2 files changed, 72 insertions, 57 deletions
diff --git a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
index 7117eb63..7c931559 100644
--- a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
+++ b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
@@ -28,10 +28,12 @@ class PolicyHandler(StreamRequestHandler):
        allowed = False
        user = None
+        relay_eligible = False
        if self.args['sasl_username']:
            user = self.args['sasl_username']
        if self.args['ccert_subject']:
            user = self.args['ccert_subject']
+            relay_eligible = True
        if user:
            with self.server.db_pool.connection() as conn:
@@ -44,9 +46,16 @@ class PolicyHandler(StreamRequestHandler):
                with conn.cursor() as cur:
                    cur.row_factory = namedtuple_row
-                    cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s) as "exists"', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)
-                    if (row := cur.fetchone()) is not None:
+                    if relay_eligible:
-                        allowed = row.exists
+                        cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "relay_access" ON "mailbox".id = "relay_access"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("domain" = %(domain)s OR %(domain)s ilike CONCAT(\'%%_.\', "domain"))) as "exists"', params = {'user': user, 'domain': domain})
+                        if (row := cur.fetchone()) is not None:
+                            allowed = row.exists
+                    if not allowed:
+                        cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s) as "exists"', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)
+                        if (row := cur.fetchone()) is not None:
+                            allowed = row.exists
        action = '550 5.7.0 Sender address not authorized for current user'
        if allowed:
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index c6253e4c..a3e06ca6 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -124,19 +124,20 @@ in {
    services.postfix = {
      enable = true;
      enableSmtp = false;
-      hostname = "surtr.yggdrasil.li";
-      recipientDelimiter = "";
      setSendmail = true;
      postmasterAlias = ""; rootAlias = ""; extraAliases = "";
-      destination = [];
+      settings.main = {
-      sslCert = "/run/credentials/postfix.service/surtr.yggdrasil.li.pem";
+        recpipient_delimiter = "";
-      sslKey = "/run/credentials/postfix.service/surtr.yggdrasil.li.key.pem";
+        mydestination = [];
-      networks = [];
+        mynetworks = [];
-      config = let
+        myhostname = "surtr.yggdrasil.li";
-        relay_ccert = "texthash:${pkgs.writeText "relay_ccert" ""}";
-      in {
        smtpd_tls_security_level = "may";
+        smtpd_tls_chain_files = [
+          "/run/credentials/postfix.service/surtr.yggdrasil.li.full.pem"
+        ];
        #the dh params
        smtpd_tls_dh1024_param_file = toString config.security.dhparams.params."postfix-1024".path;
        smtpd_tls_dh512_param_file = toString config.security.dhparams.params."postfix-512".path;
@@ -171,21 +172,14 @@ in {
        smtp_tls_connection_reuse = true;
-        tls_server_sni_maps = ''texthash:${pkgs.writeText "sni" (
+        tls_server_sni_maps = "inline:{${concatMapStringsSep ", " (domain: "{ ${domain} = /run/credentials/postfix.service/${removePrefix "." domain}.full.pem }") (concatMap (domain: [domain "mailin.${domain}" "mailsub.${domain}" ".${domain}"]) emailDomains)}}";
-          concatMapStringsSep "\n\n" (domain:
-            concatMapStringsSep "\n" (subdomain: "${subdomain} /run/credentials/postfix.service/${removePrefix "." subdomain}.full.pem")
-              [domain "mailin.${domain}" "mailsub.${domain}" ".${domain}"]
-          ) emailDomains
-        )}'';
        smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix";
        local_recipient_maps = "";
-        # 10 GiB
+        message_size_limit = 10 * 1024 * 1024 * 1024;
-        message_size_limit = "10737418240";
+        mailbox_size_limit = 10 * 1024 * 1024 * 1024;
