diff --git a/modules/mail.nix b/modules/mail.nix
index d047743..d362103 100644
--- a/modules/mail.nix
+++ b/modules/mail.nix
@@ -3,13 +3,6 @@ let
 hostname = "mail.${config.fsr.domain}";
 domain = config.fsr.domain;
 rspamd-domain = "rspamd.${config.fsr.domain}";
- # brauchen wir das überhaupt?
- #ldap-aliases = pkgs.writeText "ldap-aliases.cf" ''
- #server_host = ldap://localhost
- #search_base = dc=ifsr, dc=de
- #query_filter = (&(objectClass=posixAccount)(uid=%n))
- #result_attribute=mail
- #'';
 dovecot-ldap-args = pkgs.writeText "ldap-args" ''
 uris = ldap://localhost
 dn = uid=search, ou=users, dc=ifsr, dc=de
@@ -19,20 +12,27 @@ let ldap_version = 3 scope = subtree base = dc=ifsr, dc=de - user_filter = (&(objectClass=posixAccount)(mail=%u)) - pass_filter = (&(objectClass=posixAccount)(mail=%u)) + user_filter = (&(objectClass=posixAccount)(uid=%n)) + pass_filter = (&(objectClass=posixAccount)(uid=%n)) ''; in { sops.secrets."rspamd-password".owner = config.users.users.rspamd.name; sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user; + sops.secrets."postfix_ldap_aliases".owner = config.services.postfix.user; - networking.firewall.allowedTCPPorts = [ 25 465 993 ]; + networking.firewall.allowedTCPPorts = [ + 25 # insecure SMTP + 465 + 587 # SMTP + 993 # IMAP + ]; users.users.postfix.extraGroups = [ "opendkim" ]; services = { postfix = { enable = true; + enableSubmission = true; enableSubmissions = true; hostname = "${hostname}"; domain = "${domain}";
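Review bot: The port comments added to `networking.firewall.allowedTCPPorts` mislabel the services: 587 is the submission port (STARTTLS, the one the new `enableSubmission = true` turns on), 465 is submissions with implicit TLS (`enableSubmissions`) and is left uncommented, and 25 is server-to-server SMTP rather than an "insecure" variant of 587. Suggested labels: `25 # SMTP (MTA-to-MTA)`, `465 # submissions (implicit TLS)`, `587 # submission (STARTTLS)`. Switching dovecot's `user_filter`/`pass_filter` from `mail=%u` to `uid=%n` means logins are matched on the local part only and whatever domain suffix a client sends is ignored; presumably intended for a single-domain setup, but a comment stating that would help the next reader.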
@@ -67,21 +67,21 @@ in
 config = {
 home_mailbox = "Maildir/";
 smtp_use_tls = true;
- smtp_tls_security_level = "encrypt";
+ # smtp_tls_security_level = "encrypt";
 smtpd_use_tls = true;
- smtpd_tls_security_level = lib.mkForce "encrypt";
- smtpd_tls_auth_only = true;
+ # smtpd_tls_security_level = lib.mkForce "encrypt";
+ # smtpd_tls_auth_only = true;
 smtpd_tls_protocols = [
 "!SSLv2"
 "!SSLv3"
 "!TLSv1"
 "!TLSv1.1"
 ];
+ # "reject_non_fqdn_hostname"
 smtpd_recipient_restrictions = [
 "permit_sasl_authenticated"
 "permit_mynetworks"
 "reject_unauth_destination"
- "reject_non_fqdn_hostname"
 "reject_non_fqdn_sender"
 "reject_non_fqdn_recipient"
 "reject_unknown_sender_domain"
@@ -95,7 +95,9 @@ in
 "permit_mynetworks"
 "reject_unauth_destination"
 ];
- #alias_maps = [ "ldap:${ldap-aliases}" ];
+ # smtpd_sender_login_maps = [ "ldap:${ldap-senders}" ];
+ alias_maps = [ "hash:/etc/aliases" ];
+ # alias_maps = [ "hash:/etc/aliases" "ldap:${ldap-aliases}" ];
 smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ];
 non_smtpd_milters = [ "local:/var/run/opendkim/opendkim.sock" ];
 smtpd_sasl_auth_enable = true;
@@ -103,7 +105,7 @@ in
 smtpd_sasl_type = "dovecot";
 #mailman stuff
 transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
- local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
+ local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" "ldap:${config.sops.secrets."postfix_ldap_aliases".path}" ];
 };
 };
 dovecot2 = {
@@ -198,4 +200,10 @@ in
 };
 };
 };
+ security.acme.certs."${domain}" = {
+ reloadServices = [
+ "postfix.service"
+ "dovecot2.service"
+ ];
+ };
 }
diff --git a/modules/mailman.nix b/modules/mailman.nix
index a133729..8e111e3 100644
--- a/modules/mailman.nix
+++ b/modules/mailman.nix
@@ -10,7 +10,7 @@
 webHosts = [ "lists.${config.fsr.domain}" ];
 hyperkitty.enable = true;
 enablePostfix = true;
- siteOwner = "root@${config.fsr.domain}";
+ siteOwner = "mailman@${config.fsr.domain}";
 ldap = {
 enable = true;
 serverUri = "ldap://localhost";
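Review bot: Commenting out `smtpd_tls_auth_only = true;` removes the one setting in this hunk that keeps Postfix from offering SASL AUTH before STARTTLS; because `smtpd_sasl_auth_enable = true` is set in the same main.cf (visible as context in the -103 hunk), port 25 can now accept credentials over plaintext. `smtpd_tls_auth_only` is independent of `smtpd_tls_security_level`, so the latter can be relaxed to opportunistic TLS for inbound MTA interoperability while keeping `smtpd_tls_auth_only = true;`. The submission ports are presumably covered by the NixOS per-service submission options (believed to force `encrypt` on 465/587), but nothing in this change pins that for port 25. If the `encrypt` levels were dropped because they broke delivery to or from hosts without TLS, a one-line comment next to the commented lines saying so would keep the next maintainer from re-enabling them blindly.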
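Review bot: With `smtpd_sender_login_maps` left as a comment, nothing binds an authenticated SASL login to the sender addresses it may use, so any account can submit mail with any envelope sender unless a `reject_sender_login_mismatch` restriction exists outside this hunk; either add the map together with that restriction, or record in a comment that this is accepted for now. The commented lines also reference `ldap-senders`, which is not defined anywhere visible, and `ldap-aliases`, which the first hunk of this file removes from the `let` block, so neither line can be uncommented as written.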
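Review bot: The `ldap:` table added to `local_recipient_maps` is opened by every smtpd process directly; Postfix documents the `proxy:` prefix for LDAP tables consulted by smtpd so lookups go through the single proxymap daemon, i.e. `"ldap:${config.sops.secrets."postfix_ldap_aliases".path}"` becomes `"proxy:ldap:${config.sops.secrets."postfix_ldap_aliases".path}"`. The table's `query_filter` and `result_attribute`, which decide which addresses Postfix accepts for local delivery, live inside the encrypted secret and cannot be reviewed from the repository; a comment stating what the table matches against the recipient (e.g. which LDAP attribute) would make the acceptance logic auditable. Note also that `local_recipient_maps` only gates acceptance: addresses it matches still need a delivery target via `alias_maps` or a local account, which this hunk does not show.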
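Review bot: The certificate reloaded into postfix and dovecot here is `security.acme.certs."${domain}"`, which the modules/nginx.nix hunk creates for the bare domain only, while this module sets the mail `hostname` to `mail.${config.fsr.domain}`; unless that name is added as a SAN (e.g. `extraDomainNames = [ hostname ];` on this cert, or a `serverAliases` entry on the nginx vhost), IMAP and SMTP clients connecting to the mail hostname would see a certificate name mismatch. Whether postfix and dovecot actually use this certificate is not visible in the hunk, so confirm that first. A short comment on the attribute set, `# ACME cert issued via nginx; reload mail daemons on renewal`, would also explain why the mail module touches an ACME cert it does not declare.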
@@ -23,7 +23,9 @@
 groupSearch = {
 ou = "ou=groups, dc=ifsr, dc=de";
 query = "(objectClass=groupOfNames)";
+ type = "groupOfNames";
 };
+ superUserGroup = "cn=admins,ou=groups,dc=ifsr,dc=de";
 };
 };
 services.nginx.virtualHosts."lists.${config.fsr.domain}" = {
diff --git a/modules/nginx.nix b/modules/nginx.nix
index 7cc17f2..5f5a79e 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -2,6 +2,10 @@
 {
 services.nginx = {
 enable = true;
+ virtualHosts."${config.fsr.domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ };
 appendHttpConfig = ''
 map $remote_addr $remote_addr_anon {
 ~(?P\d+\.\d+\.\d+)\. $ip.0;
diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index 57392af..70daf77 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
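Review bot: `superUserGroup = "cn=admins,ou=groups,dc=ifsr,dc=de"` grants Django superuser rights in the Mailman web UI to every member of that LDAP group, which is a privilege boundary worth a comment on the line, e.g. `# members of this LDAP group become Django superusers in the Mailman web UI`. The group DN is also written without the spaces after commas used in `ou` just above (`ou=groups, dc=ifsr, dc=de`); both are valid DNs, but one consistent spelling avoids a surprise if group DNs are ever compared literally rather than normalized.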
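Review bot: The new `virtualHosts."${config.fsr.domain}"` declares no `root` or `locations`, so it appears to exist only to obtain the ACME certificate that modules/mail.nix reloads into postfix and dovecot; a comment saying so, `# bare-domain vhost: issues the ACME cert reused by postfix/dovecot (modules/mail.nix)`, would stop someone from removing it as unused. If it is meant to serve content as well, that intent is not visible here and should be stated.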
@@ -15,7 +15,8 @@ mediawiki: postgres: ENC[AES256_GCM,data:XRfUc2PRMJcoILAnm5MWr2Cg5u4e/IhGMUnz/oIQSzY=,iv:8U+qlD1SQzxUyD/6QK4SdwRCDyMODK/lP0IDrLlcQ4U=,tag:2spNMj9dY2wWilOusq24yQ==,type:str] initial_admin: ENC[AES256_GCM,data:iET5rz9rygx49NDBjKwqAlRgpeS+jq5iM5zmjnoKcyk=,iv:11iDbCrpzjCdyAB22R8NknJ6vzcpVZXCXB3iWsGWXw0=,tag:1RCyg1ysOWaXKdqqdHqRrw==,type:str] ldapprovider: ENC[AES256_GCM,data:CPsrWmUviUpFIVVN/2a1lRjJCoZCWR9zrHm3T5Tv/YuXSYXStZGfBgXN96zhJUUpZcwiJq95o1sajyit+6itZCcGAPu0BTHSnNXRu1fgifonXE0ghw6rvzwkYpfBS+rfmBcG2wxX+7uZG3ulANYpvvGMxpKgM5IzQjE1sAytRDir6QeMGcFHP2gV4xQAdTNUZK2V+EKOlrcV5vTSzDSy3eXg18TVUgZqdxaQFfwnr2UN0eEEZ4Dn83G3QWsROZ0A7R3tuEmdAzmR8AdWBxfqCcOA8vZaOIOWb1AyobLCUaqQOj/SbGdgehMOQn1UcbRHpYQ2E9mvxD572uc/U5kzy/TbOLM34pkvckNrGfxwvqwbvXZrVP3gONY5CnJpk5XfVdT5Au/uwE5ZRs83ZEx31+85mpK3HecyBWRfWID0z2XS8PAU6G7ASQsXCh6sd5LFhL7zhxBQ4ENjT8pDi0OLYvw9VzPhPrdzooULeMytGitVWRtLsSzCn/D+U4x6EJLivLW6jv9SAIKg54fAjNEBYHh7GuHbr/VGtmiWKj6av2e3/BLgPOIyINzNv+X5QSsopZ2/yamPs+ARTOqAZvSyRgqereYoLZ5ZV15jIWiGc7HVfj/+Bk7cN4+VwFhzSuttp1DmvNNIWueeX69rdSqe41Y2lqKZ4ajOSIJ+YLP/dR0wvrVbd7QSP2OVRAnMugmeekbIuyIKPNsNJ183Z4y1m/ihIdRAzLnjSYuYCdWw3LXl5gM0ZTtGb7K+cIYcyJrS3fcaErDmqyI/LJoXNTo5CJI=,iv:ycKt8/awCo3HoO6Oa8H77GH9+m+xgR4kiXb7Cbf0wSY=,tag:b6pBoZs+E4CP+V9oZXrcoQ==,type:str] -mautrix-telegram_env: ENC[AES256_GCM,data:aksa5kx1fwRz9gu8rNsR6MclUFIttJxMchwLi7yH99T1cYn9YUskeORkvNcgaIPpd4dSPUZMbfWU3gbTlWh8ettI1uCdChg5EXbdOv2CIXfXCsvHx8a6lZPUOcWjoUXGh3693a5xiGv6jeKH4D0Hu50KN70a0XcMyLuW9mBcRnNqpHnzHkFWQNLYw7aHpNOYOz9D0s14DypHkJnVh43SjWvhFZF3tZjGI+kr/I/ZMvQ3/ujx42nuDqNSzT6Qk5e9,iv:JBijgTMjuXhUI2e8RqkLAr/ZRbJJtZTYOYSSX8zsflA=,tag:o1GY3LP7Jk/NnX1EMgEXfg==,type:str] +postfix_ldap_aliases: 
ENC[AES256_GCM,data:SFCncYQAY2ZOA4d8YO58HQvUIRpevU6dX3BDv/pnB1JlvNmQH7oy4NZ4zf24/1i11EV7Z0NvPsa4sAqj8xRR++yyzeG9RQk3Pcst3AkFtA+MkNP0ueZJYsvLKyUE6G7UpzVVuLI+L5R121JrRp6+r5xqckOBNCBo73ulb7tC67hSfLA+ZNmDw+bKbshHej4l3hvM/c2sHLbcPp/+vxLXqthPR+y8lf6J/QgZ8Yzw1JxFVDO8ypaWpWZZvA3HbAzRJXxk2zxg+lpmgFsyzTXLZGhvf7NdRHUmTP9OgDFt/efhxpUvDYpDinzVOuFrYJGL/4U0LLvxtGQQaQ==,iv:dUx+BsJWaiZ6MeNB+OhrSxQf+co2USjJM5rKt7OP5GI=,tag:nOVLxEyIRSNnxGa8eHMmFQ==,type:str] +mautrix-telegram_env: ENC[AES256_GCM,data:2p5vYV+/vEDrrZItTcT1vxddv2tM7dLGBUmG+OXHccTzJ2UhyYpDGgUMr5KgObxvyssYBZTsvbV7QFN3sjcU/jVPx1qEUn6zyKO0HBQjrviVU3urx5zNOnCEHwDKyDrZ1Hu/CE6lpGNrtGlpewgOs/+84JZIZhC9qSuzDhN38sr4OGfMr29fMzafYC+TGHoZyA64GI9xz0KvXhwg6ci1hLtVWYEOFW2Nf8uLY8qkNLuDzA6bYx8rn3CEXoxiv0n4,iv:jmcWTyVkqu9nDc1ws2NxkMKrHPZ13i3jqDkk4Y0kejw=,tag:BjhmPc4lSbsZBmZ/q2CqGg==,type:str] sops: kms: [] gcp_kms: [] @@ -31,8 +32,8 @@ sops: NEJBTHE2end1RDlHRTNFYlZjTjhib2cKmQRHpBKZ2DbQ5CfOwcSPfZAm9fnnpxUk +LcR8haK//O3N2uNf9etDW3VsT5ipPucCdFU1m/v9L5tcN6ZP8WP+w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-04T14:41:24Z" - mac: ENC[AES256_GCM,data:fdQazIIIZJWo5QjbMC9kH1Bu8s9L229q60Zg+8H85JVVpfgwATDTjfg2XcDTEFglpTQAUXCh34AkkX3We5faGb9W6GhX9kc4vc6qwOusX849cojNOVussnZYDSBRmlOLMtQKcArG2yVTjRtOm9jf8Lbff5xts2lsZkXS2iz6qb8=,iv:QWmNyKUCY2LoE0c3dEIsvlg50o0txMjhCvnwjy4xwA8=,tag:JIJ5vEiKoEJ08oehVZZ5Bw==,type:str] + lastmodified: "2023-07-04T07:41:45Z" + mac: ENC[AES256_GCM,data:YLC02dhSSLl9C1B7wo/AJcY4a4zc1LIaA0PKH0H8uZ8I9Kh105yk4sc2cz15FVMLtkMeIdfnhmWxbnPyLbM0mA9bAYT9MQn65quEgDumr+XH0UW6m1e2S23/2fxTFH1xRWsu7/Kon/gdzLb5hf2m30eJAP7MrdpxDz28Q7ut1P4=,iv:9UC71WxpDt1bxWSu16Sc+OKpy6KmX0Ru+Q54LYuQCBU=,tag:CpNKSJem+XHimm+yzRpwaw==,type:str] pgp: - created_at: "2023-04-23T17:48:54Z" enc: | diff --git a/secrets/test.yaml b/secrets/test.yaml index 22f0d57..7696999 100644 --- a/secrets/test.yaml +++ b/secrets/test.yaml 
@@ -16,6 +16,7 @@ mediawiki: initial_admin: ENC[AES256_GCM,data:YRd3O5774NTmshxbQPbFjg==,iv:/Ra3WbZKcnUMf99ujN9qd/+DkOkFKv4cIEfUdmxpqMw=,tag:gj7ZbwIB1HLuPpGTgiz7Vg==,type:str] ldapprovider: ENC[AES256_GCM,data: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,iv:sPRnnIEif6W1SPy5SKiUuY681HeLPcR19U4p1mdUGdc=,tag:zeMdtTRk8ULP4GYDQLIU7A==,type:str] mautrix-telegram_env: ENC[AES256_GCM,data:vqHmM3mRrIYMT4760sglAlBZoOb7siqx3alvQE5rpq8z6FgOqJxHqGaN1quhpAVVe9ugtlvezVh8eSFX+45Y5rtqJ7iylxmC+y8JGsyLIflf674Si7h07bedCcT0wBg1ioI/JILDwICiAf0=,iv:BAPKiVt2l3E7z1Wk9ky6WFYr6hn62d+X5r0NMdUYwJQ=,tag:CRddpVMHQLwhwUF1hn0JKA==,type:str] +postfix_ldap_aliases: ENC[AES256_GCM,data:cpMrQE7cQafsB+cBJWhj+XrMKntZvYle19d4JojAoLKXT/D7XauR6IPYhiT+X3g6iQI1HZ6BGbEp9CnhK3KvPdx5R7S6vs0wZYdcRHh0HImI1P/j6ffALlYTVojJ7AazDM/DEf53+qndbU1sqykjAOhXRkBfZnlDLooETuPsRpLL/4ZE1NuntVyKLlG/u10/moUgS/Gsrkk0K7ns5WFJjUcQq8P9gakc9mcJw32DHTiVV0UbZoFqkMI3LD7zFr17klXtKYYWcOcH5ZGmJax1X+PaAzogOf2/JFVNSae2Uvk=,iv:eSE+ADQI9QeN083ECwcekPJIKGEImoJrP7b/JSemDkY=,tag:g9V3ZDXi1x0wNVvGyA/wnQ==,type:str] sops: kms: [] gcp_kms: [] @@ -31,8 +32,8 @@ sops: MERVUkh2ck9YWnJ5TXJDVmxpem1kTXMKCeOyjV/se1nRXsi15m/3i48hP7As6SEk ygtLt+UueHStX/b/OzrXk8IC5dj/mARGIJI5S61IKln6SZFbJGT6cQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-04T14:41:09Z" - mac: ENC[AES256_GCM,data:qY1fcRl53tcvgYAqhvWLfAxe6MRvcXcbkeLMtQShQtyKRv4BW0AMOh0OOKFcxxcMbucG4j9yufvK18Q8COIslsOtm5wZhEjK8+sK0RT3l6uX0EPn/aNwGWwScXjMOeKJEBEozA4xPHt7+flTsRDAzjRz+ixC/cevm1Iu/ok17lE=,iv:OTtpuinzQXZ6nykpH8/XwIUYDNf+DNWrbDxCmJpdqAc=,tag:ng3dWwOdj60iy4yT4Ux8Cw==,type:str] + lastmodified: "2023-07-04T07:48:57Z" + mac: ENC[AES256_GCM,data:eJH7Ng7qBO8XtKjAn2grHYlgOhivsD20QqFrUXncte8REpcUac7Td3OSogjXdky7DLhk9Pw0HML/fUu3DmtSFpdPkfg+kpprRXIK8QjYCB3OlDVqsnZiDkUitELtonNLddUKPOJW8B6EOiLPFyESJzBKGA0NqY7GVVFe7JSI1P4=,iv:G0ug1InP53pWOcVFTkhEa1l3HLS3w8RDZi3HXSBK9/8=,tag:cDwqTw4z0ideXewB/M0hHg==,type:str] pgp: - created_at: "2022-11-18T16:37:58Z" enc: |