nixos-config/config/services/postfix.nix
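{lib, pkgs, ...}: {
  # Postfix MX + submission host for chir.rs.
  #
  # Virtual domains and aliases are looked up in PostgreSQL (hence the
  # PgSQL-enabled package override below), final delivery is handed to
  # Dovecot over LMTP, and rspamd is attached as a milter.
  nixpkgs.overlays = [
    (curr: prev: {
      # The stock package does not ship the pgsql: map type.
      postfix = prev.postfix.override {
        withPgSQL = true;
      };
    })
  ];

  services.postfix = {
    enable = true;
    # 587 (STARTTLS) and 465 (implicit TLS) for authenticated clients.
    enableSubmission = true;
    enableSubmissions = true;
    destination = [
      "localhost"
    ];
    domain = "chir.rs";
    hostname = "mail.chir.rs";
    masterConfig = {
      submission = {
        # STARTTLS is mandatory before anything else on 587. The NixOS
        # module's submissionOptions presumably sets the same thing; a
        # duplicated -o is harmless.
        args = ["-o" "smtpd_tls_security_level=encrypt"];
        type = "inet";
      };
    };
    origin = "mail.chir.rs";
    # Served straight from the ACME state directory. Postfix must be able to
    # read key.pem; the group membership that allows that is not configured
    # in this file -- verify it elsewhere.
    sslCert = "/var/lib/acme/chir.rs/cert.pem";
    sslKey = "/var/lib/acme/chir.rs/key.pem";

    config = {
      # ---- TLS ----------------------------------------------------------
      # Inbound: TLS is *required* on every smtpd, including port 25. This
      # is a deliberate trade-off -- RFC 3207 says a publicly referenced MX
      # must not require TLS, so senders without STARTTLS cannot deliver
      # here. mkForce is needed because the module sets its own level when
      # sslCert is given.
      smtpd_tls_security_level = lib.mkForce "encrypt";
      # Outbound: likewise mandatory, so mail to an MX without TLS bounces.
      # "encrypt" does not verify the peer certificate (an active attacker
      # can still MITM); "dane" with a DNSSEC-validating resolver would give
      # authenticated TLS where the remote publishes TLSA records.
      smtp_tls_security_level = "encrypt";
      # Inbound protocol floor: TLS 1.2+.
      smtpd_tls_mandatory_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1";
      smtpd_tls_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1";
      # Outbound protocol floor, kept in sync with the inbound one. Without
      # these the client side uses Postfix's built-in default, which on
      # releases before 3.6 still allows TLS 1.0/1.1 even at "encrypt".
      smtp_tls_mandatory_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1";
      smtp_tls_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1";
      # Let the client's cipher preference win (no server-side preemption).
      tls_preempt_cipherlist = "no";
      # AUTH is only advertised after STARTTLS, so credentials never travel
      # in the clear.
      smtpd_tls_auth_only = "yes";

      # ---- Virtual domains / delivery -----------------------------------
      # pgsql: lookups. The .cf files carry the DB credentials and are
      # provided as sops secrets (see below).
      virtual_alias_domains = "pgsql:/run/secrets/services/postfix/virtual_alias_domains.cf";
      virtual_alias_maps = "pgsql:/run/secrets/services/postfix/virtual_alias_maps.cf";
      virtual_mailbox_domains = "pgsql:/run/secrets/services/postfix/virtual_mailbox_domains.cf";
      # NOTE(review): no virtual_mailbox_maps is configured here, so smtpd
      # has no list of valid mailboxes in these domains and cannot reject an
      # unknown recipient at RCPT time; such mail is accepted and only fails
      # when Dovecot LMTP refuses it, which produces a bounce (backscatter).
      # Either add a pgsql virtual_mailbox_maps or use
      # reject_unverified_recipient -- confirm against the DB schema.
      virtual_transport = "lmtp:unix:/run/dovecot2/lmtp";

      # ---- Content filtering --------------------------------------------
      # rspamd over plain TCP. The milter protocol is unauthenticated, so
      # this relies on the internal network being trusted.
      # milter_default_action is left at its Postfix default, i.e. a
      # tempfail when rspamd is unreachable (fail closed).
      smtpd_milters = "inet:rspamd.int.chir.rs:11332";
      non_smtpd_milters = "inet:rspamd.int.chir.rs:11332";

      # ---- SMTP policy --------------------------------------------------
      # No address harvesting via VRFY.
      disable_vrfy_command = "yes";
      smtpd_banner = "mail.chir.rs ESMTP NO UCE NO UBE NO RELAYCLIENT=yes YES OwO";
      message_size_limit = "20971520"; # 20 MiB
      biff = "no";
      # HELO/EHLO is required, but nothing here rejects a malformed one;
      # reject_invalid_helo_hostname / reject_non_fqdn_helo_hostname would
      # tighten this at some interop cost.
      smtpd_helo_restrictions = "permit_mynetworks, permit_sasl_authenticated";
      smtpd_helo_required = "yes";
      # Relay protection is not spelled out in this file; it relies on the
      # Postfix built-in smtpd_relay_restrictions default
      # (permit_mynetworks, permit_sasl_authenticated,
      # defer_unauth_destination).

      # ---- SASL ---------------------------------------------------------
      # Authentication is delegated to Dovecot via its auth socket.
      smtpd_sasl_type = "dovecot";
      smtpd_sasl_path = "/run/dovecot2/auth";
      # NOTE(review): enabling AUTH in main.cf also offers it on port 25
      # (after STARTTLS). With 465/587 available that extra credential
      # surface on the MX port is usually unnecessary; setting this to "no"
      # here and enabling it only on the submission services would shrink
      # it -- confirm the NixOS submission services set it themselves first.
      smtpd_sasl_auth_enable = "yes";
      # Internationalized addresses (RFC 6531).
      smtputf8_enable = "yes";
    };
  };

  # DB role for the pgsql: maps. Only CONNECT is granted here; table-level
  # grants are not visible in this file and must come from elsewhere.
  services.postgresql.ensureUsers = [
    {
      name = "postfix";
      ensurePermissions = {
        "DATABASE \"postfix\"" = "CONNECT";
      };
    }
  ];

  # The pgsql map definitions contain the DB credentials, so they live in
  # sops and are owned by the postfix user (sops-nix's default mode is
  # presumably 0400 -- verify).
  sops.secrets."services/postfix/virtual_alias_domains.cf" = {owner = "postfix";};
  sops.secrets."services/postfix/virtual_alias_maps.cf" = {owner = "postfix";};
  sops.secrets."services/postfix/virtual_mailbox_domains.cf" = {owner = "postfix";};

  # 25 = MX, 465 = submissions (implicit TLS), 587 = submission (STARTTLS).
  networking.firewall.allowedTCPPorts = [25 465 587];
  # Pick up renewed certificates without a manual restart.
  security.acme.certs."chir.rs".reloadServices = ["postfix.service"];
}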