-        # 10 GiB
-        mailbox_size_limit = "10737418240";
        smtpd_delay_reject = true;
        smtpd_helo_required = true;
@@ -200,7 +194,6 @@ in {
            dbname = email
            query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s'
          ''}"
-          "check_ccert_access ${relay_ccert}"
          "reject_non_fqdn_helo_hostname"
          "reject_invalid_helo_hostname"
          "reject_unauth_destination"
@@ -221,7 +214,6 @@ in {
        address_verify_sender_ttl = "30045s";
        smtpd_relay_restrictions = [
-          "check_ccert_access ${relay_ccert}"
          "reject_unauth_destination"
        ];
@@ -268,13 +260,26 @@ in {
        virtual_transport = "dvlmtp:unix:/run/dovecot-lmtp";
        smtputf8_enable = false;
-        authorized_submit_users = "inline:{ root= postfwd= dovecot2= }";
+        authorized_submit_users = "inline:{ root= postfwd= ${config.services.dovecot2.user}= }";
+        authorized_flush_users = "inline:{ root= }";
+        authorized_mailq_users = "inline:{ root= }";
        postscreen_access_list = "";
        postscreen_denylist_action = "drop";
        postscreen_greet_action = "enforce";
+        sender_bcc_maps = ''pgsql:${pkgs.writeText "sender_bcc_maps.cf" ''
+          hosts = postgresql:///email
+          dbname = email
+          query = SELECT value FROM sender_bcc_maps WHERE key = '%s'
+        ''}'';
+        recipient_bcc_maps = ''pgsql:${pkgs.writeText "recipient_bcc_maps.cf" ''
+          hosts = postgresql:///email
+          dbname = email
+          query = SELECT value FROM recipient_bcc_maps WHERE key = '%s'
+        ''}'';
      };
-      masterConfig = {
+      settings.master = {
        "465" = {
          type = "inet";
          private = false;
@@ -342,7 +347,10 @@ in {
          maxproc = 0;
          args = [
            "-o" "header_checks=pcre:${pkgs.writeText "header_checks_submission" ''
+              if /^Received: /
+              !/by surtr\.yggdrasil\.li/ STRIP
              /^Received: from [^ ]+ \([^ ]+ [^ ]+\)\s+(.*)$/ REPLACE Received: $1
+              endif
            ''}"
          ];
        };
@@ -390,7 +398,7 @@ in {
      enable = true;
      user = "postfix"; group = "postfix";
      socket = "local:/run/opendkim/opendkim.sock";
-      domains = ''csl:${concatStringsSep "," (["surtr.yggdrasil.li"] ++ emailDomains)}'';
+      domains = ''csl:${concatStringsSep "," (["surtr.yggdrasil.li" "yggdrasil.li" "141.li" "kleen.li" "synapse.li" "praseodym.org"] ++ emailDomains)}'';
      selector = "surtr";
      configFile = builtins.toFile "opendkim.conf" ''
        Syslog true
@@ -494,7 +502,7 @@ in {
      };
    };
-    users.groups.${config.services.rspamd.group}.members = [ config.services.postfix.user "dovecot2" ];
+    users.groups.${config.services.rspamd.group}.members = [ config.services.postfix.user config.services.dovecot2.user ];
    services.redis.servers.rspamd.enable = true;
@@ -504,22 +512,22 @@ in {
    services.dovecot2 = {
      enable = true;
      enablePAM = false;
-      sslServerCert = "/run/credentials/dovecot2.service/surtr.yggdrasil.li.pem";
+      sslServerCert = "/run/credentials/dovecot.service/surtr.yggdrasil.li.pem";
-      sslServerKey = "/run/credentials/dovecot2.service/surtr.yggdrasil.li.key.pem";
+      sslServerKey = "/run/credentials/dovecot.service/surtr.yggdrasil.li.key.pem";
      sslCACert = toString ./ca/ca.crt;
      mailLocation = "maildir:/var/lib/mail/%u/maildir:UTF-8:INDEX=/var/lib/dovecot/indices/%u";
      mailPlugins.globally.enable = [ "fts" "fts_xapian" ];
      protocols = [ "lmtp" "sieve" ];
      sieve = {
-        extensions = ["copy" "imapsieve" "variables" "imap4flags" "vacation"];
+        extensions = ["copy" "imapsieve" "variables" "imap4flags" "vacation" "vacation-seconds" "vnd.dovecot.debug"];
-        globalExtensions = ["copy" "imapsieve" "variables" "imap4flags" "vacation"];
+        globalExtensions = ["copy" "imapsieve" "variables" "imap4flags" "vacation" "vacation-seconds" "vnd.dovecot.debug"];
      };
      extraConfig = let
        dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" ''
