1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
|
{ config, pkgs, lib, ... }:
with lib;
{
config = {
services.postfix = {
enable = true;
hostname = "surtr.yggdrasil.li";
recipientDelimiter = "+";
setSendmail = true;
postmasterAlias = ""; rootAlias = ""; extraAliases = "";
destination = [];
sslCert = "/run/credentials/postfix.service/surtr.yggdrasil.li.pem";
sslKey = "/run/credentials/postfix.service/surtr.yggdrasil.li.key.pem";
networks = ["127.0.0.0/8" "[::ffff:127.0.0.0]/104" "[::1]/128" "10.141.0.0/16"];
config = let
relay_ccert = "texthash:${pkgs.writeText "relay_ccert" ""}";
in {
#the dh params
smtpd_tls_dh1024_param_file = toString config.security.dhparams.params."postfix-1024".path;
smtpd_tls_dh512_param_file = toString config.security.dhparams.params."postfix-512".path;
#enable ECDH
smtpd_tls_eecdh_grade = "strong";
#enabled SSL protocols, don't allow SSLv2 and SSLv3
smtpd_tls_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" "!TLSv1.2"];
smtpd_tls_mandatory_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" "!TLSv1.2"];
#allowed ciphers for smtpd_tls_security_level=encrypt
smtpd_tls_mandatory_ciphers = "high";
#allowed ciphers for smtpd_tls_security_level=may
#smtpd_tls_ciphers = high
#enforce the server cipher preference
tls_preempt_cipherlist = true;
#disable following ciphers for smtpd_tls_security_level=encrypt
smtpd_tls_mandatory_exclude_ciphers = ["aNULL" "MD5" "DES" "ADH" "RC4" "PSD" "SRP" "3DES" "eNULL"];
#disable following ciphers for smtpd_tls_security_level=may
smtpd_tls_exclude_ciphers = ["aNULL" "MD5" "DES" "ADH" "RC4" "PSD" "SRP" "3DES" "eNULL"];
#enable TLS logging to see the ciphers for inbound connections
smtpd_tls_loglevel = "1";
#enable TLS logging to see the ciphers for outbound connections
smtp_tls_loglevel = "1";
smtpd_tls_ask_ccert = true;
smtpd_tls_CAfile = toString ./ca/ca.crt;
smtp_tls_security_level = "dane";
smtp_dns_support_level = "dnssec";
tls_server_sni_maps = ''cidr:${pkgs.writeText "sni" ''
bouncy.email /run/credentials/postfix.service/bouncy.email.sni.pem
mailin.bouncy.email /run/credentials/postfix.service/mailin.bouncy.email.sni.pem
mailsub.bouncy.email /run/credentials/postfix.service/mailsub.bouncy.email.sni.pem
.bouncy.email /run/credentials/postfix.service/bouncy.email.sni.pem
''}'';
local_recipient_maps = "";
# 10 GiB
message_size_limit = "10737418240";
# 10 GiB
mailbox_size_limit = "10737418240";
smtpd_delay_reject = true;
smtpd_helo_required = true;
smtpd_helo_restrictions = "permit";
smtpd_recipient_restrictions = [
"reject_unauth_pipelining"
"reject_non_fqdn_recipient"
"reject_unknown_recipient_domain"
"permit_mynetworks"
"check_ccert_access ${relay_ccert}"
"reject_non_fqdn_helo_hostname"
"reject_invalid_helo_hostname"
"reject_unauth_destination"
"reject_unknown_recipient_domain"
"reject_unverified_recipient"
];
smtpd_relay_restrictions = [
"permit_mynetworks"
"check_ccert_access ${relay_ccert}"
"reject_unauth_destination"
];
propagate_unmatched_extensions = ["canonical" "virtual" "alias"];
smtpd_authorized_verp_clients = "$authorized_verp_clients";
authorized_verp_clients = "$mynetworks";
milter_default_action = "accept";
smtpd_milters = [config.services.opendkim.socket];
non_smtpd_milters = [config.services.opendkim.socket];
alias_maps = "";
queue_run_delay = "10s";
minimal_backoff_time = "1m";
maximal_backoff_time = "10m";
maximal_queue_lifetime = "100m";
bounce_queue_lifetime = "20m";
smtpd_discard_ehlo_keyword_address_maps = "cidr:${pkgs.writeText "esmtp_access" ''
# Allow DSN requests from local subnet only
192.168.0.0/16 silent-discard
172.16.0.0/12 silent-discard
10.0.0.0/8 silent-discard
0.0.0.0/0 silent-discard, dsn
fd00::/8 silent-discard
::/0 silent-discard, dsn
''}";
sender_canonical_maps = "tcp:localhost:${toString config.services.postsrsd.forwardPort}";
sender_canonical_classes = "envelope_sender";
recipient_canonical_maps = "tcp:localhost:${toString config.services.postsrsd.reversePort}";
recipient_canonical_classes = ["envelope_recipient" "header_recipient"];
};
masterConfig = {
smtps = {
type = "inet";
private = false;
command = "smtpd";
args = [
"-o" "smtpd_tls_wrappermode=yes"
"-o" "smtpd_tls_req_ccert=yes"
"-o" "smtpd_client_restrictions=permit_tls_all_clientcerts,reject"
"-o" "smtpd_recipient_restrictions=reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_tls_all_clientcerts,reject"
];
};
};
};
services.postsrsd = {
enable = true;
domain = "srs.surtr.yggdrasil.li";
separator = "+";
excludeDomains = [ "surtr.yggdrasil.li"
".bouncy.email" "bouncy.email"
];
};
services.opendkim = {
enable = true;
user = "postfix"; group = "postfix";
socket = "local:/run/opendkim/opendkim.sock";
domains = ''csl:${concatStringsSep "," ["surtr.yggdrasil.li" "bouncy.email"]}'';
selector = "surtr";
configFile = builtins.toFile "opendkim.conf" ''
Syslog true
MTACommand ${config.security.wrapperDir}/sendmail
LogResults true
SignatureAlgorithm ed25519-sha256
'';
};
security.dhparams = {
params = {
"postfix-512".bits = 512;
"postfix-1024".bits = 2048;
};
};
security.acme.domains = {
"bouncy.email" = {};
"mailin.bouncy.email" = {};
"mailsub.bouncy.email" = {};
"surtr.yggdrasil.li" = {};
};
systemd.services.postfix = {
preStart = concatMapStringsSep "\n" (domain: ''
(
umask 0037
cat /var/lib/acme/${domain}/key.pem /var/lib/acme/${domain}/full.pem > /var/lib/acme/${domain}/sni.pem
chown acme:acme /var/lib/acme/${domain}/sni.pem
)
'') ["bouncy.email" "mailin.bouncy.email" "mailsub.bouncy.email" "surtr.yggdrasil.li"];
serviceConfig.LoadCredential = [
"surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem"
"surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem"
"bouncy.email.sni.pem:${config.security.acme.certs."bouncy.email".directory}/sni.pem"
"mailin.bouncy.email.sni.pem:${config.security.acme.certs."mailin.bouncy.email".directory}/sni.pem"
"mailsub.bouncy.email.sni.pem:${config.security.acme.certs."mailsub.bouncy.email".directory}/sni.pem"
];
};
};
}
|