2 files changed, 82 insertions, 7 deletions
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 057e29f3..23ac8aa1 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -32,9 +32,47 @@ let
      });
    };
+  nftables-nologin-script = pkgs.writeScript "nftables-mail-nologin" ''
+    #!${pkgs.zsh}/bin/zsh
+    set -e
+    export PATH="${lib.makeBinPath (with pkgs; [inetutils nftables])}:$PATH"
+    typeset -a as_sets route route6
+    as_sets=(${lib.escapeShellArgs config.services.email.nologinASSets})
+    for as_set in $as_sets; do
+        while IFS=$'\n' read line; do
+            if [[ "''${line}" =~ "^route:\s+(.+)$" ]]; then
+                route+=($match[1])
+            elif [[ "''${line}" =~ "^route6:\s+(.+)$" ]]; then
+                route6+=($match[1])
+            fi
+        done < <(whois -h whois.radb.net "!i''${as_set},1" | egrep -o 'AS[0-9]+' | xargs -- whois -h whois.radb.net -- -i origin)
+    done
+    printf -v elements4 '%s,' "''${route[@]}"
+    elements4=''${elements4%,}
+    printf -v elements6 '%s,' "''${route6[@]}"
+    elements6=''${elements6%,}
+    nft -f - <<EOF
+    flush set inet filter mail_nologin4
+    flush set inet filter mail_nologin6
+    add element inet filter mail_nologin4 {''${elements4}}
+    add element inet filter mail_nologin6 {''${elements6}}
+    EOF
+  '';
  spmDomains = ["bouncy.email"];
  emailDomains = spmDomains ++ ["kleen.consulting"];
 in {
+  options = {
+    services.email.nologinASSets = mkOption {
+      type = types.listOf types.str;
+      default = [];
+    };
+  };
  config = {
    nixpkgs.overlays = [
      (final: prev: {
@@ -918,5 +956,25 @@ in {
        id=REJECT_RL; action=450 4.7.1 Exceeding maximum of $$HIT_RATELIMIT_LIMIT recipients per $$HIT_RATELIMIT_INTERVAL seconds [$$HIT_RATECOUNT]
      '';
    };
+    services.email.nologinASSets = ["AS-MICROSOFT"];
+    systemd.services.nftables.serviceConfig = {
+      ExecStart = lib.mkAfter [ nftables-nologin-script ];
+      ExecReload = lib.mkAfter [ nftables-nologin-script ];
+    };
+    systemd.services."nftables-mail-nologin" = {
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = nftables-nologin-script;
+      };
+    };
+    systemd.timers."nftables-mail-nologin" = {
+      wantedBy = [ "nftables.service" ];
+      timerConfig = {
+        OnActiveSec = "20h";
+        RandomizedDelaySec = "8h";
+      };
+    };
  };
 }
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
index 14fc9b79..5c2bba7c 100644
--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -86,6 +86,7 @@ table inet filter {
  counter established-rx {}
+  counter reject-mail-nologin {}
  counter reject-ratelimit-rx {}
  counter reject-rx {}
  counter reject-tcp-rx {}
@@ -114,6 +115,17 @@ table inet filter {
  counter tx {}
+  set mail_nologin4 {
+    type ipv4_addr
+    flags interval
+    auto-merge
+  }
+  set mail_nologin6 {
+    type ipv6_addr
+    flags interval
+    auto-merge
+  }
  chain forward {
    type filter hook forward priority filter
    policy drop
@@ -145,6 +157,14 @@ table inet filter {
    counter name drop-fw
  }
+  chain reject_input {
+    limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
+    log level debug prefix "reject input: " counter name reject-rx
+    meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
+    ct state new counter name reject-icmp-rx reject
+    counter name drop-rx
+  }
  chain input {
    type filter hook input priority filter
    policy drop
@@ -177,6 +197,9 @@ table inet filter {
    udp dport {3478, 5349} counter name stun-rx accept
    udp dport 49000-50000 counter name turn-rx accept
+    tcp dport {465,466,993,4190} ip saddr @mail_nologin4 log prefix "mail nologin: " counter name reject-mail-nologin jump reject_input
+    tcp dport {465,466,993,4190} ip6 saddr @mail_nologin6 log prefix "mail nologin: " counter name reject-mail-nologin jump reject_input
    tcp dport 25 counter name smtp-rx accept
    tcp dport {465, 466} counter name submissions-rx accept
    tcp dport 993 counter name imaps-rx accept
@@ -186,13 +209,7 @@ table inet filter {
    ct state {established, related} counter name established-rx accept
-    limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
+    jump reject_input
-    log level debug prefix "reject input: " counter name reject-rx
-    meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
-    ct state new counter name reject-icmp-rx reject
-    counter name drop-rx
  }
  chain output {

diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 057e29f3..23ac8aa1 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix
@@ -32,9 +32,47 @@ let
32	});	32	});
33	};	33	};
34		34
		35	nftables-nologin-script = pkgs.writeScript "nftables-mail-nologin" ''
		36	#!${pkgs.zsh}/bin/zsh
		37
		38	set -e
		39	export PATH="${lib.makeBinPath (with pkgs; [inetutils nftables])}:$PATH"
		40
		41	typeset -a as_sets route route6
		42	as_sets=(${lib.escapeShellArgs config.services.email.nologinASSets})
		43
		44	for as_set in $as_sets; do
		45	while IFS=$'\n' read line; do
