From 1f70d58853bd87bf0d4fccfd0d32c7fb01af3eaf Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Fri, 25 Nov 2022 15:24:05 +0100
Subject: [PATCH 01/14] Initial Email config

Bare-minimum config consisting of postfix and dovecot2. For testing, passwd is used as userdb. Definitely NOT Production ready!
---
 modules/mail.nix | 69 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 modules/mail.nix

diff --git a/modules/mail.nix b/modules/mail.nix
new file mode 100644
index 0000000..078a4fb
--- /dev/null
+++ b/modules/mail.nix
@@ -0,0 +1,69 @@
+{ config, pkgs, ... }:
+ let hostname = "mail.test.stramke.com";
+ in {
+ networking.firewall.allowedTCPPorts = [ 25 587 143];
+ services = {
+ postfix = {
+ enable = true;
+ hostname = "${hostname}";
+ config = {
+ myorigin = "mail.test.stramke.com";
+ mydestination = "127.0.0.1";
+ smtpd_recipient_restrictions = [
+ "reject_unauth_destination"
+ "permit_sasl_authenticated"
+
+ ];
+ smtpd_sasl_auth_enable = true;
+ smtpd_sasl_path = "/var/lib/postfix/auth";
+ smtpd_sasl_type = "dovecot";
+ smtpd_relay_restrictions = [
+ "reject_unauth_destination"
+ # "relay_domains = "${hostname}"
+ "permit_sasl_authenticated"
+ ];
+ };
+ };
+ dovecot2 = {
+ enable = true;
+ enableImap = true;
+ enableQuota = false;
+ mailboxes = {
+ Spam = {
+ auto = "create";
+ specialUse = "Junk";
+ };
+ Sent = {
+ auto = "create";
+ specialUse = "Sent";
+ };
+ Drafts = {
+ auto = "create";
+ specialUse = "Drafts";
+ };
+ Trash = {
+ auto = "create";
+ specialUse = "Trash";
+ };
+ };
+ extraConfig = ''
+ mail_location = mbox:~/mail:INBOX=/var/mail/%u
+ # auth_mechanisms = plain login
+ # disable_plaintext_auth = no
+ userdb {
+ driver = passwd
+ args = blocking=no
+ }
+ service auth {
+ unix_listener /var/lib/postfix/auth {
+ group = postfix
+ mode = 0660
+ user = postfix
+ }
+ user = dovecot2
+ }
+ '';
+ };
+ };
+ }
+

-- 
2.44.2

From ffae1bc8c5c122df7b802cb94431c055ac789631 Mon Sep 17 00:00:00 2001
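Review bot: In `smtpd_recipient_restrictions` the entry `reject_unauth_destination` comes before `permit_sasl_authenticated`, and Postfix evaluates restriction lists first-match, so an authenticated client submitting mail for an external domain is rejected before its SASL login is ever considered; `smtpd_relay_restrictions` in the same hunk repeats the ordering. The permit entries have to precede the reject: `"permit_sasl_authenticated"` then `"reject_unauth_destination"`. The hunk also turns on `smtpd_sasl_auth_enable` and opens 25/587/143 while no TLS material exists anywhere in the module, so any SASL or IMAP login would cross the network in the clear; the commit message says as much, and a `# TODO: configure TLS before exposing 587/143` next to `allowedTCPPorts` would keep that visible in the file itself.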
From: Rouven Seifert
Date: Fri, 2 Dec 2022 16:13:18 +0100
Subject: [PATCH 02/14] receiving emails works now

---
 modules/mail.nix | 32 +++++++++++++++----------------
 1 file changed, 15 insertions(+), 17 deletions(-)

diff --git a/modules/mail.nix b/modules/mail.nix
index 078a4fb..abfe0ec 100644
--- a/modules/mail.nix
+++ b/modules/mail.nix
@@ -1,27 +1,25 @@
 { config, pkgs, ... }:
 let hostname = "mail.test.stramke.com";
 in {
- networking.firewall.allowedTCPPorts = [ 25 587 143];
+ networking.firewall.allowedTCPPorts = [ 25 587 143 ];
 services = {
 postfix = {
 enable = true;
 hostname = "${hostname}";
+ domain = "test.stramke.com";
+ relayHost = "";
+ origin = "test.stramke.com";
+ destination = ["mail.test.stramke.com" "test.stramke.com" "localhost"];
 config = {
- myorigin = "mail.test.stramke.com";
- mydestination = "127.0.0.1";
+ mynetworks = "168.119.135.69/32 10.0.0.0/24 0.0.0.0/0 127.0.0.1";
 smtpd_recipient_restrictions = [
- "reject_unauth_destination"
- "permit_sasl_authenticated"
-
- ];
+ "reject_unauth_destination"
+ "permit_sasl_authenticated"
+ "permit_mynetworks"
+ ];
 smtpd_sasl_auth_enable = true;
 smtpd_sasl_path = "/var/lib/postfix/auth";
- smtpd_sasl_type = "dovecot";
- smtpd_relay_restrictions = [
- "reject_unauth_destination"
- # "relay_domains = "${hostname}"
- "permit_sasl_authenticated"
- ];
+ # smtpd_sasl_type = "dovecot";
 };
 };
 dovecot2 = {
@@ -47,9 +45,9 @@
 };
 };
 extraConfig = ''
- mail_location = mbox:~/mail:INBOX=/var/mail/%u
- # auth_mechanisms = plain login
- # disable_plaintext_auth = no
+ mail_location = maildir:/var/spool/mail/%u
+ auth_mechanisms = plain login
+ disable_plaintext_auth = no
 userdb {
 driver = passwd
 args = blocking=no
@@ -60,7 +58,7 @@
 mode = 0660
 user = postfix
 }
- user = dovecot2
+
 }
 '';
 };

-- 
2.44.2

From 14ad30e65d1c99eeeb93704542ae733f8983d452 Mon Sep 17 00:00:00 2001
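Review bot: `mynetworks` now contains `0.0.0.0/0`, which makes every IPv4 client a trusted network for `permit_mynetworks`; the same hunk deletes the explicit `smtpd_relay_restrictions`, so relaying falls back to Postfix's default relay policy, which permits `$mynetworks` first, and the result looks like an open relay unless the NixOS module sets a stricter `smtpd_relay_restrictions` (not visible on this page). The line is dropped again in PATCH 04/14, but until then it should be limited to loopback and the host's own addresses, e.g. `mynetworks = "127.0.0.0/8 [::1]/128 168.119.135.69/32";`. The host address and the domain names are also literals scattered through the file; lifting them into the `let` block keeps a later change in one place.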
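Review bot: `disable_plaintext_auth = no` together with `auth_mechanisms = plain login` lets Dovecot accept cleartext passwords on IMAP port 143 and on the Postfix SASL socket while no TLS certificate is configured anywhere in the module, so the `passwd` users' credentials cross the network unprotected. If the setting is needed for the local test setup, keep it behind a comment that says so, e.g. `# TESTING ONLY: cleartext logins; remove once TLS certs are configured`; otherwise drop both lines so Dovecot's default (plaintext only over TLS or from localhost) applies.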
From: Rouven Seifert
Date: Sat, 17 Dec 2022 12:58:27 +0100
Subject: [PATCH 03/14] beautified the file and added opendkim

---
 modules/mail.nix | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/modules/mail.nix b/modules/mail.nix
index abfe0ec..e03672c 100644
--- a/modules/mail.nix
+++ b/modules/mail.nix
@@ -1,15 +1,17 @@
 { config, pkgs, ... }:
- let hostname = "mail.test.stramke.com";
+ let
+ hostname = "mail.test.stramke.com";
+ domain = "test.stramke.com";
 in {
 networking.firewall.allowedTCPPorts = [ 25 587 143 ];
 services = {
 postfix = {
 enable = true;
 hostname = "${hostname}";
- domain = "test.stramke.com";
+ domain = "${domain}";
 relayHost = "";
- origin = "test.stramke.com";
- destination = ["mail.test.stramke.com" "test.stramke.com" "localhost"];
+ origin = "${domain}";
+ destination = ["${hostname}" "${domain}" "localhost"];
 config = {
 mynetworks = "168.119.135.69/32 10.0.0.0/24 0.0.0.0/0 127.0.0.1";
 smtpd_recipient_restrictions = [
@@ -62,6 +64,14 @@
 }
 '';
 };
+ rspamd = {
+ enable = true;
+ };
+ opendkim = {
+ enable = true;
+ selector = "mail";
+ domains = "csl:${domain}";
+ };
 };
 }

-- 
2.44.2

From 2a0e2c662380ea7790bfd76ae0d4ca71d59babf0 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Sat, 17 Dec 2022 19:45:36 +0100
Subject: [PATCH 04/14] add mail filters

---
 modules/mail.nix | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/modules/mail.nix b/modules/mail.nix
index e03672c..2cd49f5 100644
--- a/modules/mail.nix
+++ b/modules/mail.nix
@@ -3,7 +3,8 @@
 hostname = "mail.test.stramke.com";
 domain = "test.stramke.com";
 in {
- networking.firewall.allowedTCPPorts = [ 25 587 143 ];
+ networking.firewall.allowedTCPPorts = [ 25 587 143 11334];
+ users.users.postfix.extraGroups = ["rspamd"]; # doesn't seem to work
 services = {
 postfix = {
 enable = true;
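Review bot: `hostname = "${hostname}";`, `domain = "${domain}";` and `origin = "${domain}";` interpolate a string into a new string with nothing else in it, which is a no-op in Nix; the plain references `hostname = hostname;` / `domain = domain;`, or `inherit hostname domain;`, read more directly and make it obvious that the module options carry exactly the `let` values. The quoted form is only needed where the value is part of a dotted attribute path, as with `virtualHosts."${hostname}"` in later patches.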
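Review bot: Adding `11334` to `allowedTCPPorts` exposes rspamd's controller (its admin web UI and API) directly to the network, while nothing in this patch sets a controller password or limits the bind address. If the UI is only needed locally, leave the port closed; if it must be reachable, keep it behind a TLS reverse proxy with authentication, which is where the series ends up in PATCH 08/14. The `users.users.postfix.extraGroups = ["rspamd"]; # doesn't seem to work` line records a known-broken attempt; either make it work or remove it rather than shipping dead configuration.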
@@ -13,7 +14,6 @@
 origin = "${domain}";
 destination = ["${hostname}" "${domain}" "localhost"];
 config = {
- mynetworks = "168.119.135.69/32 10.0.0.0/24 0.0.0.0/0 127.0.0.1";
 smtpd_recipient_restrictions = [
 "reject_unauth_destination"
 "permit_sasl_authenticated"
@@ -21,7 +21,11 @@
 ];
 smtpd_sasl_auth_enable = true;
 smtpd_sasl_path = "/var/lib/postfix/auth";
- # smtpd_sasl_type = "dovecot";
+
+ # put in opendkim (port 8891) and rspamd (port 11334) as mail filter
+ smtpd_milters = ["inet:localhost:8891" "/run/rspamd/rspamd.sock"];
+ non_smtpd_milters = "$smtpd_milters";
+ milter_default_action = "accept";
 };
 };
 dovecot2 = {
@@ -69,8 +73,9 @@
 };
 opendkim = {
 enable = true;
- selector = "mail";
+ selector = "default";
 domains = "csl:${domain}";
+ socket = "inet:8891";
 };
 };
 }

-- 
2.44.2

From fb8b55b2c9d45d018e14c51ab54913b8888b6094 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Sat, 17 Dec 2022 19:46:25 +0100
Subject: [PATCH 05/14] add the mail module to flake.nix

---
 flake.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/flake.nix b/flake.nix
index 335440c..ef4e809 100755
--- a/flake.nix
+++ b/flake.nix
@@ -61,6 +61,7 @@
 ./modules/sops.nix
 ./modules/ldap.nix
 # ./modules/keycloak.nix replaced by portunus
+ ./modules/mail.nix
 ./modules/nginx.nix
 ./modules/hedgedoc.nix
 ./modules/wiki.nix

-- 
2.44.2

From e569bdec5023d1afa4580e87b026b108c42ae414 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Sat, 17 Dec 2022 21:33:45 +0100
Subject: [PATCH 06/14] formatting

---
 modules/mail.nix | 164 +++++++++++++++++++++++++----------------------
 1 file changed, 86 insertions(+), 78 deletions(-)

diff --git a/modules/mail.nix b/modules/mail.nix
index 2cd49f5..7a48656 100644
--- a/modules/mail.nix
+++ b/modules/mail.nix
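Review bot: `"/run/rspamd/rspamd.sock"` in `smtpd_milters` is a bare path, but Postfix milter endpoints need a transport prefix (`inet:host:port`, `unix:/path` or `local:/path`), so I would expect this entry to be rejected or ignored; `"unix:/run/rspamd/rspamd.sock"` is the documented form. `milter_default_action = "accept"` fails open: when opendkim or rspamd is down, mail is accepted unsigned and unscanned. That may be the intended availability trade-off, but it deserves a comment such as `# fail open: if a milter is down, deliver unfiltered rather than tempfail`, and the default `tempfail` is the safer choice for a server that is not yet in production.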
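Review bot: `socket = "inet:8891";` makes OpenDKIM listen on port 8891 on all interfaces, although its only client is the local Postfix instance (`inet:localhost:8891` in the milter list). OpenDKIM's socket syntax accepts a host part, so `socket = "inet:8891@localhost";` confines the listener to loopback instead of relying on the firewall as the only control. The firewall does not open 8891 in this patch, so the current exposure is limited to other local processes and to whatever reaches the host if the firewall is later relaxed.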
@@ -1,82 +1,90 @@
 { config, pkgs, ... }:
- let
- hostname = "mail.test.stramke.com";
- domain = "test.stramke.com";
- in {
- networking.firewall.allowedTCPPorts = [ 25 587 143 11334];
- users.users.postfix.extraGroups = ["rspamd"]; # doesn't seem to work
- services = {
- postfix = {
- enable = true;
- hostname = "${hostname}";
- domain = "${domain}";
- relayHost = "";
- origin = "${domain}";
- destination = ["${hostname}" "${domain}" "localhost"];
- config = {
- smtpd_recipient_restrictions = [
- "reject_unauth_destination"
- "permit_sasl_authenticated"
- "permit_mynetworks"
- ];
- smtpd_sasl_auth_enable = true;
- smtpd_sasl_path = "/var/lib/postfix/auth";
+let
+ hostname = "mail.test.stramke.com";
+ domain = "test.stramke.com";
+in
+{
+ networking.firewall.allowedTCPPorts = [ 25 587 143 ];
+ services = {
+ postfix = {
+ enable = true;
+ hostname = "${hostname}";
+ domain = "${domain}";
+ relayHost = "";
+ origin = "${domain}";
+ destination = [ "${hostname}" "${domain}" "localhost" ];
+ config = {
+ smtpd_recipient_restrictions = [
+ "reject_unauth_destination"
+ "permit_sasl_authenticated"
+ "permit_mynetworks"
+ ];
+ smtpd_sasl_auth_enable = true;
+ smtpd_sasl_path = "/var/lib/postfix/auth";
 
- # put in opendkim (port 8891) and rspamd (port 11334) as mail filter
- smtpd_milters = ["inet:localhost:8891" "/run/rspamd/rspamd.sock"];
- non_smtpd_milters = "$smtpd_milters";
- milter_default_action = "accept";
- };
- };
- dovecot2 = {
- enable = true;
- enableImap = true;
- enableQuota = false;
- mailboxes = {
- Spam = {
- auto = "create";
- specialUse = "Junk";
- };
- Sent = {
- auto = "create";
- specialUse = "Sent";
- };
- Drafts = {
- auto = "create";
- specialUse = "Drafts";
- };
- Trash = {
- auto = "create";
- specialUse = "Trash";
- };
- };
- extraConfig = ''
- mail_location = maildir:/var/spool/mail/%u
- auth_mechanisms = plain login
- disable_plaintext_auth = no
- userdb {
- driver = passwd
- args = blocking=no
- }
- service auth {
- unix_listener /var/lib/postfix/auth {
- group = postfix
- mode = 0660
- user = postfix
- }
-
- }
- '';
- };
- rspamd = {
- enable = true;
- };
- opendkim = {
- enable = true;
- selector = "default";
- domains = "csl:${domain}";
- socket = "inet:8891";
- };
+ # put in opendkim (port 8891) and rspamd (port 11333) as mail filter
+ smtpd_milters = [ "inet:localhost:8891" "inet:localhost:11333" ];
+ non_smtpd_milters = "$smtpd_milters";
+ milter_default_action = "accept";
+ };
+ };
+ dovecot2 = {
+ enable = true;
+ enableImap = true;
+ enableQuota = false;
+ mailboxes = {
+ Spam = {
+ auto = "create";
+ specialUse = "Junk";
 };
- }
+ Sent = {
+ auto = "create";
+ specialUse = "Sent";
+ };
+ Drafts = {
+ auto = "create";
+ specialUse = "Drafts";
+ };
+ Trash = {
+ auto = "create";
+ specialUse = "Trash";
+ };
+ };
+ extraConfig = ''
+ mail_location = maildir:/var/spool/mail/%u
+ auth_mechanisms = plain login
+ disable_plaintext_auth = no
+ userdb {
+ driver = passwd
+ args = blocking=no
+ }
+ service auth {
+ unix_listener /var/lib/postfix/auth {
+ group = postfix
+ mode = 0660
+ user = postfix
+ }
+
+ }
+ '';
+ };
+ rspamd = {
+ enable = true;
+ workers = {
+ normal = {
+ bindSockets = [ "*:11333" ]; # interface for the mailfilter
+ };
+ controller = {
+ bindSockets = [ "*:11334" ]; # webinterface
+ };
+ };
+ };
+ opendkim = {
+ enable = true;
+ selector = "default";
+ domains = "csl:${domain}";
+ socket = "inet:8891";
+ };
+ };
+}
 

-- 
2.44.2

From a11a3614a9a83107c9c0252d66217417a350d638 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Fri, 6 Jan 2023 16:57:26 +0100
Subject: [PATCH 07/14] configured tls and rspamd

---
 modules/mail.nix | 48 ++++++++++++++++++++++-----------------------
 secrets/quitte.yaml | 7 ++++---
 secrets/test.yaml | 5 +++--
 3 files changed, 30 insertions(+), 30 deletions(-)

diff --git a/modules/mail.nix b/modules/mail.nix
index 7a48656..b2eefaa 100644
--- a/modules/mail.nix
+++ b/modules/mail.nix
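Review bot: The commit is titled "formatting", but the hunk also changes behaviour: the rspamd milter moves from the unix socket to `inet:localhost:11333`, the new `workers` block binds the normal and controller workers to `*:11333` and `*:11334` (all interfaces), and port 11334 plus the `users.users.postfix.extraGroups` line disappear. Functional changes buried in a whitespace-only diff are easy to miss in review and should be a separate commit. Both workers only have local clients here, so `bindSockets = [ "localhost:11333" ];` and `bindSockets = [ "localhost:11334" ];` keep the scanner and the controller off the network even if the firewall is opened again later.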
@@ -1,10 +1,13 @@
 { config, pkgs, ... }:
 let
- hostname = "mail.test.stramke.com";
- domain = "test.stramke.com";
+ hostname = "mail.${config.fsr.domain}";
+ domain = config.fsr.domain;
 in
 {
- networking.firewall.allowedTCPPorts = [ 25 587 143 ];
+ sops.secrets."rspamd-password".owner = config.users.user.rspamd.name;
+
+ networking.firewall.allowedTCPPorts = [ 25 465 993 ];
+
 services = {
 postfix = {
 enable = true;
@@ -13,6 +16,8 @@ in
 relayHost = "";
 origin = "${domain}";
 destination = [ "${hostname}" "${domain}" "localhost" ];
+ sslCert = "/var/lib/acme/${hostname}/fullchain.pem";
+ sslKey = "/var/lib/acme/${hostname}/key.pem";
 config = {
 smtpd_recipient_restrictions = [
 "reject_unauth_destination"
@@ -21,17 +26,15 @@ in
 ];
 smtpd_sasl_auth_enable = true;
 smtpd_sasl_path = "/var/lib/postfix/auth";
-
- # put in opendkim (port 8891) and rspamd (port 11333) as mail filter
- smtpd_milters = [ "inet:localhost:8891" "inet:localhost:11333" ];
- non_smtpd_milters = "$smtpd_milters";
- milter_default_action = "accept";
+ virtual_mailbox_base = "/var/spool/mail";
 };
 };
 dovecot2 = {
 enable = true;
 enableImap = true;
 enableQuota = false;
+ sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem";
+ sslServerKey = "/var/lib/acme/${hostname}/key.pem";
 mailboxes = {
 Spam = {
 auto = "create";
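Review bot: `config.users.user.rspamd.name` references an option path that does not exist (the NixOS option is `users.users`), so evaluation of this module should fail at this commit; PATCH 08/14 corrects it to `config.users.users.rspamd.name`. Switching the firewall from 25/587/143 to `25 465 993` (implicit-TLS submission and IMAPS) fits the certificates added in the next hunk, but as far as I can see nothing in this patch turns on a Postfix listener for 465 (the NixOS module has a separate `enableSubmissions` option for that), so the port may be open with nothing behind it. A comment such as `# 465 = submissions (implicit TLS), 993 = imaps; 587/143 intentionally not exposed` would record the decision for the next reader.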
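Review bot: `sslCert`/`sslKey` point at `/var/lib/acme/${hostname}/`, which the ACME module provisions for the nginx vhost added later in this commit; that directory is readable only by the `acme` user and the certificate's group, and nothing here grants the `postfix` user (or `dovecot2`, in the next hunk) membership in it, so I would expect a permission failure on the private key at service start unless it is handled elsewhere in the repository. The usual fix is `security.acme.certs."${hostname}".group` set to a group both daemons share, or `users.users.postfix.extraGroups = [ "acme" ];` together with the same for `dovecot2`. The `postfix` attribute set continues outside the hunk.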
@@ -51,40 +54,35 @@ in
 };
 };
 extraConfig = ''
- mail_location = maildir:/var/spool/mail/%u
+ mail_location = maildir:/var/mail/%u
 auth_mechanisms = plain login
 disable_plaintext_auth = no
 userdb {
- driver = passwd
- args = blocking=no
+ driver = passwd
+ args = blocking=no
 }
 service auth {
- unix_listener /var/lib/postfix/auth {
+ unix_listener /var/lib/postfix/auth {
 group = postfix
 mode = 0660
 user = postfix
 }
-
 }
 '';
 };
 rspamd = {
 enable = true;
- workers = {
- normal = {
- bindSockets = [ "*:11333" ]; # interface for the mailfilter
- };
- controller = {
- bindSockets = [ "*:11334" ]; # webinterface
- };
+ postfix.enable = true;
+ locals = {
+ "worker-controller.inc".source = config.sops.secrets."rspamd-password".path;
 };
 };
- opendkim = {
+ nginx = {
 enable = true;
- selector = "default";
- domains = "csl:${domain}";
- socket = "inet:8891";
+ virtualHosts."${hostname}" = {
+ forceSSL = true;
+ enableACME = true;
+ };
 };
 };
 }
-
diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index c01f749..9a186ee 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
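Review bot: With TLS now configured via `sslServerCert`/`sslServerKey`, the `disable_plaintext_auth = no` and `auth_mechanisms = plain login` lines in `extraConfig` are kept, so Dovecot still accepts cleartext logins on any non-TLS path (the Postfix SASL socket is local, but 143 would be cleartext again the moment it is re-opened); removing `disable_plaintext_auth = no` restores Dovecot's default of plaintext only over TLS or from localhost, which PATCH 11/14 eventually does. For `"worker-controller.inc".source = config.sops.secrets."rspamd-password".path` it would help to document what the secret must contain, e.g. `# secret holds a single line: password = "<hash produced by rspamadm pw>"`, because an empty or malformed file leaves the controller without a usable password. Dropping `opendkim` here in favour of `rspamd.postfix.enable = true` removes DKIM signing until PATCH 09/14 configures it in rspamd; a short note in the commit message would make that gap explicit.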
@@ -5,7 +5,8 @@ nextcloud_adminpass: ENC[AES256_GCM,data:EMvcFOGJz45P4nvJ5Yy4SziWa2pUWBqt4ZZdde6 hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str] wg-seckey: ENC[AES256_GCM,data:NHk6E5uu3CshC/0//LoGk6iCGKWbx49wVVkjoMqF19gc7MhdHAn9aJD+0Zc=,iv:N3PuU7+QSW9aD0ZhTI7CmMI3drLIzO7XaW3mgEDp/sk=,tag:fxH4eRIboy9O15oul7JOTw==,type:str] portunus_admin: ENC[AES256_GCM,data:bPuYdfpWJtYib9lUcXHVZeGerskd5vs5IOe+DE9Q7OOPkAwp,iv:6ZjjfQ3E1xxYjmEg7o849RZzUt8dyXjI84DSfPYGUWQ=,tag:JJpOLjPs8YdEBl3xGGAzbg==,type:str] -portunus_search: ENC[AES256_GCM,data:WEpw/Ii8UI9TpTSQSU/QVhnhU0huAhhVwRlnWaqD4yg=,iv:kLgoXHIqRDOEzPCgKBqkouJu+Wu8RLxL54P/jykqCC8=,tag:iOxrKhTuHGoTxD86Ae9hnA==,type:str] +portunus_search: ENC[AES256_GCM,data:J1GRvVOCcOcAz4qZypa/XbcMCGQSFS6yyg1eGfNIBA4=,iv:zFf90vpMW3aqpstZVEno5TDCVwV2vi3SyA7BrX2R3/A=,tag:HJauUh36/5qmr8sGmgH1dw==,type:str] +rspamd-password: ENC[AES256_GCM,data:bOW6eAwr18Guq+BQt68It6O6i3aAthDv1ANZ02Q8zAZgV+UlfsJk9IELIA==,iv:7O48+wB7zJUIp3lQDTC7tkP1UFvmDfjs50x1Zo3hOhw=,tag:MNdiDF22a3n1ZrE6qTDVLA==,type:str] mediawiki: postgres: ENC[AES256_GCM,data:XRfUc2PRMJcoILAnm5MWr2Cg5u4e/IhGMUnz/oIQSzY=,iv:8U+qlD1SQzxUyD/6QK4SdwRCDyMODK/lP0IDrLlcQ4U=,tag:2spNMj9dY2wWilOusq24yQ==,type:str] initial_admin: ENC[AES256_GCM,data:iET5rz9rygx49NDBjKwqAlRgpeS+jq5iM5zmjnoKcyk=,iv:11iDbCrpzjCdyAB22R8NknJ6vzcpVZXCXB3iWsGWXw0=,tag:1RCyg1ysOWaXKdqqdHqRrw==,type:str] 
@@ -25,8 +26,8 @@ sops: Z212K3JDWmRsZmVpdjBaUE1kL3phMm8K/x3Ssn0LEO7BfTUoOJQ6h88vlwA/AvQj KsosHSWO7vsgqKPPO+OPbHV1y8OTAKubcrk5szTUWBNOvggIw3nWDA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-01-17T22:50:14Z" - mac: ENC[AES256_GCM,data:+I8oEl35XylSZVi4m6vY/Z9wsMqt2BER04gu7aXt9+cjg4X2NBEFE9qjZKB9vVLaC1D1El7UUs4oZcAu1bpJ9IGL5eBy1nT9Ei8cxRRlbh3cDnC6QIOE66fcq/gDJHnT7u3figsO/MKZenIpfKbEA+88iJkGm8/61qjESPGUjpk=,iv:ZDkAjdpFU3IMVJkzKAXNtD5nAn9USbRb0pUXDfKEWto=,tag:b7ybgB85dEBKWADLyWi36g==,type:str] + lastmodified: "2023-02-03T14:46:12Z" + mac: ENC[AES256_GCM,data:Bg5S8lSYnCUhlYFObVpmPXsp2IVxm1vfDdyzEmGGoKNU9lit/0nxrmgv3ZvOfzrcilQQHLzAfPIM5HXTCVtoPPWmkicQ72SdNWLJbY9p1+MFQgiqFZcVAYb+FMm9s1IOxBgXx/OQWmQxDmTA6jZHqgYBZnrBMgjeo0ol1Zp60uY=,iv:FlCsVbOBQC43yrmAKv8j7b0DTuhZXmeURxWWkbIcRQQ=,tag:e9vubxFQOK6h1fHQ8GHLvQ==,type:str] pgp: - created_at: "2022-11-18T16:37:48Z" enc: | diff --git a/secrets/test.yaml b/secrets/test.yaml index bc0d72f..f1163c6 100644 --- a/secrets/test.yaml +++ b/secrets/test.yaml @@ -6,6 +6,7 @@ hedgedoc_session_secret: ENC[AES256_GCM,data:wi2hWcIAU2u2t0hJkSUBI5pp2T29V/M=,iv wg-seckey: ENC[AES256_GCM,data:wuDmkZgUzzK5,iv:sa2I3qVkXWddcZlItfmKj3K5vT10WE/knoVOaA/HrIQ=,tag:SzGnDifhyol63eQKeJevcA==,type:str] portunus_admin: ENC[AES256_GCM,data:2X7cz7nRN2lvubR0e+8=,iv:NRXWAbK6DouyGzW6yiJ8tNYKcXNWbt7uy3eTMmybrRk=,tag:7itZnw28EQCmGBBF9Ctb3A==,type:str] portunus_search: ENC[AES256_GCM,data:nqCvit2p8YE8XJ3Z+PEP,iv:k2dC6TTI70M8raOTNnp1TsPiDmF3ssPPhIe6cjMevBA=,tag:CG1uvLQSxSQzVsGYxG7YUw==,type:str] +rspamd-password: ENC[AES256_GCM,data:PG3qO7lDXjd/kw3Bp65k5KPWKU16yBmRXQeYeuo=,iv:pmDqdeyziD1ZUif0LABiN2BTqGw0VkvlrtwSSjo3lk8=,tag:QwnycEj+Nab0bCDeemUX0Q==,type:str] mediawiki: postgres: ENC[AES256_GCM,data:bna6ksGVOHWor7OqVL/jgeDIxA==,iv:bgkQh+NgPE/hr4N4YOCzSCfs7vaOx4pSWlc8WxI8qMc=,tag:WIjyu1i0M7flGFFovH5jWQ==,type:str] initial_admin: ENC[AES256_GCM,data:YRd3O5774NTmshxbQPbFjg==,iv:/Ra3WbZKcnUMf99ujN9qd/+DkOkFKv4cIEfUdmxpqMw=,tag:gj7ZbwIB1HLuPpGTgiz7Vg==,type:str] 
@@ -25,8 +26,8 @@ sops: MERVUkh2ck9YWnJ5TXJDVmxpem1kTXMKCeOyjV/se1nRXsi15m/3i48hP7As6SEk ygtLt+UueHStX/b/OzrXk8IC5dj/mARGIJI5S61IKln6SZFbJGT6cQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-01-17T22:26:52Z" - mac: ENC[AES256_GCM,data:0Ngy2Ixk+HUsGbAMvNLCKGn7iCIZeOGjYsyzjwwRt/ATnOVVvcdSi9P1Ib4vcRl4OJJKO9fMVIJFkXutZYPiT2JnnPRWIokr39a7wMMMgljDrxS8Nzry2CJkELRpuu9vd/tkSc6dcmhnK1wraI1YRf23HIuukmLxei9BkS+dB+M=,iv:92za85tuTI6NtCqx+K6/MXME6+2vHpGhBVZrlwqMp0I=,tag:h8aWvsJ0t3SyY0tNtEIxLw==,type:str] + lastmodified: "2023-02-03T14:47:01Z" + mac: ENC[AES256_GCM,data:qSuGdUOgVDhZ25zYGfZ6+GC7XxsoGV9dUSKM0YstpSQgR7u9S8fQVkcbz5gNTVhG8bdGQVxmMPTW3QyMI6s76yngs6kBxwnBSycAFowJlO6P/cRPqRlAuVhJy82hq0lOJem93vOnRPBQsb6Da0OS/7+SKoRd/I66BtPNKMmxEdo=,iv:IXy3cuZfUK2k8TIA7LpIbPSzcxXtiW4pmdILO6441Is=,tag:PuACj+FwaTxoTCFLytXoiw==,type:str] pgp: - created_at: "2022-11-18T16:37:58Z" enc: |

-- 
2.44.2

From 2411a9c18566f820e3ca845c039997d1478532ac Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Mon, 9 Jan 2023 18:14:32 +0100
Subject: [PATCH 08/14] finished rspamd setup

---
 modules/mail.nix | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/modules/mail.nix b/modules/mail.nix
index b2eefaa..5e929a5 100644
--- a/modules/mail.nix
+++ b/modules/mail.nix
@@ -4,7 +4,7 @@ let
 domain = config.fsr.domain;
 in
 {
- sops.secrets."rspamd-password".owner = config.users.user.rspamd.name;
+ sops.secrets."rspamd-password".owner = config.users.users.rspamd.name;
 
 networking.firewall.allowedTCPPorts = [ 25 465 993 ];
 
@@ -75,13 +75,41 @@ in
 postfix.enable = true;
 locals = {
 "worker-controller.inc".source = config.sops.secrets."rspamd-password".path;
+ "redis.conf".text = ''
+ read_servers = "127.0.0.1";
+ write_servers = "127.0.0.1";
+ '';
+ };
+ };
+ redis = {
+ vmOverCommit = true;
+ servers.rspamd = {
+ enable = true;
+ port = 6379;
 };
 };
 nginx = {
 enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
 virtualHosts."${hostname}" = {
 forceSSL = true;
 enableACME = true;
+ locations = {
+ "/rspamd" = {
+ proxyWebsockets = true;
+
+ # maybe there is a more beautiful way for this
+ extraConfig = ''
+ if ($request_uri ~* "/rspamd/(.*)") {
+ proxy_pass http://127.0.0.1:11334/$1;
+ }
+ '';
+ };
+ };
 };
 };
 };

-- 
2.44.2

From b74d72f722f7b84526c5543a17332ffb2daa2470 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Fri, 20 Jan 2023 15:57:12 +0100
Subject: [PATCH 09/14] configured dkim signing

---
 modules/mail.nix | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/modules/mail.nix b/modules/mail.nix
index 5e929a5..1a64b7a 100644
--- a/modules/mail.nix
+++ b/modules/mail.nix
@@ -79,7 +79,13 @@ in
 read_servers = "127.0.0.1";
 write_servers = "127.0.0.1";
 '';
- };
+ "dkim_signing.conf".text = ''
+ path = "/var/lib/rspamd/dkim/$domain.$selector.key";
+ selector = "quitte";
+ sign_authenticated = true;
+ use_domain = "header";
+ '';
+ };
 };
 redis = {
 vmOverCommit = true;

-- 
2.44.2

From 4e687b14844103911a913499ae0551c8f071113b Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Fri, 27 Jan 2023 16:39:25 +0100
Subject: [PATCH 10/14] some ldap config

---
 modules/mail.nix | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/modules/mail.nix b/modules/mail.nix
index 1a64b7a..a6b46ea 100644
--- a/modules/mail.nix
+++ b/modules/mail.nix
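Review bot: The `/rspamd` location proxies through an `if ($request_uri ~* "/rspamd/(.*)") { proxy_pass ... $1; }` block, which nginx documents as fragile inside `location` (the `if` runs before the location's own handling, and `$1` comes from a case-insensitive match on the raw, still percent-encoded request URI); the `# maybe there is a more beautiful way for this` comment confirms it is a workaround. A prefix location with a trailing slash on both sides strips the prefix natively: `"/rspamd/" = { proxyPass = "http://127.0.0.1:11334/"; proxyWebsockets = true; };`. This also publishes the rspamd controller on the public mail hostname guarded only by the controller password, so an nginx-side allowlist or basic auth on that location would add a second layer of control.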
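Review bot: `dkim_signing.conf` points at `path = "/var/lib/rspamd/dkim/$domain.$selector.key";` with `selector = "quitte"`, but nothing in the module creates that key or the matching DNS TXT record, so signing fails (rspamd logs a missing key) until an operator provisions the file with ownership the rspamd user can read. A comment next to the block stating how the key is generated and deployed (for instance with `rspamadm dkim_keygen` and a sops secret owned by `rspamd`) would make that out-of-band dependency explicit. The enclosing `locals` set continues outside the hunk.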
@@ -2,6 +2,21 @@
 let
 hostname = "mail.${config.fsr.domain}";
 domain = config.fsr.domain;
+ ldap-aliases = pkgs.writeText "ldap-aliases.cf" ''
+ server_host = ldaps://auth.${config.fsr.domain}
+ search_base = dc=ifsr, dc=de
+ '';
+ dovecot-ldap-args = pkgs.writeText "ldap-args" ''
+ uris = auth.${config.fsr.domain}
+ dn = uid=search, ou=admins, dc=ifsr, dc=de
+
+ auth_bind = yes
+ ldap_version = 3
+ scope = subtree
+ base = ou=ifsr, dc=ifsr, dc=de
+ user_filter = (&(ou=mail)(uid=%n))
+ pass_filter = (&(ou=mail)(uid=%n))
+ '';
 in
 {
 sops.secrets."rspamd-password".owner = config.users.users.rspamd.name;
@@ -24,6 +39,7 @@ in
 "permit_sasl_authenticated"
 "permit_mynetworks"
 ];
+ alias_maps = [ "ldap:${ldap-aliases}" ];
 smtpd_sasl_auth_enable = true;
 smtpd_sasl_path = "/var/lib/postfix/auth";
 virtual_mailbox_base = "/var/spool/mail";
@@ -57,9 +73,13 @@ in
 mail_location = maildir:/var/mail/%u
 auth_mechanisms = plain login
 disable_plaintext_auth = no
+ passdb {
+ driver = ldap
+ args = ${dovecot-ldap-args}
+ }
 userdb {
- driver = passwd
- args = blocking=no
+ driver = ldap
+ args = ${dovecot-ldap-args}
 }
 service auth {
 unix_listener /var/lib/postfix/auth {

-- 
2.44.2

From e893690e1d7b164343a285043ef7482c2dfd87f6 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Fri, 3 Feb 2023 15:37:56 +0100
Subject: [PATCH 11/14] use search user for ldap

---
 modules/mail.nix | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/modules/mail.nix b/modules/mail.nix
index a6b46ea..7badeef 100644
--- a/modules/mail.nix
+++ b/modules/mail.nix
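Review bot: `uris = auth.${config.fsr.domain}` hands Dovecot a bare hostname where `uris` expects LDAP URLs, so I would expect the connection setup to be rejected; `uris = ldaps://auth.${config.fsr.domain}` (or `hosts = auth.${config.fsr.domain}`) is the documented form, and the same hunk already uses the URL form for Postfix's `server_host`. `auth_bind = yes` with `dn = uid=search, ...` and no `dnpass` leaves the search bind without credentials, so it only works if the directory accepts an unauthenticated bind for that DN. Both LDAP snippets are written with `pkgs.writeText`, i.e. they land world-readable in the Nix store; that is fine while they hold no secret, but it means a bind password can never be inlined into them directly.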
@@ -2,18 +2,20 @@
 let
 hostname = "mail.${config.fsr.domain}";
 domain = config.fsr.domain;
- ldap-aliases = pkgs.writeText "ldap-aliases.cf" ''
- server_host = ldaps://auth.${config.fsr.domain}
- search_base = dc=ifsr, dc=de
- '';
+ # brauchen wir das überhaupt?
+ #ldap-aliases = pkgs.writeText "ldap-aliases.cf" ''
+ #server_host = ldap://localhost
+ #search_base = ou=mail, dc=ifsr, dc=de
+ #'';
 dovecot-ldap-args = pkgs.writeText "ldap-args" ''
- uris = auth.${config.fsr.domain}
- dn = uid=search, ou=admins, dc=ifsr, dc=de
-
+ uris = ldap://localhost
+ dn = uid=search, ou=users, dc=ifsr, dc=de
 auth_bind = yes
+ dnpass = $(${pkgs.coreutils}/bin/cat /run/secrets/portunus_search)
+
 ldap_version = 3
 scope = subtree
- base = ou=ifsr, dc=ifsr, dc=de
+ base = dc=ifsr, dc=de
 user_filter = (&(ou=mail)(uid=%n))
 pass_filter = (&(ou=mail)(uid=%n))
 '';
@@ -39,7 +41,7 @@ in
 "permit_sasl_authenticated"
 "permit_mynetworks"
 ];
- alias_maps = [ "ldap:${ldap-aliases}" ];
+ #alias_maps = [ "ldap:${ldap-aliases}" ];
 smtpd_sasl_auth_enable = true;
 smtpd_sasl_path = "/var/lib/postfix/auth";
 virtual_mailbox_base = "/var/spool/mail";
@@ -71,8 +73,6 @@ in
 };
 extraConfig = ''
 mail_location = maildir:/var/mail/%u
- auth_mechanisms = plain login
- disable_plaintext_auth = no
 passdb {
 driver = ldap
 args = ${dovecot-ldap-args}

-- 
2.44.2

From b600c70202a1696f335a3ce5d9de09457a7c1515 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Fri, 3 Feb 2023 15:50:36 +0100
Subject: [PATCH 12/14] formatting

---
 modules/mail.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/mail.nix b/modules/mail.nix
index 7badeef..c7c5e83 100644
--- a/modules/mail.nix
+++ b/modules/mail.nix
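Review bot: `dnpass = $(${pkgs.coreutils}/bin/cat /run/secrets/portunus_search)` relies on shell command substitution, but this file is read by Dovecot's config parser, not by a shell, so as far as I know Dovecot takes the literal string `$(/nix/store/...-coreutils/bin/cat /run/secrets/portunus_search)` as the bind password and the search bind fails; PATCH 13/14 keeps the same construct with the sops path, so the same point applies there. Because the file is built with `pkgs.writeText` into the world-readable store, the real password cannot simply be inlined either; the robust option is to render the args file at service start from the secret (for example a `preStart` that writes it under the service's runtime directory with mode 0600) and point `args` at that generated path. The `# brauchen wir das überhaupt?` comment and the commented-out `ldap-aliases` block are dead configuration; if aliases are not needed, delete them rather than carry them along.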
@@ -4,8 +4,8 @@ let
 domain = config.fsr.domain;
 # brauchen wir das überhaupt?
 #ldap-aliases = pkgs.writeText "ldap-aliases.cf" ''
- #server_host = ldap://localhost
- #search_base = ou=mail, dc=ifsr, dc=de
+ #server_host = ldap://localhost
+ #search_base = ou=mail, dc=ifsr, dc=de
 #'';
 dovecot-ldap-args = pkgs.writeText "ldap-args" ''
 uris = ldap://localhost
@@ -105,7 +105,7 @@ in
 sign_authenticated = true;
 use_domain = "header";
 '';
- };
+ };
 };
 redis = {
 vmOverCommit = true;

-- 
2.44.2

From 58449429b9ceffc622dfac26b79e48ef147a6930 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Fri, 3 Feb 2023 16:04:45 +0100
Subject: [PATCH 13/14] changed maildir to /var/lib/mail, rspamd fixes

---
 modules/mail.nix | 44 ++++++++++++++++++++++++++++++++++----------
 1 file changed, 34 insertions(+), 10 deletions(-)

diff --git a/modules/mail.nix b/modules/mail.nix
index c7c5e83..d41bb4e 100644
--- a/modules/mail.nix
+++ b/modules/mail.nix
@@ -2,6 +2,7 @@
 let
 hostname = "mail.${config.fsr.domain}";
 domain = config.fsr.domain;
+ rspamd-domain = "rspamd.${config.fsr.domain}";
 # brauchen wir das überhaupt?
 #ldap-aliases = pkgs.writeText "ldap-aliases.cf" ''
 #server_host = ldap://localhost
@@ -11,7 +12,7 @@ let
 uris = ldap://localhost
 dn = uid=search, ou=users, dc=ifsr, dc=de
 auth_bind = yes
- dnpass = $(${pkgs.coreutils}/bin/cat /run/secrets/portunus_search)
+ dnpass = $(${pkgs.coreutils}/bin/cat ${config.sops.secrets."portunus_search".path})
 
 ldap_version = 3
 scope = subtree
@@ -44,7 +45,7 @@ in
 #alias_maps = [ "ldap:${ldap-aliases}" ];
 smtpd_sasl_auth_enable = true;
 smtpd_sasl_path = "/var/lib/postfix/auth";
- virtual_mailbox_base = "/var/spool/mail";
+ virtual_mailbox_base = "/var/lib/mail";
 };
 };
 dovecot2 = {
@@ -72,7 +73,7 @@ in
 };
 };
 extraConfig = ''
- mail_location = maildir:/var/mail/%u
+ mail_location = maildir:/var/lib/mail/%u
 passdb {
 driver = ldap
 args = ${dovecot-ldap-args}
@@ -124,15 +125,14 @@ in
 virtualHosts."${hostname}" = {
 forceSSL = true;
 enableACME = true;
+ };
+ virtualHosts."${rspamd-domain}" = {
+ forceSSL = true;
+ enableACME = true;
 locations = {
- "/rspamd" = {
+ "/" = {
+ proxyPass = "http://127.0.0.1:11334";
 proxyWebsockets = true;
-
- # maybe there is a more beautiful way for this
- extraConfig = ''
- if ($request_uri ~* "/rspamd/(.*)") {
- proxy_pass http://127.0.0.1:11334/$1;
- }
 '';
 };
 };
@@ -140,3 +140,27 @@ in
 };
 };
 }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+

-- 
2.44.2

From f1b22088c20616d57270bad11786c4526a9b586b Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Fri, 3 Feb 2023 16:09:41 +0100
Subject: [PATCH 14/14] format fix

---
 modules/mail.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/mail.nix b/modules/mail.nix
index d41bb4e..14c009c 100644
--- a/modules/mail.nix
+++ b/modules/mail.nix
@@ -133,7 +133,6 @@ in
 "/" = {
 proxyPass = "http://127.0.0.1:11334";
 proxyWebsockets = true;
- '';
 };
 };
 };

-- 
2.44.2
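Review bot: After this hunk the `"/"` location reads `proxyPass = ...; proxyWebsockets = true; '';` — the `'';` that closed the removed `extraConfig` string survives as context, so the attribute set is no longer valid Nix and the module does not evaluate until PATCH 14/14 deletes it; squashing the two patches would keep every commit buildable. Moving the controller to its own vhost `rspamd.${config.fsr.domain}` with `proxyPass = "http://127.0.0.1:11334"` is cleaner than the old regex rewrite, but it also places the admin UI on a public hostname guarded only by the controller password; an nginx allowlist or basic auth on that vhost, plus a comment that the controller must stay bound to loopback, would make the exposure deliberate. The `nginx` attribute set continues outside the hunk.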