maralorn/nixos-config
1
0
Fork 0
Code Wiki Activity
nixos-config/nixos/machines/hera/mail.nix
Malte Brandy 51c98925d1 Switch from kresd to unbound
2022-02-04 13:39:02 +01:00

99 lines
3.4 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{ pkgs, config, lib, ... }:
let
certPath = "/var/lib/acme/hera.m-0.eu";
nonMailboxDomains = [ "lists.maralorn.de" ];
inherit (config.m-0) hosts;
in
{
m-0.monitoring = [
{
name = "postfix on hera";
host = "hera-intern:9154";
}
];
imports = [ ../../roles "${(import ../../../nix/sources.nix).nixos-mailserver}" ];
services = {
unbound.enable = true;
prometheus.exporters = {
postfix = {
enable = true;
systemd.enable = true;
showqPath = "/var/lib/postfix/queue/public/showq";
user = "postfix";
};
};
rspamd.locals = {
"multimap.conf".text =
let
allow-ip = builtins.toFile "allow-ip.map" ''
'';
allow-host = builtins.toFile "allow-host.map" ''
gmx.de
web.de
google.com
meteosafe.com # Wetterwarnungen
# tu-darmstadt.de # Not safe because of spam via cda
ccc.de
discourse.cloud
haskell.org
github.com
vocalensemble-darmstadt.de
sit-mainz.info # Bistum Mainz
'';
in
''
# local.d/multimap.conf
# allow lists
LOCAL_AL_IP {
type = "ip"; # matches IP of the host that performed message handoff (against radix map)
map = "${allow-ip}";
group = "local_al_ip";
score = -15;
description = "Submitting IP listed in local allow list";
}
LOCAL_AL_HOST {
type = "hostname"; # matches reverse DNS name of the host that performed message handoff
filter = "tld" ; # matches eSLD (effective second level domain - a second-level domain or something thats effectively so like example.com or example.za.org)
score = -15;
map = "${allow-host}";
description = "Submitting host RDNS listed in local allow list";
}
'';
};
postfix = {
networks = [ "[::1]/128" "127.0.0.1/32" "[${config.m-0.prefix}::]/64" "[${hosts.vpn.prefix}::]/64" "10.0.0.0/24" ];
transport = "email2matrix.maralorn.de smtp:[::1]:2525";
config = {
# Allow TLSv1 because we need to be able to receive mail from legacy servers.
smtpd_tls_protocols = lib.mkForce "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, !SSLv2, !SSLv3";
virtual_mailbox_domains = lib.mkForce (builtins.toFile "vhosts" (lib.concatStringsSep "\n" (builtins.filter (x: !builtins.elem x nonMailboxDomains) config.mailserver.domains)));
smtp_bind_address = hosts.hera-v4;
smtp_bind_address6 = hosts.hera;
};
};
};
mailserver = {
dkimKeyDirectory = "/var/lib/opendkim/keys";
enable = true;
localDnsResolver = false; # Use unbound instead.
openFirewall = true;
enableImapSsl = true;
enableManageSieve = true;
fqdn = "hera.m-0.eu";
rewriteMessageId = true;
domains = [ "m-0.eu" "maralorn.de" "choreutes.de" "mathechor.de" "lists.maralorn.de" "malte-und-clai.re" ];
forwards = pkgs.privateValue { } "mail/forwards";
loginAccounts = pkgs.privateValue { } "mail/users";
hierarchySeparator = "/";
certificateScheme = 1;
certificateFile = "${certPath}/fullchain.pem";
keyFile = "${certPath}/key.pem";
policydSPFExtraConfig = ''
Mail_From_reject = False
HELO_Whitelist = hosteurope.de
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1,130.83.0.0/16
'';
};
}
View git blame Copy permalink