1 files changed, 145 insertions, 74 deletions

diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 4196a8bc..fa7ddac6 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, flakeInputs, ... }:
+{ config, pkgs, lib, flake, flakeInputs, ... }:
 
 with lib;
 
@@ -15,7 +15,7 @@ let
 
       for file in $out/pipe/bin/*; do
         wrapProgram $file \
-          --set PATH "${pkgs.coreutils}/bin:${pkgs.rspamd}/bin"
+          --set PATH "${makeBinPath (with pkgs; [coreutils rspamd])}"
       done
     '';
   };
@@ -33,12 +33,28 @@ let
         });
       });
     };
+  internal-policy-server =
+    let
+      workspace = flakeInputs.uv2nix.lib.workspace.loadWorkspace { workspaceRoot = ./internal-policy-server; };
+      pythonSet = flake.lib.pythonSet {
+        inherit pkgs;
+        python = pkgs.python312;
+        overlay = workspace.mkPyprojectOverlay {
+          sourcePreference = "wheel";
+        };
+      };
+      virtualEnv = pythonSet.mkVirtualEnv "internal-policy-server-env" workspace.deps.default;
+    in virtualEnv.overrideAttrs (oldAttrs: {
+      meta = (oldAttrs.meta or {}) // {
+        mainProgram = "internal-policy-server";
+      };
+    });
 
-  nftables-nologin-script = pkgs.writeScript "nftables-mail-nologin" ''
-    #!${pkgs.zsh}/bin/zsh
-
+  nftables-nologin-script = pkgs.resholve.writeScript "nftables-mail-nologin" {
+    inputs = with pkgs; [inetutils nftables gnugrep findutils];
+    interpreter = lib.getExe pkgs.zsh;
+  } ''
     set -e
-    export PATH="${lib.makeBinPath (with pkgs; [inetutils nftables])}:$PATH"
 
     typeset -a as_sets mnt_bys route route6
     as_sets=(${lib.escapeShellArgs config.services.email.nologin.ASSets})
@@ -51,7 +67,7 @@ let
             elif [[ "''${line}" =~ "^route6:\s+(.+)$" ]]; then
                 route6+=($match[1])
             fi
-        done < <(whois -h whois.radb.net "!i''${as_set},1" | egrep -o 'AS[0-9]+' | xargs -- whois -h whois.radb.net -- -i origin)
+        done < <(whois -h whois.radb.net "!i''${as_set},1" | grep -Eo 'AS[0-9]+' | xargs whois -h whois.radb.net -- -i origin)
     done
     for mnt_by in $mnt_bys; do
         while IFS=$'\n' read line; do
@@ -113,14 +129,14 @@ in {
       setSendmail = true;
       postmasterAlias = ""; rootAlias = ""; extraAliases = "";
       destination = [];
-      sslCert = "/run/credentials/postfix.service/surtr.yggdrasil.li.pem";
-      sslKey = "/run/credentials/postfix.service/surtr.yggdrasil.li.key.pem";
       networks = [];
-      config = let
-        relay_ccert = "texthash:${pkgs.writeText "relay_ccert" ""}";
-      in {
+      config = {
         smtpd_tls_security_level = "may";
 
+        smtpd_tls_chain_files = [
+          "/run/credentials/postfix.service/surtr.yggdrasil.li.full.pem"
+        ];
+
         #the dh params
         smtpd_tls_dh1024_param_file = toString config.security.dhparams.params."postfix-1024".path;
         smtpd_tls_dh512_param_file = toString config.security.dhparams.params."postfix-512".path;
@@ -155,12 +171,7 @@ in {
 
         smtp_tls_connection_reuse = true;
 
-        tls_server_sni_maps = ''texthash:${pkgs.writeText "sni" (
-          concatMapStringsSep "\n\n" (domain:
-            concatMapStringsSep "\n" (subdomain: "${subdomain} /run/credentials/postfix.service/${removePrefix "." subdomain}.full.pem")
-              [domain "mailin.${domain}" "mailsub.${domain}" ".${domain}"]
-          ) emailDomains
-        )}'';
+        tls_server_sni_maps = "inline:{${concatMapStringsSep ", " (domain: "{ ${domain} = /run/credentials/postfix.service/${removePrefix "." domain}.full.pem }") (concatMap (domain: [domain "mailin.${domain}" "mailsub.${domain}" ".${domain}"]) emailDomains)}}";
 
         smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix";
 
