I’ve finally solved it. The problem was vaultwarden systemd service hardening in NixOS. In particular, these three parameters prevented vaultwarden from correctly calling nullmailer with SUID/SGID:
```nix
PrivateUsers = true;
NoNewPrivileges = true;
SystemCallFilter = [
  "@system-service"
  "~@privileged"
];
```
I had to remove all three to get mails going. Here is my final working NixOS config for vaultwarden and nullmailer:
```nix
services.nullmailer = {
  enable = true;
  setSendmail = true;
  remotesFile = remotesFile;
  config = {
    me = domain;
    defaulthost = domain;
    defaultdomain = domain;
    allmailfrom = admin;
    adminaddr = admin;
  };
};

services.vaultwarden = {
  enable = true;
  environmentFile = "${internalDir}/secrets.env";
  config = {
    DOMAIN = "https://${fqdn}";
    SIGNUPS_ALLOWED = false;
    ROCKET_ADDRESS = "127.0.0.1";
    ROCKET_PORT = port;
    SMTP_FROM = smtpFrom;
    USE_SENDMAIL = true;
    SENDMAIL_COMMAND = "${config.security.wrapperDir}/sendmail";
  };
};

users.users.vaultwarden.extraGroups = [ "nullmailer" ];

systemd.services.vaultwarden = {
  path = [ "/run/wrappers" ];
  serviceConfig = {
    NoNewPrivileges = lib.mkForce false;
    PrivateUsers = lib.mkForce false;
    SystemCallFilter = lib.mkForce [ "@system-service" ];
    RestrictAddressFamilies = [
      "AF_LOCAL"
      "AF_NETLINK"
    ];
    ReadWritePaths = [ "/var/spool/nullmailer/" ];
  };
};
```
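As an added example (not code from the post above or from the NixOS modules), the script below audits the `[Service]` directives of a generated unit for exactly the three hardening settings the post identifies: `NoNewPrivileges` makes the kernel ignore setuid/setgid bits on exec, `PrivateUsers` puts the service in its own user namespace so a root-owned wrapper gains nothing outside it, and `SystemCallFilter=~@privileged` denies the setuid/setgid family of calls the wrapper relies on. The unit texts are constructed for the demo; on a real host the same text comes from `systemctl cat vaultwarden.service`. The function names `suid_blockers` and `blocker_count` are this example's own.

```shell
#!/bin/sh
# Added example: report which systemd hardening directives in a unit would stop a
# SUID/SGID wrapper (such as ${config.security.wrapperDir}/sendmail) from working.

# suid_blockers UNIT_TEXT
# Prints one line per offending directive; returns 1 if any was found, 0 otherwise.
suid_blockers() {
  printf '%s\n' "$1" | awk -F= '
    # Accept both "Key=value" and "Key = value" spellings.
    { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
    $1 == "NoNewPrivileges" && $2 ~ /^(true|yes|1|on)$/ {
      print "NoNewPrivileges: kernel ignores setuid/setgid bits on exec"; bad = 1 }
    $1 == "PrivateUsers" && $2 ~ /^(true|yes|1|on)$/ {
      print "PrivateUsers: own user namespace, root in the wrapper is unprivileged outside it"; bad = 1 }
    $1 == "SystemCallFilter" && index($2, "~@privileged") > 0 {
      print "SystemCallFilter=~@privileged: setuid/setgid family calls are denied"; bad = 1 }
    END { exit bad ? 1 : 0 }
  '
}

# blocker_count UNIT_TEXT  ->  number of offending directives (0 when clean)
blocker_count() {
  suid_blockers "$1" | wc -l | tr -d ' '
}

# Constructed unit fragments: the hardened default the post had to override, and
# the relaxed version matching the post's final serviceConfig.
HARDENED_UNIT='[Service]
NoNewPrivileges=true
PrivateUsers=true
SystemCallFilter=@system-service
SystemCallFilter=~@privileged'

RELAXED_UNIT='[Service]
NoNewPrivileges=false
PrivateUsers=false
SystemCallFilter=@system-service
ReadWritePaths=/var/spool/nullmailer/'

if suid_blockers "$HARDENED_UNIT"; then
  echo "hardened unit: SUID wrappers would work"
else
  echo "hardened unit: $(blocker_count "$HARDENED_UNIT") directive(s) block SUID wrappers"
fi

if suid_blockers "$RELAXED_UNIT"; then
  echo "relaxed unit: SUID wrappers would work"
fi
```

Run it against a real unit with `suid_blockers "$(systemctl cat vaultwarden.service)"` to confirm that the `lib.mkForce` overrides actually reached the generated unit; a clean result for every other service that does not exec a wrapper is the state you want to keep.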