2 files changed, 99 insertions, 0 deletions
diff --git a/hosts/sif/mail/default.nix b/hosts/sif/mail/default.nix
new file mode 100644
index 00000000..29bfb4f1
--- /dev/null
+++ b/hosts/sif/mail/default.nix
@@ -0,0 +1,66 @@
+{ config, pkgs, ... }:
+{
+  services.postfix = {
+    enable = true;
+    enableSmtp = true;
+    enableSubmission = false;
+    setSendmail = true;
+    networksStyle = "host";
+    hostname = "sif.midgard.yggdrasil";
+    destination = [];
+    relayHost = "uucp:ymir";
+    recipientDelimiter = "+";
+    masterConfig = {
+      uucp = {
+        type = "unix";
+        private = true;
+        privileged = true;
+        chroot = false;
+        command = "pipe";
+        args = [ "flags=Fqhu" "user=uucp" ''argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)'' ];
+      };
+    };
+    transport = ''
+      odin.asgard.yggdrasil uucp:odin
+    '';
+    config = {
+      always_bcc = "gkleen+sent@odin.asgard.yggdrasil";
+      default_transport = "uucp:ymir";
+      inet_interfaces = "loopback-only";
+      authorized_submit_users = ["!uucp" "static:anyone"];
+      message_size_limit = "0";
+      sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
+        /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
+        /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
+        /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
+      ''}'';
+      sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
+        /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
+        /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
+      ''}'';
+      smtp_sasl_auth_enable = true;
+      smtp_sender_dependent_authentication = true;
+      smtp_sasl_tls_security_options = "noanonymous";
+      smtp_sasl_mechanism_filter = ["plain"];
+      smtp_sasl_password_maps = "regexp:/var/db/postfix/sasl_passwd";
+      smtp_cname_overrides_servername = false;
+      smtp_always_send_ehlo = true;
+      smtp_tls_security_level = "dane";
+      smtp_tls_loglevel = "1";
+      smtp_dns_support_level = "dnssec";
+    };
+  };
+  sops.secrets.postfix-sasl-passwd = {
+    key = "sasl-passwd";
+    path = "/var/db/postfix/sasl_passwd";
+    owner = "postfix";
+    sopsFile = ./secrets.yaml;
+  };
+}
diff --git a/hosts/sif/mail/secrets.yaml b/hosts/sif/mail/secrets.yaml
new file mode 100644
index 00000000..06a2ad40
--- /dev/null
+++ b/hosts/sif/mail/secrets.yaml
@@ -0,0 +1,33 @@
+sasl-passwd: ENC[AES256_GCM,data:S81uICROGm/E0TC3xJyPXbVLjOO+PsRyJBoWINFZGzeh8F0nXx1ewiiSXtNl9trTbxlSgf5jnBvtbyd75N0OcyqBf0db5tJtvU42DO5I4qFo4R67FzpKzKWMF4AJuFGP1aKkPsPIc41WTfLemKCfbEhVfQj9qEFLR9TC8iqzSZa0bztCuLoKi0vrAO/4JZnzUe3n7FXy+ER6oYK9JoKwaXc9KYdwQC3QYCby2iSq+GvRs7FL4x6/Zr8FzVCXHYMaW/Qg9dCn/g2NnEnOsH0pEASuKRPJKh8x5dtQg9v3jRK6NIDjEkXeuBnSOaeQiAcYc784foIlI7Q=,iv:zCsYZtU51zJR9XqaCvMtc5aGZwSccIrPzhznubEoEjo=,tag:0/v4Cp/0xLrfEX7H953bOA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2021-01-18T09:46:15Z'