@@ -184,25 +195,26 @@ in {
             dbname = email
             query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s'
           ''}"
-          "check_ccert_access ${relay_ccert}"
           "reject_non_fqdn_helo_hostname"
           "reject_invalid_helo_hostname"
           "reject_unauth_destination"
           "reject_unknown_recipient_domain"
           "reject_unverified_recipient"
+          "check_policy_service unix:/run/postfix-internal-policy.sock"
         ];
         unverified_recipient_reject_code = "550";
         unverified_recipient_reject_reason = "Recipient address lookup failed";
         address_verify_map = "internal:address_verify_map";
         address_verify_positive_expire_time = "1h";
         address_verify_positive_refresh_time = "15m";
-        address_verify_negative_expire_time = "15s";
-        address_verify_negative_refresh_time = "5s";
-        address_verify_cache_cleanup_interval = "5s";
+        address_verify_negative_expire_time = "5m";
+        address_verify_negative_refresh_time = "1m";
+        address_verify_cache_cleanup_interval = "12h";
+        address_verify_poll_count = "\${stress?15}\${stress:30}";
         address_verify_poll_delay = "1s";
+        address_verify_sender_ttl = "30045s";
 
         smtpd_relay_restrictions = [
-          "check_ccert_access ${relay_ccert}"
           "reject_unauth_destination"
         ];
 
@@ -213,7 +225,7 @@ in {
         smtpd_client_event_limit_exceptions = "";
 
         milter_default_action = "accept";
-        smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock"];
+        smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock" "local:/run/postsrsd/postsrsd-milter.sock"];
         non_smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock"];
 
         alias_maps = "";
@@ -235,11 +247,6 @@ in {
           ::/0                silent-discard, dsn
         ''}";
 
-        sender_canonical_maps = "tcp:localhost:${toString config.services.postsrsd.forwardPort}";
-        sender_canonical_classes = "envelope_sender";
-        recipient_canonical_maps = "tcp:localhost:${toString config.services.postsrsd.reversePort}";
-        recipient_canonical_classes = ["envelope_recipient" "header_recipient"];
-
         virtual_mailbox_domains = ''pgsql:${pkgs.writeText "virtual_mailbox_domains.cf" ''
           hosts = postgresql:///email
           dbname = email
@@ -254,11 +261,24 @@ in {
         virtual_transport = "dvlmtp:unix:/run/dovecot-lmtp";
         smtputf8_enable = false;
 
-        authorized_submit_users = "inline:{ root= postfwd= }";
+        authorized_submit_users = "inline:{ root= postfwd= ${config.services.dovecot2.user}= }";
+        authorized_flush_users = "inline:{ root= }";
+        authorized_mailq_users = "inline:{ root= }";
 
         postscreen_access_list = "";
         postscreen_denylist_action = "drop";
         postscreen_greet_action = "enforce";
+
+        sender_bcc_maps = ''pgsql:${pkgs.writeText "sender_bcc_maps.cf" ''
+          hosts = postgresql:///email
+          dbname = email
+          query = SELECT value FROM sender_bcc_maps WHERE key = '%s'
+        ''}'';
+        recipient_bcc_maps = ''pgsql:${pkgs.writeText "recipient_bcc_maps.cf" ''
+          hosts = postgresql:///email
+          dbname = email
+          query = SELECT value FROM recipient_bcc_maps WHERE key = '%s'
+        ''}'';
       };
       masterConfig = {
         "465" = {
@@ -283,7 +303,7 @@ in {
             hosts = postgresql:///email
             dbname = email
             query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s' OR (lookup = regexp_replace('%s', '\+[^@]*@', '@') AND NOT EXISTS (SELECT 1 FROM virtual_mailbox_access WHERE lookup = '%s'))
-          ''},permit_tls_all_clientcerts,reject}''
+          ''},check_policy_service unix:/run/postfix-internal-policy.sock,permit_tls_all_clientcerts,reject}''
             "-o" "smtpd_relay_restrictions=permit_tls_all_clientcerts,reject"
             "-o" "{smtpd_data_restrictions = check_policy_service unix:/run/postfwd3/postfwd3.sock}"
             "-o" "unverified_sender_reject_code=550"
@@ -313,7 +333,7 @@ in {
             hosts = postgresql:///email
             dbname = email
             query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s' OR (lookup = regexp_replace('%s', '\+[^@]*@', '@') AND NOT EXISTS (SELECT 1 FROM virtual_mailbox_access WHERE lookup = '%s'))
-          ''},permit_sasl_authenticated,reject}''
+          ''},check_policy_service unix:/run/postfix-internal-policy.sock,permit_sasl_authenticated,reject}''
             "-o" "smtpd_relay_restrictions=permit_sasl_authenticated,reject"
             "-o" "{smtpd_data_restrictions = check_policy_service unix:/run/postfwd3/postfwd3.sock}"
             "-o" "unverified_sender_reject_code=550"
@@ -328,7 +348,10 @@ in {
           maxproc = 0;
           args = [
             "-o" "header_checks=pcre:${pkgs.writeText "header_checks_submission" ''
+              if /^Received: /
+              !/by surtr\.yggdrasil\.li/ STRIP
               /^Received: from [^ ]+ \([^ ]+ [^ ]+\)\s+(.*)$/ REPLACE Received: $1
+              endif
             ''}"
           ];
         };
@@ -364,17 +387,19 @@ in {
 