		46	if [[ "''${line}" =~ "^route:\s+(.+)$" ]]; then
		47	route+=($match[1])
		48	elif [[ "''${line}" =~ "^route6:\s+(.+)$" ]]; then
		49	route6+=($match[1])
		50	fi
		51	done < <(whois -h whois.radb.net "!i''${as_set},1" \| egrep -o 'AS[0-9]+' \| xargs -- whois -h whois.radb.net -- -i origin)
		52	done
		53
		54	printf -v elements4 '%s,' "''${route[@]}"
		55	elements4=''${elements4%,}
		56	printf -v elements6 '%s,' "''${route6[@]}"
		57	elements6=''${elements6%,}
		58	nft -f - <<EOF
		59	flush set inet filter mail_nologin4
		60	flush set inet filter mail_nologin6
		61	add element inet filter mail_nologin4 {''${elements4}}
		62	add element inet filter mail_nologin6 {''${elements6}}
		63	EOF
		64	'';
		65
35	spmDomains = ["bouncy.email"];	66	spmDomains = ["bouncy.email"];
36	emailDomains = spmDomains ++ ["kleen.consulting"];	67	emailDomains = spmDomains ++ ["kleen.consulting"];
37	in {	68	in {
		69	options = {
		70	services.email.nologinASSets = mkOption {
		71	type = types.listOf types.str;
		72	default = [];
		73	};
		74	};
		75
38	config = {	76	config = {
39	nixpkgs.overlays = [	77	nixpkgs.overlays = [
40	(final: prev: {	78	(final: prev: {
@@ -918,5 +956,25 @@ in {
918	id=REJECT_RL; action=450 4.7.1 Exceeding maximum of $$HIT_RATELIMIT_LIMIT recipients per $$HIT_RATELIMIT_INTERVAL seconds [$$HIT_RATECOUNT]	956	id=REJECT_RL; action=450 4.7.1 Exceeding maximum of $$HIT_RATELIMIT_LIMIT recipients per $$HIT_RATELIMIT_INTERVAL seconds [$$HIT_RATECOUNT]
919	'';	957	'';
920	};	958	};
		959
		960	services.email.nologinASSets = ["AS-MICROSOFT"];
		961	systemd.services.nftables.serviceConfig = {
		962	ExecStart = lib.mkAfter [ nftables-nologin-script ];
		963	ExecReload = lib.mkAfter [ nftables-nologin-script ];
		964	};
		965	systemd.services."nftables-mail-nologin" = {
		966	serviceConfig = {
		967	Type = "oneshot";
		968	ExecStart = nftables-nologin-script;
		969	};
		970	};
		971	systemd.timers."nftables-mail-nologin" = {
		972	wantedBy = [ "nftables.service" ];
		973
		974	timerConfig = {
		975	OnActiveSec = "20h";
		976	RandomizedDelaySec = "8h";
		977	};
		978	};
921	};	979	};
922	}	980	}


diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft index 14fc9b79..5c2bba7c 100644 --- a/hosts/surtr/ruleset.nft +++ b/hosts/surtr/ruleset.nft
@@ -86,6 +86,7 @@ table inet filter {
86		86
87	counter established-rx {}	87	counter established-rx {}
88		88
		89	counter reject-mail-nologin {}
89	counter reject-ratelimit-rx {}	90	counter reject-ratelimit-rx {}
90	counter reject-rx {}	91	counter reject-rx {}
91	counter reject-tcp-rx {}	92	counter reject-tcp-rx {}
@@ -114,6 +115,17 @@ table inet filter {
114		115
115	counter tx {}	116	counter tx {}
116		117
		118	set mail_nologin4 {
		119	type ipv4_addr
		120	flags interval
		121	auto-merge
		122	}
		123	set mail_nologin6 {
		124	type ipv6_addr
		125	flags interval
		126	auto-merge
		127	}
		128
117	chain forward {	129	chain forward {
118	type filter hook forward priority filter	130	type filter hook forward priority filter
119	policy drop	131	policy drop
@@ -145,6 +157,14 @@ table inet filter {
145	counter name drop-fw	157	counter name drop-fw
146	}	158	}
147		159
		160	chain reject_input {
		161	limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
		162	log level debug prefix "reject input: " counter name reject-rx
		163	meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
		164	ct state new counter name reject-icmp-rx reject
		165
		166	counter name drop-rx
		167	}
148	chain input {	168	chain input {
149	type filter hook input priority filter	169	type filter hook input priority filter
150	policy drop	170	policy drop
@@ -177,6 +197,9 @@ table inet filter {
177	udp dport {3478, 5349} counter name stun-rx accept	197	udp dport {3478, 5349} counter name stun-rx accept
178	udp dport 49000-50000 counter name turn-rx accept	198	udp dport 49000-50000 counter name turn-rx accept
179		199
		200	tcp dport {465,466,993,4190} ip saddr @mail_nologin4 log prefix "mail nologin: " counter name reject-mail-nologin jump reject_input
		201	tcp dport {465,466,993,4190} ip6 saddr @mail_nologin6 log prefix "mail nologin: " counter name reject-mail-nologin jump reject_input
		202
180	tcp dport 25 counter name smtp-rx accept	203	tcp dport 25 counter name smtp-rx accept
181	tcp dport {465, 466} counter name submissions-rx accept	204	tcp dport {465, 466} counter name submissions-rx accept
182	tcp dport 993 counter name imaps-rx accept	205	tcp dport 993 counter name imaps-rx accept
@@ -186,13 +209,7 @@ table inet filter {
186	ct state {established, related} counter name established-rx accept	209	ct state {established, related} counter name established-rx accept
187		210
188		211
189	limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop	212	jump reject_input
190	log level debug prefix "reject input: " counter name reject-rx
191	meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
192	ct state new counter name reject-icmp-rx reject
193
194
195	counter name drop-rx
196	}	213	}
197		214
198	chain output {	215	chain output {