From a4585bb27cfd27e7d1770a4ff16435d1cebb9bbc Mon Sep 17 00:00:00 2001
From: ChaotiCryptidz
Date: Wed, 22 Jun 2022 18:05:02 +0100
Subject: [PATCH] mail server

---
 .../hetzner-vm/services/mailserver/config.nix | 2 +
 .../services/mailserver/postfix.nix | 26 ++++-----
 hosts/hetzner-vm/services/mailserver/ssl.nix | 2 +-
 .../hetzner-vm/services/mailserver/vmail.nix | 54 +++++++++++++++++--
 .../services/mailserver/webmail.nix | 2 +
 5 files changed, 66 insertions(+), 20 deletions(-)

diff --git a/hosts/hetzner-vm/services/mailserver/config.nix b/hosts/hetzner-vm/services/mailserver/config.nix
index e07ea0a..cca180e 100644
--- a/hosts/hetzner-vm/services/mailserver/config.nix
+++ b/hosts/hetzner-vm/services/mailserver/config.nix
@@ -19,6 +19,7 @@
 accounts = {
 "chaoticryptidz@owo.monster" = {
+ name = "chaoticryptidz@owo.monster";
 passwordFile = "/secrets/chaos-mail-password";
 aliases = [
 "all@owo.monster"
@@ -26,6 +27,7 @@
 "kitteh@owo.monster"
 "kitteh@kitteh.pw"
 ];
+ sieveScript = null;
 };
 };
 
diff --git a/hosts/hetzner-vm/services/mailserver/postfix.nix b/hosts/hetzner-vm/services/mailserver/postfix.nix
index 054179a..81198b9 100644
--- a/hosts/hetzner-vm/services/mailserver/postfix.nix
+++ b/hosts/hetzner-vm/services/mailserver/postfix.nix
@@ -71,6 +71,9 @@ let
 "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
 cleanup_service_name = "submission-header-cleanup";
 };
+
+ tls_allowed = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
+ tls_disallow = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
 in {
 services.postfix = {
 
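Review bot: The new `name` attribute repeats the attribute key `"chaoticryptidz@owo.monster"` by hand, and nothing checks that the two agree; the vmail.nix activation script in this same commit derives the per-user sieve directory from `name`, so a later edit to one but not the other would silently write the script to a path that presumably no longer matches the login Dovecot resolves. Deriving it once removes the drift, e.g. wrapping the existing set as `accounts = builtins.mapAttrs (name: acct: acct // { inherit name; }) { ... };`. The same wrapper could default the `sieveScript = null` added in the second hunk with `sieveScript = acct.sieveScript or null;`, so future accounts do not have to remember it. The enclosing attribute set continues outside the hunk.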
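Review bot: `tls_allowed` still permits TLSv1.1, which the comment in the hunk at old line 133 calls an obsolete protocol and which RFC 8996 deprecates together with TLSv1.0; since the value now feeds all four `*_tls_protocols` settings, the one-line change to `tls_allowed = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";` covers them all, with the caveat that for the opportunistic `smtp_tls_protocols` a peer that only speaks TLSv1.1 may then end up receiving mail in cleartext rather than over a weak TLS session, which is a policy choice worth making explicitly. `PSD` in `tls_disallow` does not look like an OpenSSL cipher-list keyword (`PSK` is the pre-shared-key selector), and as far as I know OpenSSL ignores unknown tokens in a cipher string, so the PSK suites are presumably not being excluded as the comment in the hunk at old line 146 intends; `tls_disallow = "MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL, aNULL";` would fix that for all four `*_exclude_ciphers` settings at once. Both strings are only consumed in the two later hunks, so this `let` block is the place to correct them.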
@@ -133,12 +136,10 @@ in {
 smtpd_tls_eecdh_grade = "ultra";
 
 # Disable obselete protocols
- smtpd_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
- smtp_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
- smtpd_tls_mandatory_protocols =
- "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
- smtp_tls_mandatory_protocols =
- "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
+ smtpd_tls_protocols = tls_allowed;
+ smtp_tls_protocols = tls_allowed;
+ smtpd_tls_mandatory_protocols = tls_allowed;
+ smtp_tls_mandatory_protocols = tls_allowed;
 
 smtp_tls_ciphers = "high";
 smtpd_tls_ciphers = "high";
@@ -146,21 +147,16 @@ in {
 smtpd_tls_mandatory_ciphers = "high";
 
 # Disable deprecated ciphers
- smtpd_tls_mandatory_exclude_ciphers =
- "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
- smtpd_tls_exclude_ciphers =
- "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
- smtp_tls_mandatory_exclude_ciphers =
- "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
- smtp_tls_exclude_ciphers =
- "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
+ smtpd_tls_mandatory_exclude_ciphers = tls_disallow;
+ smtpd_tls_exclude_ciphers = tls_disallow;
+ smtp_tls_mandatory_exclude_ciphers = tls_disallow;
+ smtp_tls_exclude_ciphers = tls_disallow;
 
 tls_preempt_cipherlist = true;
 smtpd_tls_auth_only = true;
 smtpd_tls_loglevel = "1";
 
- # Configure a non blocking source of randomness
 tls_random_source = "dev:/dev/urandom";
 
 smtpd_milters = [ "unix:/run/opendkim/opendkim.sock" ];
diff --git a/hosts/hetzner-vm/services/mailserver/ssl.nix b/hosts/hetzner-vm/services/mailserver/ssl.nix
index 89f30ee..2b5d198 100644
--- a/hosts/hetzner-vm/services/mailserver/ssl.nix
+++ b/hosts/hetzner-vm/services/mailserver/ssl.nix
@@ -8,7 +8,7 @@ in {
 virtualHosts."${mail_config.fqdn}" = {
 serverName = mail_config.fqdn;
 serverAliases = mail_config.domains;
- forceSSL = false;
+ forceSSL = true;
 enableACME = true;
 acmeRoot=acmeRoot;
 };
diff --git a/hosts/hetzner-vm/services/mailserver/vmail.nix b/hosts/hetzner-vm/services/mailserver/vmail.nix
index 184d81e..3f75c94 100644
--- a/hosts/hetzner-vm/services/mailserver/vmail.nix
+++ b/hosts/hetzner-vm/services/mailserver/vmail.nix
@@ -1,7 +1,47 @@
-{ config, pkgs, lib, ... }: let
- config = (import ./config.nix {});
-
- v = config.vmail_config;
+{ config, pkgs, lib, ... }:
+let
+ mail_config = (import ./config.nix { });
+
+ v = mail_config.vmail_config;
+ sieve_directory = mail_config.sieve_directory;
+
+ virtualMailUsersActivationScript =
+ pkgs.writeScript "activate-virtual-mail-users" ''
+ #!${pkgs.stdenv.shell}
+
+ set -euo pipefail
+
+ # Create directory to store user sieve scripts if it doesn't exist
+ if (! test -d "${sieve_directory}"); then
+ mkdir "${sieve_directory}"
+ chown "${v.user_group_name}:${v.user_group_name}" "${sieve_directory}"
+ chmod 770 "${sieve_directory}"
+ fi
+
+ # Copy user's sieve script to the correct location (if it exists). If it
+ # is null, remove the file.
+ ${lib.concatMapStringsSep "\n" ({ name, sieveScript }:
+ if lib.isString sieveScript then ''
+ if (! test -d "${sieve_directory}/${name}"); then
+ mkdir -p "${sieve_directory}/${name}"
+ chown "${v.user_group_name}:${v.user_group_name}" "${sieve_directory}/${name}"
+ chmod 770 "${sieve_directory}/${name}"
+ fi
+ cat << 'EOF' > "${sieve_directory}/${name}/default.sieve"
+ ${sieveScript}
+ EOF
+ chown "${v.user_group_name}:${v.user_group_name}" "${sieve_directory}/${name}/default.sieve"
+ '' else ''
+ if (test -f "${sieve_directory}/${name}/default.sieve"); then
+ rm "${sieve_directory}/${name}/default.sieve"
+ fi
+ if (test -f "${sieve_directory}/${name}.svbin"); then
+ rm "${sieve_directory}/${name}/default.svbin"
+ fi
+ '') (map (user: { inherit (user) name sieveScript; })
+ (lib.attrValues mail_config.accounts))}
+ '';
+
 in {
 users.users."${v.user_group_name}" = {
 name = "${v.user_group_name}";
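Review bot: In the `else` branch the guard tests `"${sieve_directory}/${name}.svbin"` while the `rm` beneath it removes `"${sieve_directory}/${name}/default.svbin"`; the two paths never name the same file, so the compiled script is never deleted and Dovecot may keep a stale `default.svbin` around after an account's `sieveScript` is set to `null`. The guard should read `if (test -f "${sieve_directory}/${name}/default.svbin"); then`. Separately, `pkgs.writeScript` puts this script, and with it every interpolated `sieveScript` body, into the world-readable Nix store, which is fine for filtering rules but worth knowing before a vacation text or forwarding address lands in one. The heredoc delimiter is quoted (`'EOF'`), so the script text is not shell-expanded, but a sieve script containing a line that is exactly `EOF` would truncate the written file; a less likely delimiter avoids that.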
@@ -12,4 +52,10 @@ in {
 group = "${v.user_group_name}";
 };
 users.groups."${v.user_group_name}" = { gid = v.user_group_id; };
+ systemd.services.activate-virtual-mail-users = {
+ wantedBy = [ "multi-user.target" ];
+ before = [ "dovecot2.service" ];
+ serviceConfig = { ExecStart = virtualMailUsersActivationScript; };
+ enable = true;
+ };
 }
diff --git a/hosts/hetzner-vm/services/mailserver/webmail.nix b/hosts/hetzner-vm/services/mailserver/webmail.nix
index 65eba3e..eae898f 100644
--- a/hosts/hetzner-vm/services/mailserver/webmail.nix
+++ b/hosts/hetzner-vm/services/mailserver/webmail.nix
@@ -8,6 +8,8 @@ in {
 $config['smtp_server'] = "tls://${mail_config.fqdn}";
 $config['smtp_user'] = "%u";
 $config['smtp_pass'] = "%p";
+ $config['plugins'] = ["managesieve"];
+ $config['managesieve_host'] = 'tls://${mail_config.fqdn}';
 '';
 };
 }
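Review bot: `serviceConfig` sets no `Type`, so the unit defaults to `simple` and systemd treats it as started the moment the script is forked; `before = [ "dovecot2.service" ]` therefore only orders dovecot after the script has begun, not after the sieve directories and `default.sieve` files exist, and dovecot can come up while the script is still writing. Declaring `Type = "oneshot";` and `RemainAfterExit = true;` inside `serviceConfig` makes the `before` ordering wait for completion. Listing `"dovecot2.service"` in `wantedBy` (or using `requiredBy`) would also re-run the script when dovecot alone is restarted, which is when a newly configured sieve script is most likely expected to take effect. `enable = true` is already the default and can be dropped.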
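Review bot: `$config['plugins'] = ["managesieve"];` inside the raw `extraConfig` assigns the plugin list rather than appending to it, so if the NixOS roundcube module or an earlier line of this config already emits a `$config['plugins']` line, this one silently replaces it; `services.roundcube.plugins = [ "managesieve" ];` is the module option meant for this, and in raw PHP `$config['plugins'][] = 'managesieve';` would append instead. `managesieve_host = 'tls://…'` also presumes a Dovecot managesieve listener is enabled and serves a certificate valid for `mail_config.fqdn`; neither is part of this commit, so it is worth confirming before relying on it. The surrounding `extraConfig` string starts outside the hunk.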