diff options
Diffstat (limited to 'hosts/surtr')
-rw-r--r-- | hosts/surtr/dns/zones/email.bouncy.soa | 10 | ||||
-rw-r--r-- | hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py | 35 | ||||
-rw-r--r-- | hosts/surtr/email/default.nix | 144 | ||||
-rw-r--r-- | hosts/surtr/postgresql/default.nix | 14 | ||||
-rw-r--r-- | hosts/surtr/ruleset.nft | 37 | ||||
-rw-r--r-- | hosts/surtr/vpn/default.nix | 9 | ||||
-rw-r--r-- | hosts/surtr/zfs.nix | 9 |
7 files changed, 212 insertions, 46 deletions
diff --git a/hosts/surtr/dns/zones/email.bouncy.soa b/hosts/surtr/dns/zones/email.bouncy.soa index 40e4b78b..2b319a93 100644 --- a/hosts/surtr/dns/zones/email.bouncy.soa +++ b/hosts/surtr/dns/zones/email.bouncy.soa | |||
@@ -1,7 +1,7 @@ | |||
1 | $ORIGIN bouncy.email. | 1 | $ORIGIN bouncy.email. |
2 | $TTL 3600 | 2 | $TTL 3600 |
3 | @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li ( | 3 | @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li ( |
4 | 2023020101 ; serial | 4 | 2024070901 ; serial |
5 | 10800 ; refresh | 5 | 10800 ; refresh |
6 | 3600 ; retry | 6 | 3600 ; retry |
7 | 604800 ; expire | 7 | 604800 ; expire |
@@ -41,10 +41,10 @@ mailin IN MX 0 mailin.bouncy.email. | |||
41 | mailin IN TXT "v=spf1 redirect=bouncy.email" | 41 | mailin IN TXT "v=spf1 redirect=bouncy.email" |
42 | _acme-challenge.mailin IN NS ns.yggdrasil.li. | 42 | _acme-challenge.mailin IN NS ns.yggdrasil.li. |
43 | 43 | ||
44 | _25._tcp.mailin IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10 | 44 | ; _25._tcp.mailin IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10 |
45 | _25._tcp.mailin IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270 | 45 | ; _25._tcp.mailin IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270 |
46 | _25._tcp.mailin IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d | 46 | ; _25._tcp.mailin IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d |
47 | _25._tcp.mailin IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03 | 47 | ; _25._tcp.mailin IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03 |
48 | 48 | ||
49 | mailsub IN A 202.61.241.61 | 49 | mailsub IN A 202.61.241.61 |
50 | mailsub IN AAAA 2a03:4000:52:ada:: | 50 | mailsub IN AAAA 2a03:4000:52:ada:: |
diff --git a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py index f481090c..00182523 100644 --- a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py +++ b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py | |||
@@ -27,20 +27,27 @@ class PolicyHandler(StreamRequestHandler): | |||
27 | logger.info('Connection parameters: %s', self.args) | 27 | logger.info('Connection parameters: %s', self.args) |
28 | 28 | ||
29 | allowed = False | 29 | allowed = False |
30 | with self.server.db_pool.connection() as conn: | 30 | user = None |
31 | local, domain = self.args['sender'].split(sep='@', maxsplit=1) | 31 | if self.args['sasl_username']: |
32 | extension = None | 32 | user = self.args['sasl_username'] |
33 | if '+' in local: | 33 | if self.args['ccert_subject']: |
34 | local, extension = local.split(sep='+', maxsplit=1) | 34 | user = self.args['ccert_subject'] |
35 | 35 | ||
36 | logger.debug('Parsed address: %s', {'local': local, 'extension': extension, 'domain': domain}) | 36 | if user: |
37 | 37 | with self.server.db_pool.connection() as conn: | |
