From b95aebf3664cbcb92f36855cf498f1efc6dac065 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Tue, 24 Jun 2025 12:23:55 +0200 Subject: ... --- hosts/surtr/email/default.nix | 27 ++++++++------------------- 1 file changed, 8 insertions(+), 19 deletions(-) (limited to 'hosts/surtr/email/default.nix') diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index ff0c5e2a..2879c4a6 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix @@ -130,13 +130,11 @@ in { postmasterAlias = ""; rootAlias = ""; extraAliases = ""; destination = []; networks = []; - config = let - relay_ccert = "texthash:${pkgs.writeText "relay_ccert" ""}"; - in { + config = { smtpd_tls_security_level = "may"; smtpd_tls_chain_files = [ - "/run/credentials/postfix.service/surtr.yggdrasil.li.key.pem" "/run/credentials/postfix.service/surtr.yggdrasil.li.pem" + "/run/credentials/postfix.service/surtr.yggdrasil.li.full.pem" ]; #the dh params @@ -173,12 +171,7 @@ in { smtp_tls_connection_reuse = true; - tls_server_sni_maps = ''texthash:${pkgs.writeText "sni" ( - concatMapStringsSep "\n\n" (domain: - concatMapStringsSep "\n" (subdomain: "${subdomain} /run/credentials/postfix.service/${removePrefix "." subdomain}.full.pem") - [domain "mailin.${domain}" "mailsub.${domain}" ".${domain}"] - ) emailDomains - )}''; + tls_server_sni_maps = "inline:{${concatMapStringsSep ", " (domain: "{ ${domain} = /run/credentials/postfix.service/${removePrefix "." domain}.full.pem }") (concatMap (domain: [domain "mailin.${domain}" "mailsub.${domain}" ".${domain}"]) emailDomains)}}"; smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix"; @@ -202,7 +195,6 @@ in { dbname = email query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s' ''}" - "check_ccert_access ${relay_ccert}" "reject_non_fqdn_helo_hostname" "reject_invalid_helo_hostname" "reject_unauth_destination" 
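Review bot: `smtpd_tls_chain_files` now names a single `surtr.yggdrasil.li.full.pem`, and Postfix requires the private key to precede its certificate inside each chain file, so this silently depends on the ACME module writing `full.pem` key-first (it appears to, but nothing in the diff records that). A one-line comment on the entry would protect the next edit: `# full.pem = key followed by fullchain (ACME module layout); Postfix needs the key before the cert in each chain file`. Dropping the `relay_ccert` binding does not loosen relaying: the map was an empty `texthash`, so `check_ccert_access` against it could never match. The `config` attribute set continues outside this hunk.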
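Review bot: The new `tls_server_sni_maps` one-liner hard-codes the `/run/credentials/postfix.service/<name>.full.pem` scheme a second time (the same names are produced by `LoadCredential` further down) and buries the `removePrefix "."` step that maps the `.${domain}` parent-domain key onto the apex `${domain}.full.pem`; splitting the name list and the path mapping into named let bindings keeps the `inline:{{ k = v }, …}` output byte-identical while making that coupling visible. The leading-dot keys rely on Postfix's SNI lookup falling back to `.parent` entries, exactly as the removed `texthash` file did; presumably `inline:` is treated the same way, but the table type changed, so that is worth confirming against the running Postfix version. This setting sits inside the `config` set, which begins and ends outside the hunk.
```nix
tls_server_sni_maps = let
  # SNI names served from ACME credentials; the leading-dot entries are
  # Postfix parent-domain keys that reuse the apex certificate.
  sniNames = concatMap (domain: [domain "mailin.${domain}" "mailsub.${domain}" ".${domain}"]) emailDomains;
  credentialPath = name: "/run/credentials/postfix.service/${removePrefix "." name}.full.pem";
in "inline:{${concatMapStringsSep ", " (name: "{ ${name} = ${credentialPath name} }") sniNames}}";
```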
@@ -223,7 +215,6 @@ in { address_verify_sender_ttl = "30045s"; smtpd_relay_restrictions = [ - "check_ccert_access ${relay_ccert}" "reject_unauth_destination" ]; @@ -800,13 +791,11 @@ in { ]) emailDomains); systemd.services.postfix = { - serviceConfig.LoadCredential = [ - "surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem" - "surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem" - ] ++ concatMap (domain: - map (subdomain: "${subdomain}.full.pem:${config.security.acme.certs.${subdomain}.directory}/full.pem") - [domain "mailin.${domain}" "mailsub.${domain}"] - ) emailDomains; + serviceConfig.LoadCredential = let + tlsCredential = domain: "${domain}.full.pem:${config.security.acme.certs.${domain}.directory}/full.pem"; + in [ + (tlsCredential "surtr.yggdrasil.li") + ] ++ concatMap (domain: map tlsCredential [domain "mailin.${domain}" "mailsub.${domain}"]) emailDomains; }; systemd.services.dovecot2 = { -- cgit v1.2.3
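Review bot: The `LoadCredential` list drops the `surtr.yggdrasil.li.key.pem` and `surtr.yggdrasil.li.pem` credential names; `smtpd_tls_chain_files` is updated in the same commit, but any other reference to those names elsewhere in this file (an outbound `smtp_tls_chain_files`, for instance) would now point at a missing credential and is not visible here, so it deserves a grep before merging. The `${domain}.full.pem` naming in `tlsCredential` has to match the strings built in `tls_server_sni_maps` and `smtpd_tls_chain_files`, and nothing ties the two together; a comment on the helper would record that: `# Credential name <domain>.full.pem is referenced verbatim from smtpd_tls_chain_files and tls_server_sni_maps; keep both in sync.` The `systemd.services.postfix` set closes inside the hunk, but the enclosing `in { … }` module body continues past it.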