From 59e54bd97f70711573d321f2d2aeee5da46bf95d Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 2 Oct 2022 18:46:48 +0200 Subject: ... --- hosts/surtr/default.nix | 2 +- hosts/surtr/email/default.nix | 70 ++++++++++++++++++++++++++++++++++++------- 2 files changed, 61 insertions(+), 11 deletions(-) (limited to 'hosts') diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix index 2be25560..e031c9b3 100644 --- a/hosts/surtr/default.nix +++ b/hosts/surtr/default.nix @@ -57,7 +57,7 @@ { address = "202.61.241.61"; prefixLength = 22; } ]; ipv6.addresses = [ - { address = "2a03:4000:52:ada:98e7:16ff:feba:7a2e"; prefixLength = 128; } + # { address = "2a03:4000:52:ada:98e7:16ff:feba:7a2e"; prefixLength = 128; } { address = "2a03:4000:52:ada::"; prefixLength = 96; } ]; }; diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 9cfba1f1..2fe5b7f0 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix @@ -59,6 +59,7 @@ in { services.postfix = { enable = true; + enableSmtp = false; hostname = "surtr.yggdrasil.li"; recipientDelimiter = ""; setSendmail = true; 
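Review bot: `enableSmtp = false` switches off what appears to be the NixOS module's own port-25 smtpd listener, and nothing at this line records what takes its place; the replacement only becomes visible in the masterConfig hunk much later in this commit, which adds a `postscreen` service with `name = "smtp"` on the same inet port. Anyone flipping this option back on would end up with two services claiming port 25. Suggest a comment next to the line: `# port 25 is served by the postscreen entry in masterConfig; the module's default smtpd listener must stay off`. The `services.postfix` attribute set continues outside the hunk.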
@@ -66,20 +67,22 @@ in { destination = []; sslCert = "/run/credentials/postfix.service/surtr.yggdrasil.li.pem"; sslKey = "/run/credentials/postfix.service/surtr.yggdrasil.li.key.pem"; - networks = ["127.0.0.0/8" "[::ffff:127.0.0.0]/104" "[::1]/128" "10.141.0.0/16"]; + networks = []; config = let relay_ccert = "texthash:${pkgs.writeText "relay_ccert" ""}"; in { + smtpd_tls_security_level = "may"; + #the dh params smtpd_tls_dh1024_param_file = toString config.security.dhparams.params."postfix-1024".path; smtpd_tls_dh512_param_file = toString config.security.dhparams.params."postfix-512".path; #enable ECDH smtpd_tls_eecdh_grade = "strong"; #enabled SSL protocols, don't allow SSLv2 and SSLv3 - smtpd_tls_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" "!TLSv1.2"]; - smtpd_tls_mandatory_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" "!TLSv1.2"]; + smtpd_tls_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1"]; + smtpd_tls_mandatory_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1"]; #allowed ciphers for smtpd_tls_security_level=encrypt - smtpd_tls_mandatory_ciphers = "high"; + smtpd_tls_mandatory_ciphers = "medium"; #allowed ciphers for smtpd_tls_security_level=may #smtpd_tls_ciphers = high #enforce the server cipher preference @@ -92,6 +95,7 @@ in { smtpd_tls_loglevel = "1"; #enable TLS logging to see the ciphers for outbound connections smtp_tls_loglevel = "1"; + tls_medium_cipherlist = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; smtpd_tls_received_header = true; 
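Review bot: The comments in this hunk no longer describe the settings under them: `#enabled SSL protocols, don't allow SSLv2 and SSLv3` now sits above lists that also drop TLS 1.0/1.1 and newly re-admit TLS 1.2, and `#allowed ciphers for smtpd_tls_security_level=encrypt` sits above `smtpd_tls_mandatory_ciphers = "medium"` in a main.cf that the same hunk sets to `smtpd_tls_security_level = "may"`. Under `may` the grade that governs port 25 is `smtpd_tls_ciphers` (still commented out below, default medium), so the mandatory grade only reaches services that enforce TLS, and the smtps entry added later in this commit overrides it to `high` anyway. Suggest rewriting the two comments to `# TLS 1.2+ on port 25; the smtps service tightens this to TLS 1.3 only` and `# mandatory grade: used only by services with security_level=encrypt/dane; opportunistic port 25 uses smtpd_tls_ciphers`. `networks = []` also empties `$mynetworks`, which the later restriction hunks depend on, and deserves a one-line comment of its own. The `config` attribute set continues outside the hunk.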
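Review bot: `tls_medium_cipherlist` redefines the `medium` grade for every TLS context in this Postfix instance, not just this server: it also applies to the outbound `smtp_tls_security_level = "dane"` path if `smtp_tls_mandatory_ciphers` is left at its default of medium, and to opportunistic TLS on port 25. On an opportunistic listener a peer that cannot negotiate one of these ECDHE/DHE AEAD suites falls back to cleartext rather than to a weaker cipher, so a trimmed list can lower rather than raise effective security there, which is why the Postfix documentation discourages overriding the grade lists; TLS 1.3 suites are not affected by this list at all. If the restriction is deliberate, document the trade-off with `# redefines the "medium" grade for inbound opportunistic TLS and the DANE client alike; peers without PFS+AEAD fall back to cleartext on port 25`, or apply the curated list only where TLS is enforced (the smtps service) rather than globally. The `config` attribute set continues outside the hunk.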
@@ -101,6 +105,8 @@ in { smtp_tls_security_level = "dane"; smtp_dns_support_level = "dnssec"; + smtp_tls_connection_reuse = true; + tls_server_sni_maps = ''texthash:${pkgs.writeText "sni" '' bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem mailin.bouncy.email /run/credentials/postfix.service/mailin.bouncy.email.full.pem @@ -130,7 +136,6 @@ in { dbname = email query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s' ''}" - "permit_mynetworks" "check_ccert_access ${relay_ccert}" "reject_non_fqdn_helo_hostname" "reject_invalid_helo_hostname" @@ -149,14 +154,15 @@ in { address_verify_poll_delay = "1s"; smtpd_relay_restrictions = [ - "permit_mynetworks" "check_ccert_access ${relay_ccert}" "reject_unauth_destination" ]; propagate_unmatched_extensions = ["canonical" "virtual" "alias"]; - smtpd_authorized_verp_clients = "$authorized_verp_clients"; - authorized_verp_clients = "$mynetworks"; + smtpd_authorized_verp_clients = ""; + authorized_verp_clients = ""; + + smtpd_client_event_limit_exceptions = ""; milter_default_action = "accept"; smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock"]; @@ -197,6 +203,12 @@ in { ''}''; dvlmtp_destination_recipient_limit = "1"; virtual_transport = "dvlmtp:unix:/run/postfix/dovecot-lmtp"; + + authorized_submit_users = "inline:{ root= postfwd= }"; + + postscreen_access_list = ""; + postscreen_denylist_action = "drop"; + postscreen_greet_action = "enforce"; }; masterConfig = { smtps = { 
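Review bot: `smtp_tls_connection_reuse = true` is only honoured when a tlsproxy(8) service exists in master.cf (Postfix 3.4 or later); this commit does add one in the masterConfig hunk, but nothing here records that coupling, and without it the client presumably just falls back to fresh connections — confirm. Suggest `# needs the tlsproxy entry in masterConfig (Postfix >= 3.4)` above the line. The surrounding attribute set continues outside the hunk.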
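Review bot: `authorized_submit_users = "inline:{ root= postfwd= }"` restricts sendmail(1) submission to two users, but the entries carry empty values, and it is not obvious from the line whether the inline: map accepts `key=` with nothing after the `=`; a dummy value (`inline:{ root=ok postfwd=ok }`) avoids relying on that, since only key presence matters for this parameter. Any other system account that mails via sendmail (cron, monitoring) is now refused, which is presumably intended but deserves a comment such as `# local sendmail(1) submission is limited to root and the postfwd rate-limiter; everything else must use smtps with a client cert`. `postscreen_denylist_action` is the Postfix >= 3.6 spelling of that parameter (older releases only know the blacklist name), so this line pins a minimum Postfix version — worth noting beside it. The `config` attribute set continues outside the hunk.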
@@ -204,6 +216,14 @@ in { private = false; command = "smtpd"; args = [ + "-o" "smtpd_tls_security_level=encrypt" + "-o" "{smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}" + "-o" "{smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}" + "-o" "smtpd_tls_mandatory_ciphers=high" + "-o" "smtpd_tls_dh1024_param_file=${toString config.security.dhparams.params."postfix-smtps-1024".path}" + "-o" "smtpd_tls_dh512_param_file=${toString config.security.dhparams.params."postfix-smtps-512".path}" + "-o" "{tls_eecdh_auto_curves = X25519 X448}" + "-o" "smtpd_tls_wrappermode=yes" "-o" "smtpd_tls_ask_ccert=yes" "-o" "smtpd_tls_req_ccert=yes" @@ -224,6 +244,27 @@ in { "flags=DORX" ]; }; + smtp_pass = { + name = "smtpd"; + type = "pass"; + command = "smtpd"; + }; + postscreen = { + name = "smtp"; + type = "inet"; + private = false; + command = "postscreen"; + maxproc = 1; + }; + smtp = {}; + relay = { + command = "smtp"; + args = [ "-o" "smtp_fallback_relay=" ]; + }; + tlsproxy = { + maxproc = 0; + }; + dnsblog = {}; }; }; @@ -596,6 +637,9 @@ in { params = { "postfix-512".bits = 512; "postfix-1024".bits = 2048; + + "postfix-smtps-512".bits = 512; + "postfix-smtps-1024".bits = 2048; }; }; 
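Review bot: `tls_eecdh_auto_curves = X25519 X448` only takes effect when the server's EECDH grade is `auto`, and this service inherits `smtpd_tls_eecdh_grade = "strong"` from main.cf (visible in an earlier hunk) without overriding it, so the curve override looks inert unless the grade is changed — confirm against the Postfix version in use. The same `-o` block excludes every protocol below TLS 1.3 yet still points `smtpd_tls_dh1024_param_file`/`smtpd_tls_dh512_param_file` at dedicated files, and TLS 1.3 does not use finite-field DH parameter files, so those two overrides appear to be dead configuration. Suggest adding `"-o" "smtpd_tls_eecdh_grade=auto"` next to the curves line and a comment `# TLS 1.3 only: key exchange uses the curves above; the DH param files are unused`. The args list continues outside the hunk.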
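Review bot: `"postfix-smtps-512".bits = 512` generates 512-bit finite-field DH parameters that the consuming smtps service cannot use: that service admits only TLS 1.3, where DH parameter files play no role, and 512-bit DH is export-grade in any case (a modern OpenSSL build has export ciphers compiled out, so the file is likely ignored — either way it is dead weight). The pre-existing `"postfix-512".bits = 512` has the same weakness on the port-25 listener, where TLS 1.2 is still allowed. Suggest dropping both 512-bit entries, keeping `"postfix-1024".bits = 2048` (the name is misleading but the size is fine) and removing the smtps pair entirely. The `params` attribute set continues outside the hunk.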
@@ -800,8 +844,14 @@ in { services.postfwd = { enable = true; rules = '' - id=RCPT01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/100/3600/450 4.7.1 Exceeding maximum of 100 recipients per hour [$$ratecount]) - id=RCPT02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/1000/86400/450 4.7.1 Exceeding maximum of 1000 recipients per day [$$ratecount]) + id=RCPT01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/100/3600/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=100,HIT_RATELIMIT_INTERVAL=3600)) + id=RCPT02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/1000/86400/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=1000,HIT_RATELIMIT_INTERVAL=86400)) + + id=JUMP_REJECT_RL; HIT_RATELIMIT=="1"; action=jump(REJECT_RL) + + id=EOF; action=DUNNO + + id=REJECT_RL; action=450 4.7.1 Exceeding maximum of $$HIT_RATELIMIT_LIMIT recipients per $$HIT_RATELIMIT_INTERVAL seconds [$$HIT_RATECOUNT] ''; }; }; -- cgit v1.2.3
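Review bot: The rewritten rule set depends on `id=EOF; action=DUNNO` standing between `JUMP_REJECT_RL` and `REJECT_RL` so that every request that did not trip a limit terminates there instead of falling through to the 450; that ordering is load-bearing and nothing in the rules says so. Suggest `# EOF must stay before REJECT_RL: rules run top-down and REJECT_RL is reachable only via the jump` above the EOF line. Behaviour also shifts slightly: RCPT01 no longer returns immediately on a hit, so RCPT02 now counts messages the hourly limit already rejected, and when both limits are exceeded the second `set(...)` overwrites the first, so the 450 text reports the daily limit rather than the hourly one — acceptable, but worth a comment. The `set()` variables are assumed to be per-request in postfwd; confirm they cannot leak between requests served by the same process.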