From e7c24f90e6092bff156600c4a056bdaef5a55de4 Mon Sep 17 00:00:00 2001
From: Alyssa Ross
Date: Sat, 27 Feb 2021 16:29:33 +0000
Subject: modules/spectrum/postfix: init
---
modules/server/spectrum/postfix/default.nix | 60 +++++++++++++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 modules/server/spectrum/postfix/default.nix
(limited to 'modules/server/spectrum/postfix')
diff --git a/modules/server/spectrum/postfix/default.nix b/modules/server/spectrum/postfix/default.nix
new file mode 100644
index 000000000000..eef4bc36c79e
--- /dev/null
+++ b/modules/server/spectrum/postfix/default.nix
@@ -0,0 +1,60 @@
+{ pkgs, ... }:
+
+{
+ services.postfix.enable = true;
+ services.postfix.enableSubmission = true;
+ services.postfix.hostname = "atuin.qyliss.net";
+ services.postfix.config.smtp_tls_loglevel = "1";
+ services.postfix.sslCert = "/var/lib/acme/spectrum-os.org/fullchain.pem";
+ services.postfix.sslKey = "/var/lib/acme/spectrum-os.org/key.pem";
+ services.postfix.rootAlias = "hi@alyssa.is";
+ services.postfix.relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ];
+ services.postfix.config.transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
+ services.postfix.localRecipients = []; # empty array causes NixOS to add $alias_maps
+ services.postfix.config.mailbox_command = "${pkgs.coreutils}/bin/false";
+ services.postfix.config.local_recipient_maps =
+ [ "proxy:unix:passwd.byname" "hash:/var/lib/mailman/data/postfix_lmtp" ];
+
+ services.postfix.destination =
+ [ "atuin.qyliss.net" "qyliss.net" "spectrumos.org" "spectrum-os.org" ];
+ services.postfix.extraAliases = ''
+ abuse: root
+ noc: root
+ security: root
+ hostmaster: root
+ usenet: root
+ news: root
+ webmaster: root
+ www: root
+ uucp: root
+ ftp: root
+ '';
+
+ services.postfix.enableHeaderChecks = true;
+ services.postfix.headerChecks = [
+ { pattern = ''/^Content-Type:\s*text\/html/'';
+ action = "REJECT HTML mail is not supported. See https://useplaintext.email for instructions."; }
+ ];
+
+ services.postfix.masterConfig.smtp_inet.args =
+ [ "-o" "content_filter=spamassassin" ];
+
+ services.postfix.masterConfig.spamassassin = {
+ privileged = true;
+ chroot = false;
+ command = "pipe";
+ args = [
+ "user=public-inbox" # FIXME: this is a hack because public-inbox has ~/.spamassassin
+ "argv=${pkgs.spamassassin}/bin/spamc"
+ "-f"
+ "-e"
+ "/run/wrappers/bin/sendmail"
+ "-oi"
+ "-f"
+ "\${sender}"
+ "\${recipient}"
+ ];
+ };
+
+ networking.firewall.allowedTCPPorts = [ 25 ];
+}
-- cgit 1.4.1
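Review bot: In the `spamassassin` pipe service, `\${sender}` and `\${recipient}` are expanded straight into sendmail's argument list with nothing marking the end of options, so safe parsing depends on Postfix continuing to refuse addresses that begin with `-` (the `allow_min_user` default). Adding a `"--"` entry immediately before `"\${recipient}"`, as the Postfix FILTER_README example does, removes that dependency. Separately, the FIXME'd `user=public-inbox` means the filter and the re-injection step for all mail arriving on port 25 run as the account that owns the public-inbox data; a dedicated unprivileged user with its own SpamAssassin preferences would keep a fault in the filter path away from the archive. A short comment noting that `content_filter` is deliberately set only on `smtp_inet`, presumably so mail re-injected through sendmail is not filtered a second time, would also help the next reader.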