          driver = pgsql
          connect = dbname=email
-          password_query = SELECT (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN NULL ELSE "password" END) as password, (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN true WHEN password IS NULL THEN true ELSE NULL END) as nopassword, "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n'
+          password_query = SELECT (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN NULL ELSE "password" END) as password, (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN true WHEN password IS NULL THEN true ELSE NULL END) as nopassword, "user", quota_rule, '${config.services.dovecot2.user}' as uid, '${config.services.dovecot2.group}' as gid FROM imap_user WHERE "user" = '%n'
-          user_query = SELECT "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n'
+          user_query = SELECT "user", quota_rule, '${config.services.dovecot2.user}' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n'
          iterate_query = SELECT "user" FROM imap_user
        '';
      in ''
@@ -527,16 +535,16 @@ in {
        mail_plugins = $mail_plugins quota
-        first_valid_uid = ${toString config.users.users.dovecot2.uid}
+        first_valid_uid = ${toString config.users.users.${config.services.dovecot2.user}.uid}
-        last_valid_uid = ${toString config.users.users.dovecot2.uid}
+        last_valid_uid = ${toString config.users.users.${config.services.dovecot2.user}.uid}
-        first_valid_gid = ${toString config.users.groups.dovecot2.gid}
+        first_valid_gid = ${toString config.users.groups.${config.services.dovecot2.group}.gid}
-        last_valid_gid = ${toString config.users.groups.dovecot2.gid}
+        last_valid_gid = ${toString config.users.groups.${config.services.dovecot2.group}.gid}
        ${concatMapStringsSep "\n\n" (domain:
          concatMapStringsSep "\n" (subdomain: ''
            local_name ${subdomain} {
-              ssl_cert = </run/credentials/dovecot2.service/${subdomain}.pem
+              ssl_cert = </run/credentials/dovecot.service/${subdomain}.pem
-              ssl_key = </run/credentials/dovecot2.service/${subdomain}.key.pem
+              ssl_key = </run/credentials/dovecot.service/${subdomain}.key.pem
            }
          '') ["imap.${domain}" domain]
        ) emailDomains}
@@ -557,10 +565,10 @@ in {
        auth_debug = yes
        service auth {
-          user = dovecot2
+          user = ${config.services.dovecot2.user}
        }
        service auth-worker {
-          user = dovecot2
+          user = ${config.services.dovecot2.user}
        }
        userdb {
@@ -581,7 +589,7 @@ in {
            args = ${pkgs.writeText "dovecot-sql.conf" ''
              driver = pgsql
              connect = dbname=email
-              user_query = SELECT DISTINCT ON (extension IS NULL, local IS NULL) "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM lmtp_mapping WHERE CASE WHEN extension IS NOT NULL AND local IS NOT NULL THEN ('%n' :: citext) = local || '+' || extension AND domain = ('%d' :: citext) WHEN local IS NOT NULL THEN (local = ('%n' :: citext) OR ('%n' :: citext) ILIKE local || '+%%') AND domain = ('%d' :: citext) WHEN extension IS NOT NULL THEN ('%n' :: citext) ILIKE '%%+' || extension AND domain = ('%d' :: citext) ELSE domain = ('%d' :: citext) END ORDER BY (extension IS NULL) ASC, (local IS NULL) ASC
+              user_query = SELECT DISTINCT ON (extension IS NULL, local IS NULL) "user", quota_rule, '${config.services.dovecot2.user}' as uid, '${config.services.dovecot2.group}' as gid FROM lmtp_mapping WHERE CASE WHEN extension IS NOT NULL AND local IS NOT NULL THEN ('%n' :: citext) = local || '+' || extension AND domain = ('%d' :: citext) WHEN local IS NOT NULL THEN (local = ('%n' :: citext) OR ('%n' :: citext) ILIKE local || '+%%') AND domain = ('%d' :: citext) WHEN extension IS NOT NULL THEN ('%n' :: citext) ILIKE '%%+' || extension AND domain = ('%d' :: citext) ELSE domain = ('%d' :: citext) END ORDER BY (extension IS NULL) ASC, (local IS NULL) ASC
            ''}
            skip = never
@@ -651,7 +659,7 @@ in {
          quota_status_success = DUNNO
