Mail machine #47

Open
Gonne wants to merge 3 commits from Gonne/nixConfig:kaalut into main
Owner

A general replacement of Eihort with software that probably allows for easier DKIM and DMARC setup

TODO list:

- [x] reinstall kaalut after bricking on full disk
- [x] fix admin login that somehow does not work
- [ ] sync alias files from eihort
- [ ] include correct passwords for HRZ allowlist
- [ ] …?

Optional for deployment:

- [x] fix collection of local mail accounts for HRZ API
- [x] refactor sieve generation from first try
- [ ] DKIM
- [ ] DMARC
- [ ] …?
Gonne added 2 commits 2024-11-22 21:28:45 +00:00
Gonne requested review from Server-Minions 2024-11-22 21:29:09 +00:00
Gonne force-pushed kaalut from 84e613f0b0 to 044326ad38 2024-11-23 08:40:23 +00:00 Compare
Gonne force-pushed kaalut from 044326ad38 to 597f4d365c 2024-11-23 09:15:35 +00:00 Compare
Gonne force-pushed kaalut from 597f4d365c to 85131d6f36 2024-11-23 20:56:13 +00:00 Compare
Gonne changed title from WIP: Mail machine to Mail machine 2024-11-23 20:59:23 +00:00
Gonne force-pushed kaalut from 85131d6f36 to e3006b8e03 2024-11-25 20:31:40 +00:00 Compare
Gonne force-pushed kaalut from e3006b8e03 to b3aac99ca7 2024-11-26 18:26:13 +00:00 Compare
Gonne force-pushed kaalut from b3aac99ca7 to 3bb4dcb120 2024-11-27 12:42:07 +00:00 Compare
Gonne force-pushed kaalut from 3bb4dcb120 to 42102bb1a0 2024-11-29 10:46:15 +00:00 Compare
Gonne force-pushed kaalut from 42102bb1a0 to d2ab4d8eea 2024-12-02 19:55:14 +00:00 Compare
Gonne reviewed 2024-12-13 17:29:29 +00:00
@ -56,0 +56,4 @@
overlays = [
(_: _: {
alias-to-sieve = inputs.alias-to-sieve.packages.x86_64-linux.default; # add custom package to convert alias files to sieve scripts on the stalwart machine
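Review bot: the overlay hardcodes `packages.x86_64-linux.default`, so evaluating this configuration for any other host platform fails or picks the wrong binary. The overlay also ignores both of its arguments (`_: _:`); take `final: prev:` and select `inputs.alias-to-sieve.packages.${prev.stdenv.hostPlatform.system}.default` so the package follows the system being built.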
Author
Owner

The package selection should depend on system, and is there a reason we overlay like this and not just use `flake-inputs.alias-to-sieve...` in the system config?
Author
Owner

The `flake-inputs` parameter is not available as a module parameter while `pkgs` is supplied by the nix module system.
Gonne marked this conversation as resolved
@ -0,0 +41,4 @@
sops.secrets = {
# Password for the HRZ API that gets a list of mailaddresses that we serve
allowlistPassMatheball = {
sopsFile = ./allowlistPassMatheball.yaml;
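Review bot: one encrypted file per password (`allowlistPassMatheball.yaml`) multiplies the files that need re-keying when a recipient key rotates. sops-nix resolves a secret name such as `sops.secrets."hrz/matheball"` as a `/`-separated path into one YAML document, so a single per-machine secrets file with one key per allowlist password gives the same separate `/run/secrets` entries with less to maintain.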
Author
Owner

The passwords can be in one yaml file and still be exposed as different secrets by sops. This can be managed by the yaml structure
Gonne marked this conversation as resolved
@ -0,0 +1,301 @@
/*
* Building: For some reason, stalwart is not served by cache.nixos.org and thus needs to be built locally.
Author
Owner

ufff
Gonne marked this conversation as resolved
@ -0,0 +1,301 @@
/*
* Building: For some reason, stalwart is not served by cache.nixos.org and thus needs to be built locally.
* Be aware that this needs some hours, about 12Gb RAM and a few Gb free space in /tmp.
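Review bot: the build note should say where the build is expected to run. If `nixos-rebuild` happens on the mail VM itself, a multi-hour compile needing about 12 GB of RAM is a capacity risk on the production host, and a failed build mid-incident leaves the machine unchanged but busy; building on a workstation and pushing the closure, or populating a cache once, keeps the VM lean. Also write the units as GB rather than "Gb" (gigabits).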
Author
Owner

double uff
Gonne marked this conversation as resolved
@ -0,0 +2,4 @@
* Building: For some reason, stalwart is not served by cache.nixos.org and thus needs to be built locally.
* Be aware that this needs some hours, about 12Gb RAM and a few Gb free space in /tmp.
* Forwarding mails: Update the Sops-secrets in the machine directory, rebuild and deploy.
* Everything else should happen automatically but new redirects might take up to two hours due HRZ infrastructure.
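Review bot: "due HRZ infrastructure" is missing "to". The forwarding procedure should also name which sops secret holds the alias data, since "update the Sops-secrets in the machine directory" is the only instruction a future maintainer gets.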
Author
Owner

isn't really a problem, this means we have time to rebuild stalwart to deploy the new alias
Gonne marked this conversation as resolved
@ -0,0 +5,4 @@
* Everything else should happen automatically but new redirects might take up to two hours due HRZ infrastructure.
* Using the web admin interface: Set your SSH to do portforwarding of some local port to port 80 of the VM and
* and use your personal admin account or create one using the fallback admin password.
* Create users with mail boxes: Go to the admin interface and create them.
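Review bot: the admin workflow tunnels a plaintext HTTP port over SSH, which is fine as long as the doc states that the management API is never to be used without the tunnel. It should also say that the fallback admin password is a break-glass credential: create a personal admin account first and keep the fallback for recovery only. Lines 3-4 of the hunk repeat "and" ("of the VM and / and use your personal").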
Author
Owner

if the mailboxes are data on the machine, maybe the aliases should be too. This would also spare us to rebuild stalwart to update an alias
Author
Owner

If only aliases are changed rebuilds on the VM itself are fast and lean.
Gonne marked this conversation as resolved
@ -0,0 +31,4 @@
type = listOf (lib.types.submodule {
options = {
domain = mkOption {
type = str;
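Review bot: `type = str` accepts the empty string and arbitrary text for `domain`, and later in this file the value is interpolated into a grep pattern and a curl form field. Constrain it at evaluation time, e.g. `type = lib.types.strMatching "^[a-z0-9.-]+$";` (or at least `lib.types.nonEmptyStr`), so a typo fails the build instead of producing an odd regex or an empty allowlist update.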
Author
Owner

did you think about a more specialized type, non empty string? string matching regex? something like this?
Gonne marked this conversation as resolved
@ -0,0 +47,4 @@
};
config = mkIf cfg.enable {
environment.systemPackages = [pkgs.alias-to-sieve]; # install converter from alias files to sieve scripts
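Review bot: installing the converter into `environment.systemPackages` puts it on every user's PATH for no benefit; the curl and grep invocations later in this file already use the `${pkgs.curl}/bin/curl` form, so reference `${pkgs.alias-to-sieve}/bin/...` the same way from the script that runs it and drop this line.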
Author
Owner

does this need to be a system wide package or can we just call it in the right places?
Author
Owner

There is no need for system wide.
Gonne marked this conversation as resolved
@ -0,0 +62,4 @@
protocol = "smtp";
};
"submissions" = {
# Enabling sending from these domains privately blocked on https://github.com/stalwartlabs/mail-server/issues/618
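Review bot: the comment says sending from these domains is blocked on an upstream issue but not what the `submissions` listener does in the meantime. State whether the listener is reachable and whether authenticated users can relay outbound mail through it today, so nobody reads "blocked" as "outbound is disabled" when it is not.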
Author
Owner

???
Gonne marked this conversation as resolved
@ -0,0 +73,4 @@
tls.implicit = true;
};
"management" = {
bind = ["[::]:80"]; # This must also bind publically for ACME to work.
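Review bot: binding the management listener on `[::]:80` exposes the admin API in plaintext to every network that can reach the host, not only to the ACME validator; the Basic-auth credential used against `http://localhost/api/principal` later in this file would be accepted just the same from outside. Bind management to loopback and expose only the HTTP-01 challenge path publicly (or have cthulhu, which the thread says terminates TLS, proxy only that path), and add the comment the reviewer asked for: which ports cthulhu forwards and on which connections it handles TLS.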
Author
Owner

maybe a comment what cthulhu should forward to us, and on which connections it handles tls
Gonne marked this conversation as resolved
@ -0,0 +87,4 @@
};
spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding
auth = {
# TODO check if HRZ conforms to these standards and we can validate them strictly
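Review bot: pointing `spam.header.is-spam` at a header that is never set disables the spam action for every recipient, not only forwarded mail; since this machine also hosts mailboxes, spam for local users will land in their inbox. Either scope the exception to forwarded addresses or say in the comment that this is a deliberate trade-off. The `TODO check if HRZ conforms` should name the concrete check (which standards, what becomes strict once enforced) so it can be closed.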
Author
Owner

lol

can we do it?
Gonne marked this conversation as resolved
@ -0,0 +110,4 @@
}
{"else" = "'hrz'";}
];
tls = {
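Review bot: the thread justifies the relaxed `tls` settings with "we only talk to VMs and HRZ"; that trust assumption belongs in a comment next to `tls = {`, so a later change that opens the listener to other senders does not silently inherit it.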
Author
Owner

this is fine because we only talk to vms and hrz which are "trusted" entities
Gonne marked this conversation as resolved
@ -0,0 +120,4 @@
address = "mailout.hrz.tu-darmstadt.de";
port = 25;
protocol = "smtp";
tls.implicit = false; # somehow this is needed here
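Review bot: `tls.implicit = false` on port 25 is not "somehow needed", it is the expected setting: port 25 negotiates STARTTLS, implicit TLS is the port 465 model. Replace the comment with that explanation. Since this hop carries all outbound mail to `mailout.hrz.tu-darmstadt.de`, also confirm the relay is configured to require STARTTLS rather than fall back to cleartext when negotiation fails.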
Author
Owner

I HATE starttls can we burn down the hrz already?
Gonne marked this conversation as resolved
@ -0,0 +132,4 @@
session.rcpt = {
# In order to accept mail that we only forward
# without having to generate an account.
# Invalid addresses are filtered by DFN beforehand.
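Review bot: accepting any recipient on the assumption that DFN filters invalid addresses upstream makes this listener an accept-then-bounce source for anything that reaches it by another path. Name the trust boundary in the comment (which listener, which upstream relay) and restrict the rule to connections from that relay instead of applying it unconditionally.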
Author
Owner

I love how we kind of abuse being in a shielded environment
Gonne marked this conversation as resolved
@ -0,0 +142,4 @@
{"else" = false;}
];
};
config.local-keys =
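Review bot: `config.local-keys =` has no explanation; add a comment naming which keys are forced to stay in the local config file and why they must not come from the database.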
Author
Owner

this needs a comment!
Gonne marked this conversation as resolved
@ -0,0 +165,4 @@
authentication.fallback-admin = {
user = "admin";
secret = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg"; # see machine secret for plaintext
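Review bot: the argon2 hash on line 3 of the hunk ends up in git and in the world-readable Nix store, and the trailing comment ("see machine secret for plaintext") no longer matches, as already noted. Even as a hash this is an offline-crackable copy of the break-glass credential, and its parameters (`argon2i`, `m=4096` i.e. 4 MiB, `t=3`, `p=1`) are well below current argon2id recommendations. Preferably read the hash from the sops secret at runtime; if it must stay in config, regenerate it with stronger parameters.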
Author
Owner

comment is outdated
Gonne marked this conversation as resolved
@ -0,0 +167,4 @@
user = "admin";
secret = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg"; # see machine secret for plaintext
};
tracer.stdout.level = "debug";
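Review bot: `tracer.stdout.level = "debug"` in the production config floods the journal, and debug traces carry session and message metadata that should not sit in logs by default. Set it to `info` here and raise it temporarily when troubleshooting.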
Author
Owner

in production?
Gonne marked this conversation as resolved
@ -0,0 +202,4 @@
}: ''
echo "process ${domain}"
# Get the mail addresses' local-part
${pkgs.curl}/bin/curl -s --header "authorization: Basic $(</run/secrets/stalwartAdmin)" http://localhost/api/principal | ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" | tee /tmp/addresses
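Review bot: this line has three problems. (1) `$(</run/secrets/stalwartAdmin)` puts the admin credential on curl's command line, readable in the process list by any local user for the duration of the call; read the header from a file instead (`-H @file`) or pass it via `--config`. (2) The pipeline does not fail when curl fails: without `set -o pipefail`, an unreachable API yields an empty `/tmp/addresses`, which the next step posts to HRZ as the new allowlist. (3) `/tmp/addresses` is a fixed path in a shared directory; use `mktemp`, or document that the unit runs with `PrivateTmp=`. Also, inside the bracket expression `+-/` is a range that includes `,`; `+\-/` was presumably intended.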
Author
Owner

This line needs explanation. A LOT OF IT
Gonne marked this conversation as resolved
@ -0,0 +205,4 @@
${pkgs.curl}/bin/curl -s --header "authorization: Basic $(</run/secrets/stalwartAdmin)" http://localhost/api/principal | ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" | tee /tmp/addresses
${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" /tmp/virt_aliases >> /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need.
# Post local-parts to HRZ
${pkgs.curl}/bin/curl -s https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${domain} -F password=$(cat ${allowlistPass}) -F emailliste=@/tmp/addresses -F meldungen=voll
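Review bot: `-F password=$(cat ${allowlistPass})` exposes the allowlist password on the command line and is unquoted, so a value containing whitespace breaks the call; curl reads a form field's value from a file with `-F "password=<${allowlistPass}"`, which keeps it out of `/proc/*/cmdline`. Gate this post on the previous step having produced a non-empty address list, and add the link to the HRZ documentation for `whitelist-update.php` (and what `meldungen=voll` means) that the reviewer asked for.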
Author
Owner

A link to hrz docu, so we can look at it if something breaks
Gonne marked this conversation as resolved
Gonne added 1 commit 2024-12-14 16:31:55 +00:00
Gonne force-pushed kaalut from d89b132fa1 to 6dbd7d6a80 2024-12-15 08:32:28 +00:00 Compare
Author
Owner

We may also want to manage mailboxes in config
Gonne force-pushed kaalut from 6dbd7d6a80 to bbea28a6cf 2024-12-16 19:00:38 +00:00 Compare
Reference: Fachschaft/nixConfig#47