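# NixOS module: Postfix for atuin.qyliss.net.
#
# Accepts mail on port 25 for the domains listed in
# services.postfix.destination, relays list traffic to Mailman through the
# maps Mailman generates, and passes mail arriving on the public smtp
# listener through SpamAssassin (spamc) before re-injecting it with sendmail.
{ pkgs, ... }:

{
  services.postfix.enable = true;
  # NOTE(review): only port 25 is opened in the firewall below, so the
  # submission service is reachable from outside only if another module opens
  # its port. Confirm that is intended.
  services.postfix.enableSubmission = true;
  services.postfix.hostname = "atuin.qyliss.net";

  # Log a summary of each outbound TLS handshake.
  services.postfix.config.smtp_tls_loglevel = "1";
  # Postfix's SMTP smuggling countermeasure: do not accept a bare <LF> as an
  # SMTP line ending.
  services.postfix.config.smtpd_forbid_bare_newline = true;
  # Do not rewrite 8BITMIME content to 7-bit on delivery.
  # NOTE(review): presumably to keep message bodies byte-identical so that
  # signatures survive relaying; confirm.
  services.postfix.config.disable_mime_output_conversion = true;

  # NOTE(review): the certificate lives under the spectrum-os.org ACME
  # directory while the hostname is atuin.qyliss.net. Confirm the certificate
  # covers the name clients connect to and that Postfix can read the key.
  services.postfix.sslCert = "/var/lib/acme/spectrum-os.org/fullchain.pem";
  services.postfix.sslKey = "/var/lib/acme/spectrum-os.org/key.pem";

  services.postfix.rootAlias = "hi@alyssa.is";

  # Domain and transport tables are generated by Mailman.
  services.postfix.relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ];
  services.postfix.config.transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];

  services.postfix.localRecipients = []; # empty array causes NixOS to add $alias_maps
  # Any delivery that reaches mailbox_command runs `false` and therefore fails.
  services.postfix.config.mailbox_command = "${pkgs.coreutils}/bin/false";
  # Recipients outside these maps (plus whatever NixOS adds for
  # localRecipients above) are rejected as unknown local recipients.
  services.postfix.config.local_recipient_maps = [
    "proxy:unix:passwd.byname"
    "hash:/var/lib/mailman/data/postfix_lmtp"
  ];

  services.postfix.destination = [
    "atuin.qyliss.net"
    "qyliss.net"
    "spectrumos.org"
    "spectrum-os.org"
  ];

  # Role addresses, all delivered to root (and so to rootAlias).
  services.postfix.extraAliases = ''
    abuse: root
    noc: root
    security: root
    hostmaster: root
    usenet: root
    news: root
    webmaster: root
    www: root
    uucp: root
    ftp: root
  '';

  # NOTE(review): no header check rules are defined in this file; confirm they
  # are supplied elsewhere, otherwise this only enables an empty table.
  services.postfix.enableHeaderChecks = true;

  # Local mail can be submitted without being filtered through SpamAssassin.
  # This listener is bound to the IPv6 loopback address only, so any local
  # process that can connect to [::1]:25 bypasses the content filter.
  services.postfix.masterConfig."::1:smtp" = {
    type = "inet";
    private = false;
    command = "smtpd";
  };

  # The public smtp listener hands every message to the "spamassassin"
  # service defined below.
  services.postfix.masterConfig.smtp_inet.args = [ "-o" "content_filter=spamassassin" ];

  # pipe(8) service that runs spamc as the dedicated postfix-spamc user.
  # Everything after spamc's -e is the command it pipes the result into: here
  # sendmail, which re-injects the message.
  # "\${...}" is escaped so that Nix leaves the macro for Postfix to expand.
  #
  # "--" ends sendmail's option parsing before the recipient list, as in the
  # filter example in Postfix's FILTER_README. Postfix already rejects
  # addresses starting with "-" unless allow_min_user is enabled, so this is
  # defence in depth against a recipient being parsed as a sendmail option.
  #
  # NOTE(review): the FILTER_README example also sets flags=Rq; q quotes
  # special characters in address localparts before they reach argv. Consider
  # adding it after checking the effect of R (Return-Path) on this setup.
  services.postfix.masterConfig.spamassassin = {
    privileged = true;
    chroot = false;
    command = "pipe";
    args = [
      "user=postfix-spamc"
      "argv=${pkgs.spamassassin}/bin/spamc"
      "-f"
      "-e"
      "/run/wrappers/bin/sendmail"
      "-oi"
      "-f"
      "\${sender}"
      "--"
      "\${recipient}"
    ];
  };

  networking.firewall.allowedTCPPorts = [ 25 ];

  # Dedicated system account for the spamc pipe.
  users.groups.postfix-spamc = {};
  users.users.postfix-spamc = {
    group = "postfix-spamc";
    isSystemUser = true;
  };
}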