Works without SSSD!

Now...accept incoming mail if we're the destination
2023-10-02 12:38:56 -07:00 · 2023-10-02 12:38:56 -07:00 · 8d613f6e57
parent 17571822f5
commit 8d613f6e57
3 changed files with 2 additions and 53 deletions
--- a/dovecot.nix
+++ b/dovecot.nix
@ -260,44 +260,6 @@ in {
        socketPath = "/var/run/dovecot2/old-stats";
      };

-      sssd = {
-        enable = true;
-        # FIXME: pass as config
-        environmentFile = "/run/dovecot-secrets/sssd.env";
-        config = ''
-          [nss]
-          reconnection_retries = 3
-
-          [sssd]
-          config_file_version = 2
-          reconnection_retries = 3
-          domains = $SSSD_LDAP_DOMAIN
-          services = nss, pam
-
-          [pam]
-          reconnection_retries = 3
-
-          [domain/$SSSD_LDAP_DOMAIN]
-          cache_credentials = False
-          id_provider = ldap
-          auth_provider = ldap
-          ldap_uri = $SSSD_LDAP_SERVER
-
-          ldap_schema = rfc2307bis
-          ldap_search_base = $SSSD_LDAP_SEARCH_BASE
-          ldap_user_search_base = $SSSD_LDAP_USER_SEARCH_BASE
-          ldap_group_search_base = $SSSD_LDAP_GROUP_SEARCH_BASE
-
-          ldap_user_object_class = user
-          ldap_user_name = cn
-          ldap_group_object_class = group
-          ldap_group_name = cn
-
-          ldap_default_bind_dn = $SSSD_LDAP_BIND_DN
-          ldap_default_authtok = $SSSD_LDAP_AUTH_TOKEN
-        '';
-      };
-
      dovecot2 = {
        enable = true;
        enableImap = true;
--- a/mail-server.nix
+++ b/mail-server.nix
@ -205,19 +205,6 @@ in {
        target-file = "/run/ldap-proxy/env";
      };

-      dovecotSssdEnv = {
-        source-file = pkgs.writeText "dovecot-sssd.env" (concatStringsSep "\n" [
-          "SSSD_LDAP_DOMAIN=${cfg.primary-domain}"
-          "SSSD_LDAP_SERVER=ldap://ldap-proxy:3389/"
-          "SSSD_LDAP_SEARCH_BASE=${cfg.ldap.base}"
-          "SSSD_LDAP_USER_SEARCH_BASE=${cfg.ldap.user-ou},${cfg.ldap.base}"
-          "SSSD_LDAP_GROUP_SEARCH_BASE=${cfg.ldap.group-ou},${cfg.ldap.base}"
-          "SSSD_LDAP_BIND_DN=${cfg.ldap.bind-dn}"
-          "SSSD_LDAP_AUTH_TOKEN=${readFile cfg.ldap.bind-password-file}"
-        ]);
-        target-file = "/run/dovecot-secrets/sssd.env";
-      };
-
      dovecotLdapConfig = {
        source-file = pkgs.writeText "dovecot-ldap.conf"
          (concatStringsSep "\n" [
@ -343,7 +330,6 @@ in {
                "${cfg.imap.ssl-directory}:/run/certs/imap:ro"
                "${cfg.state-directory}/dovecot-dhparams:/var/lib/dhparams"
                "${cfg.state-directory}/mail:/mail"
-                "${hostSecrets.dovecotSssdEnv.target-file}:/run/dovecot-secrets/sssd.env:ro"
              ];
              depends_on = [ "antispam" "ldap-proxy" ];
            };
--- a/postfix.nix
+++ b/postfix.nix
@ -263,7 +263,8 @@ in {
          "reject_non_fqdn_recipient"
          "check_policy_service unix:private/policy-spf"
        ] ++ (map (blacklist: "reject_rbl_client ${blacklist}")
-          cfg.blacklist.dns) ++ [ "permit_mynetworks" "reject" ];
+          cfg.blacklist.dns)
+          ++ [ "permit_mynetworks" "reject_unauth_destination" ];

        client-restrictions =
          [ "permit_sasl_authenticated" "permit_mynetworks" "reject" ];