38 | with conn.cursor() as cur: | 38 | local, domain = self.args['sender'].split(sep='@', maxsplit=1) |
39 | cur.row_factory = namedtuple_row | 39 | extension = None |
40 | cur.execute('SELECT "mailbox"."mailbox" as "user", "local", "extension", "domain" FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s', params = {'user': self.args['ccert_subject'], 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True) | 40 | if '+' in local: |
41 | for record in cur: | 41 | local, extension = local.split(sep='+', maxsplit=1) |
42 | logger.debug('Received result: %s', record) | 42 | |
43 | allowed = True | 43 | logger.debug('Parsed address: %s', {'local': local, 'extension': extension, 'domain': domain}) |
44 | |||
45 | with conn.cursor() as cur: | ||
46 | cur.row_factory = namedtuple_row | ||
47 | cur.execute('SELECT "mailbox"."mailbox" as "user", "local", "extension", "domain" FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True) | ||
48 | for record in cur: | ||
49 | logger.debug('Received result: %s', record) | ||
50 | allowed = True | ||
44 | 51 | ||
45 | action = '550 5.7.0 Sender address not authorized for current user' | 52 | action = '550 5.7.0 Sender address not authorized for current user' |
46 | if allowed: | 53 | if allowed: |
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index bb0f6e20..c10f611f 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix | |||
@@ -32,9 +32,63 @@ let | |||
32 | }); | 32 | }); |
33 | }; | 33 | }; |
34 | 34 | ||
35 | nftables-nologin-script = pkgs.writeScript "nftables-mail-nologin" '' | ||
36 | #!${pkgs.zsh}/bin/zsh | ||
37 | |||
38 | set -e | ||
39 | export PATH="${lib.makeBinPath (with pkgs; [inetutils nftables])}:$PATH" | ||
40 | |||
41 | typeset -a as_sets mnt_bys route route6 | ||
42 | as_sets=(${lib.escapeShellArgs config.services.email.nologin.ASSets}) | ||
43 | mnt_bys=(${lib.escapeShellArgs config.services.email.nologin.MNTBys}) | ||
44 | |||
45 | for as_set in $as_sets; do | ||
46 | while IFS=$'\n' read line; do | ||
47 | if [[ "''${line}" =~ "^route:\s+(.+)$" ]]; then | ||
48 | route+=($match[1]) | ||
49 | elif [[ "''${line}" =~ "^route6:\s+(.+)$" ]]; then | ||
50 | route6+=($match[1]) | ||
51 | fi | ||
52 | done < <(whois -h whois.radb.net "!i''${as_set},1" | egrep -o 'AS[0-9]+' | xargs -- whois -h whois.radb.net -- -i origin) | ||
53 | done | ||
54 | for mnt_by in $mnt_bys; do | ||
55 | while IFS=$'\n' read line; do | ||
56 | if [[ "''${line}" =~ "^route:\s+(.+)$" ]]; then | ||
57 | route+=($match[1]) | ||
58 | elif [[ "''${line}" =~ "^route6:\s+(.+)$" ]]; then | ||
59 | route6+=($match[1]) | ||
60 | fi | ||
61 | done < <(whois -h whois.radb.net "!o''${mnt_by}") | ||
62 | done | ||
63 | |||
64 | printf -v elements4 '%s,' "''${route[@]}" | ||
65 | elements4=''${elements4%,} | ||
66 | printf -v elements6 '%s,' "''${route6[@]}" | ||
67 | elements6=''${elements6%,} | ||
68 | nft -f - <<EOF | ||
69 | flush set inet filter mail_nologin4 | ||
70 | flush set inet filter mail_nologin6 | ||
71 | add element inet filter mail_nologin4 {''${elements4}} | ||
72 | add element inet filter mail_nologin6 {''${elements6}} | ||
73 | EOF | ||
74 | ''; | ||
75 | |||
35 | spmDomains = ["bouncy.email"]; | 76 | spmDomains = ["bouncy.email"]; |
36 | emailDomains = spmDomains ++ ["kleen.consulting"]; | 77 | emailDomains = spmDomains ++ ["kleen.consulting"]; |
