email: fix maddy email config for smtp submission

hosts/frikandel/email.nix

@@ -5,7 +5,7 @@
   lib,
   ...
 }: let
-  hzDomain = lib.concatStrings [ "hw" "dz" "z." "net" ];
+  # hzDomain = lib.concatStrings [ "hw" "dz" "z." "net" ];
   dkimDNSb12fio = ''
   default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB" ) ;
   '';
@@ -28,13 +28,11 @@ in {
   security.acme.certs = {
     "mail.b12f.io" = {
       reloadServices = [ "maddy" ];
-      group = "maddy";
     };
     "b12f.io" = {
       reloadServices = [ "maddy" ];
     };
     "mta-sts.b12f.io" = {};
-    "mta-sts.${hzDomain}" = {};
   };
 
   services.nginx.virtualHosts = builtins.foldl' (hosts: hostName: hosts // {
@@ -54,7 +52,7 @@ in {
           tryFiles = "$uri $uri/ =404";
         };
       };
-    }) {} [ "b12f.io" hzDomain ];
+    }) {} [ "b12f.io" ];
 
   systemd.tmpfiles.rules = [
     "d '/run/maddy' 0750 maddy maddy - -"
@@ -64,15 +62,21 @@ in {
     mkdir -p /var/lib/maddy/dkim_keys
 
     echo '${dkimDNSb12fio}' >> /var/lib/maddy/dkim_keys/b12f.io_default.dns
+    chown -R maddy:maddy /var/lib/maddy
   '';
 
-  networking.firewall.allowedTCPPorts = [ 25 587 993 ];
+  networking.firewall.allowedTCPPorts = [ 25 ];
+  networking.firewall.interfaces.wg-private.allowedTCPPorts = [ 465 587 993 ];
 
   services.maddy = {
     enable = true;
     openFirewall = false;
     hostname = "mail.b12f.io";
     primaryDomain = "b12f.io";
+    localDomains = [
+      "b12f.io"
+      "mail.b12f.io"
+    ];
     ensureAccounts = [
       "mail@b12f.io"
     ];
@@ -95,10 +99,6 @@ in {
       ];
     };
     config = ''
-      # Minimal configuration with TLS disabled, adapted from upstream example
-      # configuration here https://github.com/foxcpp/maddy/blob/master/maddy.conf
-      # Do not use this in production!
-
       auth.pass_table local_authdb {
         table sql_table {
           driver sqlite3
@@ -179,7 +179,7 @@ in {
         }
       }
 
-      submission tls://0.0.0.0:587 {
+      submission tls://10.13.12.7:465 tls://[fd00:b12f:acab:1312:acab:7::]:465 tcp://10.13.12.7:587 tcp://[fd00:b12f:acab:1312:acab:7::]:587 {
         limits {
           all rate 50 1s
         }
@@ -237,7 +237,7 @@ in {
         }
       }
 
-      imap tls://0.0.0.0:993 {
+      imap tls://10.13.12.7:993 tls://[fd00:b12f:acab:1312:acab:7::]:993 {
         auth &local_authdb
         storage &local_mailboxes
       }

hosts/frikandel/nginx.nix

@@ -16,6 +16,8 @@
     recommendedProxySettings = true;
 
     defaultListenAddresses = [
+      "10.13.12.7"
+      "[fd00:b12f:acab:1312:acab:7::]"
       "128.140.109.213"
       "[2a01:4f8:c2c:b60::]"
     ];

hosts/frikandel/unbound.nix

@@ -29,8 +29,8 @@
     owner = "unbound";
   };
 
-  networking.firewall.allowedUDPPorts = [ 53 ];
+  networking.firewall.interfaces.wg-private.allowedUDPPorts = [ 53 ];
-  networking.firewall.allowedTCPPorts = [ 53 ];
+  networking.firewall.interfaces.wg-private.allowedTCPPorts = [ 53 ];
   services.resolved.enable = false;
 
   services.unbound = {
@@ -81,6 +81,10 @@
 
           "\"frikandel.b12f.io. 10800 IN A 10.13.12.7\""
           "\"frikandel.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
+          "\"b12f.io. 10800 IN A 10.13.12.7\""
+          "\"b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
+          "\"mail.b12f.io. 10800 IN A 10.13.12.7\""
+          "\"mail.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
         ];
 
         tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";

users/b12f/email/.config/msmtp/config

@@ -1,82 +1,63 @@
+defaults
+  auth           on
+  tls            on
+  tls_trust_file /etc/ssl/certs/ca-certificates.crt
+
 account hello@benjaminbaedorf.eu
   host mail.hosting.de
   port 587
   protocol smtp
-  auth on
   from hello@benjaminbaedorf.eu
   user hello@benjaminbaedorf.eu
-  tls on
-  tls_trust_file /etc/ssl/certs/ca-certificates.crt
 
 account benjamin.baedorf@rwth-aachen.de
   host mail.rwth-aachen.de
   port 587
   protocol smtp
-  auth on
   from benjamin.baedorf@rwth-aachen.de
   user bb564306@rwth-aachen.de
-  tls on
-  tls_trust_file /etc/ssl/certs/ca-certificates.crt
 
 account byb@miom.space
   host mail.hosting.de
   port 587
   protocol smtp
-  auth on
   from byb@miom.space
   user byb@miom.space
-  tls on
-  tls_trust_file /etc/ssl/certs/ca-certificates.crt
 
 account admins@pub.solar
   host mail.greenbaum.zone
   port 587
   protocol smtp
-  auth on
   from admins@pub.solar
   user admins@pub.solar
-  tls on
-  tls_trust_file /etc/ssl/certs/ca-certificates.crt
 
 account crew@pub.solar
   host mail.greenbaum.zone
   port 587
   protocol smtp
-  auth on
   from crew@pub.solar
   user crew@pub.solar
-  tls on
-  tls_trust_file /etc/ssl/certs/ca-certificates.crt
 
 account mail@b12f.io
   host mail.b12f.io
   port 587
   protocol smtp
-  auth on
   from mail@b12f.io
   user mail@b12f.io
-  tls on
-  tls_trust_file /etc/ssl/certs/ca-certificates.crt
 
 account benjamin.yule.baedorf@verkstedt.com
   host smtp.gmail.com
   port 587
   protocol smtp
-  auth on
   from benjamin.yule.baedorf@verkstedt.com
   user benjamin.yule.baedorf@verkstedt.com
-  tls on
-  tls_trust_file /etc/ssl/certs/ca-certificates.crt
 
 account benjamin-yule.baedorf@ext.ehealthexperts.de
   host smtp.mailbox.org
   port 587
   protocol smtp
-  auth on
   from benjamin-yule.baedorf@ext.ehealthexperts.de
   user benjamin-yule.baedorf@ext.ehealthexperts.de
-  tls on
-  tls_trust_file /etc/ssl/certs/ca-certificates.crt
 
 
 account default : hello@benjaminbaedorf.eu