authorBrian Olsen <brian@maven-group.org>2020-05-22 12:19:50 +0200
committerBrian Olsen <brian@maven-group.org>2020-05-22 12:19:50 +0200
commitaed5d9e523de0e4be6ced3079b4c1f75203b0c07 (patch)
tree255790b73dde867f374b492d198b984eb24d5888 /mail-server
parentc2ee9f217ad35a2d614cd978786b8418805ee4e0 (diff)
Switch from using postfix extraConfig to config
`services.postfix.extraConfig` is just a string, while the `services.postfix.config` option configures the same thing with a typed attrset, which is easier to manipulate and override in Nix.
Diffstat (limited to 'mail-server')
-rw-r--r--mail-server/postfix.nix98
1 files changed, 51 insertions, 47 deletions
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index 7df34d7..d3ca4fe 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -138,81 +138,85 @@ in
virtual =
(lib.concatStringsSep "\n" (all_valiases_postfix ++ catchAllPostfix));
- extraConfig =
- ''
+ config = {
# Extra Config
- mydestination =
- recipient_delimiter = +
- smtpd_banner = ${fqdn} ESMTP NO UCE
- disable_vrfy_command = yes
- message_size_limit = ${builtins.toString cfg.messageSizeLimit}
+ mydestination = "";
+ recipient_delimiter = "+";
+ smtpd_banner = "${fqdn} ESMTP NO UCE";
+ disable_vrfy_command = true;
+ message_size_limit = toString cfg.messageSizeLimit;
# virtual mail system
- virtual_uid_maps = static:5000
- virtual_gid_maps = static:5000
- virtual_mailbox_base = ${mailDirectory}
- virtual_mailbox_domains = ${vhosts_file}
- virtual_mailbox_maps = ${mappedFile "valias"}
- virtual_transport = lmtp:unix:/run/dovecot2/dovecot-lmtp
+ virtual_uid_maps = "static:5000";
+ virtual_gid_maps = "static:5000";
+ virtual_mailbox_base = mailDirectory;
+ virtual_mailbox_domains = vhosts_file;
+ virtual_mailbox_maps = mappedFile "valias";
+ virtual_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
# sasl with dovecot
- smtpd_sasl_type = dovecot
- smtpd_sasl_path = /run/dovecot2/auth
- smtpd_sasl_auth_enable = yes
- smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
+ smtpd_sasl_type = "dovecot";
+ smtpd_sasl_path = "/run/dovecot2/auth";
+ smtpd_sasl_auth_enable = true;
+ smtpd_relay_restrictions = [
+ "permit_mynetworks" "permit_sasl_authenticated" "reject_unauth_destination"
+ ];
- policy-spf_time_limit = 3600s
+ policy-spf_time_limit = "3600s";
# reject selected senders
- smtpd_sender_restrictions = check_sender_access ${mappedFile "reject_senders"}
+ smtpd_sender_restrictions = [
+ "check_sender_access ${mappedFile "reject_senders"}"
+ ];
# quota and spf checking
- smtpd_recipient_restrictions =
- check_recipient_access ${mappedFile "denied_recipients"},
- check_recipient_access ${mappedFile "reject_recipients"},
- check_policy_service inet:localhost:12340,
- check_policy_service unix:private/policy-spf
+ smtpd_recipient_restrictions = [
+ "check_recipient_access ${mappedFile "denied_recipients"}"
+ "check_recipient_access ${mappedFile "reject_recipients"}"
+ "check_policy_service inet:localhost:12340"
+ "check_policy_service unix:private/policy-spf"
+ ];
# TLS settings, inspired by https://github.com/jeaye/nix-files
# Submission by mail clients is handled in submissionOptions
- smtpd_tls_security_level = may
+ smtpd_tls_security_level = "may";
# strong might suffice and is computationally less expensive
- smtpd_tls_eecdh_grade = ultra
+ smtpd_tls_eecdh_grade = "ultra";
# Disable obselete protocols
- smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
- smtp_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
- smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
- smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
+ smtpd_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
+ smtp_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
+ smtpd_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
+ smtp_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
- smtp_tls_ciphers = high
- smtpd_tls_ciphers = high
- smtp_tls_mandatory_ciphers = high
- smtpd_tls_mandatory_ciphers = high
+ smtp_tls_ciphers = "high";
+ smtpd_tls_ciphers = "high";
+ smtp_tls_mandatory_ciphers = "high";
+ smtpd_tls_mandatory_ciphers = "high";
# Disable deprecated ciphers
- smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
- smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
- smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
- smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
+ smtpd_tls_mandatory_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
+ smtpd_tls_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
+ smtp_tls_mandatory_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
+ smtp_tls_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
- tls_preempt_cipherlist = yes
+ tls_preempt_cipherlist = true;
# Allowing AUTH on a non encrypted connection poses a security risk
- smtpd_tls_auth_only = yes
+ smtpd_tls_auth_only = true;
# Log only a summary message on TLS handshake completion
- smtpd_tls_loglevel = 1
+ smtpd_tls_loglevel = "1";
# Configure a non blocking source of randomness
- tls_random_source = dev:/dev/urandom
+ tls_random_source = "dev:/dev/urandom";
- smtpd_milters = ${lib.concatStringsSep "," smtpdMilters}
- ${lib.optionalString cfg.dkimSigning "non_smtpd_milters = unix:/run/opendkim/opendkim.sock"}
- milter_protocol = 6
- milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}
- '';
+ smtpd_milters = smtpdMilters;
+ non_smtpd_milters = lib.mkIf cfg.dkimSigning ["unix:/run/opendkim/opendkim.sock"];
+ milter_protocol = "6";
+ milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}";
+ };
submissionOptions =
{
smtpd_tls_security_level = "encrypt";
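Review bot: The four `*_tls_protocols` values under the `# Disable obselete protocols` comment still admit TLSv1.1 (`"TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3"`), which is deprecated alongside TLSv1.0 and has no reason to stay enabled on a server that already refuses TLSv1; the Postfix documentation also advises against mixing inclusions and exclusions in one protocol list, so the safer portable form is the exclusion-only list `smtpd_tls_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1";` applied to all four keys (on Postfix ≥ 3.6, `">=TLSv1.2"` is the equivalent shorthand, if the deployed version supports it). Separately, `smtp_tls_ciphers = "high"` plus the matching exclude list govern the opportunistic client side, where I believe postconf(5) recommends keeping the grade at `medium` because a cipher mismatch under `smtp_tls_security_level = may` falls back to cleartext delivery rather than failing; if the stricter grade is intended, a comment such as `# Opportunistic client TLS: "high" trades some cleartext fallbacks for stronger ciphers` would record that trade-off. The `PSD` entry in the four `*_exclude_ciphers` lists does not look like an OpenSSL cipher keyword (possibly `PSK` was meant) and appears to be carried over unchanged by this conversion, so it is worth confirming against `openssl ciphers`. The `services.postfix` attribute set that `config` belongs to begins before this hunk, and `submissionOptions` continues past it.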