path: root/hosts/sif/mail/default.nix
# Postfix setup for host "sif": listens on loopback only, delivers nothing
# locally, sends mail to the UUCP neighbour "ymir" by default, and relays mail
# from selected sender domains directly over SMTP with SASL authentication.
{ config, pkgs, ... }:
{
  services.postfix = {
    enable = true;
    enableSmtp = true;
    # No submission service entry; local programs inject mail via sendmail.
    enableSubmission = false;
    setSendmail = true;
    # Trust only this machine as a client (Postfix mynetworks_style).
    networksStyle = "host";
    hostname = "sif.midgard.yggdrasil";
    # Empty list: no domain is treated as local, so every message is routed
    # to a transport.
    destination = [];
    # NOTE(review): default_transport below also names a next hop, and Postfix
    # documents that as taking precedence over relayhost; confirm this
    # setting still has an effect.
    relayHost = "uucp:ymir";
    recipientDelimiter = "+";
    masterConfig = {
      # pipe(8) transport that hands each message to uux for the next-hop
      # UUCP host. pipe(8) executes argv directly, without a shell, so
      # address contents are not shell-interpreted.
      # flags: F = prepend "From sender date" line, q = quote whitespace and
      # special characters in address local parts, h = lowercase $nexthop,
      # u = lowercase the recipient local part.
      uucp = {
        type = "unix";
        private = true;
        # pipe(8) has to start privileged in order to switch to user=uucp.
        privileged = true;
        chroot = false;
        command = "pipe";
        # uux is taken from the setuid wrapper directory. The parentheses
        # around $recipient presumably stop uux from treating it as a file
        # name; verify against the uux manual.
        args = [ "flags=Fqhu" "user=uucp" ''argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)'' ];
      };
      # smtp(8) client variant for implicit-TLS ("wrapper mode") servers; it is
      # used by the port-465 entry in sender_dependent_default_transport_maps.
      # NOTE(review): level "encrypt" makes TLS mandatory but does not verify
      # the server certificate. If SASL PLAIN credentials are sent over this
      # transport, consider "verify"/"secure" or a per-destination TLS policy.
      smtps = {
        type = "unix";
        private = true;
        # NOTE(review): the stock smtp(8) master.cf entry runs unprivileged;
        # confirm whether privileged = true is actually needed here.
        privileged = true;
        chroot = false;
        command = "smtp";
        args = [ "-o" "smtp_tls_wrappermode=yes" "-o" "smtp_tls_security_level=encrypt" ];
      };
    };
    config = {
      # Mail with no sender-specific transport goes out via UUCP to ymir.
      default_transport = "uucp:ymir";

      # Never accept SMTP connections from the network.
      inet_interfaces = "loopback-only";

      # First match wins: user uucp may not submit mail locally, everyone
      # else may.
      authorized_submit_users = ["!uucp" "static:anyone"];
      # NOTE(review): 0 presumably disables the size limit altogether; confirm
      # this is intended for locally submitted mail.
      message_size_limit = "0";

      # Pick the outgoing transport by envelope sender address. regexp tables
      # are searched in order and the first match wins. The table is written
      # to the Nix store, so it must not contain secrets.
      sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
        /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
        /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
        /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ smtps:smtp.math.lmu.de:465
        /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
      ''}'';
      # Automatic Bcc by envelope sender: uni2work* senders are copied to the
      # uni2work mailbox, any other @ifi.lmu.de sender to a personal mailbox.
      sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
        /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
        /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
      ''}'';

      # SASL client authentication towards the relays, with credentials
      # looked up by sender address.
      smtp_sasl_auth_enable = true;
      smtp_sender_dependent_authentication = true;
      # Inside TLS sessions only anonymous mechanisms are excluded, which
      # permits PLAIN. smtp_sasl_security_options is not set in this file, so
      # the Postfix default governs non-TLS sessions.
      smtp_sasl_tls_security_options = "noanonymous";
      smtp_sasl_mechanism_filter = ["plain"];
      # Same path as the sops secret declared at the bottom of this file.
      smtp_sasl_password_maps = "regexp:/var/db/postfix/sasl_passwd";
      # Keep using the configured server name, not a name learned from a DNS
      # CNAME, for SASL password lookup and TLS name checks.
      smtp_cname_overrides_servername = false;
      smtp_always_send_ehlo = true;
      # DANE needs the DNSSEC-validated lookups enabled below.
      # NOTE(review): for destinations without usable TLSA records the "dane"
      # level falls back to opportunistic, unauthenticated TLS; consider
      # enforcing authenticated TLS for relays that receive SASL credentials.
      smtp_tls_security_level = "dane";

      smtp_tls_loglevel = "1";
      smtp_dns_support_level = "dnssec";
    };
  };

  # SASL password table, taken from key "sasl-passwd" in the sops-encrypted
  # secrets.yaml and placed at the path Postfix reads, owned by user postfix.
  sops.secrets.postfix-sasl-passwd = {
    key = "sasl-passwd";
    path = "/var/db/postfix/sasl_passwd";
    owner = "postfix";
    sopsFile = ./secrets.yaml;
  };
}