path: root/config/mail-server.nix
{ config, lib, pkgs, ... }:
{
  # Inbound TCP ports opened for mail traffic.
  networking.firewall.allowedTCPPorts = [
    25   # SMTP
    465  # NOTE(review): no service bound to 465 is configured in this file; confirm it is needed, otherwise close it
    587  # submission; see services.postfix.enableSubmission
  ];
  # Dovecot: password-file authentication, plus an auth socket that Postfix
  # uses to authenticate submission clients (see smtpd_sasl_path in
  # services.postfix.submissionOptions).
  services.dovecot2 = let
    # Directory holding the ACME-issued certificate and key for this host.
    acmeDir = "${config.security.acme.directory}/shape.orbekk.com";

    # Credentials live outside the Nix store.
    # NOTE(review): ownership and mode of this file are not visible here;
    # verify that only the auth process can read it.
    passwdFile = "/opt/secret/dovecot-passwd";

    # %n makes the lookup use only the local part of the login name, so the
    # domain part of user@domain is ignored.
    passwdFileArgs = "username_format=%n ${passwdFile}";
  in {
    enable = true;
    enablePAM = false;
    sslServerKey = "${acmeDir}/key.pem";
    sslServerCert = "${acmeDir}/fullchain.pem";

    # Raw Dovecot configuration. Comments are kept out of the string so the
    # generated text stays unchanged.
    #  - passdb and userdb both read the same passwd-file.
    #  - mail_debug = yes turns on verbose mail-process logging.
    #    NOTE(review): consider disabling it outside troubleshooting and
    #    check who can read the resulting logs.
    #  - The auth-client-postfix socket is owned by postfix:postfix with mode
    #    0660, so only that user and group can connect to it.
    #  - service auth runs as root.
    #    NOTE(review): presumably so it can read the passwd-file; an
    #    unprivileged user with read access to that file would reduce the
    #    privilege of the process that parses login attempts. Confirm.
    config = ''
      passdb {
        driver = passwd-file
        args = ${passwdFileArgs}
      }
      userdb {
        driver = passwd-file
        args = ${passwdFileArgs}
      }
      mail_debug = yes
      service auth {
          unix_listener auth-client-postfix {
              group = postfix
              mode = 0660
              user = postfix
          }
          user = root
      }
    '';
  };

  # Postfix: accepts mail for the listed domains, forwards every alias to an
  # external mailbox, and sends outbound mail through an authenticated relay.
  services.postfix = let
    # ACME-issued certificate material for this host.
    acmeDir = "${config.security.acme.directory}/shape.orbekk.com";
    fullChain = "${acmeDir}/fullchain.pem";

    # Forwarding targets used by the alias table.
    erik = "erikorbekk@gmail.com";
    kjetil = "kjetil.orbekk@gmail.com";
    lise = "lise.orbekk@gmail.com";
    katharina = "katharina.kufieta@gmail.com";
  in {
    enable = true;

    hostname = "shape";
    domain = "orbekk.com";
    destination = [
      "orbekk.com"
      "kj.orbekk.com"
      "orbekk.no"
      "kj.orbekk.no"
      "kufieta.net"
    ];

    # The relay host is already written in Postfix's bracketed form, which
    # suppresses the MX lookup. lookupMX = true is set so that the value is
    # used verbatim rather than being wrapped again.
    relayHost = "[smtp.sendgrid.net]:2525";
    lookupMX = true;

    sslKey = "${acmeDir}/key.pem";
    sslCert = fullChain;
    # NOTE(review): the CA file is the server's own full chain. How the module
    # maps this option onto Postfix parameters is not visible here; if it also
    # becomes the trust store for outbound connections, it would have to cover
    # the relay's issuing CA before certificate verification could be enabled.
    sslCACert = fullChain;

    # Submission service: TLS is mandatory, authentication is delegated to
    # Dovecot over its unix socket, and unauthenticated clients are rejected.
    enableSubmission = true;
    submissionOptions = {
      smtpd_tls_security_level = "encrypt";
      smtpd_sasl_auth_enable = "yes";
      smtpd_sasl_type = "dovecot";
      smtpd_sasl_path = "/var/run/dovecot2/auth-client-postfix";
      smtpd_client_restrictions = "permit_sasl_authenticated,reject";
      milter_macro_daemon_name = "ORIGINATING";
    };

    # Outbound (client-side) settings for talking to the relay.
    #  - smtp_tls_security_level = encrypt requires TLS, but at this level
    #    Postfix does not verify the relay's certificate.
    #    NOTE(review): the relay credentials travel over this channel; the
    #    "verify" or "secure" levels with a suitable CA file would also
    #    authenticate the relay. Confirm before changing.
    #  - The relay credentials are read from a map outside the Nix store.
    #    NOTE(review): file permissions are not visible here; verify them.
    #  - header_size_limit is raised far above the Postfix default of
    #    102400 bytes.
    extraConfig = ''
      smtp_tls_security_level = encrypt
      smtp_sasl_auth_enable = yes
      smtp_sasl_password_maps = hash:/opt/secret/postfix-sasl-passwd
      header_size_limit = 4096000
      smtp_sasl_security_options = noanonymous
    '';

    # Alias table. Every local name, including root and postmaster, forwards
    # to one of the external addresses bound above.
    extraAliases = ''
        eo: ${erik}
        erik: ${erik}
  
        orbekk: ${kjetil}
        k: ${kjetil}
        kj: ${kjetil}
        kjetil: ${kjetil}
        root: ${kjetil}
        postmaster: ${kjetil}
  
        katharina: ${katharina}
        kathi: ${katharina}
        kasiunia: ${katharina}

        lise: ${lise}
      '';
  };
}