sp-config/sp-modules/simple-nixos-mailserver/auth-postfix.nix

{
  config,
  lib,
  pkgs,
  ...
}@nixos-args:
let
  inherit (import ./common.nix nixos-args)
    appendSetting
    auth-passthru
    is-auth-enabled
    ;

  cfg = config.mailserver;

  ldapSenderLoginMapFile = "/run/postfix/ldap-sender-login-map.cf";
  submissionOptions.smtpd_sender_login_maps = lib.mkForce "hash:/etc/postfix/vaccounts,ldap:${ldapSenderLoginMapFile}";
  commonLdapConfig = ''
    server_host = ${lib.concatStringsSep " " cfg.ldap.uris}
    start_tls = ${if cfg.ldap.startTls then "yes" else "no"}
    version = 3
    tls_ca_cert_file = ${cfg.ldap.tlsCAFile}
    tls_require_cert = yes

    search_base = ${cfg.ldap.searchBase}
    scope = ${cfg.ldap.searchScope}

    bind = yes
    bind_dn = ${cfg.ldap.bind.dn}
  '';
  ldapSenderLoginMap = pkgs.writeText "ldap-sender-login-map.cf" ''
    ${commonLdapConfig}
    query_filter = ${cfg.ldap.postfix.filter}
    result_attribute = ${cfg.ldap.postfix.mailAttribute}
  '';
  appendPwdInSenderLoginMap = appendSetting {
    name = "ldap-sender-login-map";
    file = ldapSenderLoginMap;
    prefix = "bind_pw = ";
    passwordFile = cfg.ldap.bind.passwordFile;
    destination = ldapSenderLoginMapFile;
  };

  ldapVirtualMailboxMap = pkgs.writeText "ldap-virtual-mailbox-map.cf" ''
    ${commonLdapConfig}
    query_filter = ${cfg.ldap.postfix.filter}
    result_attribute = ${cfg.ldap.postfix.uidAttribute}
  '';
  ldapVirtualMailboxMapFile = "/run/postfix/ldap-virtual-mailbox-map.cf";
  appendPwdInVirtualMailboxMap = appendSetting {
    name = "ldap-virtual-mailbox-map";
    file = ldapVirtualMailboxMap;
    prefix = "bind_pw = ";
    passwordFile = cfg.ldap.bind.passwordFile;
    destination = ldapVirtualMailboxMapFile;
  };
in
{
  mailserver.ldap = {
    postfix.mailAttribute = "mail";
    postfix.uidAttribute = "uid";
  };
  systemd.services.postfix-setup = {
    preStart = ''
      ${appendPwdInVirtualMailboxMap}
      ${appendPwdInSenderLoginMap}
    '';
    restartTriggers = [
      appendPwdInVirtualMailboxMap
      appendPwdInSenderLoginMap
    ];
    wants = [ auth-passthru.oauth2-systemd-service ];
    after = [ auth-passthru.oauth2-systemd-service ];
  };
  services.postfix = {
    # the list should be merged with other options from nixos-mailserver
    config.virtual_mailbox_maps = [ "ldap:${ldapVirtualMailboxMapFile}" ];
    inherit submissionOptions;
    submissionsOptions = submissionOptions;
  };
}
style: format tree 2025-06-18 19:53:44 +03:00			`{`
			`config,`
			`lib,`
			`pkgs,`
			`...`
			`}@nixos-args:`
WIP: LDAP: Dovecot&Postfix works, but Postfix sends to 25 port 2024-12-20 16:13:59 +04:00			`let`
auth: ldap-dovecot.nix, clean code 2024-12-20 18:41:07 +04:00			`inherit (import ./common.nix nixos-args)`
roundcube & mailserver: fix oauth: mailserver is an OAuth secret donor Both of them use the same client ID and client secret, but Roundcube depends on mailserver generally, so mailserver is the one to share OAuth client id and secret. 2025-01-31 14:31:09 +04:00			`appendSetting`
chore: restructure LDAP related nix files 2024-12-26 18:27:25 +04:00			`auth-passthru`
fix auth: config.selfprivacy.modules.auth.enable or false 2025-01-17 15:53:21 +04:00			`is-auth-enabled`
auth: ldap-dovecot.nix, clean code 2024-12-20 18:41:07 +04:00			`;`
WIP: LDAP: Dovecot&Postfix works, but Postfix sends to 25 port 2024-12-20 16:13:59 +04:00
auth: ldap-dovecot.nix, clean code 2024-12-20 18:41:07 +04:00			`cfg = config.mailserver;`
WIP: LDAP: Dovecot&Postfix works, but Postfix sends to 25 port 2024-12-20 16:13:59 +04:00
			`ldapSenderLoginMapFile = "/run/postfix/ldap-sender-login-map.cf";`
style: format tree 2025-06-18 19:53:44 +03:00			`submissionOptions.smtpd_sender_login_maps = lib.mkForce "hash:/etc/postfix/vaccounts,ldap:${ldapSenderLoginMapFile}";`
WIP: LDAP: Dovecot&Postfix works, but Postfix sends to 25 port 2024-12-20 16:13:59 +04:00			`commonLdapConfig = ''`
			`server_host = ${lib.concatStringsSep " " cfg.ldap.uris}`
			`start_tls = ${if cfg.ldap.startTls then "yes" else "no"}`
			`version = 3`
chore dovecot&postfix: rename nix files, disable debug 2024-12-27 07:46:36 +04:00			`tls_ca_cert_file = ${cfg.ldap.tlsCAFile}`
			`tls_require_cert = yes`
WIP: LDAP: Dovecot&Postfix works, but Postfix sends to 25 port 2024-12-20 16:13:59 +04:00
			`search_base = ${cfg.ldap.searchBase}`
			`scope = ${cfg.ldap.searchScope}`

