{ config, pkgs, lib, flakeInputs, ... }: with lib; let dovecotSievePipeBin = pkgs.stdenv.mkDerivation { name = "dovecot-sieve-pipe-bin"; src = ./dovecot-pipe-bin; buildInputs = with pkgs; [ makeWrapper coreutils bash rspamd ]; buildCommand = '' mkdir -p $out/pipe/bin cp $src/* $out/pipe/bin/ chmod a+x $out/pipe/bin/* patchShebangs $out/pipe/bin for file in $out/pipe/bin/*; do wrapProgram $file \ --set PATH "${pkgs.coreutils}/bin:${pkgs.rspamd}/bin" done ''; }; ccert-policy-server = with pkgs.poetry2nix; mkPoetryApplication { projectDir = cleanPythonSources { src = ./ccert-policy-server; }; overrides = overrides.withDefaults (self: super: { systemd-python = super.systemd-python.overridePythonAttrs (oldAttrs: { buildInputs = (oldAttrs.buildInputs or []) ++ [ super.setuptools ]; }); }); }; spmDomains = ["bouncy.email"]; emailDomains = spmDomains ++ ["kleen.consulting"]; in { config = { nixpkgs.overlays = [ (final: prev: { postfix = prev.postfix.override { withLDAP = false; withPgSQL = true; }; dovecot = prev.dovecot.override { withSQLite = false; withPgSQL = true; }; }) ]; services.postfix = { enable = true; enableSmtp = false; hostname = "surtr.yggdrasil.li"; recipientDelimiter = ""; setSendmail = true; postmasterAlias = ""; rootAlias = ""; extraAliases = ""; destination = []; sslCert = "/run/credentials/postfix.service/surtr.yggdrasil.li.pem"; sslKey = "/run/credentials/postfix.service/surtr.yggdrasil.li.key.pem"; networks = []; config = let relay_ccert = "texthash:${pkgs.writeText "relay_ccert" ""}"; in { smtpd_tls_security_level = "may"; #the dh params smtpd_tls_dh1024_param_file = toString config.security.dhparams.params."postfix-1024".path; smtpd_tls_dh512_param_file = toString config.security.dhparams.params."postfix-512".path; #enable ECDH smtpd_tls_eecdh_grade = "strong"; #enabled SSL protocols, don't allow SSLv2 and SSLv3 smtpd_tls_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1"]; smtpd_tls_mandatory_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1"]; #allowed ciphers for smtpd_tls_security_level=encrypt smtpd_tls_mandatory_ciphers = "medium"; #allowed ciphers for smtpd_tls_security_level=may #smtpd_tls_ciphers = high #enforce the server cipher preference tls_preempt_cipherlist = true; #disable following ciphers for smtpd_tls_security_level=encrypt smtpd_tls_mandatory_exclude_ciphers = ["aNULL" "MD5" "DES" "ADH" "RC4" "PSD" "SRP" "3DES" "eNULL"]; #disable following ciphers for smtpd_tls_security_level=may smtpd_tls_exclude_ciphers = ["aNULL" "MD5" "DES" "ADH" "RC4" "PSD" "SRP" "3DES" "eNULL"]; #enable TLS logging to see the ciphers for inbound connections smtpd_tls_loglevel = "1"; #enable TLS logging to see the ciphers for outbound connections smtp_tls_loglevel = "1"; tls_medium_cipherlist = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; smtpd_tls_received_header = true; smtpd_tls_ask_ccert = true; smtpd_tls_CAfile = toString ./ca/ca.crt; smtp_tls_security_level = "dane"; smtp_dns_support_level = "dnssec"; smtp_tls_connection_reuse = true; tls_server_sni_maps = ''texthash:${pkgs.writeText "sni" ( concatMapStringsSep "\n\n" (domain: concatMapStringsSep "\n" (subdomain: "${subdomain} /run/credentials/postfix.service/${removePrefix "." subdomain}.full.pem") [domain "mailin.${domain}" "mailsub.${domain}" ".${domain}"] ) emailDomains )}''; smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix"; local_recipient_maps = ""; # 10 GiB message_size_limit = "10737418240"; # 10 GiB mailbox_size_limit = "10737418240"; smtpd_delay_reject = true; smtpd_helo_required = true; smtpd_helo_restrictions = "permit"; smtpd_recipient_restrictions = [ "reject_unauth_pipelining" "reject_non_fqdn_recipient" "reject_unknown_recipient_domain" "check_recipient_access pgsql:${pkgs.writeText "check_recipient_access.cf" '' hosts = postgresql:///email dbname = email query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s' ''}" "check_ccert_access ${relay_ccert}" "reject_non_fqdn_helo_hostname" "reject_invalid_helo_hostname" "reject_unauth_destination" "reject_unknown_recipient_domain" "reject_unverified_recipient" ]; unverified_recipient_reject_code = "550"; unverified_recipient_reject_reason = "Recipient address lookup failed"; address_verify_map = "internal:address_verify_map"; address_verify_positive_expire_time = "1h"; address_verify_positive_refresh_time = "15m"; address_verify_negative_expire_time = "15s"; address_verify_negative_refresh_time = "5s"; address_verify_cache_cleanup_interval = "5s"; address_verify_poll_delay = "1s"; smtpd_relay_restrictions = [ "check_ccert_access ${relay_ccert}" "reject_unauth_destination" ]; propagate_unmatched_extensions = ["canonical" "virtual" "alias"]; smtpd_authorized_verp_clients = ""; authorized_verp_clients = ""; smtpd_client_event_limit_exceptions = ""; milter_default_action = "accept"; smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock"]; non_smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock"]; alias_maps = ""; queue_run_delay = "10s"; minimal_backoff_time = "1m"; maximal_backoff_time = "10m"; maximal_queue_lifetime = "100m"; bounce_queue_lifetime = "20m"; smtpd_discard_ehlo_keyword_address_maps = "cidr:${pkgs.writeText "esmtp_access" '' # Allow DSN requests from local subnet only 192.168.0.0/16 silent-discard 172.16.0.0/12 silent-discard 10.0.0.0/8 silent-discard 0.0.0.0/0 silent-discard, dsn fd00::/8 silent-discard ::/0 silent-discard, dsn ''}"; sender_canonical_maps = "tcp:localhost:${toString config.services.postsrsd.forwardPort}"; sender_canonical_classes = "envelope_sender"; recipient_canonical_maps = "tcp:localhost:${toString config.services.postsrsd.reversePort}"; recipient_canonical_classes = ["envelope_recipient" "header_recipient"]; virtual_mailbox_domains = ''pgsql:${pkgs.writeText "virtual_mailbox_domains.cf" '' hosts = postgresql:///email dbname = email query = SELECT 1 FROM virtual_mailbox_domain WHERE domain = '%s' ''}''; virtual_mailbox_maps = ''pgsql:${pkgs.writeText "virtual_mailbox_maps.cf" '' hosts = postgresql:///email dbname = email query = SELECT 1 FROM virtual_mailbox_mapping WHERE lookup = '%s' OR (lookup = regexp_replace('%s', '\+[^@]*@', '@') AND NOT EXISTS (SELECT 1 FROM virtual_mailbox_mapping WHERE lookup = '%s')) ''}''; dvlmtp_destination_recipient_limit = "1"; virtual_transport = "dvlmtp:unix:/run/dovecot-lmtp"; smtputf8_enable = false; authorized_submit_users = "inline:{ root= postfwd= }"; postscreen_access_list = ""; postscreen_denylist_action = "drop"; postscreen_greet_action = "enforce"; }; masterConfig = { smtps = { type = "inet"; private = false; command = "smtpd"; args = [ "-o" "smtpd_tls_security_level=encrypt" "-o" "{smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}" "-o" "{smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}" "-o" "smtpd_tls_mandatory_ciphers=high" "-o" "smtpd_tls_dh1024_param_file=${toString config.security.dhparams.params."postfix-smtps-1024".path}" "-o" "smtpd_tls_dh512_param_file=${toString config.security.dhparams.params."postfix-smtps-512".path}" "-o" "{tls_eecdh_auto_curves = X25519 X448}" "-o" "smtpd_tls_wrappermode=yes" "-o" "smtpd_tls_ask_ccert=yes" "-o" "smtpd_tls_req_ccert=yes" "-o" "smtpd_tls_received_header=no" "-o" "cleanup_service_name=subcleanup" "-o" "smtpd_client_restrictions=permit_tls_all_clientcerts,reject" "-o" "{smtpd_data_restrictions = check_policy_service unix:/run/postfwd3/postfwd3.sock}" "-o" "smtpd_relay_restrictions=permit_tls_all_clientcerts,reject" "-o" "{smtpd_sender_restrictions = reject_unknown_sender_domain,reject_unverified_sender,check_policy_service unix:/run/postfix-ccert-sender-policy.sock}" "-o" "unverified_sender_reject_code=550" "-o" "unverified_sender_reject_reason={Sender address rejected: undeliverable address}" "-o" ''{smtpd_recipient_restrictions=reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,check_recipient_access pgsql:${pkgs.writeText "check_recipient_access.cf" '' hosts = postgresql:///email dbname = email query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s' OR (lookup = regexp_replace('%s', '\+[^@]*@', '@') AND NOT EXISTS (SELECT 1 FROM virtual_mailbox_access WHERE lookup = '%s')) ''},permit_tls_all_clientcerts,reject}'' "-o" "milter_macro_daemon_name=surtr.yggdrasil.li" "-o" ''smtpd_milters=${config.services.opendkim.socket}'' ]; }; subcleanup = { command = "cleanup"; private = false; maxproc = 0; args = [ "-o" "header_checks=pcre:${pkgs.writeText "header_checks_submission" '' /^Received: from [^ ]+ \([^ ]+ [^ ]+\)\s+(.