+    mac: ENC[AES256_GCM,data:Idvsviv6CGibT+s7TSYUNmYO6gELqahJq33+k8YQhhwDKC6+s3Wqjq3xDkVjPcgq32GQolzmv20s93vQSHVuTKcH9jpXmIlwVZmZFFV7ejuA3QScOqqNNynh1m1ba/eZCGgIZiSlRuv7wqs7wz2uHN9eY3prsDkG1vxpc7UC18g=,iv:S9S/N3vW2TXcNYsc/w+3pDJT+BOQaAw8vgqYwRUtbU4=,tag:jPRXDzy29ewkq/Nzcayfnw==,type:str]
+    pgp:
+    -   created_at: '2021-01-02T19:29:14Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+            hF4Dgwm4NZSaLAcSAQdAE/883Tbc7WXuzOxjm5jVrOSbnYe+BEg75ijtZP2L3UMw
+            4mhqzy576jEQLPGrnMpX2zA2MwFAwGnMwC98sQ4vVTp/xgNQ0VHHNM4GnTi6VoUb
+            0l4BLgQrT6p2ul69ADecadWJsGm6roqMHrpNGZeeczDLOBIzrrwN4sL92jQiEPw9
+            Ih+EXJpJ1K4NouU1VRsfQPqJ6y+i295TnEgunlJeYc/MNQgBT4ABiPZgUZXnkhxl
+            =7rOv
+            -----END PGP MESSAGE-----
+        fp: F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8
+    -   created_at: '2021-01-02T19:29:14Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+            hF4DXxoViZlp6dISAQdAGifJ6qk40VdF/WKaYa9v97PdSVkPvHZt+j0G8+ZDJSEw
+            8XC1622ElTWRCZ2bjUwMF77DMgMy3rEr8B7Bj6MnEzDd/Af63Np1cO+7juybxqhz
+            0l4BO6uZ+gCvKg45jWX0GE6ZBkoUTvh24djTngHFyIHDnpCxSB6s+jcYR9otco2F
+            ++E2pcoQR4GuOeyYa/8UsW+RzKWpCfskYbSIt4gAXyCt8ua1y5Rw0DEVdw91uJNC
+            =E/qh
+            -----END PGP MESSAGE-----
+        fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
+    unencrypted_suffix: _unencrypted
+    version: 3.6.1

diff --git a/hosts/sif/mail/default.nix b/hosts/sif/mail/default.nix new file mode 100644 index 00000000..29bfb4f1 --- /dev/null +++ b/hosts/sif/mail/default.nix
@@ -0,0 +1,66 @@
	1	{ config, pkgs, ... }:
	2	{
	3	services.postfix = {
	4	enable = true;
	5	enableSmtp = true;
	6	enableSubmission = false;
	7	setSendmail = true;
	8	networksStyle = "host";
	9	hostname = "sif.midgard.yggdrasil";
	10	destination = [];
	11	relayHost = "uucp:ymir";
	12	recipientDelimiter = "+";
	13	masterConfig = {
	14	uucp = {
	15	type = "unix";
	16	private = true;
	17	privileged = true;
	18	chroot = false;
	19	command = "pipe";
	20	args = [ "flags=Fqhu" "user=uucp" ''argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)'' ];
	21	};
	22	};
	23	transport = ''
	24	odin.asgard.yggdrasil uucp:odin
	25	'';
	26	config = {
	27	always_bcc = "gkleen+sent@odin.asgard.yggdrasil";
	28
	29	default_transport = "uucp:ymir";
	30
	31	inet_interfaces = "loopback-only";
	32
	33	authorized_submit_users = ["!uucp" "static:anyone"];
	34	message_size_limit = "0";
	35
	36	sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
	37	/@(cip\|stud)\.ifi\.(lmu\|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
	38	/@ifi\.(lmu\|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
	39	/@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
	40	''}'';
