189 lines
6 KiB
Nix
189 lines
6 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}:
|
|
let
|
|
cfg = config.services.clamsmtp;
|
|
clamdSocket = "/run/clamav/clamd.ctl"; # See services/security/clamav.nix
|
|
in
|
|
{
|
|
##### interface
|
|
options = {
|
|
services.clamsmtp = {
|
|
enable = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = false;
|
|
description = "Whether to enable clamsmtp.";
|
|
};
|
|
|
|
instances = lib.mkOption {
|
|
description = "Instances of clamsmtp to run.";
|
|
type = lib.types.listOf (
|
|
lib.types.submodule {
|
|
options = {
|
|
action = lib.mkOption {
|
|
type = lib.types.enum [
|
|
"bounce"
|
|
"drop"
|
|
"pass"
|
|
];
|
|
default = "drop";
|
|
description = ''
|
|
Action to take when a virus is detected.
|
|
|
|
Note that viruses often spoof sender addresses, so bouncing is
|
|
in most cases not a good idea.
|
|
'';
|
|
};
|
|
|
|
header = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "";
|
|
example = "X-Virus-Scanned: ClamAV using ClamSMTP";
|
|
description = ''
|
|
A header to add to scanned messages. See clamsmtpd.conf(5) for
|
|
more details. Empty means no header.
|
|
'';
|
|
};
|
|
|
|
keepAlives = lib.mkOption {
|
|
type = lib.types.int;
|
|
default = 0;
|
|
description = ''
|
|
Number of seconds to wait between each NOOP sent to the sending
|
|
server. 0 to disable.
|
|
|
|
This is meant for slow servers where the sending MTA times out
|
|
waiting for clamd to scan the file.
|
|
'';
|
|
};
|
|
|
|
listen = lib.mkOption {
|
|
type = lib.types.str;
|
|
example = "127.0.0.1:10025";
|
|
description = ''
|
|
Address to wait for incoming SMTP connections on. See
|
|
clamsmtpd.conf(5) for more details.
|
|
'';
|
|
};
|
|
|
|
quarantine = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = false;
|
|
description = ''
|
|
Whether to quarantine files that contain viruses by leaving them
|
|
in the temporary directory.
|
|
'';
|
|
};
|
|
|
|
maxConnections = lib.mkOption {
|
|
type = lib.types.int;
|
|
default = 64;
|
|
description = "Maximum number of connections to accept at once.";
|
|
};
|
|
|
|
outAddress = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = ''
|
|
Address of the SMTP server to send email to once it has been
|
|
scanned.
|
|
'';
|
|
};
|
|
|
|
tempDirectory = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "/tmp";
|
|
description = ''
|
|
Temporary directory that needs to be accessible to both clamd
|
|
and clamsmtpd.
|
|
'';
|
|
};
|
|
|
|
timeout = lib.mkOption {
|
|
type = lib.types.int;
|
|
default = 180;
|
|
description = "Time-out for network connections.";
|
|
};
|
|
|
|
transparentProxy = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = false;
|
|
description = "Enable clamsmtp's transparent proxy support.";
|
|
};
|
|
|
|
virusAction = lib.mkOption {
|
|
type = with lib.types; nullOr path;
|
|
default = null;
|
|
description = ''
|
|
Command to run when a virus is found. Please see VIRUS ACTION in
|
|
clamsmtpd(8) for a discussion of this option and its safe use.
|
|
'';
|
|
};
|
|
|
|
xClient = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = false;
|
|
description = ''
|
|
Send the XCLIENT command to the receiving server, for forwarding
|
|
client addresses and connection information if the receiving
|
|
server supports this feature.
|
|
'';
|
|
};
|
|
};
|
|
}
|
|
);
|
|
};
|
|
};
|
|
};
|
|
|
|
##### implementation
|
|
config =
|
|
let
|
|
configfile =
|
|
conf:
|
|
pkgs.writeText "clamsmtpd.conf" ''
|
|
Action: ${conf.action}
|
|
ClamAddress: ${clamdSocket}
|
|
Header: ${conf.header}
|
|
KeepAlives: ${toString conf.keepAlives}
|
|
Listen: ${conf.listen}
|
|
Quarantine: ${if conf.quarantine then "on" else "off"}
|
|
MaxConnections: ${toString conf.maxConnections}
|
|
OutAddress: ${conf.outAddress}
|
|
TempDirectory: ${conf.tempDirectory}
|
|
TimeOut: ${toString conf.timeout}
|
|
TransparentProxy: ${if conf.transparentProxy then "on" else "off"}
|
|
User: clamav
|
|
${lib.optionalString (conf.virusAction != null) "VirusAction: ${conf.virusAction}"}
|
|
XClient: ${if conf.xClient then "on" else "off"}
|
|
'';
|
|
in
|
|
lib.mkIf cfg.enable {
|
|
assertions = [
|
|
{
|
|
assertion = config.services.clamav.daemon.enable;
|
|
message = "clamsmtp requires clamav to be enabled";
|
|
}
|
|
];
|
|
|
|
systemd.services = lib.listToAttrs (
|
|
lib.imap1 (
|
|
i: conf:
|
|
lib.nameValuePair "clamsmtp-${toString i}" {
|
|
description = "ClamSMTP instance ${toString i}";
|
|
wantedBy = [ "multi-user.target" ];
|
|
script = "exec ${pkgs.clamsmtp}/bin/clamsmtpd -f ${configfile conf}";
|
|
after = [ "clamav-daemon.service" ];
|
|
requires = [ "clamav-daemon.service" ];
|
|
serviceConfig.Type = "forking";
|
|
serviceConfig.PrivateTmp = "yes";
|
|
unitConfig.JoinsNamespaceOf = "clamav-daemon.service";
|
|
}
|
|
) cfg.instances
|
|
);
|
|
};
|
|
|
|
meta.maintainers = with lib.maintainers; [ ekleog ];
|
|
}
|