From 1ce9a1358c28e80725fa915517e3c7de7146dd43 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Thu, 5 May 2022 14:16:14 +0200
Subject: ...
---
 hosts/surtr/email/default.nix | 101 ++++++++++++------------------------------
 1 file changed, 28 insertions(+), 73 deletions(-)
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 49f156eb..da1c005d 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -2,34 +2,7 @@ with lib;
-let
- postfix_map = tableType: tableName: "${tableType}:/run/postfix/maps/${tableName}";
- postfix_hash = postfix_map "hash";
-in {
- options = {
- services.postfix.mapFilesRun = mkOption {
- type = types.attrsOf (types.either types.path (types.submodule {
- options = {
- type = mkOption {
- type = types.str;
- default = "hash";
- };
-
- path = mkOption {
- type = types.nullOr types.path;
- default = null;
- };
-
- text = mkOption {
- type = types.nullOr types.lines;
- default = null;
- };
- };
- }));
- default = {};
- };
- };
-
+{
 config = {
 services.postfix = {
 enable = true;
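Review bot: Removing the `services.postfix.mapFilesRun` option declaration in this hunk means any assignment to it that still exists elsewhere in the configuration becomes an evaluation error (undefined option) rather than a silent no-op. The diffstat shows only this file changed, so this is only a concern if other hosts or modules set the option, which cannot be seen from here; worth a quick grep before merging. The `{ config = { … } }` attribute set opened by the added `+{` line continues past the end of this hunk.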
@@ -41,25 +14,9 @@ in {
 sslCert = "/run/credentials/postfix.service/surtr.yggdrasil.li.pem";
 sslKey = "/run/credentials/postfix.service/surtr.yggdrasil.li.key.pem";
 networks = ["127.0.0.0/8" "[::ffff:127.0.0.0]/104" "[::1]/128" "10.141.0.0/16"];
- mapFilesRun = {
- "relay_ccert" = { text = ""; };
- "sni" = { text = ''
- bouncy.email /run/credentials/postfix.service/bouncy.email.sni.pem
- mailin.bouncy.email /run/credentials/postfix.service/mailin.bouncy.email.sni.pem
- mailsub.bouncy.email /run/credentials/postfix.service/mailsub.bouncy.email.sni.pem
- .bouncy.email /run/credentials/postfix.service/bouncy.email.sni.pem
- '';};
- "esmtp_access" = { type = "cidr"; text = ''
- # Allow DSN requests from local subnet only
- 192.168.0.0/16 silent-discard
- 172.16.0.0/12 silent-discard
- 10.0.0.0/8 silent-discard
- 0.0.0.0/0 silent-discard, dsn
- fd00::/8 silent-discard
- ::/0 silent-discard, dsn
- '';};
- };
- config = {
+ config = let
+ relay_ccert = "texthash:${pkgs.writeText "relay_ccert" ""}";
+ in {
 #the dh params
 smtpd_tls_dh1024_param_file = toString config.security.dhparams.params."postfix-1024".path;
 smtpd_tls_dh512_param_file = toString config.security.dhparams.params."postfix-512".path;
@@ -89,7 +46,12 @@ in {
 smtp_tls_security_level = "dane";
 smtp_dns_support_level = "dnssec";
- tls_server_sni_maps = postfix_hash "sni";
+ tls_server_sni_maps = ''cidr:${pkgs.writeText "sni" ''
+ bouncy.email /run/credentials/postfix.service/bouncy.email.sni.pem
+ mailin.bouncy.email /run/credentials/postfix.service/mailin.bouncy.email.sni.pem
+ mailsub.bouncy.email /run/credentials/postfix.service/mailsub.bouncy.email.sni.pem
+ .bouncy.email /run/credentials/postfix.service/bouncy.email.sni.pem
+ ''}'';
 local_recipient_maps = "";
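Review bot: The rebuilt SNI map on the `tls_server_sni_maps` line is declared as a `cidr:` table, but its keys are hostnames (`bouncy.email`, `.bouncy.email`), not network/mask patterns; the line it replaces looked the names up through a `hash:` table. A cidr table cannot parse those keys, so Postfix would presumably warn about them and ignore the entries, and clients sending those SNI names would be served the default `surtr.yggdrasil.li` certificate — a silent name-mismatch regression for the `bouncy.email` domains that DANE/MTA-STS-enforcing senders would notice before anyone reads the log. The same postmap-free table type already chosen for `relay_ccert` in the previous hunk keeps the old lookup semantics: `tls_server_sni_maps = ''texthash:${pkgs.writeText "sni" ''`. The enclosing `config = let … in { … }` set starts in the previous hunk and ends outside this one.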
@@ -107,7 +69,7 @@ in {
 "reject_non_fqdn_recipient"
 "reject_unknown_recipient_domain"
 "permit_mynetworks"
- "check_ccert_access ${postfix_hash "relay_ccert"}"
+ "check_ccert_access ${relay_ccert}"
 "reject_non_fqdn_helo_hostname"
 "reject_invalid_helo_hostname"
 "reject_unauth_destination"
@@ -117,7 +79,7 @@ in {
 smtpd_relay_restrictions = [
 "permit_mynetworks"
- "check_ccert_access ${postfix_hash "relay_ccert"}"
+ "check_ccert_access ${relay_ccert}"
 "reject_unauth_destination"
 ];
@@ -137,7 +99,15 @@ in {
 maximal_queue_lifetime = "100m";
 bounce_queue_lifetime = "20m";
- smtpd_discard_ehlo_keyword_address_maps = postfix_map "cidr" "esmtp_access";
+ smtpd_discard_ehlo_keyword_address_maps = "cidr:${pkgs.writeText "esmtp_access" ''
+ # Allow DSN requests from local subnet only
+ 192.168.0.0/16 silent-discard
+ 172.16.0.0/12 silent-discard
+ 10.0.0.0/8 silent-discard
+ 0.0.0.0/0 silent-discard, dsn
+ fd00::/8 silent-discard
+ ::/0 silent-discard, dsn
+ ''}";
 sender_canonical_maps = "tcp:localhost:${toString config.services.postsrsd.forwardPort}";
 sender_canonical_classes = "envelope_sender";
@@ -204,27 +174,12 @@ in {
 "surtr.yggdrasil.li" = {};
 };
- systemd.services.postfix = {
- preStart = concatStringsSep "\n" (mapAttrsToList (to: from: let
- cont = {type, path, text}: assert !(isNull path && isNull text); let
- path' = if isNull path then pkgs.writeText to text else path;
- in ''
- ln -sf ${path'} /run/postfix/maps/${to}
- postmap ${type}:/run/postfix/maps/${to}
- '';
- in if builtins.isPath from then cont { path = from; } else cont from
- ) config.services.postfix.mapFilesRun);
-
- serviceConfig = {
- RuntimeDirectory = ["postfix/maps"];
- LoadCredential = [
- "surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem"
- "surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem"
- "bouncy.email.sni.pem:${config.security.acme.certs."bouncy.email".directory}/sni.pem"
- "mailin.bouncy.email.sni.pem:${config.security.acme.certs."mailin.bouncy.email".directory}/sni.pem"
- "mailsub.bouncy.email.sni.pem:${config.security.acme.certs."mailsub.bouncy.email".directory}/sni.pem"
- ];
- };
- };
+ systemd.services.postfix.serviceConfig.LoadCredential = [
+ "surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem"
+ "surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem"
+ "bouncy.email.sni.pem:${config.security.acme.certs."bouncy.email".directory}/sni.pem"
+ "mailin.bouncy.email.sni.pem:${config.security.acme.certs."mailin.bouncy.email".directory}/sni.pem"
+ "mailsub.bouncy.email.sni.pem:${config.security.acme.certs."mailsub.bouncy.email".directory}/sni.pem"
+ ];
 };
 }
-- 
cgit v1.2.3