From 3d2b4f9663cda3c7df39dc48ccbc7f25ac7696b6 Mon Sep 17 00:00:00 2001 From: aszlig Date: Wed, 11 Mar 2015 03:10:47 +0100 Subject: Add rudimentary mail server config. A still unfinished version of @waaaaargh's ansible deployment: https://github.com/waaaaargh/mailserver-ansible The idea here is to create a NixOS profile specific to large-scale mail server deployments. All with a 100% fleshed out Postfix configuration of course :-) Signed-off-by: aszlig --- machines/mailserver.nix | 114 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 114 insertions(+) create mode 100644 machines/mailserver.nix (limited to 'machines') diff --git a/machines/mailserver.nix b/machines/mailserver.nix new file mode 100644 index 00000000..e3f6f847 --- /dev/null +++ b/machines/mailserver.nix 
@@ -0,0 +1,114 @@
+{ config, pkgs, lib, ... }: let
+ vhostMap = {
+ smtpd_sender_login_maps = [
+ "SELECT username AS allowedUser"
+ "FROM mailbox"
+ "WHERE username='%s' AND active = 1"
+ "UNION SELECT goto FROM alias"
+ "WHERE address='%s' AND active = 1"
+ ];
+
+ virtual_alias_maps = [
+ "SELECT goto"
+ "FROM alias"
+ "WHERE address='%s' AND active = '1'"
+ ];
+
+ virtual_mailbox_domains = [
+ "SELECT domain"
+ "FROM domain"
+ "WHERE domain='%s' AND active = '1'"
+ ];
+
+ virtual_mailbox_maps = [
+ "SELECT maildir"
+ "FROM mailbox"
+ "WHERE username='%s' AND active = '1'"
+ ];
+ };
+
+ mkDbMap = query: "proxy:pgsql:${pkgs.writeText "database.cf" ''
+ hosts = localhost
+ user = postfix
+ dbname = postfix
+ query = ${query}
+ ''}";
+
+in {
+ imports = [ ../modules/postfix/restrictions.nix ];
+ services.spamassassin.enable = true;
+
+ services.postfix.enable = true;
+ services.postfix.hostname = "mailtest.lan";
+
+ openlab.postfix.restrictions = {
+ sender = [
+ "reject_authenticated_sender_login_mismatch"
+ "reject_unknown_sender_domain"
+ ];
+ recipient = [
+ "permit_sasl_authenticated"
+ "permit_mynetworks"
+ "reject_unauth_destination"
+ "reject_invalid_hostname"
+ "reject_non_fqdn_hostname"
+ "reject_non_fqdn_sender"
+ "reject_non_fqdn_recipient"
+ "reject_unknown_reverse_client_hostname"
+ ];
+ helo = [
+ "permit_sasl_authenticated"
+ "permit_mynetworks"
+ "reject_invalid_hostname"
+ "reject_unauth_pipelining"
+ "reject_non_fqdn_hostname"
+ ];
+ };
+
+ services.postfix.extraConfig = ''
+ ${lib.concatStrings (lib.mapAttrsToList (cfgvar: query: ''
+ ${cfgvar} = ${mkDbMap (lib.concatStringsSep " " query)}
+ '') vhostMap)}
+
+ # a bit more spam protection
+ disable_vrfy_command = yes
+
+ smtpd_sasl_type=dovecot
+ smtpd_sasl_path=private/auth_dovecot XXXXXXXXXXXXXXX
+ smtpd_sasl_auth_enable = yes
+ smtpd_sasl_authenticated_header = yes
+ broken_sasl_auth_clients = yes
+
+ proxy_read_maps = ${lib.concatStringsSep " " (map (s: "\$${s}") [
+ "local_recipient_maps" "mydestination" "virtual_alias_maps"
+ "virtual_alias_domains" "virtual_mailbox_maps" "virtual_mailbox_domains"
+ "relay_recipient_maps" "relay_domains" "canonical_maps"
+ "sender_canonical_maps" "recipient_canonical_maps" "relocated_maps"
+ "transport_maps" "mynetworks" "smtpd_sender_login_maps"
+ ])}
+
+ local_transport = virtual
+ virtual_transport = dovecot
+
+ virtual_uid_maps = static:5000 XXXXXXXXXXXX
+ virtual_gid_maps = static:5000 XXXXXXXXXXXX
+
+ smtpd_tls_cert_file=/etc/ssl/mail.crt XXXX: KEYS
+ smtpd_tls_key_file=/etc/ssl/mail.key XXXX: KEYS
+ smtpd_use_tls=yes
+ '';
+
+ services.postfix.extraMasterConf = ''
+ mailman unix - n n - - pipe
+ flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ''${nexthop} ''${user}
+ # ^^^ FIXME: maybe not needed!
+
+ dovecot unix - n n - - pipe
+ flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ''${recipient}
+ # ^^^ FIXME: maybe not needed!
+
+ spamassassin unix - n n - - pipe
+ user=${toString config.ids.uids.spamd} argv=${pkgs.spamassassin}/bin/spamc -f -e /var/setuid-wrappers/sendmail -oi -f ''${sender} ''${recipient}
+ # ^^^ FIXME: maybe not needed!
+ '';
+}
-- cgit 1.4.1
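Review bot: The SASL block in `services.postfix.extraConfig` lets clients authenticate before STARTTLS, because TLS is only opportunistic (`smtpd_use_tls=yes`) and nothing sets `smtpd_tls_auth_only`, so Dovecot credentials can cross the wire in cleartext on port 25; I would replace the legacy knob with `smtpd_tls_security_level = may` and add `smtpd_tls_auth_only = yes` beside `smtpd_sasl_auth_enable = yes` (or at least leave a `# TODO: require TLS before AUTH` there, given the commit calls this rudimentary). Separately, the `XXXXXXXXXXXX` / `XXXX: KEYS` placeholders are inside main.cf values rather than comments — Postfix only honours `#` at the start of a line — so `smtpd_tls_cert_file` becomes the non-existent path `/etc/ssl/mail.crt XXXX: KEYS` and `virtual_uid_maps = static:5000 XXXXXXXXXXXX` is read as a second, typeless lookup-table spec; moving each marker onto its own `# XXX: ...` line above the setting keeps the notes without breaking the config. The pgsql queries themselves look fine as far as injection goes, since Postfix applies SQL quoting to `%s` before substitution, though that is from the Postfix docs rather than anything visible here.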