From 34a82fe1c8135b2d480f36fe4e57fdef9f5aff6f Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Wed, 26 Jul 2017 15:29:18 +0200
Subject: Formulate postfix config for nix
---
 ymir.nix | 169 ++++++++++++++++++++++++++++-----------------------------------
 1 file changed, 76 insertions(+), 93 deletions(-)
diff --git a/ymir.nix b/ymir.nix
index b55df52e..f6197e5a 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -443,72 +443,72 @@ in rec { ''}'']; sslCert = "/var/lib/acme/yggdrasil.li/fullchain.pem"; sslKey = "/var/lib/acme/yggdrasil.li/key.pem"; - extraConfig = '' + config = { #the dh params - smtpd_tls_dh1024_param_file = /etc/ssl/dhparam.pem - smtpd_tls_dh512_param_file = /etc/ssl/dhparam.pem + smtpd_tls_dh1024_param_file = /etc/ssl/dhparam.pem; + smtpd_tls_dh512_param_file = /etc/ssl/dhparam.pem; #enable ECDH - smtpd_tls_eecdh_grade = strong + smtpd_tls_eecdh_grade = "strong"; #enabled SSL protocols, don't allow SSLv2 and SSLv3 - smtpd_tls_protocols= !SSLv2, !SSLv3 - smtpd_tls_mandatory_protocols= !SSLv2, !SSLv3 + smtpd_tls_protocols = [ "!SSLv2" "!SSLv3"]; + smtpd_tls_mandatory_protocols = ["!SSLv2" "!SSLv3"]; #allowed ciphers for smtpd_tls_security_level=encrypt - smtpd_tls_mandatory_ciphers = high + smtpd_tls_mandatory_ciphers = "high"; #allowed ciphers for smtpd_tls_security_level=may #smtpd_tls_ciphers = high #enforce the server cipher preference - tls_preempt_cipherlist = yes + tls_preempt_cipherlist = true; #disable following ciphers for smtpd_tls_security_level=encrypt - smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL + smtpd_tls_mandatory_exclude_ciphers = ["aNULL" "MD5" "DES" "ADH" "RC4" "PSD" "SRP" "3DES" "eNULL"]; #disable following ciphers for smtpd_tls_security_level=may - #smtpd_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL + smtpd_tls_exclude_ciphers = ["aNULL" "MD5" "DES" "ADH" "RC4" "PSD" "SRP" "3DES" "eNULL"]; #enable TLS logging to see the ciphers for inbound connections - smtpd_tls_loglevel = 1 + smtpd_tls_loglevel = 1; #enable TLS logging to see the ciphers for outbound connections - smtp_tls_loglevel = 1 + smtp_tls_loglevel = 1; - smtp_dns_support_level = dnssec - smtp_tls_security_level = dane + smtp_dns_support_level = "dnssec"; + smtp_tls_security_level = "dane"; - transport_maps = regexp:${pkgs.writeText "transport" '' + transport_maps = ''regexp:${pkgs.writeText "transport" 
'' /@(lists?|l)\./ mlmmj: /@subs?\.(lists?|l)\./ mlmmj-subs: - ''} regexp:/srv/mail/transport pipemap:{texthash:/srv/mail/discard,static:{discard:}} + ''} regexp:/srv/mail/transport pipemap:{texthash:/srv/mail/discard,static:{discard:}}''; - local_recipient_maps = + local_recipient_maps = ""; - luser_relay = gkleen+''${local} + luser_relay = "gkleen+${local}"; # 10 GiB - message_size_limit = 10737418240 + message_size_limit = 10737418240; # 10 GiB - mailbox_size_limit = 10737418240 + mailbox_size_limit = 10737418240; - mailbox_transport_maps = pipemap:{unix:passwd.byname, static:{lmtp:unix:private/dovecot-lmtp}} + mailbox_transport_maps = "pipemap:{unix:passwd.byname, static:{lmtp:unix:private/dovecot-lmtp}}"; #mailbox_command = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT" - smtpd_sasl_type = dovecot - smtpd_sasl_path = private/dovecot-auth - - smtpd_sasl_auth_enable = yes - smtpd_sasl_security_options = noanonymous, noplaintext - smtpd_sasl_tls_security_options = noanonymous - smtpd_tls_auth_only = yes - - smtpd_delay_reject = yes - smtpd_helo_required = yes - smtpd_helo_restrictions = permit - - smtpd_recipient_restrictions = - reject_unauth_pipelining, - reject_non_fqdn_recipient, - reject_unknown_recipient_domain, - permit_mynetworks, - permit_sasl_authenticated, - reject_non_fqdn_helo_hostname, - reject_invalid_helo_hostname, - reject_unauth_destination, - check_client_access regexp:${pkgs.writeText "spfpolicy" '' + smtpd_sasl_type = "dovecot"; + smtpd_sasl_path = private/dovecot-auth; + + smtpd_sasl_auth_enable = true; + smtpd_sasl_security_options = ["noanonymous" "noplaintext"]; + smtpd_sasl_tls_security_options = "noanonymous"; + smtpd_tls_auth_only = true; + + smtpd_delay_reject = true; + smtpd_helo_required = true; + smtpd_helo_restrictions = "permit"; + + smtpd_recipient_restrictions = [ + "reject_unauth_pipelining" + "reject_non_fqdn_recipient" + "reject_unknown_recipient_domain" + "permit_mynetworks" + 
"permit_sasl_authenticated" + "reject_non_fqdn_helo_hostname" + "reject_invalid_helo_hostname" + "reject_unauth_destination" + ''check_client_access regexp:${pkgs.writeText "spfpolicy" '' /(^|\.)tu-muenchen\.de$/ DUNNO /(^|\.)tum\.de$/ DUNNO /(^|\.)lmu\.de$/ DUNNO @@ -521,27 +521,28 @@ in rec { /(^|\.)mhn\.de$/ DUNNO /(^|\.)mwn\.de$/ DUNNO /.*/ spfcheck - ''} - smtpd_restriction_classes = spfcheck - spfcheck = - check_policy_service unix:private/policy-spf - - smtpd_relay_restrictions = - permit_mynetworks, - permit_sasl_authenticated, - reject_unauth_destination - - mlmmj_destination_recipient_limit = 1 - mlmmj-subs_destination_recipient_limit = 1 - policy-spf_time_limit = 3600s - propagate_unmatched_extensions = canonical, virtual, alias - - milter_default_action = accept - milter_protocol = 2 - smtpd_milters = local:private/dkim - non_smtpd_milters = local:private/dkim - - alias_maps = texthash:${pkgs.writeText "aliases" '' + ''}'' + ]; + smtpd_restriction_classes = "spfcheck"; + spfcheck = "check_policy_service unix:private/policy-spf"; + + smtpd_relay_restrictions = [ + "permit_mynetworks" + "permit_sasl_authenticated" + "reject_unauth_destination" + ]; + + mlmmj_destination_recipient_limit = 1; + mlmmj-subs_destination_recipient_limit = 1; + policy-spf_time_limit = "3600s"; + propagate_unmatched_extensions = ["canonical" "virtual" "alias"]; + + milter_default_action = "accept"; + milter_protocol = 2; + smtpd_milters = "local:private/dkim"; + non_smtpd_milters = "local:private/dkim"; + + alias_maps = ''texthash:${pkgs.writeText "aliases" '' postmaster gkleen webmaster gkleen abuse gkleen 
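Review bot: `luser_relay = "gkleen+${local}";` turns the Postfix macro into a Nix antiquotation — inside a double-quoted Nix string `${local}` is evaluated, so this either fails on an undefined `local` or substitutes some unrelated binding, whereas the old `''${local}` emitted the literal text; write `luser_relay = "gkleen+\${local}";`. The unquoted `private/dovecot-auth` and `/etc/ssl/dhparam.pem` are Nix path literals rather than strings: the first resolves relative to the directory holding ymir.nix, and both are either rejected by the option's type or copied into the store at evaluation time when rendered into main.cf (the option type is not visible here), so they should be quoted, e.g. `smtpd_sasl_path = "private/dovecot-auth";` and `smtpd_tls_dh1024_param_file = "/etc/ssl/dhparam.pem";`. `PSD` in both exclude-cipher lists is carried over from the old config and does not look like an OpenSSL cipher keyword (presumably `PSK` was meant); worth confirming against `openssl ciphers` since an unrecognised entry excludes nothing. The `config = {` attribute set opened in this hunk continues past its end.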
@@ -555,18 +556,19 @@ in rec { ftp gkleen root gkleen ''} texthash:/srv/mail/spm + ''; - queue_run_delay = 10s - minimal_backoff_time = 1m - maximal_backoff_time = 10m - maximal_queue_lifetime = 100m - bounce_queue_lifetime = 20m + queue_run_delay = "10s"; + minimal_backoff_time = "1m"; + maximal_backoff_time = "10m"; + maximal_queue_lifetime = "100m"; + bounce_queue_lifetime = "20m"; - sender_canonical_maps = tcp:localhost:10001 - sender_canonical_classes = envelope_sender - recipient_canonical_maps = tcp:localhost:10002 - recipient_canonical_classes= envelope_recipient,header_recipient - ''; + sender_canonical_maps = "tcp:localhost:10001"; + sender_canonical_classes = "envelope_sender"; + recipient_canonical_maps = "tcp:localhost:10002"; + recipient_canonical_classes = ["envelope_recipient" "header_recipient"]; + }; masterConfig = { uucp = { type = "unix"; 
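Review bot: `milter_default_action = "accept";` is now a bare attribute with no explanation, and it fails open: when the DKIM milter at `local:private/dkim` is unavailable, Postfix proceeds as if no milter were configured, so mail passes unsigned and unverified. A one-line comment above it, `# fail open: mail passes unsigned/unverified if the DKIM milter is down`, would record that this is deliberate rather than an oversight. The `config` attribute set these keys belong to starts and ends outside this hunk.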
@@ -601,25 +603,6 @@ in rec { args = [ "user=nobody" ''argv=${pkgs.pythonPackages.pypolicyd-spf}/bin/policyd-spf ${./ymir/spf.conf}'' ]; }; }; - # extraMasterConf = '' - # uucp unix - n n - - pipe flags=Fqhu user=uucp argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient) - # mlmmj unix - n n - - pipe flags=ORhu user=mlmmj argv=${pkgs.mlmmj}/bin/mlmmj-receive -F -L /var/spool/lists/''${user} - # mlmmj-subs unix - n n - - pipe flags=ORhu user=mlmmj argv=${pkgs.mlmmj-exposed}/bin/mlmmj-exposed /var/spool/lists/''${user} ''${extension} - # policy-spf unix - n n - - spawn user=nobody argv=${pkgs.pythonPackages.pypolicyd-spf}/bin/policyd-spf ${./ymir/spf.conf} - # logEmail unix - n n - 10 pipe flags=Rq user=nobody null_sender= argv=${pkgs.writeScript "logEmail" '' - # #!${pkgs.stdenv.shell} - - # export PATH=${config.security.wrapperDir}:/run/current-system/sw/bin - - # mailFile=/tmp/logEmail/$(date +"%F-%H%M%S").$$ - - # mkdir -p -m 700 /tmp/logEmail - - # cat >$mailFile - - # sendmail -G -i "$@" <$mailFile - # ''} -f ''${sender} -- ''${recipient} - # ''; networks = ["127.0.0.0/8" "[::ffff:127.0.0.0]/104" "[::1]/128" "10.141.0.0/16"]; }; -- cgit v1.2.3
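Review bot: The `'';` that closes `alias_maps` sits on its own line, so the indented string ends with a newline and the rendered `alias_maps = …` entry in main.cf is presumably followed by an empty line, whereas `transport_maps` in the first hunk closes its `''` directly after the last map. Postfix tolerates the blank line, but for consistency the closing should be `''} texthash:/srv/mail/spm'';` with the separate `'';` line dropped. The `config` attribute set closed by `};` here begins outside the hunk.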