37 | in { | 78 | in { |
79 | options = { | ||
80 | services.email.nologin = { | ||
81 | ASSets = mkOption { | ||
82 | type = types.listOf types.str; | ||
83 | default = []; | ||
84 | }; | ||
85 | MNTBys = mkOption { | ||
86 | type = types.listOf types.str; | ||
87 | default = []; | ||
88 | }; | ||
89 | }; | ||
90 | }; | ||
91 | |||
38 | config = { | 92 | config = { |
39 | nixpkgs.overlays = [ | 93 | nixpkgs.overlays = [ |
40 | (final: prev: { | 94 | (final: prev: { |
@@ -167,6 +221,7 @@ in { | |||
167 | maximal_backoff_time = "10m"; | 221 | maximal_backoff_time = "10m"; |
168 | maximal_queue_lifetime = "100m"; | 222 | maximal_queue_lifetime = "100m"; |
169 | bounce_queue_lifetime = "20m"; | 223 | bounce_queue_lifetime = "20m"; |
224 | delay_warning_time = "10m"; | ||
170 | 225 | ||
171 | smtpd_discard_ehlo_keyword_address_maps = "cidr:${pkgs.writeText "esmtp_access" '' | 226 | smtpd_discard_ehlo_keyword_address_maps = "cidr:${pkgs.writeText "esmtp_access" '' |
172 | # Allow DSN requests from local subnet only | 227 | # Allow DSN requests from local subnet only |
@@ -204,17 +259,15 @@ in { | |||
204 | postscreen_greet_action = "enforce"; | 259 | postscreen_greet_action = "enforce"; |
205 | }; | 260 | }; |
206 | masterConfig = { | 261 | masterConfig = { |
207 | smtps = { | 262 | "465" = { |
208 | type = "inet"; | 263 | type = "inet"; |
209 | private = false; | 264 | private = false; |
210 | command = "smtpd"; | 265 | command = "smtpd -v"; |
211 | args = [ | 266 | args = [ |
212 | "-o" "smtpd_tls_security_level=encrypt" | 267 | "-o" "smtpd_tls_security_level=encrypt" |
213 | "-o" "{smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}" | 268 | "-o" "{smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}" |
214 | "-o" "{smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}" | 269 | "-o" "{smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}" |
215 | "-o" "smtpd_tls_mandatory_ciphers=high" | 270 | "-o" "smtpd_tls_mandatory_ciphers=high" |
216 | "-o" "smtpd_tls_dh1024_param_file=${toString config.security.dhparams.params."postfix-smtps-1024".path}" | ||
217 | "-o" "smtpd_tls_dh512_param_file=${toString config.security.dhparams.params."postfix-smtps-512".path}" | ||
218 | "-o" "{tls_eecdh_auto_curves = X25519 X448}" | 271 | "-o" "{tls_eecdh_auto_curves = X25519 X448}" |
219 | 272 | ||
220 | "-o" "smtpd_tls_wrappermode=yes" | 273 | "-o" "smtpd_tls_wrappermode=yes" |
@@ -223,22 +276,52 @@ in { | |||
223 | "-o" "smtpd_tls_received_header=no" | 276 | "-o" "smtpd_tls_received_header=no" |
224 | "-o" "cleanup_service_name=subcleanup" | 277 | "-o" "cleanup_service_name=subcleanup" |
225 | "-o" "smtpd_client_restrictions=permit_tls_all_clientcerts,reject" | 278 | "-o" "smtpd_client_restrictions=permit_tls_all_clientcerts,reject" |
226 | "-o" "{smtpd_data_restrictions = check_policy_service unix:/run/postfwd3/postfwd3.sock}" | ||
227 | "-o" "smtpd_relay_restrictions=permit_tls_all_clientcerts,reject" | ||
228 | "-o" "{smtpd_sender_restrictions = reject_unknown_sender_domain,reject_unverified_sender,check_policy_service unix:/run/postfix-ccert-sender-policy.sock}" | 279 | "-o" "{smtpd_sender_restrictions = reject_unknown_sender_domain,reject_unverified_sender,check_policy_service unix:/run/postfix-ccert-sender-policy.sock}" |
