wurzel/fruitbasket
9
1
Fork 0
Code Issues 5 Pull requests Packages Projects Releases Wiki Activity

Merge pull request #22 from fsr/mail

Browse source 
[Draft] Fixes for the mail configuration
This commit is contained in:
Tassilo Tanneberger 2023-04-03 23:19:32 +02:00 committed by GitHub
parent 78dbad50f8 e6461fff1c
commit b9c58f5363
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 69 additions and 38 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

107
modules/mail.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }: { config, pkgs, lib, ... }:
let let
hostname = "mail.${config.fsr.domain}"; hostname = "mail.${config.fsr.domain}";
domain = config.fsr.domain; domain = config.fsr.domain;
@ -6,7 +6,9 @@ let
# brauchen wir das überhaupt? # brauchen wir das überhaupt?
#ldap-aliases = pkgs.writeText "ldap-aliases.cf" '' #ldap-aliases = pkgs.writeText "ldap-aliases.cf" ''
#server_host = ldap://localhost #server_host = ldap://localhost
#search_base = ou=mail, dc=ifsr, dc=de #search_base = dc=ifsr, dc=de
#query_filter = (&(objectClass=posixAccount)(uid=%n))
#result_attribute=mail
#''; #'';
dovecot-ldap-args = pkgs.writeText "ldap-args" '' dovecot-ldap-args = pkgs.writeText "ldap-args" ''
uris = ldap://localhost uris = ldap://localhost
@ -17,8 +19,8 @@ let
ldap_version = 3 ldap_version = 3
scope = subtree scope = subtree
base = dc=ifsr, dc=de base = dc=ifsr, dc=de
user_filter = (&(objectClass=posixAccount)(uid=%n)) user_filter = (&(objectClass=posixAccount)(mail=%u))
pass_filter = (&(objectClass=posixAccount)(uid=%n)) pass_filter = (&(objectClass=posixAccount)(mail=%u))
''; '';
in in
{ {
@ -26,33 +28,85 @@ in
sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user; sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user;
networking.firewall.allowedTCPPorts = [ 25 465 993 ]; networking.firewall.allowedTCPPorts = [ 25 465 993 ];
users.users.postfix.extraGroups = [ "opendkim" ];
services = { services = {
postfix = { postfix = {
enable = true; enable = true;
enableSubmissions = true;
hostname = "${hostname}"; hostname = "${hostname}";
domain = "${domain}"; domain = "${domain}";
relayHost = "";
origin = "${domain}"; origin = "${domain}";
destination = [ "${hostname}" "${domain}" "localhost" ]; destination = [ "${hostname}" "${domain}" "localhost" ];
networks = [ "127.0.0.1" "141.30.30.169" ];
sslCert = "/var/lib/acme/${hostname}/fullchain.pem"; sslCert = "/var/lib/acme/${hostname}/fullchain.pem";
sslKey = "/var/lib/acme/${hostname}/key.pem"; sslKey = "/var/lib/acme/${hostname}/key.pem";
extraAliases = ''
# Taken from kaki, maybe we can throw out some at some point
# General redirections for pseudo accounts
bin: root
daemon: root
named: root
nobody: root
uucp: root
www: root
ftp-bugs: root
postfix: root
# Well-known aliases
manager: root
dumper: root
operator: root
abuse: postmaster
# trap decode to catch security attacks
decode: root
'';
config = { config = {
home_mailbox = "Maildir/";
smtp_use_tls = true;
smtp_tls_security_level = "encrypt";
smtpd_use_tls = true;
smtpd_tls_security_level = lib.mkForce "encrypt";
smtpd_tls_auth_only = true;
smtpd_tls_protocols = [
"!SSLv2"
"!SSLv3"
"!TLSv1"
"!TLSv1.1"
];
smtpd_recipient_restrictions = [ smtpd_recipient_restrictions = [
"reject_unauth_destination"
"permit_sasl_authenticated" "permit_sasl_authenticated"
"permit_mynetworks" "permit_mynetworks"
"reject_unauth_destination"
"reject_non_fqdn_hostname"
"reject_non_fqdn_sender"
"reject_non_fqdn_recipient"
"reject_unknown_sender_domain"
"reject_unknown_recipient_domain"
"reject_unauth_destination"
"reject_unauth_pipelining"
"reject_invalid_hostname"
];
smtpd_relay_restrictions = [
"permit_sasl_authenticated"
"permit_mynetworks"
"reject_unauth_destination"
]; ];
#alias_maps = [ "ldap:${ldap-aliases}" ]; #alias_maps = [ "ldap:${ldap-aliases}" ];
smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ];
non_smtpd_milters = [ "local:/var/run/opendkim/opendkim.sock" ];
smtpd_sasl_auth_enable = true; smtpd_sasl_auth_enable = true;
smtpd_sasl_path = "/var/lib/postfix/auth"; smtpd_sasl_path = "/var/lib/postfix/auth";
virtual_mailbox_base = "/var/mail"; smtpd_sasl_type = "dovecot";
# virtual_mailbox_base = "/var/mail";
}; };
}; };
dovecot2 = { dovecot2 = {
enable = true; enable = true;
enableImap = true; enableImap = true;
enableQuota = false; enableQuota = false;
mailLocation = "maildir:~/Maildir";
sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem"; sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem";
sslServerKey = "/var/lib/acme/${hostname}/key.pem"; sslServerKey = "/var/lib/acme/${hostname}/key.pem";
mailboxes = { mailboxes = {
@ -74,7 +128,6 @@ in
}; };
}; };
extraConfig = '' extraConfig = ''
mail_location = maildir:/var/mail/%u
passdb { passdb {
driver = ldap driver = ldap
args = ${dovecot-ldap-args} args = ${dovecot-ldap-args}
@ -92,6 +145,14 @@ in
} }
''; '';
}; };
opendkim = {
enable = true;
domains = "csl:${config.fsr.domain}";
selector = config.networking.hostName;
configFile = pkgs.writeText "opendkim-config" ''
UMask 0117
'';
};
rspamd = { rspamd = {
enable = true; enable = true;
postfix.enable = true; postfix.enable = true;
@ -101,12 +162,6 @@ in
read_servers = "127.0.0.1"; read_servers = "127.0.0.1";
write_servers = "127.0.0.1"; write_servers = "127.0.0.1";
''; '';
"dkim_signing.conf".text = ''
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
selector = "quitte";
sign_authenticated = true;
use_domain = "header";
'';
}; };
}; };
redis = { redis = {
@ -140,27 +195,3 @@ in
}; };
}; };
} }