Enable TLS on mail relay

2023-09-19 16:49:00 +02:00 · 2023-09-19 16:49:00 +02:00 · eb84404a10
parent cae1284094
commit eb84404a10
4 changed files with 15 additions and 2 deletions
--- a/config/hosts/mail-2/acme.nix
+++ b/config/hosts/mail-2/acme.nix
@ -0,0 +1,9 @@
+{ ... }:
+{
+  security.acme.certs = {
+    "mail-2.grzb.de" = {
+      listenHTTP = ":80";
+      reloadServices = [ "postfix.service" ];
+    };
+  };
+}
--- a/config/hosts/mail-2/configuration.nix
+++ b/config/hosts/mail-2/configuration.nix
@ -79,7 +79,7 @@
    useDHCP = false;
    firewall = {
      enable = true;
-      allowedTCPPorts = [ 25 ];
+      allowedTCPPorts = [ 25 80 ];
    };
  };

--- a/config/hosts/mail-2/default.nix
+++ b/config/hosts/mail-2/default.nix
@ -3,5 +3,6 @@
  imports = [
    ./configuration.nix
    ./postfix.nix
+    ./acme.nix
  ];
 }
--- a/config/hosts/mail-2/postfix.nix
+++ b/config/hosts/mail-2/postfix.nix
@ -1,4 +1,5 @@
-{ ... }: {
+{ config, ... }:
+{
  # Postfix relay configuration, see: https://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup
  services.postfix = {
    enable = true;
@ -7,6 +8,8 @@
      "grzb.de"
      "nekover.se"
    ];
+    sslCert = "${config.security.acme.certs."mail-2.grzb.de".directory}/fullchain.pem";
+    sslKey = "${config.security.acme.certs."mail-2.grzb.de".directory}/key.pem";
    extraConfig = ''
      message_size_limit = 20971520
      smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination