From 59e54bd97f70711573d321f2d2aeee5da46bf95d Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 2 Oct 2022 18:46:48 +0200 Subject: ... --- hosts/surtr/default.nix | 2 +- hosts/surtr/email/default.nix | 70 ++++++++++++++++++++++++++++++++++++------- 2 files changed, 61 insertions(+), 11 deletions(-) (limited to 'hosts/surtr') diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix index 2be25560..e031c9b3 100644 --- a/hosts/surtr/default.nix +++ b/hosts/surtr/default.nix @@ -57,7 +57,7 @@ { address = "202.61.241.61"; prefixLength = 22; } ]; ipv6.addresses = [ - { address = "2a03:4000:52:ada:98e7:16ff:feba:7a2e"; prefixLength = 128; } + # { address = "2a03:4000:52:ada:98e7:16ff:feba:7a2e"; prefixLength = 128; } { address = "2a03:4000:52:ada::"; prefixLength = 96; } ]; }; diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 9cfba1f1..2fe5b7f0 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix @@ -59,6 +59,7 @@ in { services.postfix = { enable = true; + enableSmtp = false; hostname = "surtr.yggdrasil.li"; recipientDelimiter = ""; setSendmail = true; @@ -66,20 +67,22 @@ in { destination = []; sslCert = "/run/credentials/postfix.service/surtr.yggdrasil.li.pem"; sslKey = "/run/credentials/postfix.service/surtr.yggdrasil.li.key.pem"; - networks = ["127.0.0.0/8" "[::ffff:127.0.0.0]/104" "[::1]/128" "10.141.0.0/16"]; + networks = []; config = let relay_ccert = "texthash:${pkgs.writeText "relay_ccert" ""}"; in { + smtpd_tls_security_level = "may"; + #the dh params smtpd_tls_dh1024_param_file = toString config.security.dhparams.params."postfix-1024".path; smtpd_tls_dh512_param_file = toString config.security.dhparams.params."postfix-512".path; #enable ECDH smtpd_tls_eecdh_grade = "strong"; #enabled SSL protocols, don't allow SSLv2 and SSLv3 - smtpd_tls_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" "!TLSv1.2"]; - smtpd_tls_mandatory_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" "!TLSv1.2"]; + smtpd_tls_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1"]; + smtpd_tls_mandatory_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1"]; #allowed ciphers for smtpd_tls_security_level=encrypt - smtpd_tls_mandatory_ciphers = "high"; + smtpd_tls_mandatory_ciphers = "medium"; #allowed ciphers for smtpd_tls_security_level=may #smtpd_tls_ciphers = high #enforce the server cipher preference @@ -92,6 +95,7 @@ in { smtpd_tls_loglevel = "1"; #enable TLS logging to see the ciphers for outbound connections smtp_tls_loglevel = "1"; + tls_medium_cipherlist = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; smtpd_tls_received_header = true; @@ -101,6 +105,8 @@ in { smtp_tls_security_level = "dane"; smtp_dns_support_level = "dnssec"; + smtp_tls_connection_reuse = true; + tls_server_sni_maps = ''texthash:${pkgs.writeText "sni" '' bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem mailin.bouncy.email /run/credentials/postfix.service/mailin.bouncy.email.full.pem @@ -130,7 +136,6 @@ in { dbname = email query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s' ''}" - "permit_mynetworks" "check_ccert_access ${relay_ccert}" "reject_non_fqdn_helo_hostname" "reject_invalid_helo_hostname" @@ -149,14 +154,15 @@ in { address_verify_poll_delay = "1s"; smtpd_relay_restrictions = [ - "permit_mynetworks" "check_ccert_access ${relay_ccert}" "reject_unauth_destination" ]; propagate_unmatched_extensions = ["canonical" "virtual" "alias"]; - smtpd_authorized_verp_clients = "$authorized_verp_clients"; - authorized_verp_clients = "$mynetworks"; + smtpd_authorized_verp_clients = ""; + authorized_verp_clients = ""; + + smtpd_client_event_limit_exceptions = ""; milter_default_action = "accept"; smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock"]; @@ -197,6 +203,12 @@ in { ''}''; dvlmtp_destination_recipient_limit = "1"; virtual_transport = "dvlmtp:unix:/run/postfix/dovecot-lmtp"; + + authorized_submit_users = "inline:{ root= postfwd= }"; + + postscreen_access_list = ""; + postscreen_denylist_action = "drop"; + postscreen_greet_action = "enforce"; }; masterConfig = { smtps = { @@ -204,6 +216,14 @@ in { private = false; command = "smtpd"; args = [ + "-o" "smtpd_tls_security_level=encrypt" + "-o" "{smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}" + "-o" "{smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}" + "-o" "smtpd_tls_mandatory_ciphers=high" + "-o" "smtpd_tls_dh1024_param_file=${toString config.security.dhparams.params."postfix-smtps-1024".path}" + "-o" "smtpd_tls_dh512_param_file=${toString config.security.dhparams.params."postfix-smtps-512".path}" + "-o" "{tls_eecdh_auto_curves = X25519 X448}" + "-o" "smtpd_tls_wrappermode=yes" "-o" "smtpd_tls_ask_ccert=yes" "-o" "smtpd_tls_req_ccert=yes" @@ -224,6 +244,27 @@ in { "flags=DORX" ]; }; + smtp_pass = { + name = "smtpd"; + type = "pass"; + command = "smtpd"; + }; + postscreen = { + name = "smtp"; + type = "inet"; + private = false; + command = "postscreen"; + maxproc = 1; + }; + smtp = {}; + relay = { + command = "smtp"; + args = [ "-o" "smtp_fallback_relay=" ]; + }; + tlsproxy = { + maxproc = 0; + }; + dnsblog = {}; }; }; @@ -596,6 +637,9 @@ in { params = { "postfix-512".bits = 512; "postfix-1024".bits = 2048; + + "postfix-smtps-512".bits = 512; + "postfix-smtps-1024".bits = 2048; }; }; @@ -800,8 +844,14 @@ in { services.postfwd = { enable = true; rules = '' - id=RCPT01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/100/3600/450 4.7.1 Exceeding maximum of 100 recipients per hour [$$ratecount]) - id=RCPT02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/1000/86400/450 4.7.1 Exceeding maximum of 1000 recipients per day [$$ratecount]) + id=RCPT01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/100/3600/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=100,HIT_RATELIMIT_INTERVAL=3600)) + id=RCPT02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/1000/86400/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=1000,HIT_RATELIMIT_INTERVAL=86400)) + + id=JUMP_REJECT_RL; HIT_RATELIMIT=="1"; action=jump(REJECT_RL) + + id=EOF; action=DUNNO + + id=REJECT_RL; action=450 4.7.1 Exceeding maximum of $$HIT_RATELIMIT_LIMIT recipients per $$HIT_RATELIMIT_INTERVAL seconds [$$HIT_RATECOUNT] ''; }; }; -- cgit v1.2.3