From dd6374d37170cbe805c8d32aee27cd6e166d1049 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Wed, 1 Mar 2023 15:44:04 +0100
Subject: [PATCH] postfix security enhancements
---
modules/mail.nix | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/modules/mail.nix b/modules/mail.nix
index ac7f163..5d9c1b3 100644
--- a/modules/mail.nix
+++ b/modules/mail.nix
@@ -28,7 +28,7 @@ in
 sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user;
 networking.firewall.allowedTCPPorts = [ 25 465 993 ];
- users.users.postfix.extraGroups = ["opendkim"];
+ users.users.postfix.extraGroups = [ "opendkim" ];
 services = {
 postfix = {
@@ -42,10 +42,29 @@ in
 sslCert = "/var/lib/acme/${hostname}/fullchain.pem";
 sslKey = "/var/lib/acme/${hostname}/key.pem";
 config = {
+ smtp_use_tls = true;
+ smtp_tls_security_level = "encrypt";
+ smtpd_use_tls = true;
+ smtpd_tls_security_level = lib.mkForce "encrypt";
+ smtpd_tls_auth_only = true;
+ smtpd_tls_protocols = [
+ "!SSLv2"
+ "!SSLv3"
+ "!TLSv1"
+ "!TLSv1.1"
+ ];
 smtpd_recipient_restrictions = [
 "permit_sasl_authenticated"
 "permit_mynetworks"
 "reject_unauth_destination"
+ "reject_non_fqdn_hostname"
+ "reject_non_fqdn_sender"
+ "reject_non_fqdn_recipient"
+ "reject_unknown_sender_domain"
+ "reject_unknown_recipient_domain"
+ "reject_unauth_destination"
+ "reject_unauth_pipelining"
+ "reject_invalid_hostname"
 ];
 smtpd_relay_restrictions = [
 "permit_sasl_authenticated"
@@ -53,7 +72,7 @@ in
 "reject_unauth_destination"
 ];
 #alias_maps = [ "ldap:${ldap-aliases}" ];
- smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ];
+ smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ];
 non_smtpd_milters = [ "local:/var/run/opendkim/opendkim.sock" ];
 smtpd_sasl_auth_enable = true;
 smtpd_sasl_path = "/var/lib/postfix/auth";
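Review bot: The protocol exclusions added under `smtpd_tls_protocols` in the second hunk do not apply to the sessions this change creates, because `smtpd_tls_security_level = "encrypt"` makes server-side TLS mandatory and Postfix then consults `smtpd_tls_mandatory_protocols` for those sessions; the same floor should be set there, `smtpd_tls_mandatory_protocols = [ "!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" ];`, and the outbound side, now forced to `"encrypt"` as well, has no floor at all and needs the matching `smtp_tls_mandatory_protocols`. `"reject_unauth_destination"` now appears twice in `smtpd_recipient_restrictions` (the existing context line and the added block); it is harmless but the added copy should be dropped. `smtp_use_tls` and `smtpd_use_tls` are the pre-2.3 switches that the `*_tls_security_level` keys supersede, so they add nothing here. Requiring TLS on the port-25 listener and for every outbound delivery will refuse mail from and to peers that do not offer STARTTLS; if that is intended it deserves a comment above the two `security_level` lines, otherwise `"may"` (or `"dane"` for the client) together with the mandatory-protocol floor is the usual choice. The enclosing `config` attribute set continues past the end of the hunk.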