	41	sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
	42	/^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
	43	/@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
	44	''}'';
	45
	46	smtp_sasl_auth_enable = true;
	47	smtp_sender_dependent_authentication = true;
	48	smtp_sasl_tls_security_options = "noanonymous";
	49	smtp_sasl_mechanism_filter = ["plain"];
	50	smtp_sasl_password_maps = "regexp:/var/db/postfix/sasl_passwd";
	51	smtp_cname_overrides_servername = false;
	52	smtp_always_send_ehlo = true;
	53	smtp_tls_security_level = "dane";
	54
	55	smtp_tls_loglevel = "1";
	56	smtp_dns_support_level = "dnssec";
	57	};
	58	};
	59
	60	sops.secrets.postfix-sasl-passwd = {
	61	key = "sasl-passwd";
	62	path = "/var/db/postfix/sasl_passwd";
	63	owner = "postfix";
	64	sopsFile = ./secrets.yaml;
	65	};
	66	}


diff --git a/hosts/sif/mail/secrets.yaml b/hosts/sif/mail/secrets.yaml new file mode 100644 index 00000000..06a2ad40 --- /dev/null +++ b/hosts/sif/mail/secrets.yaml
@@ -0,0 +1,33 @@
	1	sasl-passwd: ENC[AES256_GCM,data:S81uICROGm/E0TC3xJyPXbVLjOO+PsRyJBoWINFZGzeh8F0nXx1ewiiSXtNl9trTbxlSgf5jnBvtbyd75N0OcyqBf0db5tJtvU42DO5I4qFo4R67FzpKzKWMF4AJuFGP1aKkPsPIc41WTfLemKCfbEhVfQj9qEFLR9TC8iqzSZa0bztCuLoKi0vrAO/4JZnzUe3n7FXy+ER6oYK9JoKwaXc9KYdwQC3QYCby2iSq+GvRs7FL4x6/Zr8FzVCXHYMaW/Qg9dCn/g2NnEnOsH0pEASuKRPJKh8x5dtQg9v3jRK6NIDjEkXeuBnSOaeQiAcYc784foIlI7Q=,iv:zCsYZtU51zJR9XqaCvMtc5aGZwSccIrPzhznubEoEjo=,tag:0/v4Cp/0xLrfEX7H953bOA==,type:str]
	2	sops:
	3	kms: []
	4	gcp_kms: []
	5	azure_kv: []
	6	hc_vault: []
	7	lastmodified: '2021-01-18T09:46:15Z'
	8	mac: ENC[AES256_GCM,data:Idvsviv6CGibT+s7TSYUNmYO6gELqahJq33+k8YQhhwDKC6+s3Wqjq3xDkVjPcgq32GQolzmv20s93vQSHVuTKcH9jpXmIlwVZmZFFV7ejuA3QScOqqNNynh1m1ba/eZCGgIZiSlRuv7wqs7wz2uHN9eY3prsDkG1vxpc7UC18g=,iv:S9S/N3vW2TXcNYsc/w+3pDJT+BOQaAw8vgqYwRUtbU4=,tag:jPRXDzy29ewkq/Nzcayfnw==,type:str]
	9	pgp:
	10	- created_at: '2021-01-02T19:29:14Z'
	11	enc: \|
	12	-----BEGIN PGP MESSAGE-----
	13
	14	hF4Dgwm4NZSaLAcSAQdAE/883Tbc7WXuzOxjm5jVrOSbnYe+BEg75ijtZP2L3UMw
	15	4mhqzy576jEQLPGrnMpX2zA2MwFAwGnMwC98sQ4vVTp/xgNQ0VHHNM4GnTi6VoUb
	16	0l4BLgQrT6p2ul69ADecadWJsGm6roqMHrpNGZeeczDLOBIzrrwN4sL92jQiEPw9
	17	Ih+EXJpJ1K4NouU1VRsfQPqJ6y+i295TnEgunlJeYc/MNQgBT4ABiPZgUZXnkhxl
	18	=7rOv
	19	-----END PGP MESSAGE-----
	20	fp: F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8
	21	- created_at: '2021-01-02T19:29:14Z'
	22	enc: \|
	23	-----BEGIN PGP MESSAGE-----
	24
	25	hF4DXxoViZlp6dISAQdAGifJ6qk40VdF/WKaYa9v97PdSVkPvHZt+j0G8+ZDJSEw
	26	8XC1622ElTWRCZ2bjUwMF77DMgMy3rEr8B7Bj6MnEzDd/Af63Np1cO+7juybxqhz
	27	0l4BO6uZ+gCvKg45jWX0GE6ZBkoUTvh24djTngHFyIHDnpCxSB6s+jcYR9otco2F
	28	++E2pcoQR4GuOeyYa/8UsW+RzKWpCfskYbSIt4gAXyCt8ua1y5Rw0DEVdw91uJNC
	29	=E/qh
	30	-----END PGP MESSAGE-----
	31	fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
	32	unencrypted_suffix: _unencrypted
	33	version: 3.6.1