Merge branch 'master' of github.com:r-raymond/nixos-mailserver

Robin Raymond 2017-09-20 15:31:37 +02:00
commit f123fa7fd3


@ -48,6 +48,17 @@ let
# address though # address though
vaccounts_file = builtins.toFile "vaccounts" (lib.concatStringsSep "\n" (vaccounts_identity ++ valiases_postfix)); vaccounts_file = builtins.toFile "vaccounts" (lib.concatStringsSep "\n" (vaccounts_identity ++ valiases_postfix));
submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" ''
### Removes sensitive headers from mails handed in via the submission port.
### See https://thomas-leister.de/mailserver-debian-stretch/
### Uses "pcre" style regex.
/^Received:/ IGNORE
/^X-Originating-IP:/ IGNORE
/^X-Mailer:/ IGNORE
/^User-Agent:/ IGNORE
/^X-Enigmail:/ IGNORE
'';
in in
{ {
config = with cfg; lib.mkIf enable { config = with cfg; lib.mkIf enable {
@ -116,7 +127,13 @@ in
smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts"; smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts";
smtpd_sender_restrictions = "reject_sender_login_mismatch"; smtpd_sender_restrictions = "reject_sender_login_mismatch";
smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject"; smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
cleanup_service_name = "submission-header-cleanup";
}; };
extraMasterConf = ''
submission-header-cleanup unix n - n - 0 cleanup
-o header_checks=pcre:${submissionHeaderCleanupRules}
'';
}; };
}; };
} }
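Review bot: The rule `/^X-Enigmail:/ IGNORE` in `submissionHeaderCleanupRules` only matches a header named exactly `X-Enigmail`, while Enigmail normally emits suffixed names such as `X-Enigmail-Version:`, so those would pass through untouched; dropping the colon, `/^X-Enigmail/ IGNORE`, would cover the whole family. Separately, `/^Received:/ IGNORE` removes every Received header on this path, apparently including the one this server adds for the authenticated session, so the client hop is afterwards recoverable only from the Postfix log; a comment in the rules file such as `### After this the client hop exists only in the postfix log.` would make that trade-off explicit. The attribute set that receives `cleanup_service_name` opens outside the visible lines, so it is worth confirming that it is the submission service's option set and not the global configuration, since otherwise inbound mail would lose its Received trace as well.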