          quota_status_nouser = DUNNO
          quota_grace = 10%%
-          quota_max_mail_size = ${config.services.postfix.config.message_size_limit}
+          quota_max_mail_size = ${toString config.services.postfix.settings.main.message_size_limit}
          quota_vsizes = yes
        }
@@ -704,8 +712,8 @@ in {
    systemd.services.dovecot-fts-xapian-optimize = {
      description = "Optimize dovecot indices for fts_xapian";
-      requisite = [ "dovecot2.service" ];
+      requisite = [ "dovecot.service" ];
-      after = [ "dovecot2.service" ];
+      after = [ "dovecot.service" ];
      startAt = "*-*-* 22:00:00 Europe/Berlin";
      serviceConfig = {
        Type = "oneshot";
@@ -770,28 +778,26 @@ in {
    security.acme.rfc2136Domains = {
      "surtr.yggdrasil.li" = {
-        restartUnits = [ "postfix.service" "dovecot2.service" ];
+        restartUnits = [ "postfix.service" "dovecot.service" ];
      };
    } // listToAttrs (map (domain: nameValuePair "spm.${domain}" { restartUnits = ["nginx.service"]; }) spmDomains)
    // listToAttrs (concatMap (domain: [
-      (nameValuePair domain { restartUnits = ["postfix.service" "dovecot2.service"]; })
+      (nameValuePair domain { restartUnits = ["postfix.service" "dovecot.service"]; })
      (nameValuePair "mailin.${domain}" { restartUnits = ["postfix.service"]; })
      (nameValuePair "mailsub.${domain}" { restartUnits = ["postfix.service"]; })
-      (nameValuePair "imap.${domain}" { restartUnits = ["dovecot2.service"]; })
+      (nameValuePair "imap.${domain}" { restartUnits = ["dovecot.service"]; })
      (nameValuePair "mta-sts.${domain}" { restartUnits = ["nginx.service"]; })
    ]) emailDomains);
    systemd.services.postfix = {
-      serviceConfig.LoadCredential = [
+      serviceConfig.LoadCredential = let
-        "surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem"
+        tlsCredential = domain: "${domain}.full.pem:${config.security.acme.certs.${domain}.directory}/full.pem";
-        "surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem"
+      in [
-      ] ++ concatMap (domain:
+        (tlsCredential "surtr.yggdrasil.li")
-        map (subdomain: "${subdomain}.full.pem:${config.security.acme.certs.${subdomain}.directory}/full.pem")
+      ] ++ concatMap (domain: map tlsCredential [domain "mailin.${domain}" "mailsub.${domain}"]) emailDomains;
-          [domain "mailin.${domain}" "mailsub.${domain}"]
-      ) emailDomains;
    };
-    systemd.services.dovecot2 = {
+    systemd.services.dovecot = {
      preStart = ''
        for f in /etc/dovecot/sieve_flag.d/*.sieve /etc/dovecot/sieve_before.d/*.sieve; do
          ${getExe' pkgs.dovecot_pigeonhole "sievec"} $f

diff --git a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py index 7117eb63..7c931559 100644 --- a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py +++ b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
@@ -28,10 +28,12 @@ class PolicyHandler(StreamRequestHandler):
28		28
29	allowed = False	29	allowed = False
30	user = None	30	user = None
		31	relay_eligible = False
31	if self.args['sasl_username']:	32	if self.args['sasl_username']:
32	user = self.args['sasl_username']	33	user = self.args['sasl_username']
33	if self.args['ccert_subject']:	34	if self.args['ccert_subject']:
34	user = self.args['ccert_subject']	35	user = self.args['ccert_subject']
		36	relay_eligible = True
35		37
36	if user:	38	if user:
37	with self.server.db_pool.connection() as conn:	39	with self.server.db_pool.connection() as conn:
@@ -44,9 +46,16 @@ class PolicyHandler(StreamRequestHandler):
44		46
45	with conn.cursor() as cur:	47	with conn.cursor() as cur:
46	cur.row_factory = namedtuple_row	48	cur.row_factory = namedtuple_row
47	cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s) as "exists"', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)	49
48	if (row := cur.fetchone()) is not None:	50	if relay_eligible:
49	allowed = row.exists	51	cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "relay_access" ON "mailbox".id = "relay_access"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("domain" = %(domain)s OR %(domain)s ilike CONCAT(\'%%_.\', "domain"))) as "exists"', params = {'user': user, 'domain': domain})
