From aed5d9e523de0e4be6ced3079b4c1f75203b0c07 Mon Sep 17 00:00:00 2001 From: Brian Olsen Date: Fri, 22 May 2020 12:19:50 +0200 Subject: Switch from using postfix extraConfig to config `services.postfix.extraConfig` is just a string while the `services.postfix.config` option configures the same thing but with a typed attrset instead which is easier to manipulate and override in Nix. --- mail-server/postfix.nix | 98 +++++++++++++++++++++++++------------------------ 1 file changed, 51 insertions(+), 47 deletions(-) (limited to 'mail-server') diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix index 7df34d7..d3ca4fe 100644 --- a/mail-server/postfix.nix +++ b/mail-server/postfix.nix 
@@ -138,81 +138,85 @@ in virtual = (lib.concatStringsSep "\n" (all_valiases_postfix ++ catchAllPostfix)); - extraConfig = - '' + config = { # Extra Config - mydestination = - recipient_delimiter = + - smtpd_banner = ${fqdn} ESMTP NO UCE - disable_vrfy_command = yes - message_size_limit = ${builtins.toString cfg.messageSizeLimit} + mydestination = ""; + recipient_delimiter = "+"; + smtpd_banner = "${fqdn} ESMTP NO UCE"; + disable_vrfy_command = true; + message_size_limit = toString cfg.messageSizeLimit; # virtual mail system - virtual_uid_maps = static:5000 - virtual_gid_maps = static:5000 - virtual_mailbox_base = ${mailDirectory} - virtual_mailbox_domains = ${vhosts_file} - virtual_mailbox_maps = ${mappedFile "valias"} - virtual_transport = lmtp:unix:/run/dovecot2/dovecot-lmtp + virtual_uid_maps = "static:5000"; + virtual_gid_maps = "static:5000"; + virtual_mailbox_base = mailDirectory; + virtual_mailbox_domains = vhosts_file; + virtual_mailbox_maps = mappedFile "valias"; + virtual_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp"; # sasl with dovecot - smtpd_sasl_type = dovecot - smtpd_sasl_path = /run/dovecot2/auth - smtpd_sasl_auth_enable = yes - smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination + smtpd_sasl_type = "dovecot"; + smtpd_sasl_path = "/run/dovecot2/auth"; + smtpd_sasl_auth_enable = true; + smtpd_relay_restrictions = [ + "permit_mynetworks" "permit_sasl_authenticated" "reject_unauth_destination" + ]; - policy-spf_time_limit = 3600s + policy-spf_time_limit = "3600s"; # reject selected senders - smtpd_sender_restrictions = check_sender_access ${mappedFile "reject_senders"} + smtpd_sender_restrictions = [ + "check_sender_access ${mappedFile "reject_senders"}" + ]; # quota and spf checking - smtpd_recipient_restrictions = - check_recipient_access ${mappedFile "denied_recipients"}, - check_recipient_access ${mappedFile "reject_recipients"}, - check_policy_service inet:localhost:12340, - check_policy_service 
unix:private/policy-spf + smtpd_recipient_restrictions = [ + "check_recipient_access ${mappedFile "denied_recipients"}" + "check_recipient_access ${mappedFile "reject_recipients"}" + "check_policy_service inet:localhost:12340" + "check_policy_service unix:private/policy-spf" + ]; # TLS settings, inspired by https://github.com/jeaye/nix-files # Submission by mail clients is handled in submissionOptions - smtpd_tls_security_level = may + smtpd_tls_security_level = "may"; # strong might suffice and is computationally less expensive - smtpd_tls_eecdh_grade = ultra + smtpd_tls_eecdh_grade = "ultra"; # Disable obselete protocols - smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 - smtp_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 - smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 - smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 + smtpd_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3"; + smtp_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3"; + smtpd_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3"; + smtp_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3"; - smtp_tls_ciphers = high - smtpd_tls_ciphers = high - smtp_tls_mandatory_ciphers = high - smtpd_tls_mandatory_ciphers = high + smtp_tls_ciphers = "high"; + smtpd_tls_ciphers = "high"; + smtp_tls_mandatory_ciphers = "high"; + smtpd_tls_mandatory_ciphers = "high"; # Disable deprecated ciphers - smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL - smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL - smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL - smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL + smtpd_tls_mandatory_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL"; + 
smtpd_tls_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL"; + smtp_tls_mandatory_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL"; + smtp_tls_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL"; - tls_preempt_cipherlist = yes + tls_preempt_cipherlist = true; # Allowing AUTH on a non encrypted connection poses a security risk - smtpd_tls_auth_only = yes + smtpd_tls_auth_only = true; # Log only a summary message on TLS handshake completion - smtpd_tls_loglevel = 1 + smtpd_tls_loglevel = "1"; # Configure a non blocking source of randomness - tls_random_source = dev:/dev/urandom + tls_random_source = "dev:/dev/urandom"; - smtpd_milters = ${lib.concatStringsSep "," smtpdMilters} - ${lib.optionalString cfg.dkimSigning "non_smtpd_milters = unix:/run/opendkim/opendkim.sock"} - milter_protocol = 6 - milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer} - ''; + smtpd_milters = smtpdMilters; + non_smtpd_milters = lib.mkIf cfg.dkimSigning ["unix:/run/opendkim/opendkim.sock"]; + milter_protocol = "6"; + milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}"; + }; submissionOptions = { smtpd_tls_security_level = "encrypt"; -- cgit v1.2.3
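Review bot: Keys in this attrset that the NixOS postfix module also defines (the likely ones here are `mydestination`, `recipient_delimiter` and the `smtpd_tls_*` settings, which the module derives from its own `destination`/`recipientDelimiter`/TLS options) are now merged by the module system instead of being appended to main.cf, where Postfix let the last assignment win; unless the module wraps its side in `lib.mkDefault`, such a key will fail with conflicting definitions, so each overlapping key should be checked and wrapped with `lib.mkForce` where the override is intended. Under the "Disable obselete protocols" heading the four `*_tls_protocols` lines still admit TLSv1.1; the exclusion-list form `smtpd_tls_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1";` (and the same for the other three) drops it and stops enumerating versions that need updating later. `non_smtpd_milters = lib.mkIf cfg.dkimSigning [...]` only removes the key in the false case because `services.postfix.config` is an `attrsOf` option; that holds upstream but is not visible in this hunk, so a short comment stating the dependency would help. The enclosing attrset starts and ends outside the hunk.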