Porting my postfix gmail smtp to nixos

thanasisn · July 11, 2023, 3:13am

Hello, I am trying converting from debian to nixos.

I use gmail to send system notification. I usually set it up like this:

I set this options at /etc/postfix/main.cf

smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
relayhost = [smtp.gmail.com]:587

Create a password file like this

# cat /etc/postfix/sasl_passwd
[smtp.gmail.com]:587    here_is_your_mail@gmail.com:pasw0rd_from_google_app_unique_passwords
#  postmap /etc/postfix/sasl_passwd

And add some aliases in /etc/aliases

as far I have this

  services.postfix = {
    enable    = true;
    submissionOptions.smtp_sasl_auth_enable = "yes";
    relayHost = "smtp.gmail.com";
    relayPort = 587;
  };

How do I setup those configurations and how I use sops-nix to store the credentials? I already have a working sops storing rsa keys.

Thanks

hugosenari · July 18, 2023, 6:03pm

I’d bet

submissionOptions.smtp_sasl_password_maps = "hash:${config.sops.secrets.sasl_passwd.path}";

Sops docs also say you should make sure it start after sops, and configure user

{config, ...}: {
  systemd.services.postfix.after = [ "sops-nix.service" ];
  sops.secrets.sasl_passwd = {
    owner = config.services.postfix.user;
    key  = "sasl_passwd";
}

References:

services.postfix
services.postfix (implementation)
sops-nix docs

thanasisn · July 18, 2023, 6:27pm

Thanks I will try that!

Mostly I was wondering how the password file is hashed on configuration.
How to run postmap /etc/postfix/sasl_passwd

hugosenari · July 18, 2023, 9:29pm

You encrypt the sasl_passwd with sops:
You configure sops-nix to use encrypted files
You configure your service to use ‘sops-nix’ path (ie config.sops.secrets.sasl_passwd.path)
When nix evaluates it, it change this path to ‘/run/sops/sasl_passwd’ (or something like that
When system starts, sops service decrypts that file at ‘/run/sops/sasl_passwd’
Then postfix, starts reading config that also points to that file

thanasisn · July 19, 2023, 4:31am

With

submissionOptions.smtp_sasl_password_maps = "hash:${config.sops.secrets.postfix_sasl_passwd.path}";

I don’t see any entry for the smtp_sasl_password_maps in the /etc/postfix/main.cf

Here is my current config if it helps:

github.com

thanasisn/nixos/blob/671e7ec0d1d7dc38da39b3c61fbb9c54e8edfc6d/config.d/common_options.nix#L43


      
          };
          
          
# NTP servises
          networking.timeServers = 
            options.networking.timeServers.default ++
              [
                "ntp.fastpath.gr"
                "time.cloudflare.com"
              ]; 
           
          ### TODO
          systemd.services.postfix.after = [ "sops-nix.service" ];
          sops.secrets.postfix_sasl_passwd = {
            owner = config.services.postfix.user;
            key   = "postfix_sasl_passwd";
          };  
          services.postfix = {
            enable    = true;
            submissionOptions.smtp_sasl_auth_enable = "yes";
            submissionOptions.smtp_sasl_password_maps = "hash:${config.sops.secrets.postfix_sasl_passwd.path}"; 
            relayHost = "smtp.gmail.com";

Also.
I have sops working ok, but I thought that postfix accepts only a hashed password file (sasl_passwd.db) that is created from the clear text sasl_passwd file running an extra command (postman). I can not store the sasl_passwd.db in binary, in sops secrets.

Sorry If I am missing something. I am not familiar with postfix, I just needed, so my systems can send notification to my email.

Thanks for your time!