about summary refs log tree commit diff
path: root/nixos/modules/services/mail/clamsmtp.nix
blob: 5bcf8ecdde1ace7bf6d2ee952b6088fadd3a8a8e (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
{ config, lib, pkgs, ... }:

with lib;
let
  cfg = config.services.clamsmtp;
  clamdSocket = "/run/clamav/clamd.ctl"; # See services/security/clamav.nix
in
{
  ##### interface
  options = {
    services.clamsmtp = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to enable clamsmtp.";
      };

      instances = mkOption {
        description = "Instances of clamsmtp to run.";
        type = types.listOf (types.submodule { options = {
          action = mkOption {
            type = types.enum [ "bounce" "drop" "pass" ];
            default = "drop";
            description = ''
                Action to take when a virus is detected.

                Note that viruses often spoof sender addresses, so bouncing is
                in most cases not a good idea.
              '';
          };

          header = mkOption {
            type = types.str;
            default = "";
            example = "X-Virus-Scanned: ClamAV using ClamSMTP";
            description = ''
                A header to add to scanned messages. See clamsmtpd.conf(5) for
                more details. Empty means no header.
              '';
          };

          keepAlives = mkOption {
            type = types.int;
            default = 0;
            description = ''
                Number of seconds to wait between each NOOP sent to the sending
                server. 0 to disable.

                This is meant for slow servers where the sending MTA times out
                waiting for clamd to scan the file.
              '';
          };

          listen = mkOption {
            type = types.str;
            example = "127.0.0.1:10025";
            description = ''
                Address to wait for incoming SMTP connections on. See
                clamsmtpd.conf(5) for more details.
              '';
          };

          quarantine = mkOption {
            type = types.bool;
            default = false;
            description = ''
                Whether to quarantine files that contain viruses by leaving them
                in the temporary directory.
              '';
          };

          maxConnections = mkOption {
            type = types.int;
            default = 64;
            description = "Maximum number of connections to accept at once.";
          };

          outAddress = mkOption {
            type = types.str;
            description = ''
                Address of the SMTP server to send email to once it has been
                scanned.
              '';
          };

          tempDirectory = mkOption {
            type = types.str;
            default = "/tmp";
            description = ''
                Temporary directory that needs to be accessible to both clamd
                and clamsmtpd.
              '';
          };

          timeout = mkOption {
            type = types.int;
            default = 180;
            description = "Time-out for network connections.";
          };

          transparentProxy = mkOption {
            type = types.bool;
            default = false;
            description = "Enable clamsmtp's transparent proxy support.";
          };

          virusAction = mkOption {
            type = with types; nullOr path;
            default = null;
            description = ''
                Command to run when a virus is found. Please see VIRUS ACTION in
                clamsmtpd(8) for a discussion of this option and its safe use.
              '';
          };

          xClient = mkOption {
            type = types.bool;
            default = false;
            description = ''
                Send the XCLIENT command to the receiving server, for forwarding
                client addresses and connection information if the receiving
                server supports this feature.
              '';
          };
        };});
      };
    };
  };

  ##### implementation
  config = let
    configfile = conf: pkgs.writeText "clamsmtpd.conf"
      ''
        Action: ${conf.action}
        ClamAddress: ${clamdSocket}
        Header: ${conf.header}
        KeepAlives: ${toString conf.keepAlives}
        Listen: ${conf.listen}
        Quarantine: ${if conf.quarantine then "on" else "off"}
        MaxConnections: ${toString conf.maxConnections}
        OutAddress: ${conf.outAddress}
        TempDirectory: ${conf.tempDirectory}
        TimeOut: ${toString conf.timeout}
        TransparentProxy: ${if conf.transparentProxy then "on" else "off"}
        User: clamav
        ${optionalString (conf.virusAction != null) "VirusAction: ${conf.virusAction}"}
        XClient: ${if conf.xClient then "on" else "off"}
      '';
  in
    mkIf cfg.enable {
      assertions = [
        { assertion = config.services.clamav.daemon.enable;
          message = "clamsmtp requires clamav to be enabled";
        }
      ];

      systemd.services = listToAttrs (imap1 (i: conf:
        nameValuePair "clamsmtp-${toString i}" {
          description = "ClamSMTP instance ${toString i}";
          wantedBy = [ "multi-user.target" ];
          script = "exec ${pkgs.clamsmtp}/bin/clamsmtpd -f ${configfile conf}";
          after = [ "clamav-daemon.service" ];
          requires = [ "clamav-daemon.service" ];
          serviceConfig.Type = "forking";
          serviceConfig.PrivateTmp = "yes";
          unitConfig.JoinsNamespaceOf = "clamav-daemon.service";
        }
      ) cfg.instances);
    };

  meta.maintainers = with lib.maintainers; [ ekleog ];
}