...

1 files changed, 8 insertions, 19 deletions

diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index ff0c5e2a..2879c4a6 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -130,13 +130,11 @@ in {
       postmasterAlias = ""; rootAlias = ""; extraAliases = "";
       destination = [];
       networks = [];
-      config = let
-        relay_ccert = "texthash:${pkgs.writeText "relay_ccert" ""}";
-      in {
+      config = {
         smtpd_tls_security_level = "may";
 
         smtpd_tls_chain_files = [
-          "/run/credentials/postfix.service/surtr.yggdrasil.li.key.pem" "/run/credentials/postfix.service/surtr.yggdrasil.li.pem"
+          "/run/credentials/postfix.service/surtr.yggdrasil.li.full.pem"
         ];
 
         #the dh params
@@ -173,12 +171,7 @@ in {
 
         smtp_tls_connection_reuse = true;
 
-        tls_server_sni_maps = ''texthash:${pkgs.writeText "sni" (
-          concatMapStringsSep "\n\n" (domain:
-            concatMapStringsSep "\n" (subdomain: "${subdomain} /run/credentials/postfix.service/${removePrefix "." subdomain}.full.pem")
-              [domain "mailin.${domain}" "mailsub.${domain}" ".${domain}"]
-          ) emailDomains
-        )}'';
+        tls_server_sni_maps = "inline:{${concatMapStringsSep ", " (domain: "{ ${domain} = /run/credentials/postfix.service/${removePrefix "." domain}.full.pem }") (concatMap (domain: [domain "mailin.${domain}" "mailsub.${domain}" ".${domain}"]) emailDomains)}}";
 
         smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix";
 
@@ -202,7 +195,6 @@ in {
             dbname = email
             query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s'
           ''}"
-          "check_ccert_access ${relay_ccert}"
           "reject_non_fqdn_helo_hostname"
           "reject_invalid_helo_hostname"
           "reject_unauth_destination"
@@ -223,7 +215,6 @@ in {
         address_verify_sender_ttl = "30045s";
 
         smtpd_relay_restrictions = [
-          "check_ccert_access ${relay_ccert}"
           "reject_unauth_destination"
         ];
 
@@ -800,13 +791,11 @@ in {
     ]) emailDomains);
 
     systemd.services.postfix = {
-      serviceConfig.LoadCredential = [
-        "surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem"
-        "surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem"
-      ] ++ concatMap (domain:
-        map (subdomain: "${subdomain}.full.pem:${config.security.acme.certs.${subdomain}.directory}/full.pem")
-          [domain "mailin.${domain}" "mailsub.${domain}"]
-      ) emailDomains;
+      serviceConfig.LoadCredential = let
+        tlsCredential = domain: "${domain}.full.pem:${config.security.acme.certs.${domain}.directory}/full.pem";
+      in [
+        (tlsCredential "surtr.yggdrasil.li")
+      ] ++ concatMap (domain: map tlsCredential [domain "mailin.${domain}" "mailsub.${domain}"]) emailDomains;
     };
 
     systemd.services.dovecot2 = {