nixos-config/config/services/postfix.nix

79 lines
2.4 KiB
Nix

{ pkgs, ... }:
let
virtual_alias_domains = pkgs.writeText "virtual_alias_domains.cf" ''
user = postfix
dbname = postfix
query = SELECT target_domain FROM alias_domain WHERE alias_domain = '%s' AND active='t';
'';
virtual_alias_maps = pkgs.writeText "virtual_alias_maps.cf" ''
user = postfix
dbname = postfix
query = SELECT goto FROM alias WHERE address='%s' AND active='t';
'';
virtual_mailbox_domains = pkgs.writeText "virtual_mailbox_domains.cf" ''
user = postfix
dbname = postfix
query = SELECT domain FROM domain WHERE domain = '%s' AND active='t';
'';
in
{
nixpkgs.overlays = [
(curr: prev: {
postfix = prev.postfix.override {
withPgSQL = true;
};
})
];
services.postfix = {
enable = true;
enableSubmission = true;
enableSubmissions = true;
destination = [
"localhost"
"darkkirb.de"
"miifox.net"
"chir.rs"
];
domain = "chir.rs";
hostname = "mail.chir.rs";
masterConfig = {
submission = {
args = [ "-o" "smtpd_tls_security_level=encrypt" ];
type = "inet";
};
};
origin = "mail.chir.rs";
sslCert = "/var/lib/acme/chir.rs/cert.pem";
sslKey = "/var/lib/acme/chir.rs/key.pem";
config = {
smtp_tls_security_level = "encrypt";
virtual_alias_domains = "pgsql:${virtual_mailbox_domains}";
virtual_alias_maps = "pgsql:${virtual_alias_maps}";
virtual_mailbox_domains = "pgsql:${virtual_mailbox_domains}";
virtual_transport = "lmtp:unix:/run/dovecot/lmtp";
smtpd_milters = "[fd00:e621:e621:2::2]:11332";
non_smtpd_milters = "[fd00:e621:e621:2::2]:11332";
disable_vrfy_command = "yes";
smtpd_banner = "mail.chir.rs ESMTP NO UCE NO UBE NO RELAYCLIENT=yes YES OwO";
message_size_limit = "20971520";
biff = "no";
smtpd_helo_restrictions = "permit_mynetworks, permit_sasl_authenticated";
smtpd_helo_required = "yes";
smtpd_sasl_type = "dovecot";
smtpd_sasl_path = "/run/dovecot/auth";
smtpd_sasl_auth_enable = "yes";
smtpd_tls_auth_only = "yes";
smtpd_tls_mandatory_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1";
smtpd_tls_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1";
tls_preempt_cipherlist = "no";
};
};
services.postgresql.ensureUsers = [{
name = "postfix";
ensurePermissions = {
"DATABASE \"postfix\"" = "CONNECT";
};
}];
}