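# Postfix MTA for chir.rs.
#
# Accepts mail for virtual domains whose definitions live in PostgreSQL,
# hands accepted mail to Dovecot over LMTP, and offers authenticated
# submission on 587 (STARTTLS) and 465 (implicit TLS) using Dovecot's SASL
# socket. TLS is mandatory in every direction; rspamd is wired in as a
# milter for both smtpd- and non-smtpd-sourced mail.
{
  lib,
  pkgs,
  ...
}: let
  # Only TLS 1.2+ is negotiated. Applied to both the inbound (smtpd_*) and
  # outbound (smtp_*) mandatory-TLS policies so the host is never weaker as
  # a client than it demands of its own clients.
  tlsProtocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1";

  # rspamd milter endpoint. NOTE(review): plain inet, no TLS and no
  # authentication — the milter sees every message and its verdicts decide
  # accept/reject, so the .int network carrying this traffic must be trusted.
  rspamdMilter = "inet:rspamd.int.chir.rs:11332";
in {
  # The stock postfix package has no pgsql lookup-table driver; rebuild it
  # with one so the pgsql: maps below can be opened at all.
  nixpkgs.overlays = [
    (final: prev: {
      postfix = prev.postfix.override {withPgSQL = true;};
    })
  ];

  services.postfix = {
    enable = true;
    enableSubmission = true; # port 587, STARTTLS
    enableSubmissions = true; # port 465, implicit TLS

    # Only "localhost" is a local-delivery destination; every real domain is
    # virtual and resolved through the pgsql maps in `config` below.
    destination = ["localhost"];
    domain = "chir.rs";
    hostname = "mail.chir.rs";
    origin = "mail.chir.rs";

    masterConfig = {
      submission = {
        type = "inet";
        # Keep the no-plaintext requirement explicit on the service line.
        # smtpd_tls_security_level is already forced to "encrypt" globally
        # below, so this is redundant today; it guards the submission port
        # should the global setting ever be relaxed.
        args = ["-o" "smtpd_tls_security_level=encrypt"];
      };
    };

    # ACME-issued certificate; the reloadServices hook at the bottom of this
    # module makes postfix pick up renewals.
    sslCert = "/var/lib/acme/chir.rs/cert.pem";
    sslKey = "/var/lib/acme/chir.rs/key.pem";

    config = {
      # ---- TLS --------------------------------------------------------------
      # NOTE(review): mandatory TLS on the public port 25 refuses mail from
      # senders that never issue STARTTLS; RFC 3207 §4 advises publicly
      # referenced MXes not to require it. mkForce overrides whatever level
      # the NixOS module sets from sslCert/sslKey. Confirm this
      # availability-for-confidentiality trade-off is intended.
      smtpd_tls_security_level = lib.mkForce "encrypt";
      # Outbound: never deliver over plaintext. "encrypt" does not verify the
      # remote certificate; "dane" (requires a DNSSEC-validating resolver)
      # would add peer authentication on top.
      smtp_tls_security_level = "encrypt";
      smtpd_tls_mandatory_protocols = tlsProtocols;
      smtpd_tls_protocols = tlsProtocols;
      # Previously unset, so outbound mandatory TLS fell back to the postfix
      # build's default, which on older releases still admits TLS 1.0/1.1.
      # Mirrors the inbound policy.
      smtp_tls_mandatory_protocols = tlsProtocols;
      # AUTH is only advertised/accepted inside a TLS session, so SASL
      # credentials never cross the wire in clear.
      smtpd_tls_auth_only = "yes";
      # Honour the client's cipher preference order (the postfix default,
      # stated explicitly).
      tls_preempt_cipherlist = "no";

      # ---- Virtual domains and delivery -------------------------------------
      # The .cf files carry the PostgreSQL credentials and are provisioned by
      # sops (see sops.secrets below). They are read directly by the smtpd /
      # cleanup processes; `proxy:pgsql:` would instead confine DB
      # connections to proxymap(8) — consider it if connection count or
      # credential exposure becomes a concern.
      virtual_alias_domains = "pgsql:/run/secrets/services/postfix/virtual_alias_domains.cf";
      virtual_alias_maps = "pgsql:/run/secrets/services/postfix/virtual_alias_maps.cf";
      virtual_mailbox_domains = "pgsql:/run/secrets/services/postfix/virtual_mailbox_domains.cf";
      virtual_transport = "lmtp:unix:/run/dovecot2/lmtp";

      # ---- Spam filtering ---------------------------------------------------
      smtpd_milters = rspamdMilter;
      non_smtpd_milters = rspamdMilter;

      # ---- Session policy ---------------------------------------------------
      # VRFY is disabled to block address harvesting.
      disable_vrfy_command = "yes";
      # The banner intentionally does not disclose the software version.
      smtpd_banner = "mail.chir.rs ESMTP NO UCE NO UBE NO RELAYCLIENT=yes YES OwO";
      message_size_limit = "20971520"; # 20 MiB
      biff = "no";
      smtpd_helo_required = "yes";
      # NOTE(review): this list holds only permit_* actions, so any client
      # not matched simply falls through to the implicit permit at the end —
      # it enforces nothing beyond smtpd_helo_required. Append reject_*
      # actions (e.g. reject_invalid_helo_hostname) if HELO filtering is
      # actually wanted here.
      smtpd_helo_restrictions = "permit_mynetworks, permit_sasl_authenticated";

      # ---- SASL via Dovecot -------------------------------------------------
      smtpd_sasl_type = "dovecot";
      smtpd_sasl_path = "/run/dovecot2/auth";
      smtpd_sasl_auth_enable = "yes";

      smtputf8_enable = "yes";
    };
  };

  # Database role used by the pgsql maps. Only CONNECT is granted here; the
  # table-level grants the map queries need are not managed in this module.
  # NOTE(review): ensurePermissions is deprecated/removed on newer NixOS
  # releases — check it still exists on the target release.
  services.postgresql.ensureUsers = [
    {
      name = "postfix";
      ensurePermissions = {
        "DATABASE \"postfix\"" = "CONNECT";
      };
    }
  ];

  # Each map file contains the PostgreSQL password. owner = postfix so the
  # unprivileged postfix daemons can open them; sops-nix's default mode keeps
  # them unreadable to everyone else.
  sops.secrets."services/postfix/virtual_alias_domains.cf" = {owner = "postfix";};
  sops.secrets."services/postfix/virtual_alias_maps.cf" = {owner = "postfix";};
  sops.secrets."services/postfix/virtual_mailbox_domains.cf" = {owner = "postfix";};

  # 25 = MX, 465 = submissions (implicit TLS), 587 = submission (STARTTLS).
  networking.firewall.allowedTCPPorts = [25 465 587];

  # Reload postfix after every certificate renewal so it serves the new key.
  security.acme.certs."chir.rs".reloadServices = ["postfix.service"];
}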