     services.postsrsd = {
       enable = true;
-      domain = "surtr.yggdrasil.li";
+      domains = [ "surtr.yggdrasil.li" ] ++ concatMap (domain: [".${domain}" domain]) emailDomains;
       separator = "+";
-      excludeDomains = [ "surtr.yggdrasil.li"
-                       ] ++ concatMap (domain: [".${domain}" domain]) emailDomains;
+      extraConfig = ''
+        socketmap = unix:/run/postsrsd/postsrsd-socketmap.sock
+        milter = unix:/run/postsrsd/postsrsd-milter.sock
+      '';
     };
 
     services.opendkim = {
       enable = true;
       user = "postfix"; group = "postfix";
       socket = "local:/run/opendkim/opendkim.sock";
-      domains = ''csl:${concatStringsSep "," (["surtr.yggdrasil.li"] ++ emailDomains)}'';
+      domains = ''csl:${concatStringsSep "," (["surtr.yggdrasil.li" "yggdrasil.li" "141.li" "kleen.li" "synapse.li" "praseodym.org"] ++ emailDomains)}'';
       selector = "surtr";
       configFile = builtins.toFile "opendkim.conf" ''
         Syslog true
@@ -478,20 +503,20 @@ in {
       };
     };
 
-    users.groups.${config.services.rspamd.group}.members = [ config.services.postfix.user "dovecot2" ];
+    users.groups.${config.services.rspamd.group}.members = [ config.services.postfix.user config.services.dovecot2.user ];
 
     services.redis.servers.rspamd.enable = true;
 
     users.groups.${config.services.redis.servers.rspamd.user}.members = [ config.services.rspamd.user ];
 
+    environment.systemPackages = with pkgs; [ dovecot_pigeonhole dovecot_fts_xapian ];
     services.dovecot2 = {
       enable = true;
       enablePAM = false;
-      sslServerCert = "/run/credentials/dovecot2.service/surtr.yggdrasil.li.pem";
-      sslServerKey = "/run/credentials/dovecot2.service/surtr.yggdrasil.li.key.pem";
+      sslServerCert = "/run/credentials/dovecot.service/surtr.yggdrasil.li.pem";
+      sslServerKey = "/run/credentials/dovecot.service/surtr.yggdrasil.li.key.pem";
       sslCACert = toString ./ca/ca.crt;
       mailLocation = "maildir:/var/lib/mail/%u/maildir:UTF-8:INDEX=/var/lib/dovecot/indices/%u";
-      modules = with pkgs; [ dovecot_pigeonhole dovecot_fts_xapian ];
       mailPlugins.globally.enable = [ "fts" "fts_xapian" ];
       protocols = [ "lmtp" "sieve" ];
       sieve = {
@@ -502,8 +527,8 @@ in {
         dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" ''
           driver = pgsql
           connect = dbname=email
-          password_query = SELECT (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN NULL ELSE "password" END) as password, (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN true WHEN password IS NULL THEN true ELSE NULL END) as nopassword, "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n'
-          user_query = SELECT "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n'
+          password_query = SELECT (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN NULL ELSE "password" END) as password, (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN true WHEN password IS NULL THEN true ELSE NULL END) as nopassword, "user", quota_rule, '${config.services.dovecot2.user}' as uid, '${config.services.dovecot2.group}' as gid FROM imap_user WHERE "user" = '%n'
+          user_query = SELECT "user", quota_rule, '${config.services.dovecot2.user}' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n'
           iterate_query = SELECT "user" FROM imap_user
         '';
       in ''
@@ -511,16 +536,16 @@ in {
 
         mail_plugins = $mail_plugins quota
 
-        first_valid_uid = ${toString config.users.users.dovecot2.uid}
-        last_valid_uid = ${toString config.users.users.dovecot2.uid}
-        first_valid_gid = ${toString config.users.groups.dovecot2.gid}
-        last_valid_gid = ${toString config.users.groups.dovecot2.gid}
+        first_valid_uid = ${toString config.users.users.${config.services.dovecot2.user}.uid}
+        last_valid_uid = ${toString config.users.users.${config.services.dovecot2.user}.uid}
+        first_valid_gid = ${toString config.users.groups.${config.services.dovecot2.group}.gid}
+        last_valid_gid = ${toString config.users.groups.${config.services.dovecot2.group}.gid}
 
