2 files changed, 21 insertions, 1 deletions

diff --git a/users/gkleen.nix b/users/gkleen.nix
index 8ee951d6..8be90851 100644
--- a/users/gkleen.nix
+++ b/users/gkleen.nix
@@ -1,7 +1,7 @@
 {
   name = "gkleen";
   description = "Gregor Kleen";
-  extraGroups = [ "wheel" "wlan" "lp" "dialout" "audio" "xmpp" ];
+  extraGroups = [ "wheel" "wlan" "lp" "dialout" "audio" "xmpp" "mail" ];
   group = "users";
   uid = 1000;
   createHome = true;
diff --git a/ymir.nix b/ymir.nix
index e90e59f7..2eedb641 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -327,6 +327,14 @@ in rec {
       mailbox_size_limit = 10737418240
 
       mailbox_command = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
+
+      smtpd_sasl_type = dovecot
+      smtpd_sasl_path = ../data/auth
+
+      smtpd_sasl_auth_enable = yes
+      smtpd_sasl_security_options = noanonymous, noplaintext
+      smtpd_sasl_tls_security_options = noanonymous
+      smtpd_tls_auth_only = yes
     '';
     extraMasterConf = ''
       uucp unix - n n - - pipe flags=Fqhu user=uucp argv=/var/setuid-wrappers/uux -z -a$sender - $nexthop!rmail ($recipient)
@@ -343,8 +351,20 @@ in rec {
     sslServerKey = "/var/lib/acme/yggdrasil.li/key.pem";
     extraConfig = ''
       postmaster_address = postmaster@yggdrasil.li
+
+      service auth {
+        unix_listener /var/lib/postfix/data/auth {
+          mode = 0660
+          user = postfix
+          group = postfix
+        }
+      }
     '';
   };
+  security.pam.services.dovecot2.text = ''
+    auth requisite  pam_succeed_if.so user ingroup mail
+    auth required   pam_unix.so audit
+  '';
 
   security.acme = {
     certs = {