From dd43281a4a72e4f80eb70686a04653ad8e2f236a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20Yule=20B=C3=A4dorf?= Date: Mon, 25 Mar 2024 19:13:19 +0100 Subject: [PATCH] email: fix maddy email config for smtp submission --- hosts/frikandel/email.nix | 22 ++++++++++---------- hosts/frikandel/nginx.nix | 2 ++ hosts/frikandel/unbound.nix | 8 ++++++-- users/b12f/email/.config/msmtp/config | 29 +++++---------------------- 4 files changed, 24 insertions(+), 37 deletions(-) diff --git a/hosts/frikandel/email.nix b/hosts/frikandel/email.nix index 558da75..39c75ee 100644 --- a/hosts/frikandel/email.nix +++ b/hosts/frikandel/email.nix @@ -5,7 +5,7 @@ lib, ... }: let - hzDomain = lib.concatStrings [ "hw" "dz" "z." "net" ]; + # hzDomain = lib.concatStrings [ "hw" "dz" "z." "net" ]; dkimDNSb12fio = '' default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB" ) ; ''; @@ -28,13 +28,11 @@ in { security.acme.certs = { "mail.b12f.io" = { reloadServices = [ "maddy" ]; - group = "maddy"; }; "b12f.io" = { reloadServices = [ "maddy" ]; }; "mta-sts.b12f.io" = {}; - "mta-sts.${hzDomain}" = {}; }; services.nginx.virtualHosts = builtins.foldl' (hosts: hostName: hosts // { @@ -54,7 +52,7 @@ in { tryFiles = "$uri $uri/ =404"; }; }; - }) {} [ "b12f.io" hzDomain ]; + }) {} [ "b12f.io" ]; systemd.tmpfiles.rules = [ "d '/run/maddy' 0750 maddy maddy - -" 
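Review bot: Dropping `group = "maddy";` from the `mail.b12f.io` ACME certificate (hunk `@@ -28,13 +28,11 @@`) leaves the key under `/var/lib/acme/mail.b12f.io/` readable only by the default `acme` group, while the same hunk keeps `reloadServices = [ "maddy" ];`, so maddy is evidently still expected to read it. If maddy loads the certificate with its file loader rather than its own ACME module, it needs group access, e.g. `users.users.maddy.extraGroups = [ "acme" ];`, or the line should stay; the `b12f.io` cert never had the group set, so whichever mechanism is chosen should apply to both. The maddy `tls` block is not in this diff, so this is inferred from the cert configuration alone and should be confirmed against it.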
@@ -64,15 +62,21 @@ in { mkdir -p /var/lib/maddy/dkim_keys echo '${dkimDNSb12fio}' >> /var/lib/maddy/dkim_keys/b12f.io_default.dns + chown -R maddy:maddy /var/lib/maddy ''; - networking.firewall.allowedTCPPorts = [ 25 587 993 ]; + networking.firewall.allowedTCPPorts = [ 25 ]; + networking.firewall.interfaces.wg-private.allowedTCPPorts = [ 465 587 993 ]; services.maddy = { enable = true; openFirewall = false; hostname = "mail.b12f.io"; primaryDomain = "b12f.io"; + localDomains = [ + "b12f.io" + "mail.b12f.io" + ]; ensureAccounts = [ "mail@b12f.io" ]; @@ -95,10 +99,6 @@ in { ]; }; config = '' - # Minimal configuration with TLS disabled, adapted from upstream example - # configuration here https://github.com/foxcpp/maddy/blob/master/maddy.conf - # Do not use this in production! - auth.pass_table local_authdb { table sql_table { driver sqlite3 @@ -179,7 +179,7 @@ in { } } - submission tls://0.0.0.0:587 { + submission tls://10.13.12.7:465 tls://[fd00:b12f:acab:1312:acab:7::]:465 tcp://10.13.12.7:587 tcp://[fd00:b12f:acab:1312:acab:7::]:587 { limits { all rate 50 1s } @@ -237,7 +237,7 @@ in { } } - imap tls://0.0.0.0:993 { + imap tls://10.13.12.7:993 tls://[fd00:b12f:acab:1312:acab:7::]:993 { auth &local_authdb storage &local_mailboxes } diff --git a/hosts/frikandel/nginx.nix b/hosts/frikandel/nginx.nix index f77ecde..9b9ec42 100644 --- a/hosts/frikandel/nginx.nix +++ b/hosts/frikandel/nginx.nix @@ -16,6 +16,8 @@ recommendedProxySettings = true; defaultListenAddresses = [ + "10.13.12.7" + "[fd00:b12f:acab:1312:acab:7::]" "128.140.109.213" "[2a01:4f8:c2c:b60::]" ]; diff --git a/hosts/frikandel/unbound.nix b/hosts/frikandel/unbound.nix index 41e32de..c21ffec 100644 --- a/hosts/frikandel/unbound.nix +++ b/hosts/frikandel/unbound.nix 
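Review bot: `chown -R maddy:maddy /var/lib/maddy` in `preStart` either runs as the unit's own user, in which case it fails with EPERM on any root-owned entry and aborts the start, or runs as root and recursively re-owns a directory the service writes into on every start; neither is what a one-time permission fix wants. The file already uses a tmpfiles rule for `/run/maddy`, so the cleaner fix is a sibling rule `"d '/var/lib/maddy/dkim_keys' 0750 maddy maddy - -"` and dropping the chown, leaving `mkdir -p` and the `echo` to operate in an already-owned directory. Restricting 465/587/993 to `wg-private` while 25 stays public is the right split; note that the rule is keyed on the interface name, so a renamed WireGuard interface silently closes submission and IMAP (fail-closed, but worth a comment such as `# submission/IMAP are VPN-only; 25 must stay public for MX delivery` next to the two lines).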
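Review bot: The new `submission` endpoints (hunk `@@ -179,7 +179,7 @@`) bind to the literal WireGuard addresses `10.13.12.7` and `fd00:b12f:acab:1312:acab:7::` instead of `0.0.0.0`, so maddy fails to bind, and the unit fails to start, whenever it is started before `wg-private` has its addresses; add an ordering dependency such as `systemd.services.maddy.after = [ "wireguard-wg-private.service" ];` (with the real unit name of the interface) and the matching `wants`. The `tcp://…:587` listeners are plaintext until STARTTLS; the rest of the `submission` block is outside this hunk, so confirm `insecure_auth` is left at its default so AUTH is refused before TLS is negotiated on those listeners. The same two addresses are now repeated in nginx.nix and unbound.nix as well, so a single `let` binding or host option for the wg addresses would keep them from drifting.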
@@ -29,8 +29,8 @@ owner = "unbound"; }; - networking.firewall.allowedUDPPorts = [ 53 ]; - networking.firewall.allowedTCPPorts = [ 53 ]; + networking.firewall.interfaces.wg-private.allowedUDPPorts = [ 53 ]; + networking.firewall.interfaces.wg-private.allowedTCPPorts = [ 53 ]; services.resolved.enable = false; services.unbound = { @@ -81,6 +81,10 @@ "\"frikandel.b12f.io. 10800 IN A 10.13.12.7\"" "\"frikandel.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\"" + "\"b12f.io. 10800 IN A 10.13.12.7\"" + "\"b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\"" + "\"mail.b12f.io. 10800 IN A 10.13.12.7\"" + "\"mail.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\"" ]; tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt"; diff --git a/users/b12f/email/.config/msmtp/config b/users/b12f/email/.config/msmtp/config index 1b9269d..bcbce82 100644 --- a/users/b12f/email/.config/msmtp/config +++ b/users/b12f/email/.config/msmtp/config 
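Review bot: The added `local-data` A/AAAA records for `b12f.io.` and `mail.b12f.io.` (hunk `@@ -81,6 +81,10 @@`) make unbound answer those names from local data, and unless a `local-zone` for `b12f.io.` is declared outside this hunk the implicit zone type is `transparent`, where a name that exists locally but lacks the queried type is answered with NODATA rather than resolved upstream; VPN clients would then get no MX or SPF TXT for `b12f.io` even though those records still live in public DNS. Declare the zone as `local-zone = [ "\"b12f.io.\" typetransparent" ];` in the same `services.unbound.settings.server` block (or confirm such a line already exists above the hunk) and verify with `dig @10.13.12.7 MX b12f.io` from a peer. Moving 53 to `wg-private` only (hunk `@@ -29,8 +29,8 @@`) is correct for a resolver that should not be reachable from the Internet.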
@@ -1,82 +1,63 @@ +defaults + auth on + tls on + tls_trust_file /etc/ssl/certs/ca-certificates.crt + account hello@benjaminbaedorf.eu host mail.hosting.de port 587 protocol smtp - auth on from hello@benjaminbaedorf.eu user hello@benjaminbaedorf.eu - tls on - tls_trust_file /etc/ssl/certs/ca-certificates.crt account benjamin.baedorf@rwth-aachen.de host mail.rwth-aachen.de port 587 protocol smtp - auth on from benjamin.baedorf@rwth-aachen.de user bb564306@rwth-aachen.de - tls on - tls_trust_file /etc/ssl/certs/ca-certificates.crt account byb@miom.space host mail.hosting.de port 587 protocol smtp - auth on from byb@miom.space user byb@miom.space - tls on - tls_trust_file /etc/ssl/certs/ca-certificates.crt account admins@pub.solar host mail.greenbaum.zone port 587 protocol smtp - auth on from admins@pub.solar user admins@pub.solar - tls on - tls_trust_file /etc/ssl/certs/ca-certificates.crt account crew@pub.solar host mail.greenbaum.zone port 587 protocol smtp - auth on from crew@pub.solar user crew@pub.solar - tls on - tls_trust_file /etc/ssl/certs/ca-certificates.crt account mail@b12f.io host mail.b12f.io port 587 protocol smtp - auth on from mail@b12f.io user mail@b12f.io - tls on - tls_trust_file /etc/ssl/certs/ca-certificates.crt account benjamin.yule.baedorf@verkstedt.com host smtp.gmail.com port 587 protocol smtp - auth on from benjamin.yule.baedorf@verkstedt.com user benjamin.yule.baedorf@verkstedt.com - tls on - tls_trust_file /etc/ssl/certs/ca-certificates.crt account benjamin-yule.baedorf@ext.ehealthexperts.de host smtp.mailbox.org port 587 protocol smtp - auth on from benjamin-yule.baedorf@ext.ehealthexperts.de user benjamin-yule.baedorf@ext.ehealthexperts.de - tls on - tls_trust_file /etc/ssl/certs/ca-certificates.crt account default : hello@benjaminbaedorf.eu
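Review bot: The `mail@b12f.io` account keeps `host mail.b12f.io port 587`, but the server side of this commit closes 587 on the public interface and only resolves `mail.b12f.io` to the WireGuard address through the VPN's unbound, so this account now works only from a client that is on `wg-private` and uses that resolver; via public DNS msmtp reaches the public address where 587 is filtered and will likely hang until the connect timeout. Record that dependency in the file, e.g. `# mail.b12f.io: submission reachable only over wg-private (465 TLS / 587 STARTTLS)` above the account, and if a public path is ever needed, use `port 465` with `tls_starttls off` once 465 is opened there. Centralising `auth on`, `tls on` and `tls_trust_file` in `defaults` is a good cleanup; msmtp applies `defaults` only to accounts defined after it, so it must remain the first block, as it is here.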