nixos-mailserver/mail-server/postfix.nix

258 lines
9.6 KiB
Nix
Raw Normal View History

2016-07-25 20:48:40 +05:00
# nixos-mailserver: a simple mail server
2018-01-29 14:34:27 +05:00
# Copyright (C) 2016-2018 Robin Raymond
2016-07-25 20:48:40 +05:00
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>
2017-09-03 14:13:34 +05:00
{ config, pkgs, lib, ... }:
with (import ./common.nix { inherit config pkgs lib; });
let
2017-11-10 02:13:27 +05:00
inherit (lib.strings) concatStringsSep;
2017-09-03 14:13:34 +05:00
cfg = config.mailserver;
# valiases_postfix :: [ String ]
2017-11-21 15:18:07 +05:00
valiases_postfix = lib.flatten (lib.mapAttrsToList
(name: value:
let to = name;
in map (from: "${from} ${to}") (value.aliases ++ lib.singleton name))
2017-11-21 15:18:07 +05:00
cfg.loginAccounts);
2017-12-18 16:26:54 +05:00
# catchAllPostfix :: [ String ]
catchAllPostfix = lib.flatten (lib.mapAttrsToList
(name: value:
let to = name;
in map (from: "@${from} ${to}") value.catchAll)
cfg.loginAccounts);
2017-11-21 15:18:07 +05:00
# extra_valiases_postfix :: [ String ]
extra_valiases_postfix = attrsToAliasList cfg.extraVirtualAliases;
2017-11-21 15:35:52 +05:00
# all_valiases_postfix :: [ String ]
all_valiases_postfix = valiases_postfix ++ extra_valiases_postfix;
2017-11-21 15:18:07 +05:00
2019-10-17 00:51:45 +05:00
# denied_recipients_postfix :: [ String ]
denied_recipients_postfix = (map
(acct: "${acct.name} REJECT ${acct.sendOnlyRejectMessage}")
2019-10-17 00:51:45 +05:00
(lib.filter (acct: acct.sendOnly) (lib.attrValues cfg.loginAccounts)));
denied_recipients_file = builtins.toFile "denied_recipients" (lib.concatStringsSep "\n" denied_recipients_postfix);
# attrsToAliasList :: Map String (Either String [ String ]) -> [ String ]
attrsToAliasList = aliases:
let
toList = to: if builtins.isList to then to else [to];
in lib.mapAttrsToList
(from: to: "${from} " + (lib.concatStringsSep ", " (toList to)))
aliases;
# forwards :: [ String ]
forwards = attrsToAliasList cfg.forwards;
2019-10-17 00:51:45 +05:00
# valiases_file :: Path
2017-12-18 16:26:54 +05:00
valiases_file = builtins.toFile "valias"
(lib.concatStringsSep "\n" (all_valiases_postfix ++
catchAllPostfix));
reject_senders_postfix = (map
(sender:
"${sender} REJECT")
(cfg.rejectSender));
reject_senders_file = builtins.toFile "reject_senders" (lib.concatStringsSep "\n" (reject_senders_postfix)) ;
reject_recipients_postfix = (map
(recipient:
"${recipient} REJECT")
(cfg.rejectRecipients));
# rejectRecipients :: [ Path ]
reject_recipients_file = builtins.toFile "reject_recipients" (lib.concatStringsSep "\n" (reject_recipients_postfix)) ;
# vhosts_file :: Path
vhosts_file = builtins.toFile "vhosts" (concatStringsSep "\n" cfg.domains);
2017-08-12 21:27:22 +05:00
2017-08-13 17:05:40 +05:00
# vaccounts_file :: Path
# see
# https://blog.grimneko.de/2011/12/24/a-bunch-of-tips-for-improving-your-postfix-setup/
# for details on how this file looks. By using the same file as valiases,
# every alias is owned (uniquely) by its user.
# The user's own address is already in all_valiases_postfix.
vaccounts_file = builtins.toFile "vaccounts" (lib.concatStringsSep "\n" all_valiases_postfix);
2017-11-10 02:13:27 +05:00
2018-04-08 23:58:30 +05:00
submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" (''
2017-09-23 12:56:09 +05:00
# Removes sensitive headers from mails handed in via the submission port.
# See https://thomas-leister.de/mailserver-debian-stretch/
# Uses "pcre" style regex.
/^Received:/ IGNORE
/^X-Originating-IP:/ IGNORE
/^X-Mailer:/ IGNORE
/^User-Agent:/ IGNORE
/^X-Enigmail:/ IGNORE
2018-04-08 23:58:30 +05:00
'' + lib.optionalString cfg.rewriteMessageId ''
