Enable TLS on mail relay

This commit is contained in:
yuri 2023-09-19 16:49:00 +02:00
parent cae1284094
commit eb84404a10
4 changed files with 15 additions and 2 deletions


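--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,9 @@
+{ ... }:
+{
+security.acme.certs = {
+"mail-2.grzb.de" = {
+listenHTTP = ":80";
+reloadServices = [ "postfix.service" ];
+};
+};
+}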
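Review bot: The certificate is obtained through the standalone HTTP-01 listener selected by `listenHTTP = ":80"`, but nothing in this file records that, nor that the NixOS ACME module asserts on `security.acme.acceptTerms` and expects a contact address (`security.acme.defaults.email` or the cert's `email`), which must therefore be set in another file for this to evaluate. Suggest a header comment above `security.acme.certs` such as `# HTTP-01 via lego's standalone listener: needs TCP/80 reachable from the internet; terms and contact e-mail are set in security.acme elsewhere`. The key file is written under the cert's default group, so confirm that the postfix service can actually read `key.pem` (the cert's `group` option, or the postfix module's own handling) before relying on the `reloadServices` hook alone.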


@ -79,7 +79,7 @@
useDHCP = false; useDHCP = false;
firewall = { firewall = {
enable = true; enable = true;
allowedTCPPorts = [ 25 ]; allowedTCPPorts = [ 25 80 ];
}; };
}; };
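Review bot: TCP/80 is now permanently open in the firewall although it is only used while an ACME challenge is running; that is acceptable for the standalone listener, but the purpose should be recorded next to the port so a later reader does not assume a web service is expected there, e.g. `allowedTCPPorts = [ 25 80 ]; # 80: ACME HTTP-01 challenge only (acme.nix)`. The `firewall` attribute set belongs to a networking block whose start lies outside the hunk.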


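--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -3,5 +3,6 @@
 imports = [
 ./configuration.nix
 ./postfix.nix
+./acme.nix
 ];
 }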


@ -1,4 +1,5 @@
{ ... }: { { config, ... }:
{
# Postfix relay configuration, see: https://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup # Postfix relay configuration, see: https://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup
services.postfix = { services.postfix = {
enable = true; enable = true;
@ -7,6 +8,8 @@
"grzb.de" "grzb.de"
"nekover.se" "nekover.se"
]; ];
sslCert = "${config.security.acme.certs."mail-2.grzb.de".directory}/fullchain.pem";
sslKey = "${config.security.acme.certs."mail-2.grzb.de".directory}/key.pem";
extraConfig = '' extraConfig = ''
message_size_limit = 20971520 message_size_limit = 20971520
smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
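Review bot: `sslCert` and `sslKey` only point the NixOS module at the certificate files; the TLS policy the module derives from them (opportunistic STARTTLS on smtpd, and whether the outbound smtp client offers TLS at all) is not visible in this hunk, so the intended levels should be stated explicitly in `extraConfig`, e.g. `smtpd_tls_security_level = may` and `smtp_tls_security_level = may`, plus `smtpd_tls_loglevel = 1` so handshakes are visible in the mail log. On a public relay `may` is the correct choice for port 25, since enforcing TLS there would break delivery from peers that do not offer it; `encrypt` belongs only on an authenticated submission port, which this hunk does not configure. The `extraConfig` string continues past the end of the hunk, so check that these parameters are not already set further down.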