Fachschaft/nixConfig
5
2
Fork 2
Code Issues 11 Pull requests 1 Projects Wiki Activity

WIP: nyarlathotep: cleanup after deployment #55

Draft
Gonne wants to merge 13 commits from Gonne/nixConfig:nyarlathotep into main
pull from: Gonne/nixConfig:nyarlathotep
merge into: Fachschaft:main
Conversation 1 Commits 13 Files changed 5 +60 -64
1 changed files with 60 additions and 64 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit be998b48f5 - Show all commits

124
nixos/modules/mail.nix
View file

@ -101,7 +101,7 @@ in {
# Reevaluate after DKIM and DMARC deployment # Reevaluate after DKIM and DMARC deployment
spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding
auth = { auth = {
# TODO check if HRZ conforms to these standards and we can validate them strictly # TODO check if HRZ and our own VMs conform to these standards and we can validate them strictly
dkim.verify = "relaxed"; dkim.verify = "relaxed";
arc.verify = "relaxed"; arc.verify = "relaxed";
dmarc.verify = "relaxed"; dmarc.verify = "relaxed";
@ -140,52 +140,57 @@ in {
starttls = "optional"; # e.g. Lobon does not offer starttls starttls = "optional"; # e.g. Lobon does not offer starttls
}; };
}; };
remote."hrz" = { remote = {
address = "mailout.hrz.tu-darmstadt.de"; "hrz" = {
port = 25; address = "mailout.hrz.tu-darmstadt.de";
protocol = "smtp"; port = 25;
tls.implicit = false; # Don't assume TLS on this port but use STARTTLS protocol = "smtp";
}; tls.implicit = false; # Don't assume TLS on this port but use STARTTLS
remote."mailman" = { };
address = "lobon.mathebau.de"; # must be created in DNS as a MX record because this field does not accept ip addresses. "mailman" = {
port = 25; address = "lobon.mathebau.de"; # must be created in DNS as a MX record because this field does not accept ip addresses.
protocol = "smtp"; port = 25;
tls.implicit = false; # Don't assume TLS on this port but use STARTTLS protocol = "smtp";
tls.implicit = false; # Don't assume TLS on this port but use STARTTLS
};
}; };
session.rcpt = { session = {
# In order to accept mail that we only forward ehlo.require = [
# without having to generate an account.
# Invalid addresses are filtered by DFN beforehand.
# See also https://stalw.art/docs/smtp/inbound/rcpt/#catch-all-addresses
catch-all = true;
relay = [
{ {
"if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de' || starts_with(remote_ip, '192.168.0.')"; #TODO restrict trust by IP "if" = "starts_with(remote_ip, '192.168.0.')"; #TODO setup vms properly
"then" = true; "then" = false;
} }
{"else" = false;} {"else" = true;}
];
ehlo.reject-non-fqdn = [
{
"if" = "starts_with(remote_ip, '192.168.0.')"; #TODO setup vms properly
"then" = false;
}
{"else" = true;}
]; ];
};
session.ehlo.require = [ rcpt = {
{ # In order to accept mail that we only forward
"if" = "starts_with(remote_ip, '192.168.0.')"; #TODO setup vms properly # without having to generate an account.
"then" = false; # Invalid addresses are filtered by DFN beforehand.
} # See also https://stalw.art/docs/smtp/inbound/rcpt/#catch-all-addresses
{"else" = true;} catch-all = true;
]; relay = [
session.ehlo.reject-non-fqdn = [ {
{ "if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de' || starts_with(remote_ip, '192.168.0.')"; #TODO restrict trust by IP
"if" = "starts_with(remote_ip, '192.168.0.')"; #TODO setup vms properly "then" = true;
"then" = false; }
} {"else" = false;}
{"else" = true;} ];
]; };
data.script = "'redirects'";
};
# Stalwart gets its configuration from two places: A TOML configuration file that we control in this module # Stalwart gets its configuration from two places: A TOML configuration file that we control in this module
# and from a database that can be configured from web management interface or via Rest API. # and from a database that can be configured from web management interface or via Rest API.
# We here define what comes from the TOML-file and especially add "sieve.trusted.scripts.*" to the default ones # We here define what comes from the TOML-file and especially add "sieve.trusted.*" to the default ones
# because only TOML-based keys may use macros to load files from disk. # because only TOML-based keys may use macros to load files from disk.
# We want this to be able to load our sieve-script for mail forwarding. # We want this to be able to load our sieve-script for mail forwarding.
# See https://stalw.art/docs/configuration/overview/#local-and-database-settings for more details. # See https://stalw.art/docs/configuration/overview/#local-and-database-settings for more details.
@ -207,24 +212,24 @@ in {
"certificate.*" "certificate.*"
] # the default ones ] # the default ones
++ ["sieve.trusted.*"]; #for macros to be able to include our redirection script ++ ["sieve.trusted.*"]; #for macros to be able to include our redirection script
sieve.trusted.scripts.redirects.contents = "%{file:/tmp/virt_aliases}%"; # generated redirect script sieve.trusted = {
sieve.trusted.from-addr = "sender"; # set the from-address to the original sender as specified in the MAIL FROM. scripts.redirects.contents = "%{file:/tmp/virt_aliases}%"; # generated redirect script
sieve.trusted.from-name = "sender"; from-addr = "sender"; # set the from-address to the original sender as specified in the MAIL FROM.
Gonne marked this conversation as resolved Outdated
nerf commented 2025-03-02 16:03:00 +00:00
Outdated
Review
Copy link