*)$/ REPLACE Received: $1 ''}" ]; }; dvlmtp = { command = "lmtp"; args = [ "flags=DORX" ]; }; smtp_pass = { name = "smtpd"; type = "pass"; command = "smtpd"; }; postscreen = { name = "smtp"; type = "inet"; private = false; command = "postscreen"; maxproc = 1; }; smtp = {}; relay = { command = "smtp"; args = [ "-o" "smtp_fallback_relay=" ]; }; tlsproxy = { maxproc = 0; }; dnsblog = {}; }; }; services.postsrsd = { enable = true; domain = "surtr.yggdrasil.li"; separator = "+"; excludeDomains = [ "surtr.yggdrasil.li" ] ++ concatMap (domain: [".${domain}" domain]) emailDomains; }; services.opendkim = { enable = true; user = "postfix"; group = "postfix"; socket = "local:/run/opendkim/opendkim.sock"; domains = ''csl:${concatStringsSep "," (["surtr.yggdrasil.li"] ++ emailDomains)}''; selector = "surtr"; configFile = builtins.toFile "opendkim.conf" '' Syslog true MTA surtr.yggdrasil.li MTACommand ${config.security.wrapperDir}/sendmail LogResults true ''; }; services.rspamd = { enable = true; workers = { controller = { type = "controller"; count = 1; bindSockets = [ { mode = "0660"; socket = "/run/rspamd/worker-controller.sock"; owner = config.services.rspamd.user; group = config.services.rspamd.group; } ]; includes = []; extraConfig = '' static_dir = "''${WWWDIR}"; # Serve the web UI static assets ''; }; external = { type = "rspamd_proxy"; bindSockets = [ { mode = "0660"; socket = "/run/rspamd/rspamd-milter.sock"; owner = config.services.rspamd.user; group = config.services.rspamd.group; } ]; extraConfig = '' milter = yes; timeout = 120s; upstream "local" { default = yes; self_scan = yes; } ''; }; }; locals = { "milter_headers.conf".text = '' use = ["authentication-results", "x-spamd-result", "x-rspamd-queue-id", "x-rspamd-server", "x-spam-level", "x-spam-status"]; extended_headers_rcpt = []; ''; "actions.conf".text = '' reject = 15; add_header = 10; greylist = 5; ''; "groups.conf".text = '' symbols { "BAYES_SPAM" { weight = 2.0; } } ''; "dmarc.conf".text = '' reporting = true; send_reports = true; report_settings { org_name = "Yggdrasil.li"; domain = "yggdrasil.li"; email = "postmaster@yggdrasil.li"; } ''; "redis.conf".text = '' servers = "${config.services.redis.servers.rspamd.unixSocket}"; ''; "dkim_signing.conf".text = "enabled = false;"; "neural.conf".text = "enabled = false;"; "classifier-bayes.conf".text = '' enable = true; expire = 8640000; new_schema = true; backend = "redis"; per_user = true; min_learns = 0; autolearn = [0, 10]; statfile { symbol = "BAYES_HAM"; spam = false; } statfile { symbol = "BAYES_SPAM"; spam = true; } ''; # "redirectors.inc".text = '' # visit.creeper.host # ''; }; }; users.groups.${config.services.rspamd.group}.members = [ config.services.postfix.user "dovecot2" ]; services.redis.servers.rspamd.enable = true; users.groups.${config.services.redis.servers.rspamd.user}.members = [ config.services.rspamd.user ]; services.dovecot2 = { enable = true; enablePAM = false; sslServerCert = "/run/credentials/dovecot2.service/surtr.yggdrasil.li.pem"; sslServerKey = "/run/credentials/dovecot2.service/surtr.yggdrasil.li.key.pem"; sslCACert = toString ./ca/ca.crt; mailLocation = "maildir:/var/lib/mail/%u/maildir:UTF-8:INDEX=/var/lib/dovecot/indices/%u"; modules = with pkgs; [ dovecot_pigeonhole dovecot_fts_xapian ]; mailPlugins.globally.enable = [ "fts" "fts_xapian" ]; protocols = [ "lmtp" "sieve" ]; extraConfig = let dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" '' driver = pgsql connect = dbname=email password_query = SELECT NULL as password, 'Y' as nopassword, "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n' user_query = SELECT "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n' iterate_query = SELECT "user" FROM imap_user ''; in '' mail_home = /var/lib/mail/%u mail_plugins = $mail_plugins quota first_valid_uid = ${toString config.users.users.dovecot2.uid} last_valid_uid = ${toString config.users.users.dovecot2.uid} first_valid_gid = ${toString config.users.groups.dovecot2.gid} last_valid_gid = ${toString config.users.groups.dovecot2.gid} ${concatMapStringsSep "\n\n" (domain: concatMapStringsSep "\n" (subdomain: '' local_name ${subdomain} { ssl_cert =