Porting my postfix gmail smtp to nixos

Hello, I am trying converting from debian to nixos.

I use gmail to send system notification. I usually set it up like this:

I set this options at /etc/postfix/main.cf

smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
relayhost = [smtp.gmail.com]:587

Create a password file like this

# cat /etc/postfix/sasl_passwd
[smtp.gmail.com]:587    here_is_your_mail@gmail.com:pasw0rd_from_google_app_unique_passwords
#  postmap /etc/postfix/sasl_passwd

And add some aliases in /etc/aliases

as far I have this

  services.postfix = {
    enable    = true;
    submissionOptions.smtp_sasl_auth_enable = "yes";
    relayHost = "smtp.gmail.com";
    relayPort = 587;

How do I setup those configurations and how I use sops-nix to store the credentials? I already have a working sops storing rsa keys.


I’d bet

submissionOptions.smtp_sasl_password_maps = "hash:${config.sops.secrets.sasl_passwd.path}";

Sops docs also say you should make sure it start after sops, and configure user

{config, ...}: {
  systemd.services.postfix.after = [ "sops-nix.service" ];
  sops.secrets.sasl_passwd = {
    owner = config.services.postfix.user;
    key  = "sasl_passwd";


services.postfix (implementation)
sops-nix docs

Thanks I will try that!

Mostly I was wondering how the password file is hashed on configuration.
How to run postmap /etc/postfix/sasl_passwd

  • You encrypt the sasl_passwd with sops:
  • You configure sops-nix to use encrypted files
  • You configure your service to use ‘sops-nix’ path (ie config.sops.secrets.sasl_passwd.path)
  • When nix evaluates it, it change this path to ‘/run/sops/sasl_passwd’ (or something like that
  • When system starts, sops service decrypts that file at ‘/run/sops/sasl_passwd’
  • Then postfix, starts reading config that also points to that file


submissionOptions.smtp_sasl_password_maps = "hash:${config.sops.secrets.postfix_sasl_passwd.path}"; 

I don’t see any entry for the smtp_sasl_password_maps in the /etc/postfix/main.cf

Here is my current config if it helps:

I have sops working ok, but I thought that postfix accepts only a hashed password file (sasl_passwd.db) that is created from the clear text sasl_passwd file running an extra command (postman). I can not store the sasl_passwd.db in binary, in sops secrets.

Sorry If I am missing something. I am not familiar with postfix, I just needed, so my systems can send notification to my email.

Thanks for your time!