Fix postfix settings so it should load successfully and accept and send messages through tunnel

Signed-off-by: Egor Savkin <es@m-labs.hk>

nixbld-etc-nixos/configuration.nix

@@ -228,6 +228,29 @@ in
         }
       ];
     };
+    greTunnels.intl0 = {
+      dev = netifWan;
+      remote = "5.78.86.156";
+      local = "94.190.212.123";
+      ttl = 255;
+      type = "tun";
+    };
+    interfaces.intl0 = {
+      ipv4.addresses = [
+        {
+          address = "10.47.3.1";
+          prefixLength = 31;
+        }
+      ];
+      ipv4.routes = [
+        {
+          address = "0.0.0.0";
+          prefixLength = 0;
+          via = "10.47.3.0";
+          options.table = "3";
+        }
+      ];
+    };
     vlans = {
       "${netifAltVlan}" = {
         id = 2;
@@ -280,6 +303,27 @@ in
     after = [ "network-addresses-${netifAlt}.service" ];
     requires = [ "network-addresses-${netifAlt}.service" ];
   };
+  services.strongswan-swanctl.swanctl.connections.intl = {
+    local_addrs = [ "94.190.212.123" ];
+    remote_addrs = [ "5.78.86.156" ];
+    local.main = {
+      auth = "pubkey";
+      id = "fqdn:m-labs.hk";
+      pubkeys = [ "/etc/swanctl/pubkey/m-labs.hk" ];
+    };
+    remote.main = {
+      auth = "pubkey";
+      id = "fqdn:m-labs-intl.com";
+      pubkeys = [ "/etc/swanctl/pubkey/m-labs-intl.com" ];
+    };
+    children.intl0 = {
+      mode = "transport";
+      ah_proposals = [ "sha256-curve25519" ];
+      remote_ts = [ "5.78.86.156[gre]" ];
+      local_ts = [ "94.190.212.123[gre]" ];
+      start_action = "start";
+    };
+  };
 
   systemd.services.network-custom-route-backup = {
     wantedBy = [ "network.target" ];
@@ -299,6 +343,15 @@ in
       ExecStop = "${pkgs.iproute2}/bin/ip rule del table 1";
     };
   };
+  systemd.services.network-custom-route-intl = {
+    wantedBy = [ "network.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStart = "${pkgs.iproute2}/bin/ip rule add from 10.47.3.0/31 table 3";
+      ExecStop = "${pkgs.iproute2}/bin/ip rule del table 3";
+    };
+  };
 
   # https://kb.isc.org/docs/dnssec-key-and-signing-policy
   # chown named.named /etc/nixos/named
@@ -1207,6 +1260,18 @@ in
     };
   };
 
+  services.postfix.mapFiles.sender_transport = pkgs.writeText "sender_transport" ''
+      @m-labs-intl.com intltunnel:
+      * :
+  '';
+  systemd.services.postfix-rebuild-sender-relay = {
+      description = "Postfix Rebuild Sender Dependent Transport Maps";
+      serviceConfig = {
+        ExecStart = "${pkgs.postfix}/sbin/postmap /var/lib/postfix/conf/sender_transport";
+      };
+      wantedBy = [ "multi-user.target" ];
+  };
+
   mailserver = {
     enable = true;
     localDnsResolver = false;  # conflicts with dnsmasq
@@ -1215,8 +1280,22 @@ in
     enablePop3 = true;
     enablePop3Ssl = true;
     certificateScheme = "acme-nginx";
-    policydSPFExtraConfig = "skip_addresses = 5.78.86.156,2a01:4ff:1f0:83de::1";
   } // (import /etc/nixos/secret/email_settings.nix);
+  services.postfix = {
+    config = {
+      sender_dependent_default_transport_maps = "hash:/var/lib/postfix/conf/sender_transport";
+    };
+    masterConfig."intltunnel" = {
+      type = "unix";
+      command = "smtp";
+      args = [
+        "-o" "smtp_bind_address=10.47.3.1"
+        "-o" "inet_interfaces=10.47.3.1"
+        "-o" "inet_protocols=ipv4"
+       ];
+    };
+  };
+
   services.roundcube = {
     enable = true;
     hostName = "mail.m-labs.hk";

nixbld-etc-nixos/named/m-labs-intl.com

@@ -23,7 +23,6 @@ ns						A		94.190.212.123
 ns						AAAA	2001:470:18:390::2
 
 mail					A		5.78.86.156
-mail					AAAA	2a01:4ff:1f0:83de::1
 mail._domainkey			IN	TXT	"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
 _dmarc					TXT		"v=DMARC1; p=none"