nix-infra/config/hosts/mail-2/postfix.nix

{ config, ... }:
{
  # Postfix relay configuration, see: https://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup
  services.postfix = {
    enable = true;
    hostname = "mail-2.grzb.de";
    relayDomains = [
      "grzb.de"
      "nekover.se"
    ];
    sslCert = "${config.security.acme.certs."mail-2.grzb.de".directory}/fullchain.pem";
    sslKey = "${config.security.acme.certs."mail-2.grzb.de".directory}/key.pem";
    extraConfig = ''
      message_size_limit = 20971520
      smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
      proxy_interfaces = 217.160.117.160
      relay_recipient_maps =
      smtp_tls_ciphers = high
      smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
      smtp_tls_mandatory_ciphers = high
      smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
      smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
      smtp_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
      smtpd_tls_auth_only = yes
      smtpd_tls_ciphers = high
      smtpd_tls_eecdh_grade = ultra
      smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
      smtpd_tls_loglevel = 1
      smtpd_tls_mandatory_ciphers = high
      smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
      smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
      smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
      tls_preempt_cipherlist = yes
      tls_random_source = dev:/dev/urandom
    '';
  };
}
Enable TLS on mail relay 2024-11-20 05:46:40 +01:00			`{ config, ... }:`
			`{`
Fix WireGuard nat rules 2024-11-20 05:46:40 +01:00			`# Postfix relay configuration, see: https://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup`
			`services.postfix = {`
			`enable = true;`
			`hostname = "mail-2.grzb.de";`
			`relayDomains = [`
			`"grzb.de"`
			`"nekover.se"`
			`];`
Enable TLS on mail relay 2024-11-20 05:46:40 +01:00			`sslCert = "${config.security.acme.certs."mail-2.grzb.de".directory}/fullchain.pem";`
			`sslKey = "${config.security.acme.certs."mail-2.grzb.de".directory}/key.pem";`
Fix WireGuard nat rules 2024-11-20 05:46:40 +01:00			`extraConfig = ''`
			`message_size_limit = 20971520`
			`smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination`
			`proxy_interfaces = 217.160.117.160`
			`relay_recipient_maps =`
Configure TLS settings on mail relay 2024-11-20 05:46:40 +01:00			`smtp_tls_ciphers = high`
			`smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL`
			`smtp_tls_mandatory_ciphers = high`
			`smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL`
			`smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3`
			`smtp_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3`
			`smtpd_tls_auth_only = yes`
			`smtpd_tls_ciphers = high`
			`smtpd_tls_eecdh_grade = ultra`
			`smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL`
			`smtpd_tls_loglevel = 1`
			`smtpd_tls_mandatory_ciphers = high`
			`smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL`
			`smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3`
			`smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3`
			`tls_preempt_cipherlist = yes`
			`tls_random_source = dev:/dev/urandom`
Fix WireGuard nat rules 2024-11-20 05:46:40 +01:00			`'';`
			`};`
			`}`