Fachschaft/nixConfig
5
2
Fork 2
Code Issues 11 Pull requests 1 Projects Wiki Activity

Group config parameters

Browse source
This commit is contained in:
Gonne 2025-03-02 11:57:05 +01:00
parent 5dfd352edd
commit 590ea741d0
1 changed files with 68 additions and 62 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

130
nixos/modules/mail.nix
View file

@ -101,13 +101,22 @@ in {
# Reevaluate after DKIM and DMARC deployment
spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding
auth = {
# TODO check if HRZ conforms to these standards and we can validate them strictly
# TODO check if HRZ and our own VMs conform to these standards and we can validate them strictly
dkim.verify = "relaxed";
arc.verify = "relaxed";
dmarc.verify = "relaxed";
iprev.verify = "relaxed";
spf.verify.ehlo = "relaxed";
spf.verify.mail-from = "relaxed";
# Sign *our* outgoing mails with the configured signatures.
dkim.sign = [
{
"if" = "is_local_domain('', sender_domain) || sender_domain == 'lists.mathebau.de'";
"then" = "['rsa_' + sender_domain, 'ed25519_' + sender_domain]";
}
{"else" = false;}
];
};
# Forward outgoing mail to HRZ or mail VMs.
@ -131,52 +140,56 @@ in {
starttls = "optional"; # e.g. Lobon does not offer starttls
};
};
remote."hrz" = {
address = "mailout.hrz.tu-darmstadt.de";
port = 25;
protocol = "smtp";
tls.implicit = false; # Don't assume TLS on this port but use STARTTLS
};
remote."mailman" = {
address = "lobon.mathebau.de"; # must be created in DNS as a MX record because this field does not accept ip addresses.
port = 25;
protocol = "smtp";
tls.implicit = false; # Don't assume TLS on this port but use STARTTLS
remote = {
"hrz" = {
address = "mailout.hrz.tu-darmstadt.de";
port = 25;
protocol = "smtp";
tls.implicit = false; # Don't assume TLS on this port but use STARTTLS
};
"mailman" = {
address = "lobon.mathebau.de"; # must be created in DNS as a MX record because this field does not accept ip addresses.
port = 25;
protocol = "smtp";
tls.implicit = false; # Don't assume TLS on this port but use STARTTLS
};
};
session.rcpt = {
# In order to accept mail that we only forward
# without having to generate an account.
# Invalid addresses are filtered by DFN beforehand.
# See also https://stalw.art/docs/smtp/inbound/rcpt/#catch-all-addresses
catch-all = true;
relay = [
session = {
rcpt = {
# In order to accept mail that we only forward
# without having to generate an account.
# Invalid addresses are filtered by DFN beforehand.
# See also https://stalw.art/docs/smtp/inbound/rcpt/#catch-all-addresses
catch-all = true;
relay = [
{
"if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de' || starts_with(remote_ip, '192.168.0.')"; #TODO restrict trust by IP
"then" = true;
}
{"else" = false;}
];
};
ehlo.require = [
{
"if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de' || starts_with(remote_ip, '192.168.0.')"; #TODO restrict trust by IP
"then" = true;
"if" = "starts_with(remote_ip, '192.168.0.')"; #TODO setup vms properly
"then" = false;
}
{"else" = false;}
{"else" = true;}
];
ehlo.reject-non-fqdn = [
{
"if" = "starts_with(remote_ip, '192.168.0.')"; #TODO setup vms properly
"then" = false;
}
{"else" = true;}
];
};
session.ehlo.require = [
{
"if" = "starts_with(remote_ip, '192.168.0.')"; #TODO setup vms properly
"then" = false;
}
{"else" = true;}
];
session.ehlo.reject-non-fqdn = [
{
"if" = "starts_with(remote_ip, '192.168.0.')"; #TODO setup vms properly
"then" = false;
}
{"else" = true;}
];
# Stalwart gets its configuration from two places: A TOML configuration file that we control in this module
# and from a database that can be configured from web management interface or via Rest API.
# We here define what comes from the TOML-file and especially add "sieve.trusted.scripts.*" to the default ones
# We here define what comes from the TOML-file and especially add "sieve.trusted.*" to the default ones
# because only TOML-based keys may use macros to load files from disk.
# We want this to be able to load our sieve-script for mail forwarding.
# See https://stalw.art/docs/configuration/overview/#local-and-database-settings for more details.
@ -198,21 +211,23 @@ in {
"certificate.*"
] # the default ones
++ ["sieve.trusted.*"]; #for macros to be able to include our redirection script
sieve.trusted.scripts.redirects.contents = "%{file:/tmp/virt_aliases}%"; # generated redirect script
sieve.trusted.from-addr = "sender"; # set the from-address to the original sender as specified in the MAIL FROM.
sieve.trusted.from-namo = "sender";
sieve.trusted.return-path = "sender";
# If we are the sender, we sign the message with DKIM. Else we leave it alone.
sieve.trusted.sign = [
{
"if" = "is_local_domain('', sender_domain) || sender_domain == 'lists.mathebau.de'";
"then" = "['rsa_' + sender_domain, 'ed25519_' + sender_domain]";
}
{"else" = false;}
];
sieve.trusted.limits = {
redirects = 50;
out-messages = 50;
sieve.trusted = {
scripts.redirects.contents = "%{file:/tmp/virt_aliases}%"; # generated redirect script
from-addr = "sender"; # set the from-address to the original sender as specified in the MAIL FROM.
from-namo = "sender";
return-path = "sender";
# If we are the sender, we sign the message with DKIM. Else we leave it alone.
sign = [
{
"if" = "is_local_domain('', sender_domain) || sender_domain == 'lists.mathebau.de'";
"then" = "['rsa_' + sender_domain, 'ed25519_' + sender_domain]";
}
{"else" = false;}
];
limits = {
redirects = 50;
out-messages = 50;
};
};
session.data.script = "'redirects'";
@ -240,15 +255,6 @@ in {
in
map signatureTemplate (["lists.mathebau.de"] ++ (map ({domain, ...}: domain) cfg.domains));
# Sign *our* outgoing mails with the configured signatures.
auth.dkim.sign = [
{
"if" = "is_local_domain('', sender_domain) || sender_domain == 'lists.mathebau.de'";
"then" = "['rsa_' + sender_domain, 'ed25519_' + sender_domain]";
}
{"else" = false;}
];
authentication.fallback-admin = {
user = "admin";
# see passwd on azathoth for plaintext or machine secret in encoded format for HTTP Basic AUTH