-rw-r--r--ymir.nix169
1 files changed, 76 insertions, 93 deletions
diff --git a/ymir.nix b/ymir.nix
index b55df52e..f6197e5a 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -443,72 +443,72 @@ in rec {
443 ''}'']; 443 ''}''];
444 sslCert = "/var/lib/acme/yggdrasil.li/fullchain.pem"; 444 sslCert = "/var/lib/acme/yggdrasil.li/fullchain.pem";
445 sslKey = "/var/lib/acme/yggdrasil.li/key.pem"; 445 sslKey = "/var/lib/acme/yggdrasil.li/key.pem";
446 extraConfig = '' 446 config = {
447 #the dh params 447 #the dh params
448 smtpd_tls_dh1024_param_file = /etc/ssl/dhparam.pem 448 smtpd_tls_dh1024_param_file = /etc/ssl/dhparam.pem;
449 smtpd_tls_dh512_param_file = /etc/ssl/dhparam.pem 449 smtpd_tls_dh512_param_file = /etc/ssl/dhparam.pem;
450 #enable ECDH 450 #enable ECDH
451 smtpd_tls_eecdh_grade = strong 451 smtpd_tls_eecdh_grade = "strong";
452 #enabled SSL protocols, don't allow SSLv2 and SSLv3 452 #enabled SSL protocols, don't allow SSLv2 and SSLv3
453 smtpd_tls_protocols= !SSLv2, !SSLv3 453 smtpd_tls_protocols = [ "!SSLv2" "!SSLv3"];
454 smtpd_tls_mandatory_protocols= !SSLv2, !SSLv3 454 smtpd_tls_mandatory_protocols = ["!SSLv2" "!SSLv3"];
455 #allowed ciphers for smtpd_tls_security_level=encrypt 455 #allowed ciphers for smtpd_tls_security_level=encrypt
456 smtpd_tls_mandatory_ciphers = high 456 smtpd_tls_mandatory_ciphers = "high";
457 #allowed ciphers for smtpd_tls_security_level=may 457 #allowed ciphers for smtpd_tls_security_level=may
458 #smtpd_tls_ciphers = high 458 #smtpd_tls_ciphers = high
459 #enforce the server cipher preference 459 #enforce the server cipher preference
460 tls_preempt_cipherlist = yes 460 tls_preempt_cipherlist = true;
461 #disable following ciphers for smtpd_tls_security_level=encrypt 461 #disable following ciphers for smtpd_tls_security_level=encrypt
462 smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL 462 smtpd_tls_mandatory_exclude_ciphers = ["aNULL" "MD5" "DES" "ADH" "RC4" "PSD" "SRP" "3DES" "eNULL"];
463 #disable following ciphers for smtpd_tls_security_level=may 463 #disable following ciphers for smtpd_tls_security_level=may
464 #smtpd_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL 464 smtpd_tls_exclude_ciphers = ["aNULL" "MD5" "DES" "ADH" "RC4" "PSD" "SRP" "3DES" "eNULL"];
465 #enable TLS logging to see the ciphers for inbound connections 465 #enable TLS logging to see the ciphers for inbound connections
466 smtpd_tls_loglevel = 1 466 smtpd_tls_loglevel = 1;
467 #enable TLS logging to see the ciphers for outbound connections 467 #enable TLS logging to see the ciphers for outbound connections
468 smtp_tls_loglevel = 1 468 smtp_tls_loglevel = 1;
469 469
470 smtp_dns_support_level = dnssec 470 smtp_dns_support_level = "dnssec";
471 smtp_tls_security_level = dane 471 smtp_tls_security_level = "dane";
472 472
473 transport_maps = regexp:${pkgs.writeText "transport" '' 473 transport_maps = ''regexp:${pkgs.writeText "transport" ''
474 /@(lists?|l)\./ mlmmj: 474 /@(lists?|l)\./ mlmmj:
475 /@subs?\.(lists?|l)\./ mlmmj-subs: 475 /@subs?\.(lists?|l)\./ mlmmj-subs:
476 ''} regexp:/srv/mail/transport pipemap:{texthash:/srv/mail/discard,static:{discard:}} 476 ''} regexp:/srv/mail/transport pipemap:{texthash:/srv/mail/discard,static:{discard:}}'';
477 477
478 local_recipient_maps = 478 local_recipient_maps = "";
479 479
480 luser_relay = gkleen+''${local} 480 luser_relay = "gkleen+${local}";
481 481
482 # 10 GiB 482 # 10 GiB
483 message_size_limit = 10737418240 483 message_size_limit = 10737418240;
484 # 10 GiB 484 # 10 GiB
485 mailbox_size_limit = 10737418240 485 mailbox_size_limit = 10737418240;
486 486
487 mailbox_transport_maps = pipemap:{unix:passwd.byname, static:{lmtp:unix:private/dovecot-lmtp}} 487 mailbox_transport_maps = "pipemap:{unix:passwd.byname, static:{lmtp:unix:private/dovecot-lmtp}}";
488 #mailbox_command = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT" 488 #mailbox_command = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
489 489
490 smtpd_sasl_type = dovecot 490 smtpd_sasl_type = "dovecot";
491 smtpd_sasl_path = private/dovecot-auth 491 smtpd_sasl_path = private/dovecot-auth;
492 492
493 smtpd_sasl_auth_enable = yes 493 smtpd_sasl_auth_enable = true;
494 smtpd_sasl_security_options = noanonymous, noplaintext 494 smtpd_sasl_security_options = ["noanonymous" "noplaintext"];
495 smtpd_sasl_tls_security_options = noanonymous 495 smtpd_sasl_tls_security_options = "noanonymous";
496 smtpd_tls_auth_only = yes 496 smtpd_tls_auth_only = true;
497 497
498 smtpd_delay_reject = yes 498 smtpd_delay_reject = true;
499 smtpd_helo_required = yes 499 smtpd_helo_required = true;
500 smtpd_helo_restrictions = permit 500 smtpd_helo_restrictions = "permit";
501 501
502 smtpd_recipient_restrictions = 502 smtpd_recipient_restrictions = [
503 reject_unauth_pipelining, 503 "reject_unauth_pipelining"
504 reject_non_fqdn_recipient, 504 "reject_non_fqdn_recipient"
505 reject_unknown_recipient_domain, 505 "reject_unknown_recipient_domain"
506 permit_mynetworks, 506 "permit_mynetworks"
507 permit_sasl_authenticated, 507 "permit_sasl_authenticated"
508 reject_non_fqdn_helo_hostname, 508 "reject_non_fqdn_helo_hostname"
509 reject_invalid_helo_hostname, 509 "reject_invalid_helo_hostname"
510 reject_unauth_destination, 510 "reject_unauth_destination"
511 check_client_access regexp:${pkgs.writeText "spfpolicy" '' 511 ''check_client_access regexp:${pkgs.writeText "spfpolicy" ''
512 /(^|\.)tu-muenchen\.de$/ DUNNO 512 /(^|\.)tu-muenchen\.de$/ DUNNO
513 /(^|\.)tum\.de$/ DUNNO 513 /(^|\.)tum\.de$/ DUNNO
514 /(^|\.)lmu\.de$/ DUNNO 514 /(^|\.)lmu\.de$/ DUNNO
@@ -521,27 +521,28 @@ in rec {
521 /(^|\.)mhn\.de$/ DUNNO 521 /(^|\.)mhn\.de$/ DUNNO
522 /(^|\.)mwn\.de$/ DUNNO 522 /(^|\.)mwn\.de$/ DUNNO
523 /.*/ spfcheck 523 /.*/ spfcheck
524 ''} 524 ''}''
525 smtpd_restriction_classes = spfcheck 525 ];
526 spfcheck = 526 smtpd_restriction_classes = "spfcheck";
527 check_policy_service unix:private/policy-spf 527 spfcheck = "check_policy_service unix:private/policy-spf";
528 528
529 smtpd_relay_restrictions = 529 smtpd_relay_restrictions = [
530 permit_mynetworks, 530 "permit_mynetworks"
531 permit_sasl_authenticated, 531 "permit_sasl_authenticated"
532 reject_unauth_destination 532 "reject_unauth_destination"
533 533 ];
534 mlmmj_destination_recipient_limit = 1 534
535 mlmmj-subs_destination_recipient_limit = 1 535 mlmmj_destination_recipient_limit = 1;
536 policy-spf_time_limit = 3600s 536 mlmmj-subs_destination_recipient_limit = 1;
537 propagate_unmatched_extensions = canonical, virtual, alias 537 policy-spf_time_limit = "3600s";
538 538 propagate_unmatched_extensions = ["canonical" "virtual" "alias"];
539 milter_default_action = accept 539
540 milter_protocol = 2 540 milter_default_action = "accept";
541 smtpd_milters = local:private/dkim 541 milter_protocol = 2;
542 non_smtpd_milters = local:private/dkim 542 smtpd_milters = "local:private/dkim";
543 543 non_smtpd_milters = "local:private/dkim";
544 alias_maps = texthash:${pkgs.writeText "aliases" '' 544
545 alias_maps = ''texthash:${pkgs.writeText "aliases" ''
545 postmaster gkleen 546 postmaster gkleen
546 webmaster gkleen 547 webmaster gkleen
547 abuse gkleen 548 abuse gkleen
@@ -555,18 +556,19 @@ in rec {
555 ftp gkleen 556 ftp gkleen
556 root gkleen 557 root gkleen
557 ''} texthash:/srv/mail/spm 558 ''} texthash:/srv/mail/spm
559 '';
558 560
559 queue_run_delay = 10s 561 queue_run_delay = "10s";
560 minimal_backoff_time = 1m 562 minimal_backoff_time = "1m";
561 maximal_backoff_time = 10m 563 maximal_backoff_time = "10m";
562 maximal_queue_lifetime = 100m 564 maximal_queue_lifetime = "100m";
563 bounce_queue_lifetime = 20m 565 bounce_queue_lifetime = "20m";
564 566
565 sender_canonical_maps = tcp:localhost:10001 567 sender_canonical_maps = "tcp:localhost:10001";
566 sender_canonical_classes = envelope_sender 568 sender_canonical_classes = "envelope_sender";
567 recipient_canonical_maps = tcp:localhost:10002 569 recipient_canonical_maps = "tcp:localhost:10002";
568 recipient_canonical_classes= envelope_recipient,header_recipient 570 recipient_canonical_classes = ["envelope_recipient" "header_recipient"];
569 ''; 571 };
570 masterConfig = { 572 masterConfig = {
571 uucp = { 573 uucp = {
572 type = "unix"; 574 type = "unix";
@@ -601,25 +603,6 @@ in rec {
601 args = [ "user=nobody" ''argv=${pkgs.pythonPackages.pypolicyd-spf}/bin/policyd-spf ${./ymir/spf.conf}'' ]; 603 args = [ "user=nobody" ''argv=${pkgs.pythonPackages.pypolicyd-spf}/bin/policyd-spf ${./ymir/spf.conf}'' ];
602 }; 604 };
603 }; 605 };
604 # extraMasterConf = ''
605 # uucp unix - n n - - pipe flags=Fqhu user=uucp argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)
606 # mlmmj unix - n n - - pipe flags=ORhu user=mlmmj argv=${pkgs.mlmmj}/bin/mlmmj-receive -F -L /var/spool/lists/''${user}
607 # mlmmj-subs unix - n n - - pipe flags=ORhu user=mlmmj argv=${pkgs.mlmmj-exposed}/bin/mlmmj-exposed /var/spool/lists/''${user} ''${extension}
608 # policy-spf unix - n n - - spawn user=nobody argv=${pkgs.pythonPackages.pypolicyd-spf}/bin/policyd-spf ${./ymir/spf.conf}
609 # logEmail unix - n n - 10 pipe flags=Rq user=nobody null_sender= argv=${pkgs.writeScript "logEmail" ''
610 # #!${pkgs.stdenv.shell}
611
612 # export PATH=${config.security.wrapperDir}:/run/current-system/sw/bin
613
614 # mailFile=/tmp/logEmail/$(date +"%F-%H%M%S").$$
615
616 # mkdir -p -m 700 /tmp/logEmail
617
618 # cat >$mailFile
619
620 # sendmail -G -i "$@" <$mailFile
621 # ''} -f ''${sender} -- ''${recipient}
622 # '';
623 networks = ["127.0.0.0/8" "[::ffff:127.0.0.0]/104" "[::1]/128" "10.141.0.0/16"]; 606 networks = ["127.0.0.0/8" "[::ffff:127.0.0.0]/104" "[::1]/128" "10.141.0.0/16"];
624 }; 607 };
625 608
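Review bot: Three values in the new `config` attribute set are unquoted and so are Nix path literals rather than strings: `smtpd_tls_dh1024_param_file = /etc/ssl/dhparam.pem;`, `smtpd_tls_dh512_param_file = /etc/ssl/dhparam.pem;` (first hunk, new lines 448–449) and `smtpd_sasl_path = private/dovecot-auth;` (new line 491). A path literal interpolated into a string is copied into the Nix store at evaluation time, so the generated main.cf would point at a store copy of the DH parameter file rather than the live `/etc/ssl/dhparam.pem`, and evaluation fails outright if the file is unreadable or absent on the evaluating machine; `private/dovecot-auth` is a relative path, resolved against this file's directory, which presumably does not exist there, and in any case is not the queue-directory-relative socket name Postfix expects. The old `extraConfig` string passed these through verbatim, so this is a regression introduced by the conversion, not a pre-existing issue; quoting them restores the intended values: `smtpd_tls_dh1024_param_file = "/etc/ssl/dhparam.pem";`, `smtpd_tls_dh512_param_file = "/etc/ssl/dhparam.pem";`, `smtpd_sasl_path = "private/dovecot-auth";`. Exactly how the postfix module stringifies a path value I cannot confirm from this page, but the `''…''` interpolations elsewhere in the same set suggest the copy-to-store behaviour applies. The enclosing `rec { … }` set begins before the first hunk and continues after the last.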