Post mailaddresses to HRZ allowlist

2025-02-25 16:16:12 +01:00 · 2025-02-25 16:16:12 +01:00 · 14ee694ed6
commit 14ee694ed6
parent 95f66f6210
4 changed files with 178 additions and 1 deletions
--- a/nixos/modules/mail.nix
+++ b/nixos/modules/mail.nix
@ -25,6 +25,10 @@
 in {
  options.services.mathebau-mail = {
    enable = mkEnableOption "mathebau mail service";
+    stalwartAdmin = mkOption {
+      type = path;
+      description = "Path to a file that contains the stalwart fallback admin password encoded for HTTP Basic Auth";
+    };
    stalwartAdminHash = mkOption {
      type = str;
      description = "String containing the hashed fallback admin password";
@ -198,7 +202,60 @@ in {
    };

    systemd = {
+      timers."mailAllowlist" = {
+        wantedBy = ["timers.target"];
+        timerConfig = {
+          OnBootSec = "1h"; # Run every hour
+          OnUnitActiveSec = "1h";
+          RandomizedDelaySec = "10m"; # prevent overload on regular intervals
+          Unit = "mailAllowlist.service";
+        };
+      };
      services = {
+        "mailAllowlist" = {
+          description = "Allowlist update: Post the mail addresses to the HRZ allowllist";
+          script = let
+            scriptTemplate = {
+              domain,
+              allowlistPass,
+              ...
+            }: ''
+              echo "process ${domain}"
+              # This line gets the available mailboxes from stalwart's Rest API, searches for their addresses and collects them to a file for submission.
+              ${pkgs.curl}/bin/curl -s --header "authorization: Basic $(<${cfg.stalwartAdmin})" http://localhost/api/principal | ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" | tee /tmp/addresses
+              # This line searches for available redirects and adds them to the submission file.
+              ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" /tmp/virt_aliases >> /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need.
+              # Post local-parts to HRZ, see https://www-cgi.hrz.tu-darmstadt.de/mail/index.php?bereich=whitelist_upload
+              ${pkgs.curl}/bin/curl -s https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${domain} -F password=$(cat ${allowlistPass}) -F emailliste=@/tmp/addresses -F meldungen=voll
+              # Cleanup submission file
+              rm /tmp/addresses
+            '';
+          in
+            lib.strings.concatStringsSep "" (map scriptTemplate cfg.domains);
+          serviceConfig = {
+            Type = "oneshot";
+            User = "stalwart-mail";
+            NoNewPrivileges = true;
+            # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
+            PrivateTmp = false; # allow access to sieve script
+            ProtectHome = true;
+            ReadOnlyPaths = "/";
+            ReadWritePaths = "/tmp";
+            InaccessiblePaths = "-/lost+found";
+            PrivateDevices = true;
+            PrivateUsers = true;
+            ProtectHostname = true;
+            ProtectClock = true;
+            ProtectKernelTunables = true;
+            ProtectKernelModules = true;
+            ProtectKernelLogs = true;
+            ProtectControlGroups = true;
+            LockPersonality = true;
+            MemoryDenyWriteExecute = true;
+            RestrictRealtime = true;
+            RestrictSUIDSGID = true;
+          };
+        };
        "stalwart-mail" = {
          restartTriggers = lib.attrsets.mapAttrsToList (_: aliaslist: aliaslist.sopsFile) config.sops.secrets; # restart if secrets, especially alias files, have changed.
          serviceConfig.PrivateTmp = lib.mkForce false; # enable access to generated Sieve script