From aaf33e220b1412c03b5725abe7cf165c06588fb5 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 7 Jun 2025 13:00:03 +0200
Subject: ...
---
hosts/sif/email/default.nix | 110 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 110 insertions(+)
create mode 100644 hosts/sif/email/default.nix
(limited to 'hosts/sif/email/default.nix')
diff --git a/hosts/sif/email/default.nix b/hosts/sif/email/default.nix
new file mode 100644
index 00000000..4eda236e
--- /dev/null
+++ b/hosts/sif/email/default.nix
@@ -0,0 +1,110 @@
+{ config, lib, pkgs, ... }:
+{
+ services.postfix = {
+ enable = true;
+ enableSmtp = false;
+ enableSubmission = false;
+ setSendmail = true;
+ networksStyle = "host";
+ hostname = "sif.midgard.yggdrasil";
+ destination = [];
+ recipientDelimiter = "+";
+ config = {
+ mydomain = "yggdrasil.li";
+
+ local_transport = "error:5.1.1 No local delivery";
+ alias_database = [];
+ alias_maps = [];
+ local_recipient_maps = [];
+
+ inet_interfaces = "loopback-only";
+
+ message_size_limit = "0";
+
+ authorized_submit_users = "inline:{ gkleen= }";
+ authorized_flush_users = "inline:{ gkleen= }";
+ authorized_mailq_users = "inline:{ gkleen= }";
+
+ smtp_generic_maps = "inline:{ root=root+sif }";
+
+ mynetworks = ["127.0.0.0/8" "[::1]/128"];
+ smtpd_client_restrictions = ["permit_mynetworks" "reject"];
+ smtpd_relay_restrictions = ["permit_mynetworks" "reject"];
+
+ sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
+ /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
+ /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
+ /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ smtps:smtp.math.lmu.de:465
+ /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
+ ''}'';
+ sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
+ /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
+ /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
+ ''}'';
+ relayhost = "[surtr.yggdrasil.li]:465";
+ default_transport = "relay";
+
+ smtp_sasl_auth_enable = true;
+ smtp_sender_dependent_authentication = true;
+ smtp_sasl_tls_security_options = "noanonymous";
+ smtp_sasl_mechanism_filter = ["plain"];
+ smtp_sasl_password_maps = "regexp:/run/credentials/postfix.service/sasl_passwd";
+ smtp_cname_overrides_servername = false;
+ smtp_always_send_ehlo = true;
+ smtp_tls_security_level = "dane";
+
+ smtp_tls_loglevel = "1";
+ smtp_dns_support_level = "dnssec";
+ };
+ masterConfig = {
+ submission = {
+ type = "inet";
+ private = false;
+ command = 
"smtpd"; + args = [ + "-o" "syslog_name=postfix/$service_name" + ]; + }; + smtp = { }; + smtps = { + type = "unix"; + private = true; + privileged = true; + chroot = false; + command = "smtp"; + args = [ + "-o" "smtp_tls_wrappermode=yes" + "-o" "smtp_tls_security_level=encrypt" + ]; + }; + relay = { + command = "smtp"; + args = [ + "-o" "smtp_fallback_relay=" + "-o" "smtp_tls_security_level=verify" + "-o" "smtp_tls_wrappermode=yes" + "-o" "smtp_tls_cert_file=${./relay.crt}" + "-o" "smtp_tls_key_file=/run/credentials/postfix.service/relay.key" + ]; + }; + }; + }; + + systemd.services.postfix = { + serviceConfig.LoadCredential = [ + "sasl_passwd:${config.sops.secrets."postfix-sasl-passwd".path}" + "relay.key:${config.sops.secrets."relay-key".path}" + ]; + }; + + sops.secrets = { + postfix-sasl-passwd = { + key = "sasl-passwd"; + sopsFile = ./secrets.yaml; + }; + relay-key = { + format = "binary"; + sopsFile = ./relay.key; + }; + }; +} -- cgit v1.2.3