From a44c2e04e2b61463765c8ad7f38209ec06807b5d Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Fri, 12 May 2023 15:25:14 +0200
Subject: [PATCH 1/8] update mailman ssh settings and add root alias

---
 config/aliases | 1 +
 modules/mail.nix | 2 +-
 modules/mailman.nix | 5 ++++-
 3 files changed, 6 insertions(+), 2 deletions(-)
 create mode 100644 config/aliases

diff --git a/config/aliases b/config/aliases
new file mode 100644
index 0000000..d90ab72
--- /dev/null
+++ b/config/aliases
@@ -0,0 +1 @@
+root: mathias_stuhlbein
diff --git a/modules/mail.nix b/modules/mail.nix
index d047743..88b5f5a 100644
--- a/modules/mail.nix
+++ b/modules/mail.nix
@@ -95,7 +95,7 @@ in
 "permit_mynetworks"
 "reject_unauth_destination"
 ];
- #alias_maps = [ "ldap:${ldap-aliases}" ];
+ alias_maps = [ "hash:${../config/aliases}" ];
 smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ];
 non_smtpd_milters = [ "local:/var/run/opendkim/opendkim.sock" ];
 smtpd_sasl_auth_enable = true;
diff --git a/modules/mailman.nix b/modules/mailman.nix
index a133729..1841e53 100644
--- a/modules/mailman.nix
+++ b/modules/mailman.nix
@@ -10,7 +10,10 @@
 webHosts = [ "lists.${config.fsr.domain}" ];
 hyperkitty.enable = true;
 enablePostfix = true;
- siteOwner = "root@${config.fsr.domain}";
+ siteOwner = "mailman@${config.fsr.domain}";
+ settings = {
+ mta.smtp_secure_mode = "SecureMode.SMTPS";
+ };
 ldap = {
 enable = true;
 serverUri = "ldap://localhost";
From a9b8875563d44615de0a9bb4023593ee8b6df227 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Thu, 25 May 2023 22:43:16 +0200
Subject: [PATCH 2/8] reload mail services upon acme renew

---
 modules/mail.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/modules/mail.nix b/modules/mail.nix
index 88b5f5a..2491c4d 100644
--- a/modules/mail.nix
+++ b/modules/mail.nix
@@ -198,4 +198,10 @@ in
 };
 };
 };
+ security.acme.certs."${domain}" = {
+ reloadServices = [
+ "postfix.service"
+ "dovecot2.service"
+ ];
+ };
 }
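Review bot: `alias_maps = [ "hash:${../config/aliases}" ]` points Postfix at a read-only Nix store path, and a `hash:` table needs a `.db` built by `postalias` next to the source file, which nothing in this hunk produces, so the new `root:` alias will most likely never resolve (the switch to `/etc/aliases` later in this series suggests this was hit). The declarative route is to let the NixOS module compile the table on activation, e.g. `services.postfix.extraAliases = "root: mathias_stuhlbein";` (or `services.postfix.aliasFiles`), and drop the hand-written `alias_maps`; check how the module populates `alias_maps` so the two do not fight. The surrounding `config = { … }` attrset starts and ends outside the hunk.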
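Review bot: `siteOwner = "mailman@${config.fsr.domain}"` is the address Mailman uses for site-owner notifications and bounce processing, and nothing in this series creates a `mailman` recipient (the alias file added here only maps `root`), so confirm that address is deliverable through the aliases table or the LDAP recipient lookup, otherwise those notifications bounce silently. A comment on the line would save the next reader the search: `# must be a deliverable local address; used as sender/recipient for site-owner notices and bounces`. The enclosing `services.mailman` attrset starts and ends outside the hunk.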
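Review bot: The reload hook is attached to the `${domain}` certificate, while Postfix and Dovecot in this file are set up under `hostname = "mail.${domain}"`, so double-check that `${domain}` is the certificate those daemons actually load; if they use a `mail.`-prefixed cert the hook never fires for the renewed mail certificate. Either way the intent deserves a comment on the new block, e.g. `# postfix/dovecot only re-read their TLS cert on reload; hook the ACME renewal so the renewed cert is picked up`. The enclosing module attrset starts outside the hunk.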
From 666e6b4425741ac4629518281ab3195c4acbb725 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Wed, 31 May 2023 14:58:26 +0200
Subject: [PATCH 3/8] enable submission on port 587

---
 modules/mail.nix | 3 ++-
 modules/mailman.nix | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/modules/mail.nix b/modules/mail.nix
index 2491c4d..408c03a 100644
--- a/modules/mail.nix
+++ b/modules/mail.nix
@@ -27,12 +27,13 @@ in
 sops.secrets."rspamd-password".owner = config.users.users.rspamd.name;
 sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user;
- networking.firewall.allowedTCPPorts = [ 25 465 993 ];
+ networking.firewall.allowedTCPPorts = [ 25 465 587 993 ];
 users.users.postfix.extraGroups = [ "opendkim" ];
 services = {
 postfix = {
 enable = true;
+ enableSubmission = true;
 enableSubmissions = true;
 hostname = "${hostname}";
 domain = "${domain}";
diff --git a/modules/mailman.nix b/modules/mailman.nix
index 1841e53..e0cfc4c 100644
--- a/modules/mailman.nix
+++ b/modules/mailman.nix
@@ -12,7 +12,7 @@
 enablePostfix = true;
 siteOwner = "mailman@${config.fsr.domain}";
 settings = {
- mta.smtp_secure_mode = "SecureMode.SMTPS";
+ mta.smtp_secure_mode = "SecureMode.STARTTLS";
 };
 ldap = {
 enable = true;
From 0dd03b096554eacb0bcb531f99743701eba8aeac Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Wed, 31 May 2023 15:14:14 +0200
Subject: [PATCH 4/8] enable acme for the ifsr base domain

---
 modules/nginx.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/modules/nginx.nix b/modules/nginx.nix
index 7cc17f2..5f5a79e 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -2,6 +2,10 @@
 {
 services.nginx = {
 enable = true;
+ virtualHosts."${config.fsr.domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ };
 appendHttpConfig = ''
 map $remote_addr $remote_addr_anon {
 ~(?P\d+\.\d+\.\d+)\. $ip.0;
From 3ddab16dae4ed68c8db0f3bbe838a82e0c9696b6 Mon Sep 17 00:00:00 2001
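Review bot: `mta.smtp_secure_mode = "SecureMode.STARTTLS"` looks like the repr of Mailman's Python enum rather than a config value; as far as I recall `mailman.cfg` expects the plain lowercase names `smtp`, `starttls` or `smtps` and rejects anything else at startup, so verify the daemon actually accepts this before relying on it (the setting is removed again later in the series, which is consistent with it not working). If STARTTLS to the local Postfix on port 25 is the goal, `mta.smtp_secure_mode = "starttls";` is the form to try, with a comment saying why mail from Mailman needs TLS on a loopback connection. The enclosing `services.mailman` attrset starts and ends outside the hunk.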
From: Rouven Seifert
Date: Tue, 13 Jun 2023 20:17:20 +0200
Subject: [PATCH 5/8] use uid as lpad in

---
 modules/mail.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/mail.nix b/modules/mail.nix
index 408c03a..5d82838 100644
--- a/modules/mail.nix
+++ b/modules/mail.nix
@@ -19,8 +19,8 @@ let
 ldap_version = 3
 scope = subtree
 base = dc=ifsr, dc=de
- user_filter = (&(objectClass=posixAccount)(mail=%u))
- pass_filter = (&(objectClass=posixAccount)(mail=%u))
+ user_filter = (&(objectClass=posixAccount)(uid=%n))
+ pass_filter = (&(objectClass=posixAccount)(uid=%n))
 '';
 in
 {
From 15319c9b2b25e66a66181a57379aafdb455b1f0c Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Mon, 3 Jul 2023 18:22:37 +0200
Subject: [PATCH 6/8] various fixes

- fix mailman's confirmation emails not sending
- introduce a stateful /etc/aliases
- configure ldap for postfix
---
 modules/mail.nix | 29 +++++++++++++++--------------
 modules/mailman.nix | 3 ---
 secrets/quitte.yaml | 5 +++--
 3 files changed, 18 insertions(+), 19 deletions(-)

diff --git a/modules/mail.nix b/modules/mail.nix
index 5d82838..d362103 100644
--- a/modules/mail.nix
+++ b/modules/mail.nix
@@ -3,13 +3,6 @@ let
 hostname = "mail.${config.fsr.domain}";
 domain = config.fsr.domain;
 rspamd-domain = "rspamd.${config.fsr.domain}";
- # brauchen wir das überhaupt?
- #ldap-aliases = pkgs.writeText "ldap-aliases.cf" ''
- #server_host = ldap://localhost
- #search_base = dc=ifsr, dc=de
- #query_filter = (&(objectClass=posixAccount)(uid=%n))
- #result_attribute=mail
- #'';
 dovecot-ldap-args = pkgs.writeText "ldap-args" ''
 uris = ldap://localhost
 dn = uid=search, ou=users, dc=ifsr, dc=de
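Review bot: Switching both filters to `(uid=%n)` makes Dovecot strip everything after `@` from the login name before the LDAP lookup, so `alice@whatever.example` authenticates as the posixAccount with uid `alice`; on a single-domain server that is probably intended, but the change is silent and should be documented in the `ldap-args` text, e.g. `# %n = login name without its domain part: users log in with their LDAP uid, any @domain suffix is ignored`. It also means the `mail` attribute is no longer consulted at all for login, so people who previously logged in with their full address will fail until told; a one-line note in the commit message or the comment would save support work. The `dovecot-ldap-args` string starts outside the hunk.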
@@ -26,8 +19,14 @@ in
 {
 sops.secrets."rspamd-password".owner = config.users.users.rspamd.name;
 sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user;
+ sops.secrets."postfix_ldap_aliases".owner = config.services.postfix.user;
- networking.firewall.allowedTCPPorts = [ 25 465 587 993 ];
+ networking.firewall.allowedTCPPorts = [
+ 25 # insecure SMTP
+ 465
+ 587 # SMTP
+ 993 # IMAP
+ ];
 users.users.postfix.extraGroups = [ "opendkim" ];
 services = {
@@ -68,21 +67,21 @@ in
 config = {
 home_mailbox = "Maildir/";
 smtp_use_tls = true;
- smtp_tls_security_level = "encrypt";
+ # smtp_tls_security_level = "encrypt";
 smtpd_use_tls = true;
- smtpd_tls_security_level = lib.mkForce "encrypt";
- smtpd_tls_auth_only = true;
+ # smtpd_tls_security_level = lib.mkForce "encrypt";
+ # smtpd_tls_auth_only = true;
 smtpd_tls_protocols = [ "!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" ];
+ # "reject_non_fqdn_hostname"
 smtpd_recipient_restrictions = [
 "permit_sasl_authenticated"
 "permit_mynetworks"
 "reject_unauth_destination"
- "reject_non_fqdn_hostname"
 "reject_non_fqdn_sender"
 "reject_non_fqdn_recipient"
 "reject_unknown_sender_domain"
@@ -96,7 +95,9 @@ in
 "permit_mynetworks"
 "reject_unauth_destination"
 ];
- alias_maps = [ "hash:${../config/aliases}" ];
+ # smtpd_sender_login_maps = [ "ldap:${ldap-senders}" ];
+ alias_maps = [ "hash:/etc/aliases" ];
+ # alias_maps = [ "hash:/etc/aliases" "ldap:${ldap-aliases}" ];
 smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ];
 non_smtpd_milters = [ "local:/var/run/opendkim/opendkim.sock" ];
 smtpd_sasl_auth_enable = true;
@@ -104,7 +105,7 @@ in
 smtpd_sasl_type = "dovecot";
 #mailman stuff
 transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
- local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
+ local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" "ldap:${config.sops.secrets."postfix_ldap_aliases".path}" ];
 };
 };
 dovecot2 = {
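Review bot: The port comments in the new `allowedTCPPorts` list are misleading: `25 # insecure SMTP` is the MX port, which still offers STARTTLS (opportunistically, once the `encrypt` level is dropped later in this commit), `587 # SMTP` is the STARTTLS submission port, and 465 has no comment at all although it is the implicit-TLS submission port enabled via `enableSubmissions`. Suggested lines: `25 # SMTP/MX (STARTTLS opportunistic)`, `465 # submission over implicit TLS (enableSubmissions)`, `587 # submission with STARTTLS (enableSubmission)`, `993 # IMAPS`. The new `postfix_ldap_aliases` secret holds an LDAP table definition including bind credentials and is handed to the `postfix` user; that is the right owner for lookups done by `smtpd`, but a comment saying what the file contains (`# postfix ldap table config incl. bind password, consumed by local_recipient_maps below`) would help the next reader. The module attrset this hunk sits in starts and ends outside the hunk.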
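Review bot: Commenting out `smtpd_tls_auth_only = true` while `smtpd_sasl_auth_enable = true` stays in force for the main smtpd (visible as context in the next hunk) means the port-25 listener now advertises AUTH before STARTTLS, so a client can be tricked into sending LDAP credentials in cleartext; the 465/587 listeners are presumably still protected by their own `submissionOptions`, but 25 is not. If the aim was to let Mailman deliver to localhost without TLS (the "confirmation emails not sending" item in the commit message), relax only the security level and keep AUTH TLS-only: `smtpd_tls_security_level = lib.mkForce "may";` and `smtpd_tls_auth_only = true;`. Dropping the outbound `smtp_tls_security_level = "encrypt"` is defensible because mandatory TLS to arbitrary MXs bounces mail, but say so instead of leaving the dead line: `# outbound TLS stays opportunistic (may); "encrypt" would bounce mail to MXs without STARTTLS`. The `config = { … }` attrset continues past the end of the hunk.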
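Review bot: `smtpd_sender_login_maps` is left commented out, so with `permit_sasl_authenticated` first in the restriction lists any authenticated LDAP account can submit mail with any envelope sender, including another user's address; now that an LDAP table for Postfix exists (the recipient map added in the next hunk) the same mechanism can feed `smtpd_sender_login_maps = [ "ldap:…" ];` together with `reject_sender_login_mismatch` in the submission restrictions. Separately, `alias_maps = [ "hash:/etc/aliases" ]` needs an `/etc/aliases.db` that nothing in this configuration generates (`newaliases` is never run), so on a fresh host the `root:` forward silently does nothing; since the commit message calls this stateful on purpose, document it in place, `# /etc/aliases is hand-maintained on the host (not managed by nix); run newaliases after editing`, or prefer `services.postfix.extraAliases`, which the module compiles on activation. The commented `ldap:${ldap-senders}` / `ldap:${ldap-aliases}` lines reference `let` bindings that this commit deletes or never defines, so either remove them or note that the table definition now lives in the sops secret.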
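Review bot: The new `ldap:` entry in `local_recipient_maps` is queried by `smtpd` on every RCPT TO, and the table file under `config.sops.secrets."postfix_ldap_aliases".path` carries the bind credentials; Postfix's LDAP_README recommends fronting such tables with `proxy:ldap:…` (and listing the table in `proxy_read_maps`) so the unprivileged, possibly chrooted smtpd processes share one `proxymap` connection instead of each opening the directory and reading the credential file. The secret's name says "aliases" but the table is used here for recipient validation, so a comment is worth adding: `# accept RCPT TO for local users only if LDAP knows the address; query and bind password live in the sops secret`. Also consider what happens when slapd is down: Postfix will temp-fail (4xx) all local recipients rather than bounce, which is the safe behaviour, but the operator should know that is why mail queues. The `config = { … }` attrset this line belongs to starts outside the hunk.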
diff --git a/modules/mailman.nix b/modules/mailman.nix
index e0cfc4c..b85fb83 100644
--- a/modules/mailman.nix
+++ b/modules/mailman.nix
@@ -11,9 +11,6 @@
 hyperkitty.enable = true;
 enablePostfix = true;
 siteOwner = "mailman@${config.fsr.domain}";
- settings = {
- mta.smtp_secure_mode = "SecureMode.STARTTLS";
- };
 ldap = {
 enable = true;
 serverUri = "ldap://localhost";
diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index b26742a..3bf0826 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
@@ -15,6 +15,7 @@ mediawiki:
 postgres: ENC[AES256_GCM,data:XRfUc2PRMJcoILAnm5MWr2Cg5u4e/IhGMUnz/oIQSzY=,iv:8U+qlD1SQzxUyD/6QK4SdwRCDyMODK/lP0IDrLlcQ4U=,tag:2spNMj9dY2wWilOusq24yQ==,type:str]
 initial_admin: ENC[AES256_GCM,data:iET5rz9rygx49NDBjKwqAlRgpeS+jq5iM5zmjnoKcyk=,iv:11iDbCrpzjCdyAB22R8NknJ6vzcpVZXCXB3iWsGWXw0=,tag:1RCyg1ysOWaXKdqqdHqRrw==,type:str]
 ldapprovider: ENC[AES256_GCM,data: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,iv:ycKt8/awCo3HoO6Oa8H77GH9+m+xgR4kiXb7Cbf0wSY=,tag:b6pBoZs+E4CP+V9oZXrcoQ==,type:str]
+postfix_ldap_aliases: ENC[AES256_GCM,data:SFCncYQAY2ZOA4d8YO58HQvUIRpevU6dX3BDv/pnB1JlvNmQH7oy4NZ4zf24/1i11EV7Z0NvPsa4sAqj8xRR++yyzeG9RQk3Pcst3AkFtA+MkNP0ueZJYsvLKyUE6G7UpzVVuLI+L5R121JrRp6+r5xqckOBNCBo73ulb7tC67hSfLA+ZNmDw+bKbshHej4l3hvM/c2sHLbcPp/+vxLXqthPR+y8lf6J/QgZ8Yzw1JxFVDO8ypaWpWZZvA3HbAzRJXxk2zxg+lpmgFsyzTXLZGhvf7NdRHUmTP9OgDFt/efhxpUvDYpDinzVOuFrYJGL/4U0LLvxtGQQaQ==,iv:dUx+BsJWaiZ6MeNB+OhrSxQf+co2USjJM5rKt7OP5GI=,tag:nOVLxEyIRSNnxGa8eHMmFQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -30,8 +31,8 @@ sops:
 NEJBTHE2end1RDlHRTNFYlZjTjhib2cKmQRHpBKZ2DbQ5CfOwcSPfZAm9fnnpxUk
 +LcR8haK//O3N2uNf9etDW3VsT5ipPucCdFU1m/v9L5tcN6ZP8WP+w==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-04-03T21:29:19Z"
- mac: ENC[AES256_GCM,data:rpUgxzTSUAHjCJKIvCXRGSiJF3G4LyTqQXL1x9yUeEe18WHEBWowllMF4S2sqKDU4WLwElCjz/vU8/W3HjrhHK8DHBRIw+7ztol7e3KZdiRJuj+3yazsxo34DkM4mMvA125llFJhhys3w+9WOrdlY9mVITv8uVfLbSYBDLZ6dAg=,iv:K7QXSE7YixdZcPAJo7vXkPvjFuOzkglIxHQefCFYHig=,tag:7gsDdVKLOvjfTQVU0orreA==,type:str]
+ lastmodified: "2023-07-03T16:18:44Z"
+ mac: ENC[AES256_GCM,data:USYbcrCkagxH2fMkkYab6kviwvaM9dC6BHd+uomsjQQwp2aSElxrz7yJZgHiiWuODwLqC6Cg+i/1NLY1JDyGy1IBehmaW/PFEjpq5RjcY4oIiHWDLBKlVBryZGMlDCc1o5Q5ispK8TksCDP567ogEV1AeFb/f/l4Lp/0lsstQlk=,iv:oyIndbLisTKyJezd0ndpuHesAur57g5d0vZb/nliGfs=,tag:K/hWbcikN1ATgJrzABWD9Q==,type:str]
 pgp:
 - created_at: "2023-04-23T17:48:54Z"
 enc: |
From 13020f8ce38d379443b2947ae0835cd18c9a7f6f Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Tue, 4 Jul 2023 09:36:08 +0200
Subject: [PATCH 7/8] fix ldap group search

---
 config/aliases | 1 -
 modules/mailman.nix | 2 ++
 2 files changed, 2 insertions(+), 1 deletion(-)
 delete mode 100644 config/aliases

diff --git a/config/aliases b/config/aliases
deleted file mode 100644
index d90ab72..0000000
--- a/config/aliases
+++ /dev/null
@@ -1 +0,0 @@
-root: mathias_stuhlbein
diff --git a/modules/mailman.nix b/modules/mailman.nix
index b85fb83..8e111e3 100644
--- a/modules/mailman.nix
+++ b/modules/mailman.nix
@@ -23,7 +23,9 @@
 groupSearch = {
 ou = "ou=groups, dc=ifsr, dc=de";
 query = "(objectClass=groupOfNames)";
+ type = "groupOfNames";
 };
+ superUserGroup = "cn=admins,ou=groups,dc=ifsr,dc=de";
 };
 };
 services.nginx.virtualHosts."lists.${config.fsr.domain}" = {
From 08cff48ba6c8aeea15f8c52394fede97738da3dd Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Tue, 4 Jul 2023 09:49:14 +0200
Subject: [PATCH 8/8] add test secret

---
 secrets/test.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
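Review bot: `superUserGroup = "cn=admins,ou=groups,dc=ifsr,dc=de"` turns every member of that LDAP group into a Django superuser for Postorius/HyperKitty, which is a sound least-privilege mapping but should say so in place, e.g. `# members of cn=admins become Django superusers: full control over every list and all subscriber data in the web UI`. Presumably the flag is only re-evaluated when the user next authenticates against LDAP (django-auth-ldap behaviour), so removing someone from `cn=admins` does not end a session that is already logged in; confirm that and fold session invalidation into the offboarding steps if needed. `type = "groupOfNames"` agrees with the `(objectClass=groupOfNames)` query on the line above, so membership will be read from `member` attributes, which is worth stating in the same comment. The enclosing `ldap` attrset starts outside the hunk.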
diff --git a/secrets/test.yaml b/secrets/test.yaml
index 22f0d57..7696999 100644
--- a/secrets/test.yaml
+++ b/secrets/test.yaml
@@ -16,6 +16,7 @@ mediawiki:
 initial_admin: ENC[AES256_GCM,data:YRd3O5774NTmshxbQPbFjg==,iv:/Ra3WbZKcnUMf99ujN9qd/+DkOkFKv4cIEfUdmxpqMw=,tag:gj7ZbwIB1HLuPpGTgiz7Vg==,type:str]
 ldapprovider: ENC[AES256_GCM,data:dVrCFVgm4BDtUhcj9rSKXwnaIKsC5GGsDUoPJH1q5F4inskuSbFigcLM/UJFNOcr5R1dL+mYUOvnmIcoWA5AsuFKs3NzSYJVtVAm0x7vYSkHnfXu93V2F8Lc1xX/kZrFfnmNUXwhv2I+hknPUApY7wpmZOdk9NLKv4tbsgVTbfmR/WM6soOurh3b6b4cknfxqSeLZLeOIKL5WL8842t5SethyCfPsCm74JCpwHmflkCyT/lzIP1Kghab+xGWWyN9OAENlDZrJE6VAdctR+MKYZnhA7dXKeQPjKii9MZsDYFYTL5YDRysam4r7Jog/fozgWkXNrCUan29efnnBwpLz5hgV1MguIpvU8ccDQLNvgJCOdp6FgH45ZRlCxx29EWzh9iTDGPqmNsctUknFdfUVfIg9ziz/97i/kGcwy5N1oOsoUf7iRj5zLyLP6OlXGNThowF4jlNdI2b+caQGz7H6ZkJfUPWULotBUrjxrZo3pSYRkpJ77xbGUZf35ysxTHpfsmhyyO9HRhhgNkilEHlcsi8u+AC0su+Htg/Io332tSX+W6Gj6R6Q23hQ0gf8on5Y2xx34ysobEh8cMS4+Kj0nwasMHjW70g3qWpKkG1LSOIgXiA7hcusGCo8xPZ1y3gIyRiTxVTPJHh63Ecd0O37P4NWVSKEpsIM5pkngMN5L5K/ymtZ0kjREX2q4qpXf2xJiTTdAkeTMcmDs9HHjOzIIynYouY7P6qdXUpXjyGwqfovmnIv5icQ6sqFA==,iv:sPRnnIEif6W1SPy5SKiUuY681HeLPcR19U4p1mdUGdc=,tag:zeMdtTRk8ULP4GYDQLIU7A==,type:str]
 mautrix-telegram_env: ENC[AES256_GCM,data:vqHmM3mRrIYMT4760sglAlBZoOb7siqx3alvQE5rpq8z6FgOqJxHqGaN1quhpAVVe9ugtlvezVh8eSFX+45Y5rtqJ7iylxmC+y8JGsyLIflf674Si7h07bedCcT0wBg1ioI/JILDwICiAf0=,iv:BAPKiVt2l3E7z1Wk9ky6WFYr6hn62d+X5r0NMdUYwJQ=,tag:CRddpVMHQLwhwUF1hn0JKA==,type:str]
+postfix_ldap_aliases: ENC[AES256_GCM,data:cpMrQE7cQafsB+cBJWhj+XrMKntZvYle19d4JojAoLKXT/D7XauR6IPYhiT+X3g6iQI1HZ6BGbEp9CnhK3KvPdx5R7S6vs0wZYdcRHh0HImI1P/j6ffALlYTVojJ7AazDM/DEf53+qndbU1sqykjAOhXRkBfZnlDLooETuPsRpLL/4ZE1NuntVyKLlG/u10/moUgS/Gsrkk0K7ns5WFJjUcQq8P9gakc9mcJw32DHTiVV0UbZoFqkMI3LD7zFr17klXtKYYWcOcH5ZGmJax1X+PaAzogOf2/JFVNSae2Uvk=,iv:eSE+ADQI9QeN083ECwcekPJIKGEImoJrP7b/JSemDkY=,tag:g9V3ZDXi1x0wNVvGyA/wnQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -31,8 +32,8 @@ sops:
 MERVUkh2ck9YWnJ5TXJDVmxpem1kTXMKCeOyjV/se1nRXsi15m/3i48hP7As6SEk
 ygtLt+UueHStX/b/OzrXk8IC5dj/mARGIJI5S61IKln6SZFbJGT6cQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-05-04T14:41:09Z"
- mac: ENC[AES256_GCM,data:qY1fcRl53tcvgYAqhvWLfAxe6MRvcXcbkeLMtQShQtyKRv4BW0AMOh0OOKFcxxcMbucG4j9yufvK18Q8COIslsOtm5wZhEjK8+sK0RT3l6uX0EPn/aNwGWwScXjMOeKJEBEozA4xPHt7+flTsRDAzjRz+ixC/cevm1Iu/ok17lE=,iv:OTtpuinzQXZ6nykpH8/XwIUYDNf+DNWrbDxCmJpdqAc=,tag:ng3dWwOdj60iy4yT4Ux8Cw==,type:str]
+ lastmodified: "2023-07-04T07:48:57Z"
+ mac: ENC[AES256_GCM,data:eJH7Ng7qBO8XtKjAn2grHYlgOhivsD20QqFrUXncte8REpcUac7Td3OSogjXdky7DLhk9Pw0HML/fUu3DmtSFpdPkfg+kpprRXIK8QjYCB3OlDVqsnZiDkUitELtonNLddUKPOJW8B6EOiLPFyESJzBKGA0NqY7GVVFe7JSI1P4=,iv:G0ug1InP53pWOcVFTkhEa1l3HLS3w8RDZi3HXSBK9/8=,tag:cDwqTw4z0ideXewC/C0hHg==,type:str]
 pgp:
 - created_at: "2022-11-18T16:37:58Z"
 enc: |