		52	if (row := cur.fetchone()) is not None:
		53	allowed = row.exists
		54
		55	if not allowed:
		56	cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s) as "exists"', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)
		57	if (row := cur.fetchone()) is not None:
		58	allowed = row.exists
50		59
51	action = '550 5.7.0 Sender address not authorized for current user'	60	action = '550 5.7.0 Sender address not authorized for current user'
52	if allowed:	61	if allowed:


diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index c6253e4c..a3e06ca6 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix
@@ -124,19 +124,20 @@ in {
124	services.postfix = {	124	services.postfix = {
125	enable = true;	125	enable = true;
126	enableSmtp = false;	126	enableSmtp = false;
127	hostname = "surtr.yggdrasil.li";
128	recipientDelimiter = "";
129	setSendmail = true;	127	setSendmail = true;
130	postmasterAlias = ""; rootAlias = ""; extraAliases = "";	128	postmasterAlias = ""; rootAlias = ""; extraAliases = "";
131	destination = [];	129	settings.main = {
132	sslCert = "/run/credentials/postfix.service/surtr.yggdrasil.li.pem";	130	recpipient_delimiter = "";
133	sslKey = "/run/credentials/postfix.service/surtr.yggdrasil.li.key.pem";	131	mydestination = [];
134	networks = [];	132	mynetworks = [];
135	config = let	133	myhostname = "surtr.yggdrasil.li";
136	relay_ccert = "texthash:${pkgs.writeText "relay_ccert" ""}";	134
137	in {
138	smtpd_tls_security_level = "may";	135	smtpd_tls_security_level = "may";
139		136
		137	smtpd_tls_chain_files = [
		138	"/run/credentials/postfix.service/surtr.yggdrasil.li.full.pem"
		139	];
		140
140	#the dh params	141	#the dh params
141	smtpd_tls_dh1024_param_file = toString config.security.dhparams.params."postfix-1024".path;	142	smtpd_tls_dh1024_param_file = toString config.security.dhparams.params."postfix-1024".path;
142	smtpd_tls_dh512_param_file = toString config.security.dhparams.params."postfix-512".path;	143	smtpd_tls_dh512_param_file = toString config.security.dhparams.params."postfix-512".path;
@@ -171,21 +172,14 @@ in {
171		172
172	smtp_tls_connection_reuse = true;	173	smtp_tls_connection_reuse = true;
173		174
174	tls_server_sni_maps = ''texthash:${pkgs.writeText "sni" (	175	tls_server_sni_maps = "inline:{${concatMapStringsSep ", " (domain: "{ ${domain} = /run/credentials/postfix.service/${removePrefix "." domain}.full.pem }") (concatMap (domain: [domain "mailin.${domain}" "mailsub.${domain}" ".${domain}"]) emailDomains)}}";
175	concatMapStringsSep "\n\n" (domain:
176	concatMapStringsSep "\n" (subdomain: "${subdomain} /run/credentials/postfix.service/${removePrefix "." subdomain}.full.pem")
177	[domain "mailin.${domain}" "mailsub.${domain}" ".${domain}"]
178	) emailDomains
179	)}'';
180		176
181	smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix";	177	smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix";
182		178
183	local_recipient_maps = "";	179	local_recipient_maps = "";
184		180
185	# 10 GiB	181	message_size_limit = 10 * 1024 * 1024 * 1024;
186	message_size_limit = "10737418240";	182	mailbox_size_limit = 10 * 1024 * 1024 * 1024;
187	# 10 GiB
188	mailbox_size_limit = "10737418240";
189		183
190	smtpd_delay_reject = true;	184	smtpd_delay_reject = true;
191	smtpd_helo_required = true;	185	smtpd_helo_required = true;
@@ -200,7 +194,6 @@ in {
200	dbname = email	194	dbname = email
201	query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s'	195	query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s'
202	''}"	196	''}"
203	"check_ccert_access ${relay_ccert}"
204	"reject_non_fqdn_helo_hostname"	197	"reject_non_fqdn_helo_hostname"
205	"reject_invalid_helo_hostname"	198	"reject_invalid_helo_hostname"
206	"reject_unauth_destination"	199	"reject_unauth_destination"
@@ -221,7 +214,6 @@ in {
221	address_verify_sender_ttl = "30045s";	214	address_verify_sender_ttl = "30045s";
222		215
223	smtpd_relay_restrictions = [	216	smtpd_relay_restrictions = [
224	"check_ccert_access ${relay_ccert}"
225	"reject_unauth_destination"	217	"reject_unauth_destination"
226	];	218	];
227		219
