2024-09-22 23:34:52 +02:00
|
|
|
{ config, pkgs, ... }:
|
2024-03-12 11:34:16 +01:00
|
|
|
let
|
|
|
|
domain = config.networking.domain;
|
|
|
|
hostname = "mail.${config.networking.domain}";
|
|
|
|
# see https://www.kuketz-blog.de/e-mail-anbieter-ip-stripping-aus-datenschutzgruenden/
|
|
|
|
header_cleanup = pkgs.writeText "header_cleanup_outgoing" ''
|
|
|
|
/^\s*(Received: from)[^\n]*(.*)/ REPLACE $1 127.0.0.1 (localhost [127.0.0.1])$2
|
|
|
|
/^\s*User-Agent/ IGNORE
|
|
|
|
/^\s*X-Enigmail/ IGNORE
|
|
|
|
/^\s*X-Mailer/ IGNORE
|
|
|
|
/^\s*X-Originating-IP/ IGNORE
|
|
|
|
/^\s*Mime-Version/ IGNORE
|
|
|
|
'';
|
|
|
|
# https://unix.stackexchange.com/questions/294300/postfix-prevent-users-from-changing-the-real-e-mail-address
|
|
|
|
login_maps = pkgs.writeText "login_maps.pcre" ''
|
|
|
|
# basic username => username@ifsr.de
|
|
|
|
/^([^@+]*)(\+[^@]*)?@ifsr\.de$/ ''${1}
|
|
|
|
'';
|
|
|
|
in
|
|
|
|
{
|
|
|
|
sops.secrets."postfix_ldap_aliases".owner = config.services.postfix.user;
|
|
|
|
|
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
|
|
25 # SMTP
|
|
|
|
465 # Submissions
|
|
|
|
587 # Submission
|
|
|
|
];
|
|
|
|
services = {
|
|
|
|
postfix = {
|
|
|
|
enable = true;
|
|
|
|
enableSubmission = true;
|
|
|
|
enableSubmissions = true;
|
|
|
|
hostname = "${hostname}";
|
|
|
|
domain = "${domain}";
|
|
|
|
origin = "${domain}";
|
|
|
|
destination = [ "${hostname}" "${domain}" "localhost" ];
|
|
|
|
networksStyle = "host"; # localhost and own public IP
|
|
|
|
sslCert = "/var/lib/acme/${hostname}/fullchain.pem";
|
|
|
|
sslKey = "/var/lib/acme/${hostname}/key.pem";
|
|
|
|
config = {
|
|
|
|
home_mailbox = "Maildir/";
|
|
|
|
# 25 MiB
|
|
|
|
message_size_limit = "26214400";
|
|
|
|
# hostname used in helo command. It is recommended to have this match the reverse dns entry
|
|
|
|
smtp_helo_name = config.networking.rDNS;
|
|
|
|
smtpd_banner = "${config.networking.rDNS} ESMTP $mail_name";
|
2024-09-22 23:01:32 +02:00
|
|
|
smtp_tls_security_level = "may";
|
2024-09-22 23:34:52 +02:00
|
|
|
smtpd_tls_security_level = "may";
|
2024-09-22 23:01:32 +02:00
|
|
|
smtpd_tls_auth_only = true;
|
2024-03-12 11:34:16 +01:00
|
|
|
smtpd_tls_protocols = [
|
|
|
|
"!SSLv2"
|
|
|
|
"!SSLv3"
|
|
|
|
"!TLSv1"
|
|
|
|
"!TLSv1.1"
|
|
|
|
];
|
|
|
|
# "reject_non_fqdn_hostname"
|
|
|
|
smtpd_recipient_restrictions = [
|
|
|
|
"permit_sasl_authenticated"
|
|
|
|
"permit_mynetworks"
|
|
|
|
"reject_unauth_destination"
|
|
|
|
"reject_non_fqdn_sender"
|
|
|
|
"reject_non_fqdn_recipient"
|
|
|
|
"reject_unknown_sender_domain"
|
|
|
|
"reject_unknown_recipient_domain"
|
|
|
|
"reject_unauth_destination"
|
|
|
|
"reject_unauth_pipelining"
|
|
|
|
"reject_invalid_hostname"
|
|
|
|
"check_policy_service inet:localhost:12340"
|
|
|
|
];
|
|
|
|
smtpd_relay_restrictions = [
|
|
|
|
"permit_sasl_authenticated"
|
|
|
|
"permit_mynetworks"
|
|
|
|
"reject_unauth_destination"
|
|
|
|
];
|
|
|
|
# https://www.postfix.org/smtp-smuggling.html
|
|
|
|
smtpd_data_restrictions = [
|
|
|
|
"reject_unauth_pipelining"
|
|
|
|
];
|
|
|
|
smtpd_sender_restrictions = [
|
|
|
|
"reject_authenticated_sender_login_mismatch"
|
|
|
|
];
|
|
|
|
smtpd_sender_login_maps = [
|
|
|
|
"pcre:/etc/special-aliases.pcre"
|
|
|
|
"pcre:${login_maps}"
|
|
|
|
];
|
|
|
|
smtp_header_checks = "pcre:${header_cleanup}";
|
|
|
|
# smtpd_sender_login_maps = [ "ldap:${ldap-senders}" ];
|
|
|
|
alias_maps = [ "hash:/etc/aliases" ];
|
|
|
|
alias_database = [ "hash:/etc/aliases" ];
|
|
|
|
# alias_maps = [ "hash:/etc/aliases" "ldap:${ldap-aliases}" ];
|
|
|
|
smtpd_sasl_auth_enable = true;
|
|
|
|
smtpd_sasl_path = "/var/lib/postfix/auth";
|
|
|
|
smtpd_sasl_type = "dovecot";
|
2024-03-14 00:09:06 +01:00
|
|
|
local_recipient_maps = [ "ldap:${config.sops.secrets."postfix_ldap_aliases".path}" "$alias_maps" ];
|
2024-03-12 11:34:16 +01:00
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|