Diffstat (limited to 'hosts/surtr/email')
-rw-r--r--hosts/surtr/email/default.nix27
1 files changed, 8 insertions, 19 deletions
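diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index ff0c5e2a..2879c4a6 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -130,13 +130,11 @@ in {
 postmasterAlias = ""; rootAlias = ""; extraAliases = "";
 destination = [];
 networks = [];
-config = let
-relay_ccert = "texthash:${pkgs.writeText "relay_ccert" ""}";
-in {
+config = {
 smtpd_tls_security_level = "may";
 
 smtpd_tls_chain_files = [
-"/run/credentials/postfix.service/surtr.yggdrasil.li.key.pem" "/run/credentials/postfix.service/surtr.yggdrasil.li.pem"
+"/run/credentials/postfix.service/surtr.yggdrasil.li.full.pem"
 ];
 
 #the dh params
@@ -173,12 +171,7 @@ in {
 
 smtp_tls_connection_reuse = true;
 
-tls_server_sni_maps = ''texthash:${pkgs.writeText "sni" (
-concatMapStringsSep "\n\n" (domain:
-concatMapStringsSep "\n" (subdomain: "${subdomain} /run/credentials/postfix.service/${removePrefix "." subdomain}.full.pem")
-[domain "mailin.${domain}" "mailsub.${domain}" ".${domain}"]
-) emailDomains
-)}'';
+tls_server_sni_maps = "inline:{${concatMapStringsSep ", " (domain: "{ ${domain} = /run/credentials/postfix.service/${removePrefix "." domain}.full.pem }") (concatMap (domain: [domain "mailin.${domain}" "mailsub.${domain}" ".${domain}"]) emailDomains)}}";
 
 smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix";
 
@@ -202,7 +195,6 @@ in {
 dbname = email
 query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s'
 ''}"
-"check_ccert_access ${relay_ccert}"
 "reject_non_fqdn_helo_hostname"
 "reject_invalid_helo_hostname"
 "reject_unauth_destination"
@@ -223,7 +215,6 @@ in {
 address_verify_sender_ttl = "30045s";
 
 smtpd_relay_restrictions = [
-"check_ccert_access ${relay_ccert}"
 "reject_unauth_destination"
 ];
 
@@ -800,13 +791,11 @@ in {
 ]) emailDomains);
 
 systemd.services.postfix = {
-serviceConfig.LoadCredential = [
-"surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem"
-"surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem"
-] ++ concatMap (domain:
-map (subdomain: "${subdomain}.full.pem:${config.security.acme.certs.${subdomain}.directory}/full.pem")
-[domain "mailin.${domain}" "mailsub.${domain}"]
-) emailDomains;
+serviceConfig.LoadCredential = let
+tlsCredential = domain: "${domain}.full.pem:${config.security.acme.certs.${domain}.directory}/full.pem";
+in [
+(tlsCredential "surtr.yggdrasil.li")
+] ++ concatMap (domain: map tlsCredential [domain "mailin.${domain}" "mailsub.${domain}"]) emailDomains;
 };
 
 systemd.services.dovecot2 = {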
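Review bot: The `tlsCredential` helper in the last hunk now routes every certificate (key included, since `full.pem` is the combined file) through `LoadCredential`, and systemd copies those files once at service start, so a renewed ACME certificate is not served until postfix.service is restarted; nothing in this diff shows `security.acme.certs.<name>.reloadServices` (or an equivalent restart hook) covering `postfix.service`, so please confirm it is set elsewhere, otherwise the server will keep presenting an expired chain after renewal. Postfix also requires the private key to precede its certificate within each `smtpd_tls_chain_files` / SNI map entry; this presumably holds for the ACME module's `full.pem`, but it is worth a one-line comment at the helper, e.g. `# full.pem = key + fullchain; key-first order is required by smtpd_tls_chain_files`. The `systemd.services.postfix` attribute set this helper lives in continues past the hunk.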