@@ -268,13 +260,26 @@ in {
268	virtual_transport = "dvlmtp:unix:/run/dovecot-lmtp";	260	virtual_transport = "dvlmtp:unix:/run/dovecot-lmtp";
269	smtputf8_enable = false;	261	smtputf8_enable = false;
270		262
271	authorized_submit_users = "inline:{ root= postfwd= dovecot2= }";	263	authorized_submit_users = "inline:{ root= postfwd= ${config.services.dovecot2.user}= }";
		264	authorized_flush_users = "inline:{ root= }";
		265	authorized_mailq_users = "inline:{ root= }";
272		266
273	postscreen_access_list = "";	267	postscreen_access_list = "";
274	postscreen_denylist_action = "drop";	268	postscreen_denylist_action = "drop";
275	postscreen_greet_action = "enforce";	269	postscreen_greet_action = "enforce";
		270
		271	sender_bcc_maps = ''pgsql:${pkgs.writeText "sender_bcc_maps.cf" ''
		272	hosts = postgresql:///email
		273	dbname = email
		274	query = SELECT value FROM sender_bcc_maps WHERE key = '%s'
		275	''}'';
		276	recipient_bcc_maps = ''pgsql:${pkgs.writeText "recipient_bcc_maps.cf" ''
		277	hosts = postgresql:///email
		278	dbname = email
		279	query = SELECT value FROM recipient_bcc_maps WHERE key = '%s'
		280	''}'';
276	};	281	};
277	masterConfig = {	282	settings.master = {
278	"465" = {	283	"465" = {
279	type = "inet";	284	type = "inet";
280	private = false;	285	private = false;
@@ -342,7 +347,10 @@ in {
342	maxproc = 0;	347	maxproc = 0;
343	args = [	348	args = [
344	"-o" "header_checks=pcre:${pkgs.writeText "header_checks_submission" ''	349	"-o" "header_checks=pcre:${pkgs.writeText "header_checks_submission" ''
		350	if /^Received: /
		351	!/by surtr\.yggdrasil\.li/ STRIP
345	/^Received: from [^ ]+ \([^ ]+ [^ ]+\)\s+(.*)$/ REPLACE Received: $1	352	/^Received: from [^ ]+ \([^ ]+ [^ ]+\)\s+(.*)$/ REPLACE Received: $1
		353	endif
346	''}"	354	''}"
347	];	355	];
348	};	356	};
@@ -390,7 +398,7 @@ in {
390	enable = true;	398	enable = true;
391	user = "postfix"; group = "postfix";	399	user = "postfix"; group = "postfix";
392	socket = "local:/run/opendkim/opendkim.sock";	400	socket = "local:/run/opendkim/opendkim.sock";
393	domains = ''csl:${concatStringsSep "," (["surtr.yggdrasil.li"] ++ emailDomains)}'';	401	domains = ''csl:${concatStringsSep "," (["surtr.yggdrasil.li" "yggdrasil.li" "141.li" "kleen.li" "synapse.li" "praseodym.org"] ++ emailDomains)}'';
394	selector = "surtr";	402	selector = "surtr";
395	configFile = builtins.toFile "opendkim.conf" ''	403	configFile = builtins.toFile "opendkim.conf" ''
396	Syslog true	404	Syslog true
@@ -494,7 +502,7 @@ in {
494	};	502	};
495	};	503	};
496		504
497	users.groups.${config.services.rspamd.group}.members = [ config.services.postfix.user "dovecot2" ];	505	users.groups.${config.services.rspamd.group}.members = [ config.services.postfix.user config.services.dovecot2.user ];
498		506
499	services.redis.servers.rspamd.enable = true;	507	services.redis.servers.rspamd.enable = true;
500		508
@@ -504,22 +512,22 @@ in {
504	services.dovecot2 = {	512	services.dovecot2 = {
505	enable = true;	513	enable = true;
506	enablePAM = false;	514	enablePAM = false;
507	sslServerCert = "/run/credentials/dovecot2.service/surtr.yggdrasil.li.pem";	515	sslServerCert = "/run/credentials/dovecot.service/surtr.yggdrasil.li.pem";
508	sslServerKey = "/run/credentials/dovecot2.service/surtr.yggdrasil.li.key.pem";	516	sslServerKey = "/run/credentials/dovecot.service/surtr.yggdrasil.li.key.pem";
509	sslCACert = toString ./ca/ca.crt;	517	sslCACert = toString ./ca/ca.crt;
510	mailLocation = "maildir:/var/lib/mail/%u/maildir:UTF-8:INDEX=/var/lib/dovecot/indices/%u";	518	mailLocation = "maildir:/var/lib/mail/%u/maildir:UTF-8:INDEX=/var/lib/dovecot/indices/%u";
511	mailPlugins.globally.enable = [ "fts" "fts_xapian" ];	519	mailPlugins.globally.enable = [ "fts" "fts_xapian" ];
512	protocols = [ "lmtp" "sieve" ];	520	protocols = [ "lmtp" "sieve" ];
513	sieve = {	521	sieve = {
514	extensions = ["copy" "imapsieve" "variables" "imap4flags" "vacation"];	522	extensions = ["copy" "imapsieve" "variables" "imap4flags" "vacation" "vacation-seconds" "vnd.dovecot.debug"];
515	globalExtensions = ["copy" "imapsieve" "variables" "imap4flags" "vacation"];	523	globalExtensions = ["copy" "imapsieve" "variables" "imap4flags" "vacation" "vacation-seconds" "vnd.dovecot.debug"];