the trusted part is to much, also see the comment at from-name below

the `trusted` part is to much, also see the comment at `from-name` below
👍 1
sieve.trusted.return-path = "sender"; from-name = "sender";
Gonne marked this conversation as resolved Outdated
nerf commented 2025-03-02 16:05:15 +00:00
Outdated
Review
Copy link

I couldn't figure out what from-name or from-addr actually do. Reading the documentation I believe combined they
set the default value for the From: header of a generated mail. But I couldn't verify this in tests.
Maybe it does something different that has to do with the MAIL FROM: see comment below

I couldn't figure out what `from-name` or `from-addr` actually do. Reading the documentation I believe combined they set the default value for the `From:` header of a generated mail. But I couldn't verify this in tests. Maybe it does something different that has to do with the `MAIL FROM:` see comment below
# If we are the sender, we sign the message with DKIM. Else we leave it alone. return-path = "sender";
Gonne marked this conversation as resolved Outdated
nerf commented 2025-03-02 16:06:36 +00:00
Outdated
Review
Copy link

This seems to do what we want, even though the documentation reads like it sets the Return-Path: header. But it seems to set the reverse path (which is the argument to the MAIL FROM: smtp command). Maybe it does both?

This seems to do what we want, even though the documentation reads like it sets the `Return-Path:` header. But it seems to set the reverse path (which is the argument to the `MAIL FROM:` smtp command). Maybe it does both?
nerf commented 2025-03-03 10:36:53 +00:00
Outdated
Review
Copy link

This parameter seems to control the MAIL FROM: and with this all the headers we want to set.
The documentation reads to me as if it sets the Return-Path: header. I'm unsure if it actually does it.

This parameter seems to control the `MAIL FROM:` and with this all the headers we want to set. The documentation reads to me as if it sets the `Return-Path:` header. I'm unsure if it actually does it.
sieve.trusted.sign = [ # If we are the sender, we sign the message with DKIM. Else we leave it alone.
{ sign = [
"if" = "is_local_domain('', sender_domain) || sender_domain == 'lists.mathebau.de'"; {
"then" = "['rsa-' + sender_domain, 'ed25519-' + sender_domain]"; "if" = "is_local_domain('', sender_domain) || sender_domain == 'lists.mathebau.de'";
} "then" = "['rsa-' + sender_domain, 'ed25519-' + sender_domain]";
{"else" = false;} }
]; {"else" = false;}
sieve.trusted.limits = { ];
redirects = 50; limits = {
out-messages = 50; redirects = 50;
out-messages = 50;
};
}; };
session.data.script = "'redirects'";
# See https://stalw.art/docs/smtp/authentication/dkim/sign # See https://stalw.art/docs/smtp/authentication/dkim/sign
# We need two blocks per domain because the domain setting in the blocks does not accept variables like `sender_domain`. # We need two blocks per domain because the domain setting in the blocks does not accept variables like `sender_domain`.
signature = let signature = let
@ -249,15 +254,6 @@ in {
in in
map signatureTemplate (["lists.mathebau.de"] ++ (map ({domain, ...}: domain) cfg.domains)); map signatureTemplate (["lists.mathebau.de"] ++ (map ({domain, ...}: domain) cfg.domains));
# Sign *our* outgoing mails with the configured signatures.
auth.dkim.sign = [
{
"if" = "is_local_domain('', sender_domain) || sender_domain == 'lists.mathebau.de'";
"then" = "['rsa-' + sender_domain, 'ed25519-' + sender_domain]";
}
{"else" = false;}
];
authentication.fallback-admin = { authentication.fallback-admin = {
user = "admin"; user = "admin";
# see passwd on azathoth for plaintext or machine secret in encoded format for HTTP Basic AUTH # see passwd on azathoth for plaintext or machine secret in encoded format for HTTP Basic AUTH