diff options
author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-10-02 18:46:48 +0200 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-10-02 18:46:48 +0200 |
commit | 59e54bd97f70711573d321f2d2aeee5da46bf95d (patch) | |
tree | 57ad9c1e82af6247afde473cb2f1f3a219599059 /hosts/surtr/email | |
parent | 410a63cf1baf627a0b99c34a955b3d02efabb48f (diff) | |
download | nixos-59e54bd97f70711573d321f2d2aeee5da46bf95d.tar nixos-59e54bd97f70711573d321f2d2aeee5da46bf95d.tar.gz nixos-59e54bd97f70711573d321f2d2aeee5da46bf95d.tar.bz2 nixos-59e54bd97f70711573d321f2d2aeee5da46bf95d.tar.xz nixos-59e54bd97f70711573d321f2d2aeee5da46bf95d.zip |
...
Diffstat (limited to 'hosts/surtr/email')
-rw-r--r-- | hosts/surtr/email/default.nix | 70 |
1 files changed, 60 insertions, 10 deletions
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 9cfba1f1..2fe5b7f0 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix | |||
@@ -59,6 +59,7 @@ in { | |||
59 | 59 | ||
60 | services.postfix = { | 60 | services.postfix = { |
61 | enable = true; | 61 | enable = true; |
62 | enableSmtp = false; | ||
62 | hostname = "surtr.yggdrasil.li"; | 63 | hostname = "surtr.yggdrasil.li"; |
63 | recipientDelimiter = ""; | 64 | recipientDelimiter = ""; |
64 | setSendmail = true; | 65 | setSendmail = true; |
@@ -66,20 +67,22 @@ in { | |||
66 | destination = []; | 67 | destination = []; |
67 | sslCert = "/run/credentials/postfix.service/surtr.yggdrasil.li.pem"; | 68 | sslCert = "/run/credentials/postfix.service/surtr.yggdrasil.li.pem"; |
68 | sslKey = "/run/credentials/postfix.service/surtr.yggdrasil.li.key.pem"; | 69 | sslKey = "/run/credentials/postfix.service/surtr.yggdrasil.li.key.pem"; |
69 | networks = ["127.0.0.0/8" "[::ffff:127.0.0.0]/104" "[::1]/128" "10.141.0.0/16"]; | 70 | networks = []; |
70 | config = let | 71 | config = let |
71 | relay_ccert = "texthash:${pkgs.writeText "relay_ccert" ""}"; | 72 | relay_ccert = "texthash:${pkgs.writeText "relay_ccert" ""}"; |
72 | in { | 73 | in { |
74 | smtpd_tls_security_level = "may"; | ||
75 | |||
73 | #the dh params | 76 | #the dh params |
74 | smtpd_tls_dh1024_param_file = toString config.security.dhparams.params."postfix-1024".path; | 77 | smtpd_tls_dh1024_param_file = toString config.security.dhparams.params."postfix-1024".path; |
75 | smtpd_tls_dh512_param_file = toString config.security.dhparams.params."postfix-512".path; | 78 | smtpd_tls_dh512_param_file = toString config.security.dhparams.params."postfix-512".path; |
76 | #enable ECDH | 79 | #enable ECDH |
77 | smtpd_tls_eecdh_grade = "strong"; | 80 | smtpd_tls_eecdh_grade = "strong"; |
78 | #enabled SSL protocols, don't allow SSLv2 and SSLv3 | 81 | #enabled SSL protocols, don't allow SSLv2 and SSLv3 |
79 | smtpd_tls_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" "!TLSv1.2"]; | 82 | smtpd_tls_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1"]; |
80 | smtpd_tls_mandatory_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" "!TLSv1.2"]; | 83 | smtpd_tls_mandatory_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1"]; |
81 | #allowed ciphers for smtpd_tls_security_level=encrypt | 84 | #allowed ciphers for smtpd_tls_security_level=encrypt |
82 | smtpd_tls_mandatory_ciphers = "high"; | 85 | smtpd_tls_mandatory_ciphers = "medium"; |
83 | #allowed ciphers for smtpd_tls_security_level=may | 86 | #allowed ciphers for smtpd_tls_security_level=may |