         ${concatMapStringsSep "\n\n" (domain:
           concatMapStringsSep "\n" (subdomain: ''
             local_name ${subdomain} {
-              ssl_cert = </run/credentials/dovecot2.service/${subdomain}.pem
-              ssl_key = </run/credentials/dovecot2.service/${subdomain}.key.pem
+              ssl_cert = </run/credentials/dovecot.service/${subdomain}.pem
+              ssl_key = </run/credentials/dovecot.service/${subdomain}.key.pem
             }
           '') ["imap.${domain}" domain]
         ) emailDomains}
@@ -541,10 +566,10 @@ in {
         auth_debug = yes
 
         service auth {
-          user = dovecot2
+          user = ${config.services.dovecot2.user}
         }
         service auth-worker {
-          user = dovecot2
+          user = ${config.services.dovecot2.user}
         }
 
         userdb {
@@ -565,7 +590,7 @@ in {
             args = ${pkgs.writeText "dovecot-sql.conf" ''
               driver = pgsql
               connect = dbname=email
-              user_query = SELECT DISTINCT ON (extension IS NULL, local IS NULL) "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM lmtp_mapping WHERE CASE WHEN extension IS NOT NULL AND local IS NOT NULL THEN ('%n' :: citext) = local || '+' || extension AND domain = ('%d' :: citext) WHEN local IS NOT NULL THEN (local = ('%n' :: citext) OR ('%n' :: citext) ILIKE local || '+%%') AND domain = ('%d' :: citext) WHEN extension IS NOT NULL THEN ('%n' :: citext) ILIKE '%%+' || extension AND domain = ('%d' :: citext) ELSE domain = ('%d' :: citext) END ORDER BY (extension IS NULL) ASC, (local IS NULL) ASC
+              user_query = SELECT DISTINCT ON (extension IS NULL, local IS NULL) "user", quota_rule, '${config.services.dovecot2.user}' as uid, '${config.services.dovecot2.group}' as gid FROM lmtp_mapping WHERE CASE WHEN extension IS NOT NULL AND local IS NOT NULL THEN ('%n' :: citext) = local || '+' || extension AND domain = ('%d' :: citext) WHEN local IS NOT NULL THEN (local = ('%n' :: citext) OR ('%n' :: citext) ILIKE local || '+%%') AND domain = ('%d' :: citext) WHEN extension IS NOT NULL THEN ('%n' :: citext) ILIKE '%%+' || extension AND domain = ('%d' :: citext) ELSE domain = ('%d' :: citext) END ORDER BY (extension IS NULL) ASC, (local IS NULL) ASC
             ''}
 
             skip = never
@@ -673,7 +698,7 @@ in {
         plugin {
           plugin = fts fts_xapian
           fts = xapian
-          fts_xapian = partial=2 full=20 attachments=1 verbose=1
+          fts_xapian = partial=3 full=20 attachments=1 verbose=1
 
           fts_autoindex = yes
 
@@ -688,12 +713,12 @@ in {
 
     systemd.services.dovecot-fts-xapian-optimize = {
       description = "Optimize dovecot indices for fts_xapian";
-      requisite = [ "dovecot2.service" ];
-      after = [ "dovecot2.service" ];
+      requisite = [ "dovecot.service" ];
+      after = [ "dovecot.service" ];
       startAt = "*-*-* 22:00:00 Europe/Berlin";
       serviceConfig = {
         Type = "oneshot";
-        ExecStart = "${pkgs.dovecot}/bin/doveadm fts optimize -A";
+        ExecStart = "${getExe' pkgs.dovecot "doveadm"} fts optimize -A";
         PrivateDevices = true;
         PrivateNetwork = true;
         ProtectKernelTunables = true;
@@ -754,31 +779,29 @@ in {
 
