Submit mailing list mails to correct vm based on port forwarding and run allowlist job less often

Add patch to allow alias files to redirect to their sender
2025-02-25 16:52:15 +01:00 · 2025-02-25 16:52:15 +01:00
4 changed files with 71 additions and 6 deletions
--- a/flake-module.nix
+++ b/flake-module.nix
@ -1,4 +1,8 @@
-{inputs, ...}: {
+{
+  inputs,
+  lib,
+  ...
+}: {
  # debug = true;
  # We only define machines config in this flake yet, so we only include
  # the module that builds these. This file might get fuller, if we need to
@ -55,8 +59,38 @@
      config.permittedInsecurePackages = ["jitsi-meet-1.0.8043"];

      overlays = [
-        (_: _: {
+        (_: prev: {
          alias-to-sieve = inputs.alias-to-sieve.packages.x86_64-linux.default; # add custom package to convert alias files to sieve scripts on the stalwart machine
+          stalwart-mail = assert lib.assertMsg (prev.stalwart-mail.version == "0.11.6-unstable-2025-02-04") ''
+            1. If the bug https://github.com/stalwartlabs/sieve/issues/11 is resolved to our satisfaction, try to remove this overlay.
+            2. Check whether sieve-rs recieved new updates that our patch needs to be rebased upon.
+            3. Check whether the sieve-rs patch below that exchanges the dependency needs updates.
+            4. Then update the version comparison in this assert statement.
+            5. Update the `cargoHash` by setting it to `lib.fakeHash` and then inserting the result.
+            6. Check if we can get rid of alias-to-sieve when stalwart-mail has a builtin alias feature.
+          '';
+            prev.stalwart-mail.override (
+              let
+                rp = pkgs.rustPlatform;
+              in {
+                rustPlatform =
+                  rp
+                  // {
+                    buildRustPackage = args:
+                      rp.buildRustPackage (
+                        args
+                        // rec {
+                          cargoPatches = [
+                            # Let stalwart-mail depend on our own version of the sieve crate that does not have some “loop prevention” that disables redirects to the original sender.
+                            # We want to redirect to sender if we simulate alias files and not doing so barely prevents loops in my opinion.
+                            ./patches/sieve-rs.patch
+                          ];
+                          cargoHash = "sha256-fdOU2W/EtkBk+1VmNMkFZTGbwBTQQRelrheVFhiUqlg=";
+                        }
+                      );
+                  };
+              }
+            );
        })
      ];
    };
--- a/nixos/modules/mail.nix
+++ b/nixos/modules/mail.nix
@ -1,4 +1,8 @@
 /*
+* Building: We patch our version of stalwart and thus need to built it locally.
+*   Be aware that this needs some hours, about 12Gb RAM and a few Gb free space in /tmp.
+*   If you only want to deploy configuration changes and no software updates, consider building on the target VM.
+*   It has stalwart in its nix store and does not need to rebuild it.
 * Forwarding mails: Update the Sops-secrets in the machine directory, rebuild on the VM and deploy.
 *   Everything else should happen automatically but new redirects might take up to two hours due HRZ infrastructure.
 * Using the web admin interface: Set your SSH to do portforwarding of some local port to port 80 of the VM and
--- a/nixos/modules/mailman.nix
+++ b/nixos/modules/mailman.nix
@ -35,7 +35,7 @@ in {
          proxy_interfaces = "130.83.2.184";
          smtputf8_enable = "no"; # HRZ does not know SMTPUTF8
        };
-        relayHost = "192.168.0.24"; # Relay to eihort which relays to HRZ (see https://www.hrz.tu-darmstadt.de/services/it_services/email_infrastruktur/index.de.jsp)
+        relayHost = "mathebau.de"; # Relay to mail vm which relays to HRZ (see https://www.hrz.tu-darmstadt.de/services/it_services/email_infrastruktur/index.de.jsp)
      };
      mailman = {
        enable = true;
@ -64,9 +64,9 @@ in {
    systemd.timers."mailAllowlist" = {
      wantedBy = ["timers.target"];
      timerConfig = {
-        OnBootSec = "5m"; # Run every 5 minutes
-        OnUnitActiveSec = "5m";
-        RandomizedDelaySec = "2m"; # prevent overload on regular intervals
+        OnBootSec = "1h"; # Run every hour
+        OnUnitActiveSec = "1h";
+        RandomizedDelaySec = "10m"; # prevent overload on regular intervals
        Unit = "mailAllowlist.service";
      };
    };
--- a/patches/sieve-rs.patch
+++ b/patches/sieve-rs.patch
@ -0,0 +1,27 @@
+diff --git a/Cargo.lock b/Cargo.lock
+index be36759b..b4316639 100644
+--- a/Cargo.lock
+++ b/Cargo.lock
+@@ -6404,8 +6404,7 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
+ [[package]]
+ name = "sieve-rs"
+ version = "0.6.0"
+-source = "registry+https://github.com/rust-lang/crates.io-index"
+-checksum = "15ac54053752c25a0e545dd1953de716abcc80b12cfe0b6c2f2c1c73759d4f45"
+source = "git+https://gitea.mathebau.de/fachschaft/sieve-rs.git#71324550504c0f84fe3e814d05cbe22f90a3b228"
+ dependencies = [
+  "ahash 0.8.11",
+  "bincode",
+diff --git a/Cargo.toml b/Cargo.toml
+index f055474f..2b64c9ac 100644
+--- a/Cargo.toml
+++ b/Cargo.toml
+@@ -63,3 +63,7 @@ incremental = false
+ debug-assertions = false
+ overflow-checks = false
+ rpath = false
+
+
+[patch.crates-io]
+sieve-rs = { git = 'https://gitea.mathebau.de/fachschaft/sieve-rs.git' }
+
Author	SHA1	Message	Date
Gonne	e5e3f59cd7	Submit mailing list mails to correct vm based on port forwarding and run allowlist job less often	2025-02-25 16:52:15 +01:00
Gonne	f53a8cfd68	Add patch to allow alias files to redirect to their sender	2025-02-25 16:52:15 +01:00