516	};	524	};
517	extraConfig = let	525	extraConfig = let
518	dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" ''	526	dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" ''
519	driver = pgsql	527	driver = pgsql
520	connect = dbname=email	528	connect = dbname=email
521	password_query = SELECT (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN NULL ELSE "password" END) as password, (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN true WHEN password IS NULL THEN true ELSE NULL END) as nopassword, "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n'	529	password_query = SELECT (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN NULL ELSE "password" END) as password, (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN true WHEN password IS NULL THEN true ELSE NULL END) as nopassword, "user", quota_rule, '${config.services.dovecot2.user}' as uid, '${config.services.dovecot2.group}' as gid FROM imap_user WHERE "user" = '%n'
522	user_query = SELECT "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n'	530	user_query = SELECT "user", quota_rule, '${config.services.dovecot2.user}' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n'
523	iterate_query = SELECT "user" FROM imap_user	531	iterate_query = SELECT "user" FROM imap_user
524	'';	532	'';
525	in ''	533	in ''
@@ -527,16 +535,16 @@ in {
527		535
528	mail_plugins = $mail_plugins quota	536	mail_plugins = $mail_plugins quota
529		537
530	first_valid_uid = ${toString config.users.users.dovecot2.uid}	538	first_valid_uid = ${toString config.users.users.${config.services.dovecot2.user}.uid}
531	last_valid_uid = ${toString config.users.users.dovecot2.uid}	539	last_valid_uid = ${toString config.users.users.${config.services.dovecot2.user}.uid}
532	first_valid_gid = ${toString config.users.groups.dovecot2.gid}	540	first_valid_gid = ${toString config.users.groups.${config.services.dovecot2.group}.gid}
533	last_valid_gid = ${toString config.users.groups.dovecot2.gid}	541	last_valid_gid = ${toString config.users.groups.${config.services.dovecot2.group}.gid}
534		542
535	${concatMapStringsSep "\n\n" (domain:	543	${concatMapStringsSep "\n\n" (domain:
536	concatMapStringsSep "\n" (subdomain: ''	544	concatMapStringsSep "\n" (subdomain: ''
537	local_name ${subdomain} {	545	local_name ${subdomain} {
538	ssl_cert = </run/credentials/dovecot2.service/${subdomain}.pem	546	ssl_cert = </run/credentials/dovecot.service/${subdomain}.pem
539	ssl_key = </run/credentials/dovecot2.service/${subdomain}.key.pem	547	ssl_key = </run/credentials/dovecot.service/${subdomain}.key.pem
540	}	548	}
541	'') ["imap.${domain}" domain]	549	'') ["imap.${domain}" domain]
542	) emailDomains}	550	) emailDomains}
@@ -557,10 +565,10 @@ in {
557	auth_debug = yes	565	auth_debug = yes
558		566
559	service auth {	567	service auth {
560	user = dovecot2	568	user = ${config.services.dovecot2.user}
561	}	569	}
562	service auth-worker {	570	service auth-worker {
563	user = dovecot2	571	user = ${config.services.dovecot2.user}
564	}	572	}
565		573
566	userdb {	574	userdb {
@@ -581,7 +589,7 @@ in {
581	args = ${pkgs.writeText "dovecot-sql.conf" ''	589	args = ${pkgs.writeText "dovecot-sql.conf" ''
582	driver = pgsql	590	driver = pgsql
583	connect = dbname=email	591	connect = dbname=email
584	user_query = SELECT DISTINCT ON (extension IS NULL, local IS NULL) "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM lmtp_mapping WHERE CASE WHEN extension IS NOT NULL AND local IS NOT NULL THEN ('%n' :: citext) = local \|\| '+' \|\| extension AND domain = ('%d' :: citext) WHEN local IS NOT NULL THEN (local = ('%n' :: citext) OR ('%n' :: citext) ILIKE local \|\| '+%%') AND domain = ('%d' :: citext) WHEN extension IS NOT NULL THEN ('%n' :: citext) ILIKE '%%+' \|\| extension AND domain = ('%d' :: citext) ELSE domain = ('%d' :: citext) END ORDER BY (extension IS NULL) ASC, (local IS NULL) ASC	592	user_query = SELECT DISTINCT ON (extension IS NULL, local IS NULL) "user", quota_rule, '${config.services.dovecot2.user}' as uid, '${config.services.dovecot2.group}' as gid FROM lmtp_mapping WHERE CASE WHEN extension IS NOT NULL AND local IS NOT NULL THEN ('%n' :: citext) = local \|\| '+' \|\| extension AND domain = ('%d' :: citext) WHEN local IS NOT NULL THEN (local = ('%n' :: citext) OR ('%n' :: citext) ILIKE local \|\| '+%%') AND domain = ('%d' :: citext) WHEN extension IS NOT NULL THEN ('%n' :: citext) ILIKE '%%+' \|\| extension AND domain = ('%d' :: citext) ELSE domain = ('%d' :: citext) END ORDER BY (extension IS NULL) ASC, (local IS NULL) ASC