     security.acme.rfc2136Domains = {
       "surtr.yggdrasil.li" = {
-        restartUnits = [ "postfix.service" "dovecot2.service" ];
+        restartUnits = [ "postfix.service" "dovecot.service" ];
       };
     } // listToAttrs (map (domain: nameValuePair "spm.${domain}" { restartUnits = ["nginx.service"]; }) spmDomains)
     // listToAttrs (concatMap (domain: [
-      (nameValuePair domain { restartUnits = ["postfix.service" "dovecot2.service"]; })
+      (nameValuePair domain { restartUnits = ["postfix.service" "dovecot.service"]; })
       (nameValuePair "mailin.${domain}" { restartUnits = ["postfix.service"]; })
       (nameValuePair "mailsub.${domain}" { restartUnits = ["postfix.service"]; })
-      (nameValuePair "imap.${domain}" { restartUnits = ["dovecot2.service"]; })
+      (nameValuePair "imap.${domain}" { restartUnits = ["dovecot.service"]; })
       (nameValuePair "mta-sts.${domain}" { restartUnits = ["nginx.service"]; })
     ]) emailDomains);
 
     systemd.services.postfix = {
-      serviceConfig.LoadCredential = [
-        "surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem"
-        "surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem"
-      ] ++ concatMap (domain:
-        map (subdomain: "${subdomain}.full.pem:${config.security.acme.certs.${subdomain}.directory}/full.pem")
-          [domain "mailin.${domain}" "mailsub.${domain}"]
-      ) emailDomains;
+      serviceConfig.LoadCredential = let
+        tlsCredential = domain: "${domain}.full.pem:${config.security.acme.certs.${domain}.directory}/full.pem";
+      in [
+        (tlsCredential "surtr.yggdrasil.li")
+      ] ++ concatMap (domain: map tlsCredential [domain "mailin.${domain}" "mailsub.${domain}"]) emailDomains;
     };
 
-    systemd.services.dovecot2 = {
+    systemd.services.dovecot = {
       preStart = ''
         for f in /etc/dovecot/sieve_flag.d/*.sieve /etc/dovecot/sieve_before.d/*.sieve; do
-          ${pkgs.dovecot_pigeonhole}/bin/sievec $f
+          ${getExe' pkgs.dovecot_pigeonhole "sievec"} $f
         done
       '';
 
@@ -845,15 +868,16 @@ in {
               charset utf-8;
               source_charset utf-8;
             '';
-            root = pkgs.runCommand "mta-sts.${domain}" {} ''
-              mkdir -p $out/.well-known
-              cp ${pkgs.writeText "mta-sts.${domain}.txt" ''
+            root = pkgs.writeTextFile {
+              name = "mta-sts.${domain}";
+              destination = "/.well-known/mta-sts.txt";
+              text = ''
                 version: STSv1
                 mode: enforce
                 max_age: 2419200
                 mx: mailin.${domain}
-              ''} $out/.well-known/mta-sts.txt
-            '';
+              '';
+            };
           };
       }) emailDomains);
     };
@@ -870,7 +894,7 @@ in {
     systemd.services.spm = {
       serviceConfig = {
         Type = "notify";
-        ExecStart = "${pkgs.spm}/bin/spm-server";
+        ExecStart = getExe' pkgs.spm "spm-server";
         User = "spm";
         Group = "spm";
 
@@ -928,7 +952,7 @@ in {
       serviceConfig = {
         Type = "notify";
 
-        ExecStart = "${ccert-policy-server}/bin/ccert-policy-server";
+        ExecStart = getExe' ccert-policy-server "ccert-policy-server";
 
         Environment = [
           "PGDATABASE=email"
@@ -961,6 +985,53 @@ in {
     };
     users.groups."postfix-ccert-sender-policy" = {};
 
+    systemd.sockets."postfix-internal-policy" = {
+      requiredBy = ["postfix.service"];
+      wants = ["postfix-internal-policy.service"];
+      socketConfig = {
+        ListenStream = "/run/postfix-internal-policy.sock";
+      };
+    };
+    systemd.services."postfix-internal-policy" = {
+      after = [ "postgresql.service" ];
+      bindsTo = [ "postgresql.service" ];
+
+      serviceConfig = {
+        Type = "notify";
+
+        ExecStart = lib.getExe internal-policy-server;
+
+        Environment = [
+          "PGDATABASE=email"
+        ];
+
+        DynamicUser = false;
+        User = "postfix-internal-policy";
+        Group = "postfix-internal-policy";
+        ProtectSystem = "strict";
+        SystemCallFilter = "@system-service";
+        NoNewPrivileges = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        MemoryDenyWriteExecute = true;
+        RestrictSUIDSGID = true;
+        KeyringMode = "private";
+        ProtectClock = true;
+        RestrictRealtime = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProtectHostname = true;
+        ReadWritePaths = ["/run/postgresql"];
+      };
+    };
+    users.users."postfix-internal-policy" = {
+      isSystemUser = true;
+      group = "postfix-internal-policy";
+    };
+    users.groups."postfix-internal-policy" = {};
+
     services.postfwd = {
       enable = true;
       cache = false;