84 | #smtpd_tls_ciphers = high | 87 | #smtpd_tls_ciphers = high |
85 | #enforce the server cipher preference | 88 | #enforce the server cipher preference |
@@ -92,6 +95,7 @@ in { | |||
92 | smtpd_tls_loglevel = "1"; | 95 | smtpd_tls_loglevel = "1"; |
93 | #enable TLS logging to see the ciphers for outbound connections | 96 | #enable TLS logging to see the ciphers for outbound connections |
94 | smtp_tls_loglevel = "1"; | 97 | smtp_tls_loglevel = "1"; |
98 | tls_medium_cipherlist = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; | ||
95 | 99 | ||
96 | smtpd_tls_received_header = true; | 100 | smtpd_tls_received_header = true; |
97 | 101 | ||
@@ -101,6 +105,8 @@ in { | |||
101 | smtp_tls_security_level = "dane"; | 105 | smtp_tls_security_level = "dane"; |
102 | smtp_dns_support_level = "dnssec"; | 106 | smtp_dns_support_level = "dnssec"; |
103 | 107 | ||
108 | smtp_tls_connection_reuse = true; | ||
109 | |||
104 | tls_server_sni_maps = ''texthash:${pkgs.writeText "sni" '' | 110 | tls_server_sni_maps = ''texthash:${pkgs.writeText "sni" '' |
105 | bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem | 111 | bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem |
106 | mailin.bouncy.email /run/credentials/postfix.service/mailin.bouncy.email.full.pem | 112 | mailin.bouncy.email /run/credentials/postfix.service/mailin.bouncy.email.full.pem |
@@ -130,7 +136,6 @@ in { | |||
130 | dbname = email | 136 | dbname = email |
131 | query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s' | 137 | query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s' |
132 | ''}" | 138 | ''}" |
133 | "permit_mynetworks" | ||
134 | "check_ccert_access ${relay_ccert}" | 139 | "check_ccert_access ${relay_ccert}" |
135 | "reject_non_fqdn_helo_hostname" | 140 | "reject_non_fqdn_helo_hostname" |
136 | "reject_invalid_helo_hostname" | 141 | "reject_invalid_helo_hostname" |
@@ -149,14 +154,15 @@ in { | |||
149 | address_verify_poll_delay = "1s"; | 154 | address_verify_poll_delay = "1s"; |
150 | 155 | ||
151 | smtpd_relay_restrictions = [ | 156 | smtpd_relay_restrictions = [ |
152 | "permit_mynetworks" | ||
153 | "check_ccert_access ${relay_ccert}" | 157 | "check_ccert_access ${relay_ccert}" |
154 | "reject_unauth_destination" | 158 | "reject_unauth_destination" |
155 | ]; | 159 | ]; |
156 | 160 | ||
157 | propagate_unmatched_extensions = ["canonical" "virtual" "alias"]; | 161 | propagate_unmatched_extensions = ["canonical" "virtual" "alias"]; |
158 | smtpd_authorized_verp_clients = "$authorized_verp_clients"; | 162 | smtpd_authorized_verp_clients = ""; |
159 | authorized_verp_clients = "$mynetworks"; | 163 | authorized_verp_clients = ""; |
164 | |||
165 | smtpd_client_event_limit_exceptions = ""; | ||
160 | 166 | ||
161 | milter_default_action = "accept"; | 167 | milter_default_action = "accept"; |
162 | smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock"]; | 168 | smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock"]; |
@@ -197,6 +203,12 @@ in { | |||
197 | ''}''; | 203 | ''}''; |
198 | dvlmtp_destination_recipient_limit = "1"; | 204 | dvlmtp_destination_recipient_limit = "1"; |
199 | virtual_transport = "dvlmtp:unix:/run/postfix/dovecot-lmtp"; | 205 | virtual_transport = "dvlmtp:unix:/run/postfix/dovecot-lmtp"; |
206 | |||
207 | authorized_submit_users = "inline:{ root= postfwd= }"; | ||
208 | |||
209 | postscreen_access_list = ""; | ||
