Diffstat (limited to 'hosts/surtr/email')
| -rw-r--r-- | hosts/surtr/email/default.nix | 70 | 
1 files changed, 60 insertions, 10 deletions
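--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -59,6 +59,7 @@ in {
 
 services.postfix = {
 enable = true;
+enableSmtp = false;
 hostname = "surtr.yggdrasil.li";
 recipientDelimiter = "";
 setSendmail = true;
@@ -66,20 +67,22 @@ in {
 destination = [];
 sslCert = "/run/credentials/postfix.service/surtr.yggdrasil.li.pem";
 sslKey = "/run/credentials/postfix.service/surtr.yggdrasil.li.key.pem";
-networks = ["127.0.0.0/8" "[::ffff:127.0.0.0]/104" "[::1]/128" "10.141.0.0/16"];
+networks = [];
 config = let
 relay_ccert = "texthash:${pkgs.writeText "relay_ccert" ""}";
 in {
+smtpd_tls_security_level = "may";
+
 #the dh params
 smtpd_tls_dh1024_param_file = toString config.security.dhparams.params."postfix-1024".path;
 smtpd_tls_dh512_param_file = toString config.security.dhparams.params."postfix-512".path;
 #enable ECDH
 smtpd_tls_eecdh_grade = "strong";
 #enabled SSL protocols, don't allow SSLv2 and SSLv3
-smtpd_tls_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" "!TLSv1.2"];
-smtpd_tls_mandatory_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" "!TLSv1.2"];
+smtpd_tls_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1"];
+smtpd_tls_mandatory_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1"];
 #allowed ciphers for smtpd_tls_security_level=encrypt
-smtpd_tls_mandatory_ciphers = "high";
+smtpd_tls_mandatory_ciphers = "medium";
 #allowed ciphers for smtpd_tls_security_level=may
 #smtpd_tls_ciphers = high
 #enforce the server cipher preference
@@ -92,6 +95,7 @@ in {
 smtpd_tls_loglevel = "1";
 #enable TLS logging to see the ciphers for outbound connections
 smtp_tls_loglevel = "1";
+tls_medium_cipherlist = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
 
 smtpd_tls_received_header = true;
 
@@ -101,6 +105,8 @@ in {
 smtp_tls_security_level = "dane";
 smtp_dns_support_level = "dnssec";
 
+smtp_tls_connection_reuse = true;
+
 tls_server_sni_maps = ''texthash:${pkgs.writeText "sni" ''
 bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem
 mailin.bouncy.email /run/credentials/postfix.service/mailin.bouncy.email.full.pem
@@ -130,7 +136,6 @@ in {
 dbname = email
 query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s'
 ''}"
-"permit_mynetworks"
 "check_ccert_access ${relay_ccert}"
 "reject_non_fqdn_helo_hostname"
 "reject_invalid_helo_hostname"
@@ -149,14 +154,15 @@ in {
 address_verify_poll_delay = "1s";
 
 smtpd_relay_restrictions = [
-"permit_mynetworks"
 "check_ccert_access ${relay_ccert}"
 "reject_unauth_destination"
 ];
 
 propagate_unmatched_extensions = ["canonical" "virtual" "alias"];
-smtpd_authorized_verp_clients = "$authorized_verp_clients";
-authorized_verp_clients = "$mynetworks";
+smtpd_authorized_verp_clients = "";
+authorized_verp_clients = "";
+
+smtpd_client_event_limit_exceptions = "";
 
 milter_default_action = "accept";
 smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock"];
@@ -197,6 +203,12 @@ in {
 ''}'';
 dvlmtp_destination_recipient_limit = "1";
 virtual_transport = "dvlmtp:unix:/run/postfix/dovecot-lmtp";
+
+authorized_submit_users = "inline:{ root= postfwd= }";
+
+postscreen_access_list = "";
+postscreen_denylist_action = "drop";
+postscreen_greet_action = "enforce";
 };
 masterConfig = {
 smtps = {
@@ -204,6 +216,14 @@ in {
 private = false;
 command = "smtpd";
 args = [
+"-o" "smtpd_tls_security_level=encrypt"
+"-o" "{smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}"
+"-o" "{smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}"
+"-o" "smtpd_tls_mandatory_ciphers=high"
+"-o" "smtpd_tls_dh1024_param_file=${toString config.security.dhparams.params."postfix-smtps-1024".path}"
+"-o" "smtpd_tls_dh512_param_file=${toString config.security.dhparams.params."postfix-smtps-512".path}"
+"-o" "{tls_eecdh_auto_curves = X25519 X448}"
+
 "-o" "smtpd_tls_wrappermode=yes"
 "-o" "smtpd_tls_ask_ccert=yes"
 "-o" "smtpd_tls_req_ccert=yes"
@@ -224,6 +244,27 @@ in {
 "flags=DORX"
 ];
 };
+smtp_pass = {
+name = "smtpd";
+type = "pass";
+command = "smtpd";
+};
+postscreen = {
+name = "smtp";
+type = "inet";
+private = false;
+command = "postscreen";
+maxproc = 1;
+};
+smtp = {};
+relay = {
+command = "smtp";
+args = [ "-o" "smtp_fallback_relay=" ];
+};
+tlsproxy = {
+maxproc = 0;
+};
+dnsblog = {};
 };
 };
 
@@ -596,6 +637,9 @@ in {
 params = {
 "postfix-512".bits = 512;
 "postfix-1024".bits = 2048;
+
+"postfix-smtps-512".bits = 512;
+"postfix-smtps-1024".bits = 2048;
 };
 };
 
@@ -800,8 +844,14 @@ in {
 services.postfwd = {
 enable = true;
 rules = ''
-id=RCPT01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/100/3600/450 4.7.1 Exceeding maximum of 100 recipients per hour [$$ratecount])
-id=RCPT02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/1000/86400/450 4.7.1 Exceeding maximum of 1000 recipients per day [$$ratecount])
+id=RCPT01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/100/3600/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=100,HIT_RATELIMIT_INTERVAL=3600))
+id=RCPT02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/1000/86400/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=1000,HIT_RATELIMIT_INTERVAL=86400))
+
+id=JUMP_REJECT_RL; HIT_RATELIMIT=="1"; action=jump(REJECT_RL)
+
+id=EOF; action=DUNNO
+
+id=REJECT_RL; action=450 4.7.1 Exceeding maximum of $$HIT_RATELIMIT_LIMIT recipients per $$HIT_RATELIMIT_INTERVAL seconds [$$HIT_RATECOUNT]
 '';
 };
 };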
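Review bot: The `tls_medium_cipherlist` override added at new line 98 narrows every TLS 1.2 negotiation this instance performs, not only the mandatory ones — Postfix's defaults for `smtpd_tls_ciphers`, `smtp_tls_ciphers` and `smtp_tls_mandatory_ciphers` are all "medium", and TLS 1.3 suites are not governed by this list at all. Together with `smtpd_tls_security_level = "may"` and TLSv1.2 being re-enabled in the preceding hunk, a legacy peer that only offers RSA-kx or CBC suites now fails the handshake and, for opportunistic traffic in either direction, typically ends up in cleartext instead of on a weaker-but-encrypted suite, which is the reason the Postfix documentation warns against tightening the medium grade. Note also that `smtpd_tls_mandatory_ciphers = "medium"` has no effect at level "may", so the `#allowed ciphers for smtpd_tls_security_level=encrypt` comment above it no longer describes anything in main.cf (the smtps service sets its own `high` anyway). I would keep the curated list but apply it only where TLS is mandatory, e.g. `tls_high_cipherlist = "ECDHE-ECDSA-AES128-GCM-SHA256:…:DHE-RSA-AES256-GCM-SHA384";` plus `smtp_tls_mandatory_ciphers = "high";` for the DANE client, and leave `tls_medium_cipherlist` at its default. The `config = let … in { … }` attrset these settings live in starts and ends outside this hunk.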