280 | "-o" ''{smtpd_recipient_restrictions=reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,check_recipient_access pgsql:${pkgs.writeText "check_recipient_access.cf" '' | ||
281 | hosts = postgresql:///email | ||
282 | dbname = email | ||
283 | query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s' OR (lookup = regexp_replace('%s', '\+[^@]*@', '@') AND NOT EXISTS (SELECT 1 FROM virtual_mailbox_access WHERE lookup = '%s')) | ||
284 | ''},permit_tls_all_clientcerts,reject}'' | ||
285 | "-o" "smtpd_relay_restrictions=permit_tls_all_clientcerts,reject" | ||
286 | "-o" "{smtpd_data_restrictions = check_policy_service unix:/run/postfwd3/postfwd3.sock}" | ||
229 | "-o" "unverified_sender_reject_code=550" | 287 | "-o" "unverified_sender_reject_code=550" |
230 | "-o" "unverified_sender_reject_reason={Sender address rejected: undeliverable address}" | 288 | "-o" "unverified_sender_reject_reason={Sender address rejected: undeliverable address}" |
289 | "-o" "milter_macro_daemon_name=surtr.yggdrasil.li" | ||
290 | "-o" ''smtpd_milters=${config.services.opendkim.socket}'' | ||
291 | ]; | ||
292 | }; | ||
293 | "466" = { | ||
294 | type = "inet"; | ||
295 | private = false; | ||
296 | command = "smtpd -v"; | ||
297 | args = [ | ||
298 | "-o" "smtpd_tls_security_level=encrypt" | ||
299 | |||
300 | "-o" "smtpd_tls_wrappermode=yes" | ||
301 | "-o" "smtpd_tls_ask_ccert=no" | ||
302 | "-o" "smtpd_tls_req_ccert=no" | ||
303 | "-o" "smtpd_sasl_type=dovecot" | ||
304 | "-o" "smtpd_sasl_path=/run/dovecot-sasl" | ||
305 | "-o" "smtpd_sasl_auth_enable=yes" | ||
306 | "-o" "smtpd_tls_received_header=no" | ||
307 | "-o" "cleanup_service_name=subcleanup" | ||
308 | "-o" "smtpd_client_restrictions=permit_sasl_authenticated,reject" | ||
309 | "-o" "{smtpd_sender_restrictions = reject_unknown_sender_domain,reject_unverified_sender,check_policy_service unix:/run/postfix-ccert-sender-policy.sock}" | ||
231 | "-o" ''{smtpd_recipient_restrictions=reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,check_recipient_access pgsql:${pkgs.writeText "check_recipient_access.cf" '' | 310 | "-o" ''{smtpd_recipient_restrictions=reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,check_recipient_access pgsql:${pkgs.writeText "check_recipient_access.cf" '' |
232 | hosts = postgresql:///email | 311 | hosts = postgresql:///email |
233 | dbname = email | 312 | dbname = email |
234 | query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s' OR (lookup = regexp_replace('%s', '\+[^@]*@', '@') AND NOT EXISTS (SELECT 1 FROM virtual_mailbox_access WHERE lookup = '%s')) | 313 | query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s' OR (lookup = regexp_replace('%s', '\+[^@]*@', '@') AND NOT EXISTS (SELECT 1 FROM virtual_mailbox_access WHERE lookup = '%s')) |
235 | ''},permit_tls_all_clientcerts,reject}'' | 314 | ''},permit_sasl_authenticated,reject}'' |
315 | "-o" "smtpd_relay_restrictions=permit_sasl_authenticated,reject" | ||
316 | "-o" "{smtpd_data_restrictions = check_policy_service unix:/run/postfwd3/postfwd3.sock}" | ||
317 | "-o" "unverified_sender_reject_code=550" | ||
318 | "-o" "unverified_sender_reject_reason={Sender address rejected: undeliverable address}" | ||
236 | "-o" "milter_macro_daemon_name=surtr.yggdrasil.li" | 319 | "-o" "milter_macro_daemon_name=surtr.yggdrasil.li" |