210 | postscreen_denylist_action = "drop"; | ||
211 | postscreen_greet_action = "enforce"; | ||
200 | }; | 212 | }; |
201 | masterConfig = { | 213 | masterConfig = { |
202 | smtps = { | 214 | smtps = { |
@@ -204,6 +216,14 @@ in { | |||
204 | private = false; | 216 | private = false; |
205 | command = "smtpd"; | 217 | command = "smtpd"; |
206 | args = [ | 218 | args = [ |
219 | "-o" "smtpd_tls_security_level=encrypt" | ||
220 | "-o" "{smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}" | ||
221 | "-o" "{smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}" | ||
222 | "-o" "smtpd_tls_mandatory_ciphers=high" | ||
223 | "-o" "smtpd_tls_dh1024_param_file=${toString config.security.dhparams.params."postfix-smtps-1024".path}" | ||
224 | "-o" "smtpd_tls_dh512_param_file=${toString config.security.dhparams.params."postfix-smtps-512".path}" | ||
225 | "-o" "{tls_eecdh_auto_curves = X25519 X448}" | ||
226 | |||
207 | "-o" "smtpd_tls_wrappermode=yes" | 227 | "-o" "smtpd_tls_wrappermode=yes" |
208 | "-o" "smtpd_tls_ask_ccert=yes" | 228 | "-o" "smtpd_tls_ask_ccert=yes" |
209 | "-o" "smtpd_tls_req_ccert=yes" | 229 | "-o" "smtpd_tls_req_ccert=yes" |
@@ -224,6 +244,27 @@ in { | |||
224 | "flags=DORX" | 244 | "flags=DORX" |
225 | ]; | 245 | ]; |
226 | }; | 246 | }; |
247 | smtp_pass = { | ||
248 | name = "smtpd"; | ||
249 | type = "pass"; | ||
250 | command = "smtpd"; | ||
251 | }; | ||
252 | postscreen = { | ||
253 | name = "smtp"; | ||
254 | type = "inet"; | ||
255 | private = false; | ||
256 | command = "postscreen"; | ||
257 | maxproc = 1; | ||
258 | }; | ||
259 | smtp = {}; | ||
260 | relay = { | ||
261 | command = "smtp"; | ||
262 | args = [ "-o" "smtp_fallback_relay=" ]; | ||
263 | }; | ||
264 | tlsproxy = { | ||
265 | maxproc = 0; | ||
266 | }; | ||
267 | dnsblog = {}; | ||
227 | }; | 268 | }; |
228 | }; | 269 | }; |
229 | 270 | ||
@@ -596,6 +637,9 @@ in { | |||
596 | params = { | 637 | params = { |
597 | "postfix-512".bits = 512; | 638 | "postfix-512".bits = 512; |
598 | "postfix-1024".bits = 2048; | 639 | "postfix-1024".bits = 2048; |
640 | |||
641 | "postfix-smtps-512".bits = 512; | ||
642 | "postfix-smtps-1024".bits = 2048; | ||
599 | }; | 643 | }; |
600 | }; | 644 | }; |
601 | 645 | ||
@@ -800,8 +844,14 @@ in { | |||
800 | services.postfwd = { | 844 | services.postfwd = { |
801 | enable = true; | 845 | enable = true; |
802 | rules = '' | 846 | rules = '' |
803 | id=RCPT01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/100/3600/450 4.7.1 Exceeding maximum of 100 recipients per hour [$$ratecount]) | 847 | id=RCPT01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/100/3600/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=100,HIT_RATELIMIT_INTERVAL=3600)) |
804 | id=RCPT02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/1000/86400/450 4.7.1 Exceeding maximum of 1000 recipients per day [$$ratecount]) | 848 | id=RCPT02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/1000/86400/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=1000,HIT_RATELIMIT_INTERVAL=86400)) |
849 | |||
850 | id=JUMP_REJECT_RL; HIT_RATELIMIT=="1"; action=jump(REJECT_RL) | ||
851 | |||
852 | id=EOF; action=DUNNO | ||
853 | |||
854 | id=REJECT_RL; action=450 4.7.1 Exceeding maximum of $$HIT_RATELIMIT_LIMIT recipients per $$HIT_RATELIMIT_INTERVAL seconds [$$HIT_RATECOUNT] | ||
805 | ''; | 855 | ''; |
806 | }; | 856 | }; |
807 | }; | 857 | }; |