Mail machine #47
Reference: Fachschaft/nixConfig#47
A general replacement of Eihort with software that probably allows for easier DKIM and DMARC setup
TODO list:
Optional for deployment:
@ -56,0 +56,4 @@
overlays = [
(_: _: {
alias-to-sieve = inputs.alias-to-sieve.packages.x86_64-linux.default; # add custom package to convert alias files to sieve scripts on the stalwart machine
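Review bot: the overlay hard-codes the platform in `inputs.alias-to-sieve.packages.x86_64-linux.default`, so the same config evaluated for any other system silently picks the wrong build; the overlay already receives its first argument (`final`), so `final: _: { alias-to-sieve = inputs.alias-to-sieve.packages.${final.system}.default; }` lets the package follow the host platform instead of being pinned.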
The package selection should depend on system, and is there a reason we overlay like this and not just use flake-inputs.alias-to-sieve... in the system config?
The flake-inputs parameter is not available as a module parameter while pkgs is supplied by the nix module system.
@ -0,0 +41,4 @@
sops.secrets = {
# Password for the HRZ API that gets a list of mailaddresses that we serve
allowlistPassMatheball = {
sopsFile = ./allowlistPassMatheball.yaml;
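Review bot: the secret only sets `sopsFile`; sops-nix places the decrypted file under `/run/secrets/` owned by root with mode 0400 by default, and the allowlist script later reads it with `cat ${allowlistPass}`, so either state that the script runs as root or set `owner`/`mode` on the secret for the user that actually runs it. The comment `Password for the HRZ API that gets a list of mailaddresses that we serve` also describes the API from HRZ's side; from ours it is the password used to push our address list to HRZ, which is clearer for the next reader.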
The passwords can be in one yaml file and still be exposed as different secrets by sops. This can be managed by the yaml structure.
@ -0,0 +1,301 @@
/*
* Building: For some reason, stalwart is not served by cache.nixos.org and thus needs to be built locally.
ufff
@ -0,0 +1,301 @@
/*
* Building: For some reason, stalwart is not served by cache.nixos.org and thus needs to be built locally.
* Be aware that this needs some hours, about 12Gb RAM and a few Gb free space in /tmp.
double uff
@ -0,0 +2,4 @@
* Building: For some reason, stalwart is not served by cache.nixos.org and thus needs to be built locally.
* Be aware that this needs some hours, about 12Gb RAM and a few Gb free space in /tmp.
* Forwarding mails: Update the Sops-secrets in the machine directory, rebuild and deploy.
* Everything else should happen automatically but new redirects might take up to two hours due HRZ infrastructure.
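Review bot: `For some reason, stalwart is not served by cache.nixos.org` should be replaced by the actual reason once it is known, because that decides whether the local build is permanent or a temporary workaround; and since the build needs hours, about 12Gb RAM and space in /tmp, the note should also say where the build is expected to run (a builder or the deploying machine, with the result copied to the VM) rather than leaving the reader to attempt it on the mail VM itself.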
isn't really a problem, this means we have time to rebuild stalwart to deploy the new alias
@ -0,0 +5,4 @@
* Everything else should happen automatically but new redirects might take up to two hours due HRZ infrastructure.
* Using the web admin interface: Set your SSH to do portforwarding of some local port to port 80 of the VM and
* and use your personal admin account or create one using the fallback admin password.
* Create users with mail boxes: Go to the admin interface and create them.
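Review bot: the web admin note should give the concrete forwarding command (for example `ssh -L 8080:localhost:80 <vm>`) and say that the fallback admin password is only for bootstrapping a personal admin account; since the `management` listener further down also binds `[::]:80`, the same admin endpoint is reachable without the tunnel unless the firewall restricts it, and the note should say which of the two is relied upon.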
If the mailboxes are data on the machine, maybe the aliases should be too. This would also spare us having to rebuild stalwart to update an alias.
If only aliases are changed, rebuilds on the VM itself are fast and lean.
@ -0,0 +31,4 @@
type = listOf (lib.types.submodule {
options = {
domain = mkOption {
type = str;
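Review bot: `domain = mkOption { type = str; }` accepts any string, including an empty one or one containing regex metacharacters, and the value is later interpolated unescaped into a grep pattern (`@${domain}`) and a curl form field (`-F emaildomain=${domain}`); `lib.types.strMatching` with a hostname pattern, or at least `lib.types.nonEmptyStr`, rejects bad values at evaluation time instead of at run time of the allowlist script.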
did you think about a more specialized type, non empty string? string matching regex? something like this?
@ -0,0 +47,4 @@
};
config = mkIf cfg.enable {
environment.systemPackages = [pkgs.alias-to-sieve]; # install converter from alias files to sieve scripts
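Review bot: `environment.systemPackages = [pkgs.alias-to-sieve]` puts the converter into every user's PATH although nothing in the module calls it from PATH; reference it by store path where it is invoked, as the script already does with `${pkgs.curl}/bin/curl` and `${pkgs.gnugrep}/bin/grep`.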
does this need to be a system wide package or can we just call it in the right places?
There is no need for system wide.
@ -0,0 +62,4 @@
protocol = "smtp";
};
"submissions" = {
# Enabling sending from these domains privately blocked on https://github.com/stalwartlabs/mail-server/issues/618
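Review bot: the comment `Enabling sending from these domains privately blocked on .../issues/618` does not say what the `submissions` listener currently does while the upstream issue is open (authenticated sending disabled entirely, or enabled without the per-domain restriction); spell that out in the comment so the operational consequence is visible without reading the rest of the block.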
???
@ -0,0 +73,4 @@
tls.implicit = true;
};
"management" = {
bind = ["[::]:80"]; # This must also bind publically for ACME to work.
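Review bot: `bind = ["[::]:80"]` on the `management` listener exposes the admin API and web interface on every interface, not only the ACME challenge path; if the VM is reachable from anywhere besides the proxy that forwards to it, restrict port 80 in the firewall to the proxy's address, or serve the ACME challenge from a separate listener and keep management on localhost, and extend the comment `This must also bind publically for ACME to work` with whichever of the two is relied upon.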
maybe a comment what cthulhu should forward to us, and on which connections it handles tls
@ -0,0 +87,4 @@
};
spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding
auth = {
# TODO check if HRZ conforms to these standards and we can validate them strictly
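Review bot: `spam.header.is-spam = "Dummyheader"` disables spam foldering for every mailbox on the machine, not only for mail that is forwarded, so the comment should say that this is accepted for local mailboxes too; and the `TODO check if HRZ conforms to these standards` under `auth` should be resolved before merge or point to an issue, since what is validated strictly decides whether mail relayed through HRZ gets rejected.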
lol
can we do it?
@ -0,0 +110,4 @@
}
{"else" = "'hrz'";}
];
tls = {
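Review bot: the reasoning for the relaxed `tls` settings given in this thread (only our own VMs and HRZ are talked to, so they are treated as trusted) belongs in a comment at `tls = {` so it survives outside the review; together with `{"else" = "'hrz'";}` routing everything unmatched to HRZ, the comment should state that HRZ is the only outbound path, because that assumption is what makes the relaxed TLS setting acceptable.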
this is fine because we only talk to vms and hrz which are "trusted" entities
@ -0,0 +120,4 @@
address = "mailout.hrz.tu-darmstadt.de";
port = 25;
protocol = "smtp";
tls.implicit = false; # somehow this is needed here
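Review bot: `tls.implicit = false; # somehow this is needed here` should explain rather than wonder: the relay to `mailout.hrz.tu-darmstadt.de` on port 25 uses STARTTLS, and implicit TLS is what port 465 uses, so `false` is the correct value here; it is also worth checking and documenting whether this route requires the STARTTLS upgrade to succeed or silently falls back to plaintext if it fails.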
I HATE starttls can we burn down the hrz already?
@ -0,0 +132,4 @@
session.rcpt = {
# In order to accept mail that we only forward
# without having to generate an account.
# Invalid addresses are filtered by DFN beforehand.
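Review bot: accepting recipients without a local account (`In order to accept mail that we only forward without having to generate an account`) rests entirely on `Invalid addresses are filtered by DFN beforehand`, which only holds while inbound SMTP reaches this host exclusively through DFN/HRZ; the comment should name that assumption and the firewall rule enforcing it, and the rule should be limited to the domains configured in `cfg` rather than any recipient, otherwise the host accepts, forwards or bounces mail for arbitrary addresses.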
I love how we kind of abuse being in a shielded environment
@ -0,0 +142,4 @@
{"else" = false;}
];
};
config.local-keys =
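Review bot: `config.local-keys =` carries no comment saying what is stored here; if it holds private key material (DKIM signing keys, for instance, which this PR is meant to make easier), it must be referenced from a sops secret path like the admin password is, not written into the nix config, because anything in the config ends up world-readable in the nix store.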
this needs a comment!
@ -0,0 +165,4 @@
authentication.fallback-admin = {
user = "admin";
secret = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg"; # see machine secret for plaintext
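Review bot: `authentication.fallback-admin.secret` is an argon2i hash written into the nix config, so it lands world-readable in the nix store; the hash is slow to attack, but loading it from a sops secret the way `stalwartAdmin` is would keep it out of the store entirely, and the comment `see machine secret for plaintext` would then point at the same place.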
comment is outdated
@ -0,0 +167,4 @@
user = "admin";
secret = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg"; # see machine secret for plaintext
};
tracer.stdout.level = "debug";
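Review bot: `tracer.stdout.level = "debug"` in the deployed config writes debug-level traces, including session and authentication details, to stdout and thus the journal of a production mail host; set it to `info` (or `warn`) and raise it only temporarily while debugging.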
in production?
@ -0,0 +202,4 @@
}: ''
echo "process ${domain}"
# Get the mail addresses' local-part
${pkgs.curl}/bin/curl -s --header "authorization: Basic $(</run/secrets/stalwartAdmin)" http://localhost/api/principal | ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" | tee /tmp/addresses
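Review bot: the address export writes to the fixed path `/tmp/addresses` via `tee`, and the following line appends to it, so a stale file from an earlier run or a file placed there by another local user ends up in what is posted to HRZ; create the file with `mktemp` and remove it afterwards. Nothing checks that the `curl ... http://localhost/api/principal` call succeeded either: with `set -euo pipefail` and a check on the curl exit status the script stops instead of posting an empty or partial list.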
This line needs explanation. A LOT OF IT
@ -0,0 +205,4 @@
${pkgs.curl}/bin/curl -s --header "authorization: Basic $(</run/secrets/stalwartAdmin)" http://localhost/api/principal | ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" | tee /tmp/addresses
${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" /tmp/virt_aliases >> /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need.
# Post local-parts to HRZ
${pkgs.curl}/bin/curl -s https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${domain} -F password=$(cat ${allowlistPass}) -F emailliste=@/tmp/addresses -F meldungen=voll
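Review bot: both curl invocations put the credential on the command line: `--header "authorization: Basic $(</run/secrets/stalwartAdmin)"` and `-F password=$(cat ${allowlistPass})` are visible to every local user in `ps` while the call runs; curl can read a header from a file with `-H @file` and a form field's content from a file with `-F "password=<${allowlistPass}"`, which keeps both secrets out of argv. The grep class `[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*` also contains an unintended range `+-/` (it matches `,` as well), which the comment `This doesn't catch all RFC conform local parts` hints at; escaping the `-` fixes that, and a link to the HRZ whitelist-update documentation next to the POST would help when it breaks.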
A link to the hrz docu, so we can look at it if something breaks
We may also want to manage mailboxes in config