237 | "-o" ''smtpd_milters=${config.services.opendkim.socket}'' | 320 | "-o" ''smtpd_milters=${config.services.opendkim.socket}'' |
238 | ]; | 321 | ]; |
239 | }; | 322 | }; |
240 | subcleanup = { | 323 | subcleanup = { |
241 | command = "cleanup"; | 324 | command = "cleanup -v"; |
242 | private = false; | 325 | private = false; |
243 | maxproc = 0; | 326 | maxproc = 0; |
244 | args = [ | 327 | args = [ |
@@ -256,13 +339,13 @@ in { | |||
256 | smtp_pass = { | 339 | smtp_pass = { |
257 | name = "smtpd"; | 340 | name = "smtpd"; |
258 | type = "pass"; | 341 | type = "pass"; |
259 | command = "smtpd"; | 342 | command = "smtpd -v"; |
260 | }; | 343 | }; |
261 | postscreen = { | 344 | postscreen = { |
262 | name = "smtp"; | 345 | name = "smtp"; |
263 | type = "inet"; | 346 | type = "inet"; |
264 | private = false; | 347 | private = false; |
265 | command = "postscreen"; | 348 | command = "postscreen -v"; |
266 | maxproc = 1; | 349 | maxproc = 1; |
267 | }; | 350 | }; |
268 | smtp = {}; | 351 | smtp = {}; |
@@ -417,7 +500,7 @@ in { | |||
417 | dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" '' | 500 | dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" '' |
418 | driver = pgsql | 501 | driver = pgsql |
419 | connect = dbname=email | 502 | connect = dbname=email |
420 | password_query = SELECT NULL as password, 'Y' as nopassword, "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n' | 503 | password_query = SELECT (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN NULL ELSE "password" END) as password, (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN true WHEN password IS NULL THEN true ELSE NULL END) as nopassword, "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n' |
421 | user_query = SELECT "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n' | 504 | user_query = SELECT "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n' |
422 | iterate_query = SELECT "user" FROM imap_user | 505 | iterate_query = SELECT "user" FROM imap_user |
423 | ''; | 506 | ''; |
@@ -449,7 +532,7 @@ in { | |||
449 | 532 | ||
450 | auth_ssl_username_from_cert = yes | 533 | auth_ssl_username_from_cert = yes |
451 | ssl_cert_username_field = commonName | 534 | ssl_cert_username_field = commonName |
452 | auth_mechanisms = external | 535 | auth_mechanisms = plain login external |
453 | 536 | ||
454 | auth_verbose = yes | 537 | auth_verbose = yes |
455 | verbose_ssl = yes | 538 | verbose_ssl = yes |
@@ -505,6 +588,15 @@ in { | |||
505 | group = postfix | 588 | group = postfix |
506 | } | 589 | } |
507 | } | 590 | } |
591 | service auth { | ||
592 | vsz_limit = 2G | ||
593 | |||
594 | unix_listener /run/dovecot-sasl { | ||
595 | mode = 0600 | ||
596 | user = postfix | ||
597 | group = postfix | ||
598 | } | ||
599 | } | ||
508 | 600 | ||
509 | namespace inbox { | 601 | namespace inbox { |
510 | separator = / | 602 | separator = / |
@@ -869,9 +961,13 @@ in { | |||
869 | 961 | ||
870 | services.postfwd = { | 962 | services.postfwd = { |
871 | enable = true; | 963 | enable = true; |
964 | cache = false; | ||
872 | rules = '' | 965 | rules = '' |
