Fachschaft/nixConfig
5
2
Fork 2
Code Issues 11 Pull requests 1 Projects Wiki Activity

WIP: nyarlathotep: cleanup after deployment #55

Draft
Gonne wants to merge 13 commits from Gonne/nixConfig:nyarlathotep into main
pull from: Gonne/nixConfig:nyarlathotep
merge into: Fachschaft:main
Conversation 1 Commits 13 Files changed 5 +60 -64
1 changed files with 60 additions and 64 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit be998b48f5 - Show all commits

70
nixos/modules/mail.nix
View file

@ -101,7 +101,7 @@ in {
# Reevaluate after DKIM and DMARC deployment
spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding
auth = {
# TODO check if HRZ conforms to these standards and we can validate them strictly
# TODO check if HRZ and our own VMs conform to these standards and we can validate them strictly
dkim.verify = "relaxed";
arc.verify = "relaxed";
dmarc.verify = "relaxed";
@ -140,20 +140,38 @@ in {
starttls = "optional"; # e.g. Lobon does not offer starttls
};
};
remote."hrz" = {
remote = {
"hrz" = {
address = "mailout.hrz.tu-darmstadt.de";
port = 25;
protocol = "smtp";
tls.implicit = false; # Don't assume TLS on this port but use STARTTLS
};
remote."mailman" = {
"mailman" = {
address = "lobon.mathebau.de"; # must be created in DNS as a MX record because this field does not accept ip addresses.
port = 25;
protocol = "smtp";
tls.implicit = false; # Don't assume TLS on this port but use STARTTLS
};
};
session.rcpt = {
session = {
ehlo.require = [
{
"if" = "starts_with(remote_ip, '192.168.0.')"; #TODO setup vms properly
"then" = false;
}
{"else" = true;}
];
ehlo.reject-non-fqdn = [
{
"if" = "starts_with(remote_ip, '192.168.0.')"; #TODO setup vms properly
"then" = false;
}
{"else" = true;}
];
rcpt = {
# In order to accept mail that we only forward
# without having to generate an account.
# Invalid addresses are filtered by DFN beforehand.
@ -167,25 +185,12 @@ in {
{"else" = false;}
];
};
session.ehlo.require = [
{
"if" = "starts_with(remote_ip, '192.168.0.')"; #TODO setup vms properly
"then" = false;
}
{"else" = true;}
];
session.ehlo.reject-non-fqdn = [
{
"if" = "starts_with(remote_ip, '192.168.0.')"; #TODO setup vms properly
"then" = false;
}
{"else" = true;}
];
data.script = "'redirects'";
};
# Stalwart gets its configuration from two places: A TOML configuration file that we control in this module
# and from a database that can be configured from web management interface or via Rest API.
# We here define what comes from the TOML-file and especially add "sieve.trusted.scripts.*" to the default ones
# We here define what comes from the TOML-file and especially add "sieve.trusted.*" to the default ones
# because only TOML-based keys may use macros to load files from disk.
# We want this to be able to load our sieve-script for mail forwarding.
# See https://stalw.art/docs/configuration/overview/#local-and-database-settings for more details.
@ -207,24 +212,24 @@ in {
"certificate.*"
] # the default ones
++ ["sieve.trusted.*"]; #for macros to be able to include our redirection script
sieve.trusted.scripts.redirects.contents = "%{file:/tmp/virt_aliases}%"; # generated redirect script
sieve.trusted.from-addr = "sender"; # set the from-address to the original sender as specified in the MAIL FROM.
sieve.trusted.from-name = "sender";
sieve.trusted.return-path = "sender";
sieve.trusted = {
scripts.redirects.contents = "%{file:/tmp/virt_aliases}%"; # generated redirect script
from-addr = "sender"; # set the from-address to the original sender as specified in the MAIL FROM.
Gonne marked this conversation as resolved Outdated
nerf commented 2025-03-02 16:03:00 +00:00
Outdated
Review
Copy link

the trusted part is to much, also see the comment at from-name below

the `trusted` part is to much, also see the comment at `from-name` below
👍 1
from-name = "sender";
Gonne marked this conversation as resolved Outdated
nerf commented 2025-03-02 16:05:15 +00:00
Outdated
Review
Copy link

I couldn't figure out what from-name or from-addr actually do. Reading the documentation I believe combined they
set the default value for the From: header of a generated mail. But I couldn't verify this in tests.
Maybe it does something different that has to do with the MAIL FROM: see comment below

I couldn't figure out what `from-name` or `from-addr` actually do. Reading the documentation I believe combined they set the default value for the `From:` header of a generated mail. But I couldn't verify this in tests. Maybe it does something different that has to do with the `MAIL FROM:` see comment below
return-path = "sender";
Gonne marked this conversation as resolved Outdated
nerf commented 2025-03-02 16:06:36 +00:00
Outdated
Review
Copy link

This seems to do what we want, even though the documentation reads like it sets the Return-Path: header. But it seems to set the reverse path (which is the argument to the MAIL FROM: smtp command). Maybe it does both?

This seems to do what we want, even though the documentation reads like it sets the `Return-Path:` header. But it seems to set the reverse path (which is the argument to the `MAIL FROM:` smtp command). Maybe it does both?
nerf commented 2025-03-03 10:36:53 +00:00
Outdated
Review
Copy link

This parameter seems to control the MAIL FROM: and with this all the headers we want to set.
The documentation reads to me as if it sets the Return-Path: header. I'm unsure if it actually does it.

This parameter seems to control the `MAIL FROM:` and with this all the headers we want to set. The documentation reads to me as if it sets the `Return-Path:` header. I'm unsure if it actually does it.
# If we are the sender, we sign the message with DKIM. Else we leave it alone.
sieve.trusted.sign = [
sign = [
{
"if" = "is_local_domain('', sender_domain) || sender_domain == 'lists.mathebau.de'";
"then" = "['rsa-' + sender_domain, 'ed25519-' + sender_domain]";
}
{"else" = false;}
];
sieve.trusted.limits = {
limits = {
redirects = 50;
out-messages = 50;
};
session.data.script = "'redirects'";
};
# See https://stalw.art/docs/smtp/authentication/dkim/sign
# We need two blocks per domain because the domain setting in the blocks does not accept variables like `sender_domain`.
signature = let
@ -249,15 +254,6 @@ in {
in
map signatureTemplate (["lists.mathebau.de"] ++ (map ({domain, ...}: domain) cfg.domains));
# Sign *our* outgoing mails with the configured signatures.
auth.dkim.sign = [
{
"if" = "is_local_domain('', sender_domain) || sender_domain == 'lists.mathebau.de'";
"then" = "['rsa-' + sender_domain, 'ed25519-' + sender_domain]";
}
{"else" = false;}
];
authentication.fallback-admin = {
user = "admin";
# see passwd on azathoth for plaintext or machine secret in encoded format for HTTP Basic AUTH