authorGregor Kleen <gkleen@yggdrasil.li>2022-10-02 18:46:48 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2022-10-02 18:46:48 +0200
commit59e54bd97f70711573d321f2d2aeee5da46bf95d (patch)
tree57ad9c1e82af6247afde473cb2f1f3a219599059 /hosts/surtr
parent410a63cf1baf627a0b99c34a955b3d02efabb48f (diff)
...
Diffstat (limited to 'hosts/surtr')
-rw-r--r--hosts/surtr/default.nix2
-rw-r--r--hosts/surtr/email/default.nix70
2 files changed, 61 insertions, 11 deletions
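--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -57,7 +57,7 @@
 { address = "202.61.241.61"; prefixLength = 22; }
 ];
 ipv6.addresses = [
-{ address = "2a03:4000:52:ada:98e7:16ff:feba:7a2e"; prefixLength = 128; }
+# { address = "2a03:4000:52:ada:98e7:16ff:feba:7a2e"; prefixLength = 128; }
 { address = "2a03:4000:52:ada::"; prefixLength = 96; }
 ];
 };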
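Review bot: The /128 address at new line 60 is parked as a commented-out entry rather than removed, and nothing in the hunk says why; commented-out configuration tends to drift out of sync with the live set, and the old value is already preserved in history. Either drop the line or annotate the reason on it, e.g. `# disabled: <reason>`, so the next reader knows whether it may be restored. The enclosing `ipv6.addresses` list is fully visible, but the surrounding interface attribute set starts before the hunk.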
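--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -59,6 +59,7 @@ in {
 
 services.postfix = {
 enable = true;
+enableSmtp = false;
 hostname = "surtr.yggdrasil.li";
 recipientDelimiter = "";
 setSendmail = true;
@@ -66,20 +67,22 @@ in {
 destination = [];
 sslCert = "/run/credentials/postfix.service/surtr.yggdrasil.li.pem";
 sslKey = "/run/credentials/postfix.service/surtr.yggdrasil.li.key.pem";
-networks = ["127.0.0.0/8" "[::ffff:127.0.0.0]/104" "[::1]/128" "10.141.0.0/16"];
+networks = [];
 config = let
 relay_ccert = "texthash:${pkgs.writeText "relay_ccert" ""}";
 in {
+smtpd_tls_security_level = "may";
+
 #the dh params
 smtpd_tls_dh1024_param_file = toString config.security.dhparams.params."postfix-1024".path;
 smtpd_tls_dh512_param_file = toString config.security.dhparams.params."postfix-512".path;
 #enable ECDH
 smtpd_tls_eecdh_grade = "strong";
 #enabled SSL protocols, don't allow SSLv2 and SSLv3
-smtpd_tls_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" "!TLSv1.2"];
-smtpd_tls_mandatory_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" "!TLSv1.2"];
+smtpd_tls_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1"];
+smtpd_tls_mandatory_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1"];
 #allowed ciphers for smtpd_tls_security_level=encrypt
-smtpd_tls_mandatory_ciphers = "high";
+smtpd_tls_mandatory_ciphers = "medium";
 #allowed ciphers for smtpd_tls_security_level=may
 #smtpd_tls_ciphers = high
 #enforce the server cipher preference
@@ -92,6 +95,7 @@ in {
 smtpd_tls_loglevel = "1";
 #enable TLS logging to see the ciphers for outbound connections
 smtp_tls_loglevel = "1";
+tls_medium_cipherlist = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
 
 smtpd_tls_received_header = true;
 
@@ -101,6 +105,8 @@ in {
 smtp_tls_security_level = "dane";
 smtp_dns_support_level = "dnssec";
 
+smtp_tls_connection_reuse = true;
+
 tls_server_sni_maps = ''texthash:${pkgs.writeText "sni" ''
 bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem
 mailin.bouncy.email /run/credentials/postfix.service/mailin.bouncy.email.full.pem
@@ -130,7 +136,6 @@ in {
 dbname = email
 query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s'
 ''}"
-"permit_mynetworks"
 "check_ccert_access ${relay_ccert}"
 "reject_non_fqdn_helo_hostname"
 "reject_invalid_helo_hostname"
@@ -149,14 +154,15 @@ in {
 address_verify_poll_delay = "1s";
 
 smtpd_relay_restrictions = [
-"permit_mynetworks"
 "check_ccert_access ${relay_ccert}"
 "reject_unauth_destination"
 ];
 
 propagate_unmatched_extensions = ["canonical" "virtual" "alias"];
-smtpd_authorized_verp_clients = "$authorized_verp_clients";
-authorized_verp_clients = "$mynetworks";
+smtpd_authorized_verp_clients = "";
+authorized_verp_clients = "";
+
+smtpd_client_event_limit_exceptions = "";
 
 milter_default_action = "accept";
 smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock"];
@@ -197,6 +203,12 @@ in {
 ''}'';
 dvlmtp_destination_recipient_limit = "1";
 virtual_transport = "dvlmtp:unix:/run/postfix/dovecot-lmtp";
+
+authorized_submit_users = "inline:{ root= postfwd= }";
+
+postscreen_access_list = "";
+postscreen_denylist_action = "drop";
+postscreen_greet_action = "enforce";
 };
 masterConfig = {
 smtps = {
@@ -204,6 +216,14 @@ in {
 private = false;
 command = "smtpd";
 args = [
+"-o" "smtpd_tls_security_level=encrypt"
+"-o" "{smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}"
+"-o" "{smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}"
+"-o" "smtpd_tls_mandatory_ciphers=high"
+"-o" "smtpd_tls_dh1024_param_file=${toString config.security.dhparams.params."postfix-smtps-1024".path}"
+"-o" "smtpd_tls_dh512_param_file=${toString config.security.dhparams.params."postfix-smtps-512".path}"
+"-o" "{tls_eecdh_auto_curves = X25519 X448}"
+
 "-o" "smtpd_tls_wrappermode=yes"
 "-o" "smtpd_tls_ask_ccert=yes"
 "-o" "smtpd_tls_req_ccert=yes"
@@ -224,6 +244,27 @@ in {
 "flags=DORX"
 ];
 };
+smtp_pass = {
+name = "smtpd";
+type = "pass";
+command = "smtpd";
+};
+postscreen = {
+name = "smtp";
+type = "inet";
+private = false;
+command = "postscreen";
+maxproc = 1;
+};
+smtp = {};
+relay = {
+command = "smtp";
+args = [ "-o" "smtp_fallback_relay=" ];
+};
+tlsproxy = {
+maxproc = 0;
+};
+dnsblog = {};
 };
 };
 
@@ -596,6 +637,9 @@ in {
 params = {
 "postfix-512".bits = 512;
 "postfix-1024".bits = 2048;
+
+"postfix-smtps-512".bits = 512;
+"postfix-smtps-1024".bits = 2048;
 };
 };
 
@@ -800,8 +844,14 @@ in {
 services.postfwd = {
 enable = true;
 rules = ''
-id=RCPT01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/100/3600/450 4.7.1 Exceeding maximum of 100 recipients per hour [$$ratecount])
-id=RCPT02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/1000/86400/450 4.7.1 Exceeding maximum of 1000 recipients per day [$$ratecount])
+id=RCPT01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/100/3600/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=100,HIT_RATELIMIT_INTERVAL=3600))
+id=RCPT02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/1000/86400/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=1000,HIT_RATELIMIT_INTERVAL=86400))
+
+id=JUMP_REJECT_RL; HIT_RATELIMIT=="1"; action=jump(REJECT_RL)
+
+id=EOF; action=DUNNO
+
+id=REJECT_RL; action=450 4.7.1 Exceeding maximum of $$HIT_RATELIMIT_LIMIT recipients per $$HIT_RATELIMIT_INTERVAL seconds [$$HIT_RATECOUNT]
 '';
 };
 };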
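Review bot: `smtpd_tls_mandatory_ciphers = "medium"` and the relaxed `smtpd_tls_mandatory_protocols` in the -66,20 hunk do not govern port 25 once `smtpd_tls_security_level = "may"` is set above them: under opportunistic TLS the Postfix SMTP server consults `smtpd_tls_ciphers` (default medium, still commented out two lines below) and `smtpd_tls_protocols`, the mandatory_* parameters only apply at level encrypt, and the smtps service in the -204,6 hunk overrides both of them anyway. The `tls_medium_cipherlist` override in the -92,6 hunk therefore reaches port 25 only through the default of a parameter this file never names, which is fragile; consider stating it, `smtpd_tls_ciphers = "medium";`, and rewording the comment above the mandatory setting to `#cipher grade for mandatory TLS (encrypt); port 25 is opportunistic and follows smtpd_tls_ciphers`. The new `"postfix-smtps-512".bits = 512` entry in the -596,6 hunk generates an export-grade group for `smtpd_tls_dh512_param_file`, which I believe current Postfix/OpenSSL builds no longer use; worth confirming before carrying the pattern into a second service. The enclosing `config = let … in { … }` attribute set begins before the -66,20 hunk and ends after it.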