# Replaces the user submitted hostname with the server's FQDN to hide the
# user's host or network.
/^Message-ID:\s+<(.*?)@.*?>/ REPLACE Message-ID: <$1@${cfg.fqdn}>
'');
inetSocket = addr: port: "inet:[${toString port}@${addr}]";
unixSocket = sock: "unix:${sock}";
smtpdMilters =
(lib.optional cfg.dkimSigning "unix:/run/opendkim/opendkim.sock")
2018-05-13 06:35:03 +05:00
++ [ "unix:/run/rspamd/rspamd-milter.sock" ];
policyd-spf = pkgs.writeText "policyd-spf.conf" cfg.policydSPFExtraConfig;
mappedFile = name: "hash:/var/lib/postfix/conf/${name}";
2020-07-06 13:38:12 +05:00
submissionOptions =
{
smtpd_tls_security_level = "encrypt";
smtpd_sasl_auth_enable = "yes";
smtpd_sasl_type = "dovecot";
smtpd_sasl_path = "/run/dovecot2/auth";
smtpd_sasl_security_options = "noanonymous";
smtpd_sasl_local_domain = "$myhostname";
smtpd_client_restrictions = "permit_sasl_authenticated,reject";
smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts";
smtpd_sender_restrictions = "reject_sender_login_mismatch";
smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
cleanup_service_name = "submission-header-cleanup";
};
in
2016-07-25 20:48:40 +05:00
{
2017-09-03 14:13:34 +05:00
config = with cfg; lib.mkIf enable {
2017-09-03 14:13:34 +05:00
services.postfix = {
enable = true;
2020-09-06 01:23:15 +05:00
hostname = "${sendingFqdn}";
2017-09-03 14:13:34 +05:00
networksStyle = "host";
mapFiles."valias" = valiases_file;
2017-11-10 02:13:27 +05:00
mapFiles."vaccounts" = vaccounts_file;
2019-10-17 00:51:45 +05:00
mapFiles."denied_recipients" = denied_recipients_file;
mapFiles."reject_senders" = reject_senders_file;
mapFiles."reject_recipients" = reject_recipients_file;
2017-09-03 14:13:34 +05:00
sslCert = certificatePath;
sslKey = keyPath;
2020-07-06 13:38:12 +05:00
enableSubmission = cfg.enableSubmission;
enableSubmissions = cfg.enableSubmissionSsl;
virtual =
(lib.concatStringsSep "\n" (all_valiases_postfix ++ catchAllPostfix ++ forwards));
config = {
2017-09-13 01:47:13 +05:00
# Extra Config
mydestination = "";
recipient_delimiter = "+";
smtpd_banner = "${fqdn} ESMTP NO UCE";
disable_vrfy_command = true;
message_size_limit = toString cfg.messageSizeLimit;
2017-09-03 14:13:34 +05:00
# virtual mail system
virtual_uid_maps = "static:5000";
virtual_gid_maps = "static:5000";
virtual_mailbox_base = mailDirectory;
virtual_mailbox_domains = vhosts_file;
virtual_mailbox_maps = mappedFile "valias";
virtual_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
2017-09-03 14:13:34 +05:00
# sasl with dovecot
smtpd_sasl_type = "dovecot";
smtpd_sasl_path = "/run/dovecot2/auth";
smtpd_sasl_auth_enable = true;
smtpd_relay_restrictions = [
"permit_mynetworks" "permit_sasl_authenticated" "reject_unauth_destination"
];
2017-09-20 12:26:42 +05:00
policy-spf_time_limit = "3600s";
# reject selected senders
smtpd_sender_restrictions = [
"check_sender_access ${mappedFile "reject_senders"}"
];
# quota and spf checking
smtpd_recipient_restrictions = [
"check_recipient_access ${mappedFile "denied_recipients"}"
"check_recipient_access ${mappedFile "reject_recipients"}"
"check_policy_service inet:localhost:12340"
"check_policy_service unix:private/policy-spf"
];
2017-12-22 20:58:35 +05:00
2017-09-20 02:54:40 +05:00
# TLS settings, inspired by https://github.com/jeaye/nix-files
2017-09-20 12:26:42 +05:00
# Submission by mail clients is handled in submissionOptions
smtpd_tls_security_level = "may";
2017-09-20 12:26:42 +05:00
# strong might suffice and is computationally less expensive
smtpd_tls_eecdh_grade = "ultra";
# Disable obselete protocols
smtpd_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
smtp_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
smtpd_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
smtp_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
smtp_tls_ciphers = "high";
smtpd_tls_ciphers = "high";
smtp_tls_mandatory_ciphers = "high";
smtpd_tls_mandatory_ciphers = "high";
# Disable deprecated ciphers
smtpd_tls_mandatory_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
smtpd_tls_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
smtp_tls_mandatory_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
smtp_tls_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
tls_preempt_cipherlist = true;
2017-09-20 12:26:42 +05:00
# Allowing AUTH on a non encrypted connection poses a security risk
smtpd_tls_auth_only = true;
2017-09-20 12:26:42 +05:00
# Log only a summary message on TLS handshake completion
smtpd_tls_loglevel = "1";
2017-09-20 12:26:42 +05:00
2017-09-20 02:54:40 +05:00
# Configure a non blocking source of randomness
tls_random_source = "dev:/dev/urandom";
smtpd_milters = smtpdMilters;
non_smtpd_milters = lib.mkIf cfg.dkimSigning ["unix:/run/opendkim/opendkim.sock"];
milter_protocol = "6";
milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}";
};
2020-07-06 13:38:12 +05:00
submissionOptions = submissionOptions;
submissionsOptions = submissionOptions;
masterConfig = {
"policy-spf" = {
type = "unix";
privileged = true;
chroot = false;
command = "spawn";
args = [ "user=nobody" "argv=${pkgs.pypolicyd-spf}/bin/policyd-spf" "${policyd-spf}"];
};
"submission-header-cleanup" = {
type = "unix";
private = false;
chroot = false;
maxproc = 0;
command = "cleanup";
args = ["-o" "header_checks=pcre:${submissionHeaderCleanupRules}"];
};
};
2017-09-03 14:13:34 +05:00
};
2017-08-13 17:05:40 +05:00
};
2016-07-25 20:48:40 +05:00
}