{ config, pkgs, ... }: let domain = config.networking.domain; hostname = "mail.${config.networking.domain}"; # see https://www.kuketz-blog.de/e-mail-anbieter-ip-stripping-aus-datenschutzgruenden/ header_cleanup = pkgs.writeText "header_cleanup_outgoing" '' /^\s*(Received: from)[^\n]*(.*)/ REPLACE $1 127.0.0.1 (localhost [127.0.0.1])$2 /^\s*User-Agent/ IGNORE /^\s*X-Enigmail/ IGNORE /^\s*X-Mailer/ IGNORE /^\s*X-Originating-IP/ IGNORE /^\s*Mime-Version/ IGNORE ''; # https://unix.stackexchange.com/questions/294300/postfix-prevent-users-from-changing-the-real-e-mail-address login_maps = pkgs.writeText "login_maps.pcre" '' # basic username => username@ifsr.de /^([^@+]*)(\+[^@]*)?@ifsr\.de$/ ''${1} ''; in { sops.secrets."postfix_ldap_aliases".owner = config.services.postfix.user; networking.firewall.allowedTCPPorts = [ 25 # SMTP 465 # Submissions 587 # Submission ]; services = { postfix = { enable = true; enableSubmission = true; enableSubmissions = true; hostname = "${hostname}"; domain = "${domain}"; origin = "${domain}"; destination = [ "${hostname}" "${domain}" "localhost" ]; networksStyle = "host"; # localhost and own public IP sslCert = "/var/lib/acme/${hostname}/fullchain.pem"; sslKey = "/var/lib/acme/${hostname}/key.pem"; config = { home_mailbox = "Maildir/"; # 25 MiB message_size_limit = "26214400"; # hostname used in helo command. It is recommended to have this match the reverse dns entry smtp_helo_name = config.networking.rDNS; smtpd_banner = "${config.networking.rDNS} ESMTP $mail_name"; smtp_use_tls = true; # smtp_tls_security_level = "encrypt"; smtpd_use_tls = true; # smtpd_tls_security_level = lib.mkForce "encrypt"; # smtpd_tls_auth_only = true; smtpd_tls_protocols = [ "!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" ]; # "reject_non_fqdn_hostname" smtpd_recipient_restrictions = [ "permit_sasl_authenticated" "permit_mynetworks" "reject_unauth_destination" "reject_non_fqdn_sender" "reject_non_fqdn_recipient" "reject_unknown_sender_domain" "reject_unknown_recipient_domain" "reject_unauth_destination" "reject_unauth_pipelining" "reject_invalid_hostname" "check_policy_service inet:localhost:12340" ]; smtpd_relay_restrictions = [ "permit_sasl_authenticated" "permit_mynetworks" "reject_unauth_destination" ]; # https://www.postfix.org/smtp-smuggling.html smtpd_data_restrictions = [ "reject_unauth_pipelining" ]; smtpd_sender_restrictions = [ "reject_authenticated_sender_login_mismatch" ]; smtpd_sender_login_maps = [ "pcre:/etc/special-aliases.pcre" "pcre:${login_maps}" ]; smtp_header_checks = "pcre:${header_cleanup}"; # smtpd_sender_login_maps = [ "ldap:${ldap-senders}" ]; alias_maps = [ "hash:/etc/aliases" ]; alias_database = [ "hash:/etc/aliases" ]; # alias_maps = [ "hash:/etc/aliases" "ldap:${ldap-aliases}" ]; smtpd_sasl_auth_enable = true; smtpd_sasl_path = "/var/lib/postfix/auth"; smtpd_sasl_type = "dovecot"; local_recipient_maps = [ "ldap:${config.sops.secrets."postfix_ldap_aliases".path}" "$alias_maps" ]; }; }; }; }