873 | id=RCPT01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/100/3600/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=100,HIT_RATELIMIT_INTERVAL=3600)) | 966 | id=RCPT_SASL01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; sasl_username!=; action=rcpt(sasl_username/100/3600/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=100,HIT_RATELIMIT_INTERVAL=3600)) |
874 | id=RCPT02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/1000/86400/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=1000,HIT_RATELIMIT_INTERVAL=86400)) | 967 | id=RCPT_SASL02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; sasl_username!=; action=rcpt(sasl_username/1000/86400/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=1000,HIT_RATELIMIT_INTERVAL=86400)) |
968 | |||
969 | id=RCPT_CCERT01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; ccert_subject!=; action=rcpt(ccert_subject/100/3600/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=100,HIT_RATELIMIT_INTERVAL=3600)) | ||
970 | id=RCPT_CCERT02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; ccert_subject!=; action=rcpt(ccert_subject/1000/86400/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=1000,HIT_RATELIMIT_INTERVAL=86400)) | ||
875 | 971 | ||
876 | id=JUMP_REJECT_RL; HIT_RATELIMIT=="1"; action=jump(REJECT_RL) | 972 | id=JUMP_REJECT_RL; HIT_RATELIMIT=="1"; action=jump(REJECT_RL) |
877 | 973 | ||
@@ -880,5 +976,25 @@ in { | |||
880 | id=REJECT_RL; action=450 4.7.1 Exceeding maximum of $$HIT_RATELIMIT_LIMIT recipients per $$HIT_RATELIMIT_INTERVAL seconds [$$HIT_RATECOUNT] | 976 | id=REJECT_RL; action=450 4.7.1 Exceeding maximum of $$HIT_RATELIMIT_LIMIT recipients per $$HIT_RATELIMIT_INTERVAL seconds [$$HIT_RATECOUNT] |
881 | ''; | 977 | ''; |
882 | }; | 978 | }; |
979 | |||
980 | services.email.nologin.MNTBys = ["MICROSOFT-MAINT"]; | ||
981 | systemd.services.nftables.serviceConfig = { | ||
982 | ExecStart = lib.mkAfter [ nftables-nologin-script ]; | ||
983 | ExecReload = lib.mkAfter [ nftables-nologin-script ]; | ||
984 | }; | ||
985 | systemd.services."nftables-mail-nologin" = { | ||
986 | serviceConfig = { | ||
987 | Type = "oneshot"; | ||
988 | ExecStart = nftables-nologin-script; | ||
989 | }; | ||
990 | }; | ||
991 | systemd.timers."nftables-mail-nologin" = { | ||
992 | wantedBy = [ "nftables.service" ]; | ||
993 | |||
994 | timerConfig = { | ||
995 | OnActiveSec = "20h"; | ||
996 | RandomizedDelaySec = "8h"; | ||
997 | }; | ||
998 | }; | ||
883 | }; | 999 | }; |
884 | } | 1000 | } |
diff --git a/hosts/surtr/postgresql/default.nix b/hosts/surtr/postgresql/default.nix index f0e42ee8..583e4443 100644 --- a/hosts/surtr/postgresql/default.nix +++ b/hosts/surtr/postgresql/default.nix | |||
@@ -262,6 +262,20 @@ in { | |||
262 | 262 | ||
263 | GRANT DELETE ON "mailbox_mapping" TO "spm"; | 263 | GRANT DELETE ON "mailbox_mapping" TO "spm"; |
264 | COMMIT; | 264 | COMMIT; |
265 | |||
266 | BEGIN; | ||
267 | SELECT _v.register_patch('011-password', ARRAY['000-base'], null); | ||
268 | |||
269 | ALTER TABLE mailbox ADD COLUMN password text CONSTRAINT password_non_empty CHECK (password IS DISTINCT FROM '''); | ||
270 | COMMIT; | ||
271 | |||
272 | BEGIN; | ||
273 | SELECT _v.register_patch('012-imap-password', ARRAY['000-base', '002-citext'], null); | ||
274 | |||
275 | DROP VIEW imap_user; | ||
276 | CREATE VIEW imap_user ("user", "password", quota_rule) AS SELECT mailbox.mailbox AS "user", "password", quota_rule FROM mailbox_quota_rule INNER JOIN mailbox ON mailbox_quota_rule.mailbox = mailbox.mailbox; | ||