585	''}	593	''}
586		594
587	skip = never	595	skip = never
@@ -651,7 +659,7 @@ in {
651	quota_status_success = DUNNO	659	quota_status_success = DUNNO
652	quota_status_nouser = DUNNO	660	quota_status_nouser = DUNNO
653	quota_grace = 10%%	661	quota_grace = 10%%
654	quota_max_mail_size = ${config.services.postfix.config.message_size_limit}	662	quota_max_mail_size = ${toString config.services.postfix.settings.main.message_size_limit}
655	quota_vsizes = yes	663	quota_vsizes = yes
656	}	664	}
657		665
@@ -704,8 +712,8 @@ in {
704		712
705	systemd.services.dovecot-fts-xapian-optimize = {	713	systemd.services.dovecot-fts-xapian-optimize = {
706	description = "Optimize dovecot indices for fts_xapian";	714	description = "Optimize dovecot indices for fts_xapian";
707	requisite = [ "dovecot2.service" ];	715	requisite = [ "dovecot.service" ];
708	after = [ "dovecot2.service" ];	716	after = [ "dovecot.service" ];
709	startAt = "--* 22:00:00 Europe/Berlin";	717	startAt = "--* 22:00:00 Europe/Berlin";
710	serviceConfig = {	718	serviceConfig = {
711	Type = "oneshot";	719	Type = "oneshot";
@@ -770,28 +778,26 @@ in {
770		778
771	security.acme.rfc2136Domains = {	779	security.acme.rfc2136Domains = {
772	"surtr.yggdrasil.li" = {	780	"surtr.yggdrasil.li" = {
773	restartUnits = [ "postfix.service" "dovecot2.service" ];	781	restartUnits = [ "postfix.service" "dovecot.service" ];
774	};	782	};
775	} // listToAttrs (map (domain: nameValuePair "spm.${domain}" { restartUnits = ["nginx.service"]; }) spmDomains)	783	} // listToAttrs (map (domain: nameValuePair "spm.${domain}" { restartUnits = ["nginx.service"]; }) spmDomains)
776	// listToAttrs (concatMap (domain: [	784	// listToAttrs (concatMap (domain: [
777	(nameValuePair domain { restartUnits = ["postfix.service" "dovecot2.service"]; })	785	(nameValuePair domain { restartUnits = ["postfix.service" "dovecot.service"]; })
778	(nameValuePair "mailin.${domain}" { restartUnits = ["postfix.service"]; })	786	(nameValuePair "mailin.${domain}" { restartUnits = ["postfix.service"]; })
779	(nameValuePair "mailsub.${domain}" { restartUnits = ["postfix.service"]; })	787	(nameValuePair "mailsub.${domain}" { restartUnits = ["postfix.service"]; })
780	(nameValuePair "imap.${domain}" { restartUnits = ["dovecot2.service"]; })	788	(nameValuePair "imap.${domain}" { restartUnits = ["dovecot.service"]; })
781	(nameValuePair "mta-sts.${domain}" { restartUnits = ["nginx.service"]; })	789	(nameValuePair "mta-sts.${domain}" { restartUnits = ["nginx.service"]; })
782	]) emailDomains);	790	]) emailDomains);
783		791
784	systemd.services.postfix = {	792	systemd.services.postfix = {
785	serviceConfig.LoadCredential = [	793	serviceConfig.LoadCredential = let
786	"surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem"	794	tlsCredential = domain: "${domain}.full.pem:${config.security.acme.certs.${domain}.directory}/full.pem";
787	"surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem"	795	in [
788	] ++ concatMap (domain:	796	(tlsCredential "surtr.yggdrasil.li")
789	map (subdomain: "${subdomain}.full.pem:${config.security.acme.certs.${subdomain}.directory}/full.pem")	797	] ++ concatMap (domain: map tlsCredential [domain "mailin.${domain}" "mailsub.${domain}"]) emailDomains;
790	[domain "mailin.${domain}" "mailsub.${domain}"]
791	) emailDomains;
792	};	798	};
793		799
794	systemd.services.dovecot2 = {	800	systemd.services.dovecot = {
795	preStart = ''	801	preStart = ''
796	for f in /etc/dovecot/sieve_flag.d/.sieve /etc/dovecot/sieve_before.d/.sieve; do	802	for f in /etc/dovecot/sieve_flag.d/.sieve /etc/dovecot/sieve_before.d/.sieve; do
797	${getExe' pkgs.dovecot_pigeonhole "sievec"} $f	803	${getExe' pkgs.dovecot_pigeonhole "sievec"} $f