diff options
author | aszlig <aszlig@redmoonstudios.org> | 2015-03-18 01:12:15 +0100 |
---|---|---|
committer | aszlig <aszlig@redmoonstudios.org> | 2015-03-18 01:12:15 +0100 |
commit | 692b0772223074133c5fe74d84ea727fb00499e3 (patch) | |
tree | d3d20d087665377ef0f7622e66bd6557fbaebcc9 /labernix/machines/mailserver.nix | |
parent | 0182c32769f18926489847bb21636e7b394b5b30 (diff) | |
parent | 6b857eebbafba660cc57b19bd11f6484c91f8fd7 (diff) |
Subtree-merge labernix into vuizvui.
This is the first step of generalizing the configurations into a big repository where people can track their NixOS configurations and write modules. In the next few steps I'm going to gradually refactor everything in labernix/ into the main tree and factor out personal stuff into separate namespaces. Also, this will involve a license change from APACHE-2.0 to GPL-3.0.
Diffstat (limited to 'labernix/machines/mailserver.nix')
-rw-r--r-- | labernix/machines/mailserver.nix | 119 |
1 files changed, 119 insertions, 0 deletions
diff --git a/labernix/machines/mailserver.nix b/labernix/machines/mailserver.nix new file mode 100644 index 00000000..7d4bd397 --- /dev/null +++ b/labernix/machines/mailserver.nix @@ -0,0 +1,119 @@ +{ config, pkgs, lib, ... }: let + vhostMap = { + smtpd_sender_login_maps = [ + "SELECT username AS allowedUser" + "FROM mailbox" + "WHERE username='%s' AND active = 1" + "UNION SELECT goto FROM alias" + "WHERE address='%s' AND active = 1" + ]; + + virtual_alias_maps = [ + "SELECT goto" + "FROM alias" + "WHERE address='%s' AND active = '1'" + ]; + + virtual_mailbox_domains = [ + "SELECT domain" + "FROM domain" + "WHERE domain='%s' AND active = '1'" + ]; + + virtual_mailbox_maps = [ + "SELECT maildir" + "FROM mailbox" + "WHERE username='%s' AND active = '1'" + ]; + }; + + mkDbMap = query: "proxy:pgsql:${pkgs.writeText "database.cf" '' + hosts = localhost + user = postfix + dbname = postfix + query = ${query} + ''}"; + +in { + imports = [ ../common.nix ]; + + services.spamassassin.enable = true; + + services.postfix.enable = true; + services.postfix.hostname = "mailtest.lan"; + + # TODO: This is a dummy, replace it once we know about the real root fs. + fileSystems."/".label = "root"; + boot.loader.grub.device = "nodev"; + + labernix.postfix.restrictions = { + sender = [ + "reject_authenticated_sender_login_mismatch" + "reject_unknown_sender_domain" + ]; + recipient = [ + "permit_sasl_authenticated" + "permit_mynetworks" + "reject_unauth_destination" + "reject_invalid_hostname" + "reject_non_fqdn_hostname" + "reject_non_fqdn_sender" + "reject_non_fqdn_recipient" + "reject_unknown_reverse_client_hostname" + ]; + helo = [ + "permit_sasl_authenticated" + "permit_mynetworks" + "reject_invalid_hostname" + "reject_unauth_pipelining" + "reject_non_fqdn_hostname" + ]; + }; + + services.postfix.extraConfig = '' + ${lib.concatStrings (lib.mapAttrsToList (cfgvar: query: '' + ${cfgvar} = ${mkDbMap (lib.concatStringsSep " " query)} + '') vhostMap)} + + # a bit more spam protection + disable_vrfy_command = yes + + smtpd_sasl_type=dovecot + smtpd_sasl_path=private/auth_dovecot XXXXXXXXXXXXXXX + smtpd_sasl_auth_enable = yes + smtpd_sasl_authenticated_header = yes + broken_sasl_auth_clients = yes + + proxy_read_maps = ${lib.concatStringsSep " " (map (s: "\$${s}") [ + "local_recipient_maps" "mydestination" "virtual_alias_maps" + "virtual_alias_domains" "virtual_mailbox_maps" "virtual_mailbox_domains" + "relay_recipient_maps" "relay_domains" "canonical_maps" + "sender_canonical_maps" "recipient_canonical_maps" "relocated_maps" + "transport_maps" "mynetworks" "smtpd_sender_login_maps" + ])} + + local_transport = virtual + virtual_transport = dovecot + + virtual_uid_maps = static:5000 XXXXXXXXXXXX + virtual_gid_maps = static:5000 XXXXXXXXXXXX + + smtpd_tls_cert_file=/etc/ssl/mail.crt XXXX: KEYS + smtpd_tls_key_file=/etc/ssl/mail.key XXXX: KEYS + smtpd_use_tls=yes + ''; + + services.postfix.extraMasterConf = '' + mailman unix - n n - - pipe + flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ''${nexthop} ''${user} + # ^^^ FIXME: maybe not needed! + + dovecot unix - n n - - pipe + flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ''${recipient} + # ^^^ FIXME: maybe not needed! + + spamassassin unix - n n - - pipe + user=${toString config.ids.uids.spamd} argv=${pkgs.spamassassin}/bin/spamc -f -e /var/setuid-wrappers/sendmail -oi -f ''${sender} ''${recipient} + # ^^^ FIXME: maybe not needed! + ''; +} |