277 | |||
278 | COMMIT; | ||
265 | ''} | 279 | ''} |
266 | 280 | ||
267 | psql etebase postgres -eXf ${pkgs.writeText "etebase.sql" '' | 281 | psql etebase postgres -eXf ${pkgs.writeText "etebase.sql" '' |
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft index ee72614f..5c2bba7c 100644 --- a/hosts/surtr/ruleset.nft +++ b/hosts/surtr/ruleset.nft | |||
@@ -86,6 +86,7 @@ table inet filter { | |||
86 | 86 | ||
87 | counter established-rx {} | 87 | counter established-rx {} |
88 | 88 | ||
89 | counter reject-mail-nologin {} | ||
89 | counter reject-ratelimit-rx {} | 90 | counter reject-ratelimit-rx {} |
90 | counter reject-rx {} | 91 | counter reject-rx {} |
91 | counter reject-tcp-rx {} | 92 | counter reject-tcp-rx {} |
@@ -114,6 +115,17 @@ table inet filter { | |||
114 | 115 | ||
115 | counter tx {} | 116 | counter tx {} |
116 | 117 | ||
118 | set mail_nologin4 { | ||
119 | type ipv4_addr | ||
120 | flags interval | ||
121 | auto-merge | ||
122 | } | ||
123 | set mail_nologin6 { | ||
124 | type ipv6_addr | ||
125 | flags interval | ||
126 | auto-merge | ||
127 | } | ||
128 | |||
117 | chain forward { | 129 | chain forward { |
118 | type filter hook forward priority filter | 130 | type filter hook forward priority filter |
119 | policy drop | 131 | policy drop |
@@ -145,6 +157,14 @@ table inet filter { | |||
145 | counter name drop-fw | 157 | counter name drop-fw |
146 | } | 158 | } |
147 | 159 | ||
160 | chain reject_input { | ||
161 | limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop | ||
162 | log level debug prefix "reject input: " counter name reject-rx | ||
163 | meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset | ||
164 | ct state new counter name reject-icmp-rx reject | ||
165 | |||
166 | counter name drop-rx | ||
167 | } | ||
148 | chain input { | 168 | chain input { |
149 | type filter hook input priority filter | 169 | type filter hook input priority filter |
150 | policy drop | 170 | policy drop |
@@ -177,8 +197,11 @@ table inet filter { | |||
177 | udp dport {3478, 5349} counter name stun-rx accept | 197 | udp dport {3478, 5349} counter name stun-rx accept |
178 | udp dport 49000-50000 counter name turn-rx accept | 198 | udp dport 49000-50000 counter name turn-rx accept |
179 | 199 | ||
200 | tcp dport {465,466,993,4190} ip saddr @mail_nologin4 log prefix "mail nologin: " counter name reject-mail-nologin jump reject_input | ||
201 | tcp dport {465,466,993,4190} ip6 saddr @mail_nologin6 log prefix "mail nologin: " counter name reject-mail-nologin jump reject_input | ||
202 | |||
180 | tcp dport 25 counter name smtp-rx accept | 203 | tcp dport 25 counter name smtp-rx accept |
181 | tcp dport 465 counter name submissions-rx accept | 204 | tcp dport {465, 466} counter name submissions-rx accept |
182 | tcp dport 993 counter name imaps-rx accept | 205 | tcp dport 993 counter name imaps-rx accept |
183 | tcp dport 4190 counter name managesieve-rx accept | 206 | tcp dport 4190 counter name managesieve-rx accept |
184 | iifname yggdrasil tcp dport 8432 counter name pgbackrest-rx accept | 207 | iifname yggdrasil tcp dport 8432 counter name pgbackrest-rx accept |
@@ -186,13 +209,7 @@ table inet filter { | |||
