Add pushing to hrz allowlist

2024-03-31 16:26:11 +02:00 · 2024-03-31 16:26:11 +02:00 · b9b7a1fa58
commit b9b7a1fa58
parent 1ab6e5d868
3 changed files with 87 additions and 3 deletions
--- a/nixos/modules/mailman.nix
+++ b/nixos/modules/mailman.nix
@ -2,6 +2,7 @@
 {
  config,
  lib,
+  pkgs,
  ...
 }: let
  inherit
@ -36,7 +37,7 @@ in {
          proxy_interfaces = "130.83.2.184";
          smtputf8_enable = "no"; # HRZ does not know SMTPUTF8
        };
-        relayHost = "mailout.hrz.tu-darmstadt.de"; # Relay to HRZ
+        relayHost = "mailout.hrz.tu-darmstadt.de"; # Relay to HRZ (see https://www.hrz.tu-darmstadt.de/services/it_services/email_infrastruktur/index.de.jsp)
      };
      mailman = {
        enable = true;
@ -44,10 +45,12 @@ in {
        hyperkitty.enable = true;
        webHosts = [cfg.hostName];
        serve.enable = true; #
+        # Don't include confirmation tokens in reply addresses, because we would need to send them to HRZ otherwise.
+        settings.mta.verp_confirmations = "no";
      };
      nginx.virtualHosts.${cfg.hostName} = {
-        enableACME = true;
-        forceSSL = false;
+        enableACME = true; # Get certificates (primarily for postfix)
+        forceSSL = false; # Don't use HTTPS behind the proxy
      };
    };

@ -63,5 +66,40 @@ in {
    security.acme.acceptTerms = true;

    networking.firewall.allowedTCPPorts = [25 80 443];
+
+    # Update HRZ allowlist
+    # For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
+    # will stop working if no valid TUIDs are associated to our domain.
+    systemd.timers."mailAllowlist" = {
+      wantedBy = ["timers.target"];
+      timerConfig = {
+        OnBootSec = "5m"; # Run every 5 minutes
+        OnUnitActiveSec = "5m";
+        RandomizedDelaySec = "2m"; # prevent overload on regular intervals
+        Unit = "mailAllowlist.service";
+      };
+    };
+    systemd.services."mailAllowlist" = {
+      description = "Allowlist update: Post the mail addresses used by mailman to the HRZ allowllist";
+      script = ''
+        # Get the mail addresses' local-part
+        cut -d '@' -f 1 /var/lib/mailman/data/postfix_lmtp | grep -v '#' | grep "\S" > /tmp/addresses
+        # Post local-parts to HRZ
+        ${pkgs.curl}/bin/curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${cfg.hostName} -F password=$(cat /run/secrets/allowlistPass) -F emailliste=@/tmp/addresses -F meldungen=voll
+        # Cleanup
+        rm /tmp/addresses
+      '';
+      serviceConfig = {
+        Type = "oneshot";
+        User = "mailman";
+        PrivateTmp = true;
+      };
+    };
+    sops.secrets.allowlistPass = {
+      sopsFile = ../machines/lobon/allowlistPass.yaml;
+      owner = "mailman";
+      group = "mailman";
+      mode = "0400";
+    };
  };
 }