Switch from using postfix extraConfig to config

`services.postfix.extraConfig` is just a string while the
`services.postfix.config` option configures the same thing but with a
typed attrset instead which is easier to manipulate and override in Nix.
This commit is contained in:
Brian Olsen 2020-05-22 12:19:50 +02:00
parent c2ee9f217a
commit aed5d9e523
No known key found for this signature in database
GPG key ID: 029DD8E8B95882E8

View file

@ -138,81 +138,85 @@ in
virtual = virtual =
(lib.concatStringsSep "\n" (all_valiases_postfix ++ catchAllPostfix)); (lib.concatStringsSep "\n" (all_valiases_postfix ++ catchAllPostfix));
extraConfig = config = {
''
# Extra Config # Extra Config
mydestination = mydestination = "";
recipient_delimiter = + recipient_delimiter = "+";
smtpd_banner = ${fqdn} ESMTP NO UCE smtpd_banner = "${fqdn} ESMTP NO UCE";
disable_vrfy_command = yes disable_vrfy_command = true;
message_size_limit = ${builtins.toString cfg.messageSizeLimit} message_size_limit = toString cfg.messageSizeLimit;
# virtual mail system # virtual mail system
virtual_uid_maps = static:5000 virtual_uid_maps = "static:5000";
virtual_gid_maps = static:5000 virtual_gid_maps = "static:5000";
virtual_mailbox_base = ${mailDirectory} virtual_mailbox_base = mailDirectory;
virtual_mailbox_domains = ${vhosts_file} virtual_mailbox_domains = vhosts_file;
virtual_mailbox_maps = ${mappedFile "valias"} virtual_mailbox_maps = mappedFile "valias";
virtual_transport = lmtp:unix:/run/dovecot2/dovecot-lmtp virtual_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
# sasl with dovecot # sasl with dovecot
smtpd_sasl_type = dovecot smtpd_sasl_type = "dovecot";
smtpd_sasl_path = /run/dovecot2/auth smtpd_sasl_path = "/run/dovecot2/auth";
smtpd_sasl_auth_enable = yes smtpd_sasl_auth_enable = true;
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination smtpd_relay_restrictions = [
"permit_mynetworks" "permit_sasl_authenticated" "reject_unauth_destination"
];
policy-spf_time_limit = 3600s policy-spf_time_limit = "3600s";
# reject selected senders # reject selected senders
smtpd_sender_restrictions = check_sender_access ${mappedFile "reject_senders"} smtpd_sender_restrictions = [
"check_sender_access ${mappedFile "reject_senders"}"
];
# quota and spf checking # quota and spf checking
smtpd_recipient_restrictions = smtpd_recipient_restrictions = [
check_recipient_access ${mappedFile "denied_recipients"}, "check_recipient_access ${mappedFile "denied_recipients"}"
check_recipient_access ${mappedFile "reject_recipients"}, "check_recipient_access ${mappedFile "reject_recipients"}"
check_policy_service inet:localhost:12340, "check_policy_service inet:localhost:12340"
check_policy_service unix:private/policy-spf "check_policy_service unix:private/policy-spf"
];
# TLS settings, inspired by https://github.com/jeaye/nix-files # TLS settings, inspired by https://github.com/jeaye/nix-files
# Submission by mail clients is handled in submissionOptions # Submission by mail clients is handled in submissionOptions
smtpd_tls_security_level = may smtpd_tls_security_level = "may";
# strong might suffice and is computationally less expensive # strong might suffice and is computationally less expensive
smtpd_tls_eecdh_grade = ultra smtpd_tls_eecdh_grade = "ultra";
# Disable obselete protocols # Disable obselete protocols
smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 smtpd_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
smtp_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 smtp_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 smtpd_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 smtp_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
smtp_tls_ciphers = high smtp_tls_ciphers = "high";
smtpd_tls_ciphers = high smtpd_tls_ciphers = "high";
smtp_tls_mandatory_ciphers = high smtp_tls_mandatory_ciphers = "high";
smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_ciphers = "high";
# Disable deprecated ciphers # Disable deprecated ciphers
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL smtpd_tls_mandatory_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL smtpd_tls_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL smtp_tls_mandatory_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL smtp_tls_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
tls_preempt_cipherlist = yes tls_preempt_cipherlist = true;
# Allowing AUTH on a non encrypted connection poses a security risk # Allowing AUTH on a non encrypted connection poses a security risk
smtpd_tls_auth_only = yes smtpd_tls_auth_only = true;
# Log only a summary message on TLS handshake completion # Log only a summary message on TLS handshake completion
smtpd_tls_loglevel = 1 smtpd_tls_loglevel = "1";
# Configure a non blocking source of randomness # Configure a non blocking source of randomness
tls_random_source = dev:/dev/urandom tls_random_source = "dev:/dev/urandom";
smtpd_milters = ${lib.concatStringsSep "," smtpdMilters} smtpd_milters = smtpdMilters;
${lib.optionalString cfg.dkimSigning "non_smtpd_milters = unix:/run/opendkim/opendkim.sock"} non_smtpd_milters = lib.mkIf cfg.dkimSigning ["unix:/run/opendkim/opendkim.sock"];
milter_protocol = 6 milter_protocol = "6";
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer} milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}";
'';
};
submissionOptions = submissionOptions =
{ {
smtpd_tls_security_level = "encrypt"; smtpd_tls_security_level = "encrypt";