_tls_protocols = [
|
|
||||||
"TLSv1.2"
|
|
||||||
"TLSv1.1"
|
|
||||||
"!TLSv1"
|
|
||||||
"!SSLv2"
|
|
||||||
"!SSLv3"
|
|
||||||
];
|
|
||||||
smtpd_tls_mandatory_protocols = [
|
|
||||||
"TLSv1.2"
|
|
||||||
"TLSv1.1"
|
|
||||||
"!TLSv1"
|
|
||||||
"!SSLv2"
|
|
||||||
"!SSLv3"
|
|
||||||
];
|
|
||||||
smtp_tls_mandatory_protocols = [
|
|
||||||
"TLSv1.2"
|
|
||||||
"TLSv1.1"
|
|
||||||
"!TLSv1"
|
|
||||||
"!SSLv2"
|
|
||||||
"!SSLv3"
|
|
||||||
];
|
|
||||||
|
|
||||||
smtp_tls_ciphers = "high";
|
smtp_tls_ciphers = "high";
|
||||||
smtpd_tls_ciphers = "high";
|
smtpd_tls_ciphers = "high";
|
||||||
smtp_tls_mandatory_ciphers = "high";
|
smtp_tls_mandatory_ciphers = "high";
|
||||||
smtpd_tls_mandatory_ciphers = "high";
|
smtpd_tls_mandatory_ciphers = "high";
|
||||||
|
|
||||||
smtpd_tls_mandatory_exclude_ciphers = ["MD5" "DES" "ADH" "RC4" "PSD" "SRP" "3DES" "eNULL" "aNULL"];
|
smtpd_tls_mandatory_exclude_ciphers =
|
||||||
smtpd_tls_exclude_ciphers = ["MD5" "DES" "ADH" "RC4" "PSD" "SRP" "3DES" "eNULL" "aNULL"];
|
[ "MD5" "DES" "ADH" "RC4" "PSD" "SRP" "3DES" "eNULL" "aNULL" ];
|
||||||
smtp_tls_mandatory_exclude_ciphers = ["MD5" "DES" "ADH" "RC4" "PSD" "SRP" "3DES" "eNULL" "aNULL"];
|
smtpd_tls_exclude_ciphers =
|
||||||
smtp_tls_exclude_ciphers = ["MD5" "DES" "ADH" "RC4" "PSD" "SRP" "3DES" "eNULL" "aNULL"];
|
[ "MD5" "DES" "ADH" "RC4" "PSD" "SRP" "3DES" "eNULL" "aNULL" ];
|
||||||
|
smtp_tls_mandatory_exclude_ciphers =
|
||||||
|
[ "MD5" "DES" "ADH" "RC4" "PSD" "SRP" "3DES" "eNULL" "aNULL" ];
|
||||||
|
smtp_tls_exclude_ciphers =
|
||||||
|
[ "MD5" "DES" "ADH" "RC4" "PSD" "SRP" "3DES" "eNULL" "aNULL" ];
|
||||||
|
|
||||||
tls_preempt_cipherlist = "yes";
|
tls_preempt_cipherlist = "yes";
|
||||||
|
|
||||||
@ -286,8 +262,10 @@ in {
|
|||||||
smtpd_sasl_security_options = "noanonymous";
|
smtpd_sasl_security_options = "noanonymous";
|
||||||
smtpd_sasl_local_domain = cfg.domain;
|
smtpd_sasl_local_domain = cfg.domain;
|
||||||
smtpd_client_restrictions = "permit_sasl_authenticated,reject";
|
smtpd_client_restrictions = "permit_sasl_authenticated,reject";
|
||||||
smtpd_sender_restrictions = "reject_sender_login_mismatch,reject_unknown_sender_domain";
|
smtpd_sender_restrictions =
|
||||||
smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
|
"reject_sender_login_mismatch,reject_unknown_sender_domain";
|
||||||
|
smtpd_recipient_restrictions =
|
||||||
|
"reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
|
||||||
cleanup_service_name = "submission-header-cleanup";
|
cleanup_service_name = "submission-header-cleanup";
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -297,7 +275,11 @@ in {
|
|||||||
privileged = true;
|
privileged = true;
|
||||||
chroot = false;
|
chroot = false;
|
||||||
command = "spawn";
|
command = "spawn";
|
||||||
args = [ "user=nobody" "argv=${pkgs.pypolicyd-spf}/bin/policyd-spf" "${policyd-spf}"];
|
args = [
|
||||||
|
"user=nobody"
|
||||||
|
"argv=${pkgs.pypolicyd-spf}/bin/policyd-spf"
|
||||||
|
"${policyd-spf}"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
"submission-header-cleanup" = {
|
"submission-header-cleanup" = {
|
||||||
type = "unix";
|
type = "unix";
|
||||||
@ -305,7 +287,8 @@ in {
|
|||||||
chroot = false;
|
chroot = false;
|
||||||
maxproc = 0;
|
maxproc = 0;
|
||||||
command = "cleanup";
|
command = "cleanup";
|
||||||
args = ["-o" "header_checks=pcre:${submission-header-cleanup-rules}"];
|
args =
|
||||||
|
[ "-o" "header_checks=pcre:${submission-header-cleanup-rules}" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user