From 59e54bd97f70711573d321f2d2aeee5da46bf95d Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 2 Oct 2022 18:46:48 +0200 Subject: ... --- accounts/gkleen@sif/zshrc | 68 +++++++++++++-------- hosts/surtr/default.nix | 2 +- hosts/surtr/email/default.nix | 70 ++++++++++++++++++---- modules/postfwd.nix | 19 +++++- .../spm/frontend/src/app/spm/spm.component.html | 5 +- .../spm/frontend/src/app/spm/spm.component.sass | 4 ++ overlays/spm/wordlist.txt | 1 - 7 files changed, 131 insertions(+), 38 deletions(-) diff --git a/accounts/gkleen@sif/zshrc b/accounts/gkleen@sif/zshrc index 1b7cc06c..bda73d76 100644 --- a/accounts/gkleen@sif/zshrc +++ b/accounts/gkleen@sif/zshrc @@ -45,7 +45,7 @@ genmail() { s() { dir=$(pwd) [[ ${#@} -ge 1 ]] && dir=$1 - + shellFile=$(findNix ${@}) [[ ${#@} -ge 1 ]] && shift @@ -137,7 +137,7 @@ dir() { *) printf "Invalid option: %s\n" $arg >&2; exit 2 ;; esac done - + shift $((OPTIND - 1)) if [[ -z ${dir} && ${#@} -ge 1 ]]; then @@ -145,7 +145,7 @@ dir() { shift fi - [[ -n ${dir} ]] || return 2; + [[ -n ${dir} ]] || return 2; if [[ ! -e ${dir} ]]; then if [[ -z "${gitWorktree}" ]]; then @@ -156,7 +156,7 @@ dir() { else gitWorktree="" fi - + ( cd ${dir} export dir; @@ -164,7 +164,7 @@ dir() { ${findNix} && { nixShell=$(findNix) || return $? } [[ -n ${repoUrl} ]] && git clone -- ${repoUrl} . - + if [[ -n ${templateArchive} ]]; then ( archiveFile="" 
@@ -181,16 +181,36 @@ dir() { templateArchive=${archiveFile} fi - case $(file --brief --mime-type --dereference ${templateArchive}) in - application/zip) unzip ${templateArchive} ;; - application/vnd.debian.binary-package) - nix shell nixos#binutils --command ar x ${templateArchive} - mkdir control data - tar -C control -xvaf control.* - tar -C data -xvaf data.* - ;; - *) tar -xvaf ${templateArchive} ;; - esac + unpack=true + while ${unpack}; do + case $(file --brief --mime-type --dereference ${templateArchive}) in + application/zip) + unzip ${templateArchive} + unpack=false + ;; + application/vnd.debian.binary-package) + nix shell nixos#binutils --command ar x ${templateArchive} + mkdir control data + tar -C control -xvaf control.* + tar -C data -xvaf data.* + unpack=false + ;; + application/x-rpm) + cpioArchive=$(mktemp -t "archive.XXXXXXXXXX.${templateArchive:t:r}.cpio") + nix shell nixos#busybox --command rpm2cpio ${templateArchive} > ${cpioArchive} + templateArchive=${cpioArchive} + unpack=true + ;; + application/x-cpio) + cpio --extract --make-directories --no-absolute-filenames -F ${templateArchive} + unpack=false + ;; + *) + tar -xvaf ${templateArchive} + unpack=false + ;; + esac + done ) fi @@ -202,7 +222,7 @@ dir() { # typeset -a messages # messages=(${(z)$(notmuch search --output=messages ${notmuchMsg})}) - + # for message (${messages}); do # typeset -A notmuchAtts # notmuchAtts=() @@ -253,7 +273,7 @@ dir() { quickserve --root . --upload . --show-hidden --tar gz fi - + if [[ ${#@} -eq 0 ]] || ${forceShell}; then if [[ ${#@} -gt 0 ]]; then if [[ -z ${nixShell} ]]; then @@ -264,11 +284,11 @@ dir() { fi cd $(pwd) # Needed for mounting to work - + isSingleDir() { typeset -a contents contents=(*(N) .*(N)) - + if [[ ${#contents} -eq 1 && -d ${contents[1]} ]]; then print ${contents[1]} return 0 @@ -278,7 +298,7 @@ dir() { } while d=$(isSingleDir); do cd ${d}; done - + if [[ -z ${nixShell} ]]; then exec -- zsh else 
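Review bot: The new `application/x-rpm` branch leaks its temp file: `cpioArchive` is created with `mktemp`, assigned to `templateArchive`, extracted on the next loop pass, and never removed, so every RPM unpack leaves a full copy of the payload in the temp directory. The conversion `nix shell nixos#busybox --command rpm2cpio ${templateArchive} > ${cpioArchive}` is also unchecked, so a failed rpm2cpio hands an empty file to the cpio branch instead of stopping. I'd collect the path and clean up after the loop, e.g. `tmpFiles+=(${cpioArchive})` in the rpm branch and `rm -f -- ${tmpFiles}` after `done`, and guard the conversion with `|| return $?`. Note that `--no-absolute-filenames` only strips leading slashes and, depending on the cpio version, may not reject `..` components, so this branch unpacks an untrusted archive into the current directory with the same caveats as the tar/unzip branches. The enclosing `dir()` function starts and ends outside the hunk.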
@@ -302,7 +322,7 @@ tmpdir() { printf "Unmounting %s\n" ${1} >&2 fusermount -u ${1} || umount ${1} || sudo umount ${1} } - + if mountpoint -q -- ${dir}; then unmount ${dir} || return $? else @@ -311,7 +331,7 @@ tmpdir() { unmount ${subDir} || return $? done <<<$(find ${dir} -xdev -type d -print0 | sort -zr) fi - + rm -rfv --one-file-system -- ${dir} } @@ -323,7 +343,7 @@ tmpdir() { "?"|":") printf "Invalid option: %s\n" $arg >&2; exit 2 ;; esac done - + ( trap cleanup EXIT @@ -362,7 +382,7 @@ nix-ghci() { pkgExpr="${1}" shift fi - + nix-shell -p "with (import {}); pkgs.haskellPackages.ghcWithPackages (p: with p; [${pkgExpr}])" --run "ghci ${@}" } diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix index 2be25560..e031c9b3 100644 --- a/hosts/surtr/default.nix +++ b/hosts/surtr/default.nix @@ -57,7 +57,7 @@ { address = "202.61.241.61"; prefixLength = 22; } ]; ipv6.addresses = [ - { address = "2a03:4000:52:ada:98e7:16ff:feba:7a2e"; prefixLength = 128; } + # { address = "2a03:4000:52:ada:98e7:16ff:feba:7a2e"; prefixLength = 128; } { address = "2a03:4000:52:ada::"; prefixLength = 96; } ]; }; diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 9cfba1f1..2fe5b7f0 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix @@ -59,6 +59,7 @@ in { services.postfix = { enable = true; + enableSmtp = false; hostname = "surtr.yggdrasil.li"; recipientDelimiter = ""; setSendmail = true; 
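Review bot: `enableSmtp = false;` is doing non-obvious work and should carry a comment: it is presumably what stops the NixOS postfix module from emitting its own inet `smtp` smtpd listener on port 25, which would otherwise compete with the `postscreen` service this commit binds to `smtp` in `masterConfig`. Read cold, the line looks like "turn SMTP off" and the next maintainer is likely to revert it. Suggest `# Do not let the NixOS module define the inet "smtp" listener; port 25 is served by the postscreen entry in masterConfig — confirm this is the option's effect in the module version in use`.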
@@ -66,20 +67,22 @@ in {
 destination = [];
 sslCert = "/run/credentials/postfix.service/surtr.yggdrasil.li.pem";
 sslKey = "/run/credentials/postfix.service/surtr.yggdrasil.li.key.pem";
- networks = ["127.0.0.0/8" "[::ffff:127.0.0.0]/104" "[::1]/128" "10.141.0.0/16"];
+ networks = [];
 config = let
 relay_ccert = "texthash:${pkgs.writeText "relay_ccert" ""}";
 in {
+ smtpd_tls_security_level = "may";
+
 #the dh params
 smtpd_tls_dh1024_param_file = toString config.security.dhparams.params."postfix-1024".path;
 smtpd_tls_dh512_param_file = toString config.security.dhparams.params."postfix-512".path;
 #enable ECDH
 smtpd_tls_eecdh_grade = "strong";
 #enabled SSL protocols, don't allow SSLv2 and SSLv3
- smtpd_tls_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" "!TLSv1.2"];
- smtpd_tls_mandatory_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" "!TLSv1.2"];
+ smtpd_tls_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1"];
+ smtpd_tls_mandatory_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1"];
 #allowed ciphers for smtpd_tls_security_level=encrypt
- smtpd_tls_mandatory_ciphers = "high";
+ smtpd_tls_mandatory_ciphers = "medium";
 #allowed ciphers for smtpd_tls_security_level=may
 #smtpd_tls_ciphers = high
 #enforce the server cipher preference
@@ -92,6 +95,7 @@ in {
 smtpd_tls_loglevel = "1";
 #enable TLS logging to see the ciphers for outbound connections
 smtp_tls_loglevel = "1";
+ tls_medium_cipherlist = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
 smtpd_tls_received_header = true;
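Review bot: `smtpd_tls_mandatory_ciphers = "medium"` does not govern the sessions this hunk creates: with `smtpd_tls_security_level = "may"` the opportunistic handshake is controlled by `smtpd_tls_ciphers` (still commented out two lines below, so Postfix's default grade applies), and the mandatory grade only matters at `encrypt`, which in this commit exists only on the smtps service that overrides it back to `high` in master.cf. Either drop the main.cf change or annotate it, e.g. `# only reached by services that set smtpd_tls_security_level=encrypt; the smtps entry overrides this to high`. The retained comment `#enabled SSL protocols, don't allow SSLv2 and SSLv3` now understates the list, which also excludes TLSv1 and TLSv1.1; `# TLS 1.2+ only on port 25 (opportunistic); smtps is pinned to 1.3 in masterConfig` would match the code. The `config` attribute set continues past the end of the hunk.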
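Review bot: Overriding `tls_medium_cipherlist` with eight AEAD-only ECDHE/DHE suites narrows what port 25 accepts under the new opportunistic `may` level, and an opportunistic peer that offers none of them does not fail closed — it falls back to cleartext, which defeats the purpose of a tighter list. The `medium` grade is also the default `smtp_tls_mandatory_ciphers` for the outbound client at `smtp_tls_security_level = "dane"` in the next hunk, so this one line changes what this host offers to remote MXs as well. If the goal is only to prefer strong suites, keep the default list and rely on the server-preference setting the `#enforce the server cipher preference` comment appears to introduce; if CBC suites are meant to be refused, record the trade-off: `# NOTE: applies to both smtpd (opportunistic) and smtp (DANE); inbound peers without an AEAD suite fall back to cleartext`.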
@@ -101,6 +105,8 @@ in {
 smtp_tls_security_level = "dane";
 smtp_dns_support_level = "dnssec";
+ smtp_tls_connection_reuse = true;
+
 tls_server_sni_maps = ''texthash:${pkgs.writeText "sni" ''
 bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem
 mailin.bouncy.email /run/credentials/postfix.service/mailin.bouncy.email.full.pem
@@ -130,7 +136,6 @@ in {
 dbname = email
 query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s'
 ''}"
- "permit_mynetworks"
 "check_ccert_access ${relay_ccert}"
 "reject_non_fqdn_helo_hostname"
 "reject_invalid_helo_hostname"
@@ -149,14 +154,15 @@ in {
 address_verify_poll_delay = "1s";
 smtpd_relay_restrictions = [
- "permit_mynetworks"
 "check_ccert_access ${relay_ccert}"
 "reject_unauth_destination"
 ];
 propagate_unmatched_extensions = ["canonical" "virtual" "alias"];
- smtpd_authorized_verp_clients = "$authorized_verp_clients";
- authorized_verp_clients = "$mynetworks";
+ smtpd_authorized_verp_clients = "";
+ authorized_verp_clients = "";
+
+ smtpd_client_event_limit_exceptions = "";
 milter_default_action = "accept";
 smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock"];
@@ -197,6 +203,12 @@ in {
 ''}'';
 dvlmtp_destination_recipient_limit = "1";
 virtual_transport = "dvlmtp:unix:/run/postfix/dovecot-lmtp";
+
+ authorized_submit_users = "inline:{ root= postfwd= }";
+
+ postscreen_access_list = "";
+ postscreen_denylist_action = "drop";
+ postscreen_greet_action = "enforce";
 };
 masterConfig = {
 smtps = {
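Review bot: `postscreen_denylist_action = "drop"` has nothing to act on as written: that action only fires for clients matched by a `reject` entry in `postscreen_access_list`, and the line directly above sets that list to `""`. A `dnsblog` service is likewise declared in `masterConfig`, but no `postscreen_dnsbl_sites` or `postscreen_dnsbl_action` appears in this commit, so unless they are set elsewhere the DNSBL path is inert and `postscreen_greet_action = "enforce"` is the only active postscreen test. Either remove the dead settings or mark them: `# denylist/dnsbl actions are placeholders until postscreen_access_list / postscreen_dnsbl_sites are populated`. `authorized_submit_users = "inline:{ root= postfwd= }"` would also benefit from a one-line note on why the `postfwd` user needs postdrop access, since nothing in this change shows it submitting mail.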
@@ -204,6 +216,14 @@ in {
 private = false;
 command = "smtpd";
 args = [
+ "-o" "smtpd_tls_security_level=encrypt"
+ "-o" "{smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}"
+ "-o" "{smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}"
+ "-o" "smtpd_tls_mandatory_ciphers=high"
+ "-o" "smtpd_tls_dh1024_param_file=${toString config.security.dhparams.params."postfix-smtps-1024".path}"
+ "-o" "smtpd_tls_dh512_param_file=${toString config.security.dhparams.params."postfix-smtps-512".path}"
+ "-o" "{tls_eecdh_auto_curves = X25519 X448}"
+
 "-o" "smtpd_tls_wrappermode=yes"
 "-o" "smtpd_tls_ask_ccert=yes"
 "-o" "smtpd_tls_req_ccert=yes"
@@ -224,6 +244,27 @@ in {
 "flags=DORX"
 ];
 };
+ smtp_pass = {
+ name = "smtpd";
+ type = "pass";
+ command = "smtpd";
+ };
+ postscreen = {
+ name = "smtp";
+ type = "inet";
+ private = false;
+ command = "postscreen";
+ maxproc = 1;
+ };
+ smtp = {};
+ relay = {
+ command = "smtp";
+ args = [ "-o" "smtp_fallback_relay=" ];
+ };
+ tlsproxy = {
+ maxproc = 0;
+ };
+ dnsblog = {};
 };
 };
@@ -596,6 +637,9 @@ in {
 params = {
 "postfix-512".bits = 512;
 "postfix-1024".bits = 2048;
+
+ "postfix-smtps-512".bits = 512;
+ "postfix-smtps-1024".bits = 2048;
 };
 };
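Review bot: The smtps overrides pin the service to TLS 1.3 (`!TLSv1.2` in both protocol lists) yet still pass `smtpd_tls_dh1024_param_file`, `smtpd_tls_dh512_param_file` and `smtpd_tls_mandatory_ciphers=high`; in TLS 1.3 the finite-field groups come from the negotiated supported_groups rather than a DH parameter file, and the Postfix cipher grades select TLS ≤1.2 cipher strings, so these three lines (and the `postfix-smtps-*` dhparams generated for them) appear to be dead configuration — please confirm against the Postfix/OpenSSL version in use. If they are kept deliberately, say so: `# dh/cipher-grade overrides are inert under TLS 1.3 and only matter if TLSv1.2 is re-enabled here`. The `{tls_eecdh_auto_curves = X25519 X448}` override is the one that actually constrains the 1.3 key exchange and deserves the comment instead. The `smtps` attribute set opens before this hunk.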
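Review bot: `tlsproxy = { maxproc = 0; }` reads as "disabled" but in master.cf a process limit of 0 means unlimited, and tlsproxy is what the newly enabled `smtp_tls_connection_reuse = true` in the earlier hunk relies on, so this entry is load-bearing rather than a leftover. A comment would prevent someone "cleaning it up": `# maxproc 0 = unlimited; tlsproxy(8) is required for smtp_tls_connection_reuse and for postscreen TLS`. The same applies to `smtp = {};` and `relay`, which only make sense once `enableSmtp = false` stops the NixOS module from declaring them — worth one line saying they are re-declared for that reason, if that is indeed the case.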
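Review bot: `"postfix-smtps-1024".bits = 2048;` copies the existing mismatch where the attribute name says 1024 but the generated group is 2048 bits; the only reason for the name is that it feeds Postfix's `smtpd_tls_dh1024_param_file` option in the smtps args. Either rename both pairs (updating the two `-o` references) or document the convention once: `# names mirror Postfix's smtpd_tls_dh{512,1024}_param_file options; the "1024" sets are actually 2048-bit`. The 512-bit sets are export-grade material that only the legacy `dh512` knob consumes; generating a second one for smtps is worth questioning while touching this.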
@@ -800,8 +844,14 @@ in {
 services.postfwd = {
 enable = true;
 rules = ''
- id=RCPT01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/100/3600/450 4.7.1 Exceeding maximum of 100 recipients per hour [$$ratecount])
- id=RCPT02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/1000/86400/450 4.7.1 Exceeding maximum of 1000 recipients per day [$$ratecount])
+ id=RCPT01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/100/3600/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=100,HIT_RATELIMIT_INTERVAL=3600))
+ id=RCPT02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/1000/86400/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=1000,HIT_RATELIMIT_INTERVAL=86400))
+
+ id=JUMP_REJECT_RL; HIT_RATELIMIT=="1"; action=jump(REJECT_RL)
+
+ id=EOF; action=DUNNO
+
+ id=REJECT_RL; action=450 4.7.1 Exceeding maximum of $$HIT_RATELIMIT_LIMIT recipients per $$HIT_RATELIMIT_INTERVAL seconds [$$HIT_RATECOUNT]
 '';
 };
 };
diff --git a/modules/postfwd.nix b/modules/postfwd.nix
index 4afea0a1..e10c04a7 100644
--- a/modules/postfwd.nix
+++ b/modules/postfwd.nix
@@ -32,6 +32,11 @@ in {
 "--proto" "unix"
 "--port" "/run/postfwd3/postfwd3.sock"
 "--save_rates" "/var/lib/postfwd/rates"
+ "--save_groups" "/var/lib/postfwd/groups"
+ "--summary" "3600"
+ "--cache" "600"
+ "--cache_proto" "unix"
+ "--cache_port" "/run/postfwd3/cache.sock"
 "--file" (pkgs.writeText "postfwd3-rules" cfg.rules)
 ]}";
 PIDFile = "/run/postfwd3/postfwd3.pid";
@@ -45,7 +50,8 @@ in {
 DynamicUser = true;
 ProtectSystem = "strict";
- SystemCallFilter = "@system-service";
+ ProtectHome = true;
+ SystemCallFilter = ["@system-service" "~@resources @obsolete"];
 NoNewPrivileges = true;
 ProtectKernelTunables = true;
 ProtectKernelModules = true;
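Review bot: The limiters in `RCPT01`/`RCPT02` are keyed on `ccert_subject` alone and nothing excludes clients that presented no certificate; with `permit_mynetworks` removed and port 25 now accepting opportunistic, unauthenticated MX traffic, every such client shares one empty-key bucket if this policy service is consulted for them, and after 100 recipients in an hour from the internet all further inbound mail is tempfailed with `450` — a trivial denial of service. Restrict both rules to authenticated peers (an item such as `ccert_subject=~\S;` or the equivalent non-empty check on `RCPT01` and `RCPT02`, or a rule before them that jumps to `EOF` when `ccert_subject` is empty), or give unauthenticated clients a separate `client_address`-keyed limit. A header comment in the rule set stating that limits are per client certificate and what happens to certificate-less clients would also help the next reader. Whether the policy service is actually consulted on port 25 is not visible in this hunk, so please verify.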
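Review bot: `--cache_port /run/postfwd3/cache.sock` adds a second local listener next to the policy socket, and any local process that can connect to it can read and, presumably, seed cached verdicts; nothing in this hunk shows the runtime directory mode or socket ownership, so please confirm `/run/postfwd3` is not group/world accessible once the cache is enabled. A comment on the new arguments would also help, e.g. `# cache is local-only (unix socket); keep /run/postfwd3 private to the service user`. The `--save_groups` path sits under `/var/lib/postfwd` like the existing `--save_rates`, which with `ProtectSystem = "strict"` only works if a StateDirectory is declared outside this hunk.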
@@ -59,6 +65,17 @@ in {
 PrivateDevices = true;
 PrivateTmp = true;
 ProtectHostname = true;
+ RestrictNamespaces = true;
+ CapabilityBoundingSet = "";
+ RestrictAddressFamilies = ["AF_UNIX"];
+ PrivateNetwork = true;
+ PrivateUsers = true;
+ SystemCallArchitectures = "native";
+ LockPersonality = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ DevicePolicy = "closed";
+ IPAddressDeny = "any";
 };
 };
 };
diff --git a/overlays/spm/frontend/src/app/spm/spm.component.html b/overlays/spm/frontend/src/app/spm/spm.component.html
index 5d0e625a..416da91f 100644
--- a/overlays/spm/frontend/src/app/spm/spm.component.html
+++ b/overlays/spm/frontend/src/app/spm/spm.component.html
@@ -1,7 +1,10 @@
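Review bot: `PrivateNetwork = true` (together with `RestrictAddressFamilies = ["AF_UNIX"]` and `IPAddressDeny = "any"`) removes all network access from postfwd, DNS included; that is fine for the certificate-keyed rate limits this commit ships, but postfwd3 also supports DNS-based items (RBL/RHSBL lookups, name resolution) that would silently stop matching under this unit, and nothing records the trade-off. Add a comment above `PrivateNetwork`, e.g. `# No network at all: rules are ccert-keyed and use no DNS/RBL items; relax PrivateNetwork, RestrictAddressFamilies and IPAddressDeny together before adding any`. The three settings overlap, so the comment should say they are intentionally redundant rather than leave the reader to guess which one is load-bearing.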
- {{entry.value.local}} + {{entry.value.local}} + + {{entry.value.local}} + @{{entry.value.domain}} diff --git a/overlays/spm/frontend/src/app/spm/spm.component.sass b/overlays/spm/frontend/src/app/spm/spm.component.sass index 74ad7d0e..773eb879 100644 --- a/overlays/spm/frontend/src/app/spm/spm.component.sass +++ b/overlays/spm/frontend/src/app/spm/spm.component.sass @@ -1,3 +1,7 @@ +a + color: inherit + text-decoration: inherit + #add-button position: fixed bottom: 16px diff --git a/overlays/spm/wordlist.txt b/overlays/spm/wordlist.txt index 028ca87e..0db5ca44 100644 --- a/overlays/spm/wordlist.txt +++ b/overlays/spm/wordlist.txt @@ -605,7 +605,6 @@ keg kept kick kilt -king kite kitty kiwi -- cgit v1.2.3