			`bind = yes`
			`bind_dn = ${cfg.ldap.bind.dn}`
			`'';`
			`ldapSenderLoginMap = pkgs.writeText "ldap-sender-login-map.cf" ''`
			`${commonLdapConfig}`
			`query_filter = ${cfg.ldap.postfix.filter}`
			`result_attribute = ${cfg.ldap.postfix.mailAttribute}`
			`'';`
roundcube & mailserver: fix oauth: mailserver is an OAuth secret donor Both of them use the same client ID and client secret, but Roundcube depends on mailserver generally, so mailserver is the one to share OAuth client id and secret. 2025-01-31 14:31:09 +04:00			`appendPwdInSenderLoginMap = appendSetting {`
WIP: LDAP: Dovecot&Postfix works, but Postfix sends to 25 port 2024-12-20 16:13:59 +04:00			`name = "ldap-sender-login-map";`
			`file = ldapSenderLoginMap;`
			`prefix = "bind_pw = ";`
			`passwordFile = cfg.ldap.bind.passwordFile;`
			`destination = ldapSenderLoginMapFile;`
			`};`

			`ldapVirtualMailboxMap = pkgs.writeText "ldap-virtual-mailbox-map.cf" ''`
			`${commonLdapConfig}`
			`query_filter = ${cfg.ldap.postfix.filter}`
			`result_attribute = ${cfg.ldap.postfix.uidAttribute}`
			`'';`
			`ldapVirtualMailboxMapFile = "/run/postfix/ldap-virtual-mailbox-map.cf";`
roundcube & mailserver: fix oauth: mailserver is an OAuth secret donor Both of them use the same client ID and client secret, but Roundcube depends on mailserver generally, so mailserver is the one to share OAuth client id and secret. 2025-01-31 14:31:09 +04:00			`appendPwdInVirtualMailboxMap = appendSetting {`
WIP: LDAP: Dovecot&Postfix works, but Postfix sends to 25 port 2024-12-20 16:13:59 +04:00			`name = "ldap-virtual-mailbox-map";`
			`file = ldapVirtualMailboxMap;`
			`prefix = "bind_pw = ";`
			`passwordFile = cfg.ldap.bind.passwordFile;`
			`destination = ldapVirtualMailboxMapFile;`
			`};`
			`in`
fix mailserver: evaluate without auth module 2025-01-25 01:08:41 +04:00			`{`
auth: ldap-dovecot.nix, clean code 2024-12-20 18:41:07 +04:00			`mailserver.ldap = {`
			`postfix.mailAttribute = "mail";`
			`postfix.uidAttribute = "uid";`
			`};`
WIP: LDAP: Dovecot&Postfix works, but Postfix sends to 25 port 2024-12-20 16:13:59 +04:00			`systemd.services.postfix-setup = {`
			`preStart = ''`
			`${appendPwdInVirtualMailboxMap}`
			`${appendPwdInSenderLoginMap}`
			`'';`
style: format tree 2025-06-18 19:53:44 +03:00			`restartTriggers = [`
			`appendPwdInVirtualMailboxMap`
			`appendPwdInSenderLoginMap`
			`];`
chore: restructure LDAP related nix files 2024-12-26 18:27:25 +04:00			`wants = [ auth-passthru.oauth2-systemd-service ];`
chore dovecot&postfix: rename nix files, disable debug 2024-12-27 07:46:36 +04:00			`after = [ auth-passthru.oauth2-systemd-service ];`
WIP: LDAP: Dovecot&Postfix works, but Postfix sends to 25 port 2024-12-20 16:13:59 +04:00			`};`
			`services.postfix = {`
			`# the list should be merged with other options from nixos-mailserver`
			`config.virtual_mailbox_maps = [ "ldap:${ldapVirtualMailboxMapFile}" ];`
auth: ldap-dovecot.nix, clean code 2024-12-20 18:41:07 +04:00			`inherit submissionOptions;`
WIP: LDAP: Dovecot&Postfix works, but Postfix sends to 25 port 2024-12-20 16:13:59 +04:00			`submissionsOptions = submissionOptions;`
			`};`
			`}`