186 | ct state {established, related} counter name established-rx accept | 209 | ct state {established, related} counter name established-rx accept |
187 | 210 | ||
188 | 211 | ||
189 | limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop | 212 | jump reject_input |
190 | log level debug prefix "reject input: " counter name reject-rx | ||
191 | meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset | ||
192 | ct state new counter name reject-icmp-rx reject | ||
193 | |||
194 | |||
195 | counter name drop-rx | ||
196 | } | 213 | } |
197 | 214 | ||
198 | chain output { | 215 | chain output { |
@@ -224,7 +241,7 @@ table inet filter { | |||
224 | udp sport 49000-50000 counter name turn-tx accept | 241 | udp sport 49000-50000 counter name turn-tx accept |
225 | 242 | ||
226 | tcp sport 25 counter name smtp-tx accept | 243 | tcp sport 25 counter name smtp-tx accept |
227 | tcp sport 465 counter name submissions-tx accept | 244 | tcp sport {465, 466} counter name submissions-tx accept |
228 | tcp sport 993 counter name imaps-tx accept | 245 | tcp sport 993 counter name imaps-tx accept |
229 | tcp sport 4190 counter name managesieve-tx accept | 246 | tcp sport 4190 counter name managesieve-tx accept |
230 | tcp sport 8432 counter name pgbackrest-tx accept | 247 | tcp sport 8432 counter name pgbackrest-tx accept |
@@ -232,4 +249,4 @@ table inet filter { | |||
232 | 249 | ||
233 | counter name tx | 250 | counter name tx |
234 | } | 251 | } |
235 | } \ No newline at end of file | 252 | } |
diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix index 1d31a6f2..3f7483bd 100644 --- a/hosts/surtr/vpn/default.nix +++ b/hosts/surtr/vpn/default.nix | |||
@@ -66,6 +66,15 @@ in { | |||
66 | 66 | ||
67 | systemd.network = { | 67 | systemd.network = { |
68 | netdevs = { | 68 | netdevs = { |
69 | upstream = { | ||
70 | netdevConfig = { | ||
71 | Name = "upstream"; | ||
72 | Kind = "ipvlan"; | ||
73 | }; | ||
74 | ipvlanConfig = { | ||
75 | Mode = "L2"; | ||
76 | }; | ||
77 | }; | ||
69 | vpn = { | 78 | vpn = { |
70 | netdevConfig = { | 79 | netdevConfig = { |
71 | Name = "vpn"; | 80 | Name = "vpn"; |
diff --git a/hosts/surtr/zfs.nix b/hosts/surtr/zfs.nix index 583ab8e1..17c5cd32 100644 --- a/hosts/surtr/zfs.nix +++ b/hosts/surtr/zfs.nix | |||
@@ -17,7 +17,7 @@ | |||
17 | fsType = "zfs"; | 17 | fsType = "zfs"; |
18 | neededForBoot = true; | 18 | neededForBoot = true; |
19 | }; | 19 | }; |
20 | 20 | ||
21 | "/var/lib/nixos" = | 21 | "/var/lib/nixos" = |
22 | { device = "surtr/local/var-lib-nixos"; | 22 | { device = "surtr/local/var-lib-nixos"; |
23 | fsType = "zfs"; | 23 | fsType = "zfs"; |
@@ -62,10 +62,13 @@ | |||
62 | }; | 62 | }; |
63 | 63 | ||
64 | services.zfssnap.enable = true; | 64 | services.zfssnap.enable = true; |
65 | services.zfs.trim.enable = false; | 65 | services.zfs.trim = { |
66 | enable = true; | ||
67 | interval = "Sun 16:00:00 Europe/Berlin"; | ||
68 | }; | ||
66 | services.zfs.autoScrub = { | 69 | services.zfs.autoScrub = { |
67 | enable = true; | 70 | enable = true; |
68 | interval = "Sun *-*-1..7 04:00:00"; | 71 | interval = "Sun *-*-1..7 04:00:00 Europe/Berlin"; |
69 | }; | 72 | }; |
70 | services.zfs.zed.settings = { | 73 | services.zfs.zed.settings = { |
71 | ZED_SYSLOG_SUBCLASS_EXCLUDE = "history_event"; | 74 | ZED_SYSLOG_SUBCLASS_EXCLUDE = "history_event"; |