diff --git a/modules/mail.nix b/modules/mail.nix
index 6457c47..8a4db0e 100644
--- a/modules/mail.nix
+++ b/modules/mail.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 let
 hostname = "mail.${config.fsr.domain}";
 domain = config.fsr.domain;
@@ -6,7 +6,9 @@ let
 # brauchen wir das überhaupt?
 #ldap-aliases = pkgs.writeText "ldap-aliases.cf" ''
 #server_host = ldap://localhost
- #search_base = ou=mail, dc=ifsr, dc=de
+ #search_base = dc=ifsr, dc=de
+ #query_filter = (&(objectClass=posixAccount)(uid=%n))
+ #result_attribute=mail
 #'';
 dovecot-ldap-args = pkgs.writeText "ldap-args" ''
 uris = ldap://localhost
@@ -17,8 +19,8 @@ let
 ldap_version = 3
 scope = subtree
 base = dc=ifsr, dc=de
- user_filter = (&(objectClass=posixAccount)(uid=%n))
- pass_filter = (&(objectClass=posixAccount)(uid=%n))
+ user_filter = (&(objectClass=posixAccount)(mail=%u))
+ pass_filter = (&(objectClass=posixAccount)(mail=%u))
 '';
 in
 {
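Review bot: `user_filter`/`pass_filter` now look up by `(mail=%u)`, so the login name becomes the full address and the lookup only behaves as intended if the LDAP `mail` attribute is single-valued and unique per account — with a shared or multi-valued `mail`, the passdb query can match several entries. A comment above the two filters, `# login is the full address from the mail attribute, not the posix uid`, would record that contract. The commented-out `ldap-aliases` block in the previous hunk still queries by `uid=%n`, so if it is ever re-enabled it will not line up with this change.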
@@ -26,33 +28,85 @@ in
 sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user;
 networking.firewall.allowedTCPPorts = [ 25 465 993 ];
+ users.users.postfix.extraGroups = [ "opendkim" ];
 services = {
 postfix = {
 enable = true;
+ enableSubmissions = true;
 hostname = "${hostname}";
 domain = "${domain}";
- relayHost = "";
 origin = "${domain}";
 destination = [ "${hostname}" "${domain}" "localhost" ];
+ networks = [ "127.0.0.1" "141.30.30.169" ];
 sslCert = "/var/lib/acme/${hostname}/fullchain.pem";
 sslKey = "/var/lib/acme/${hostname}/key.pem";
+ extraAliases = ''
+ # Taken from kaki, maybe we can throw out some at some point
+ # General redirections for pseudo accounts
+ bin: root
+ daemon: root
+ named: root
+ nobody: root
+ uucp: root
+ www: root
+ ftp-bugs: root
+ postfix: root
+
+ # Well-known aliases
+ manager: root
+ dumper: root
+ operator: root
+ abuse: postmaster
+
+ # trap decode to catch security attacks
+ decode: root
+ '';
 config = {
+ home_mailbox = "Maildir/";
+ smtp_use_tls = true;
+ smtp_tls_security_level = "encrypt";
+ smtpd_use_tls = true;
+ smtpd_tls_security_level = lib.mkForce "encrypt";
+ smtpd_tls_auth_only = true;
+ smtpd_tls_protocols = [
+ "!SSLv2"
+ "!SSLv3"
+ "!TLSv1"
+ "!TLSv1.1"
+ ];
 smtpd_recipient_restrictions = [
- "reject_unauth_destination"
 "permit_sasl_authenticated"
 "permit_mynetworks"
+ "reject_unauth_destination"
+ "reject_non_fqdn_hostname"
+ "reject_non_fqdn_sender"
+ "reject_non_fqdn_recipient"
+ "reject_unknown_sender_domain"
+ "reject_unknown_recipient_domain"
+ "reject_unauth_destination"
+ "reject_unauth_pipelining"
+ "reject_invalid_hostname"
+ ];
+ smtpd_relay_restrictions = [
+ "permit_sasl_authenticated"
+ "permit_mynetworks"
+ "reject_unauth_destination"
 ];
 #alias_maps = [ "ldap:${ldap-aliases}" ];
+ smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ];
+ non_smtpd_milters = [ "local:/var/run/opendkim/opendkim.sock" ];
 smtpd_sasl_auth_enable = true;
 smtpd_sasl_path = "/var/lib/postfix/auth";
- virtual_mailbox_base = "/var/mail";
+ smtpd_sasl_type = "dovecot";
+ # virtual_mailbox_base = "/var/mail";
 };
 };
 dovecot2 = {
 enable = true;
 enableImap = true;
 enableQuota = false;
+ mailLocation = "maildir:~/Maildir";
 sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem";
 sslServerKey = "/var/lib/acme/${hostname}/key.pem";
 mailboxes = {
@@ -74,7 +128,6 @@ in
 };
 };
 extraConfig = ''
- mail_location = maildir:/var/mail/%u
 passdb {
 driver = ldap
 args = ${dovecot-ldap-args}
@@ -92,6 +145,14 @@ in
 }
 '';
 };
+ opendkim = {
+ enable = true;
+ domains = "csl:${config.fsr.domain}";
+ selector = config.networking.hostName;
+ configFile = pkgs.writeText "opendkim-config" ''
+ UMask 0117
+ '';
+ };
 rspamd = {
 enable = true;
 postfix.enable = true;
@@ -101,12 +162,6 @@ in
 read_servers = "127.0.0.1";
 write_servers = "127.0.0.1";
 '';
- "dkim_signing.conf".text = ''
- path = "/var/lib/rspamd/dkim/$domain.$selector.key";
- selector = "quitte";
- sign_authenticated = true;
- use_domain = "header";
- '';
 };
 };
 redis = {
@@ -140,27 +195,3 @@ in
 };
 };
 }
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
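Review bot: `smtpd_tls_security_level = lib.mkForce "encrypt"` makes STARTTLS mandatory on port 25 as well, so any sending MTA that does not offer TLS is rejected outright — a publicly referenced MX must not require STARTTLS (RFC 3207 §4) — and `smtp_tls_security_level = "encrypt"` has the same effect outbound for destinations without TLS. Unless mandatory TLS in both directions is intended, the two lines should read `smtpd_tls_security_level = lib.mkForce "may";` and `smtp_tls_security_level = "may";` (authentication stays TLS-only through `smtpd_tls_auth_only`). Two smaller points in the same hunk: `"reject_unauth_destination"` is listed twice in `smtpd_recipient_restrictions`, and `smtpd_milters` spells the socket `/run/opendkim/opendkim.sock` while `non_smtpd_milters` uses `/var/run/opendkim/opendkim.sock` — presumably the same socket on NixOS, but they should be spelled identically. The `networks` entry `141.30.30.169` may relay without SASL through `permit_mynetworks`, so a comment naming that host would make the trust explicit. The `dovecot2` attribute set continues past the end of the hunk.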
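Review bot: The new `opendkim` block documents neither the `UMask 0117` nor the selector choice; I would add `# socket must be group-accessible: postfix is added to the opendkim group above` above the `UMask` line and `# DNS: <hostName>._domainkey.<domain> TXT must publish the key opendkim uses` above `selector`. Since the rspamd `dkim_signing.conf` with selector `"quitte"` is removed in the following hunk, signing now follows `config.networking.hostName` as the selector — worth confirming the published TXT record matches before deploying, or signed mail will fail verification at recipients.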