diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 918d0f3b245..e0e806e690d 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -263,6 +263,7 @@ ./services/mail/offlineimap.nix ./services/mail/opendkim.nix ./services/mail/opensmtpd.nix + ./services/mail/pfix-srsd.nix ./services/mail/postfix.nix ./services/mail/postsrsd.nix ./services/mail/postgrey.nix diff --git a/nixos/modules/services/mail/pfix-srsd.nix b/nixos/modules/services/mail/pfix-srsd.nix new file mode 100644 index 00000000000..ab5f4c39e8c --- /dev/null +++ b/nixos/modules/services/mail/pfix-srsd.nix @@ -0,0 +1,56 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + + ###### interface + + options = { + + services.pfix-srsd = { + enable = mkOption { + default = false; + type = types.bool; + description = "Whether to run the postfix sender rewriting scheme daemon."; + }; + + domain = mkOption { + description = "The domain for which to enable srs"; + type = types.str; + example = "example.com"; + }; + + secretsFile = mkOption { + description = '' + The secret data used to encode the SRS address. + to generate, use a command like: + for n in $(seq 5); do dd if=/dev/urandom count=1 bs=1024 status=none | sha256sum | sed 's/ -$//' | sed 's/^/ /'; done + ''; + type = types.path; + default = "/var/lib/pfix-srsd/secrets"; + }; + }; + }; + + ###### implementation + + config = mkIf config.services.pfix-srsd.enable { + environment = { + systemPackages = [ pkgs.pfixtools ]; + }; + + systemd.services."pfix-srsd" = { + description = "Postfix sender rewriting scheme daemon"; + before = [ "postfix.service" ]; + #note that we use requires rather than wants because postfix + #is unable to process (almost) all mail without srsd + requiredBy = [ "postfix.service" ]; + serviceConfig = { + Type = "forking"; + PIDFile = "/var/run/pfix-srsd.pid"; + ExecStart = "${pkgs.pfixtools}/bin/pfix-srsd -p /var/run/pfix-srsd.pid -I ${config.services.pfix-srsd.domain} ${config.services.pfix-srsd.secretsFile}"; + }; + }; + }; +} \ No newline at end of file diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index 01ae49d4909..461d4a62138 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix @@ -79,6 +79,12 @@ let // optionalAttrs haveTransport { transport_maps = "hash:/etc/postfix/transport"; } // optionalAttrs haveVirtual { virtual_alias_maps = "${cfg.virtualMapType}:/etc/postfix/virtual"; } // optionalAttrs (cfg.dnsBlacklists != []) { smtpd_client_restrictions = clientRestrictions; } + // optionalAttrs cfg.useSrs { + sender_canonical_maps = "tcp:127.0.0.1:10001"; + sender_canonical_classes = "envelope_sender"; + recipient_canonical_maps = "tcp:127.0.0.1:10002"; + recipient_canonical_classes= "envelope_recipient"; + } // optionalAttrs cfg.enableHeaderChecks { header_checks = "regexp:/etc/postfix/header_checks"; } // optionalAttrs (cfg.sslCert != "") { smtp_tls_CAfile = cfg.sslCACert; @@ -626,6 +632,12 @@ in description = "Maps to be compiled and placed into /var/lib/postfix/conf."; }; + useSrs = mkOption { + type = types.bool; + default = false; + description = "Whether to enable sender rewriting scheme"; + }; + }; }; @@ -646,6 +658,8 @@ in systemPackages = [ pkgs.postfix ]; }; + services.pfix-srsd.enable = config.services.postfix.useSrs; + services.mail.sendmailSetuidWrapper = mkIf config.services.postfix.setSendmail { program = "sendmail"; source = "${pkgs.postfix}/bin/sendmail";