235 lines
6 KiB
Nix
235 lines
6 KiB
Nix
{
|
|
flake,
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}: let
|
|
dkimDNSb12fio = ''
|
|
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
|
|
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB" ) ;
|
|
'';
|
|
in {
|
|
age.secrets."b12f.io-dkim-private-rsa" = {
|
|
file = "${flake.self}/secrets/b12f.io-dkim-private-rsa.age";
|
|
path = "/var/lib/maddy/dkim_keys/b12f.io_default.key";
|
|
mode = "400";
|
|
owner = "maddy";
|
|
};
|
|
|
|
age.secrets."mail@b12f.io-password" = {
|
|
file = "${flake.self}/secrets/mail@b12f.io-password.age";
|
|
mode = "400";
|
|
owner = "maddy";
|
|
};
|
|
|
|
security.acme.certs = {
|
|
"mail.b12f.io" = {
|
|
reloadServices = [ "maddy" ];
|
|
group = "maddy";
|
|
};
|
|
"mta-sts.b12f.io" = {};
|
|
};
|
|
|
|
services.nginx.virtualHosts = {
|
|
"mta-sts.b12f.io" = {
|
|
forceSSL = true;
|
|
useACMEHost = "mta-sts.b12f.io";
|
|
locations."/" = {
|
|
root = pkgs.runCommand "create-well-known-mta-sts" {} ''
|
|
mkdir -p "$out/.well-known"
|
|
echo "
|
|
version: STSv1
|
|
mode: enforce
|
|
max_age: 604800
|
|
mx: mail.b12f.io
|
|
" > "$out/.well-known/mta-sts.txt"
|
|
'';
|
|
tryFiles = "$uri $uri/ =404";
|
|
};
|
|
};
|
|
};
|
|
|
|
systemd.tmpfiles.rules = [
|
|
"d '/run/maddy' 0750 maddy maddy - -"
|
|
];
|
|
|
|
system.activationScripts.makeMaddyDKIMDNS = lib.stringAfter [ "var" ] ''
|
|
mkdir -p /var/lib/maddy/dkim_keys
|
|
|
|
echo '${dkimDNSb12fio}' >> /var/lib/maddy/dkim_keys/b12f.io_default.dns
|
|
'';
|
|
|
|
services.maddy = {
|
|
enable = true;
|
|
openFirewall = true;
|
|
hostname = "mail.b12f.io";
|
|
primaryDomain = "b12f.io";
|
|
ensureAccounts = [
|
|
"mail@b12f.io"
|
|
];
|
|
ensureCredentials = {
|
|
# Do not use this in production. This will make passwords world-readable
|
|
# in the Nix store
|
|
"mail@b12f.io".passwordFile = config.age.secrets."mail@b12f.io-password".path;
|
|
};
|
|
tls = {
|
|
loader = "file";
|
|
certificates = [
|
|
{
|
|
keyPath = "${config.security.acme.certs."mail.b12f.io".directory}/key.pem";
|
|
certPath = "${config.security.acme.certs."mail.b12f.io".directory}/cert.pem";
|
|
}
|
|
];
|
|
};
|
|
config = ''
|
|
# Minimal configuration with TLS disabled, adapted from upstream example
|
|
# configuration here https://github.com/foxcpp/maddy/blob/master/maddy.conf
|
|
# Do not use this in production!
|
|
|
|
auth.pass_table local_authdb {
|
|
table sql_table {
|
|
driver sqlite3
|
|
dsn credentials.db
|
|
table_name passwords
|
|
}
|
|
}
|
|
|
|
storage.imapsql local_mailboxes {
|
|
driver sqlite3
|
|
dsn imapsql.db
|
|
}
|
|
|
|
table.chain local_rewrites {
|
|
optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
|
|
optional_step static {
|
|
entry postmaster postmaster@$(primary_domain)
|
|
}
|
|
optional_step file /etc/maddy/aliases
|
|
}
|
|
|
|
msgpipeline local_routing {
|
|
check {
|
|
rspamd {
|
|
api_path http://localhost:11334
|
|
}
|
|
}
|
|
|
|
destination b12f.io {
|
|
modify {
|
|
replace_rcpt regexp ".*" "mail@b12f.io"
|
|
}
|
|
deliver_to &local_mailboxes
|
|
}
|
|
|
|
destination postmaster $(local_domains) {
|
|
modify {
|
|
replace_rcpt &local_rewrites
|
|
}
|
|
deliver_to &local_mailboxes
|
|
}
|
|
|
|
default_destination {
|
|
reject 550 5.1.1 "User doesn't exist"
|
|
}
|
|
}
|
|
|
|
smtp tcp://0.0.0.0:25 {
|
|
limits {
|
|
all rate 20 1s
|
|
all concurrency 10
|
|
}
|
|
dmarc yes
|
|
check {
|
|
require_mx_record
|
|
dkim
|
|
spf
|
|
}
|
|
source $(local_domains) {
|
|
reject 501 5.1.8 "Use Submission for outgoing SMTP"
|
|
}
|
|
default_source {
|
|
destination postmaster $(local_domains) {
|
|
deliver_to &local_routing
|
|
}
|
|
default_destination {
|
|
reject 550 5.1.1 "User doesn't exist"
|
|
}
|
|
}
|
|
}
|
|
|
|
submission tcp://0.0.0.0:587 {
|
|
limits {
|
|
all rate 50 1s
|
|
}
|
|
auth &local_authdb
|
|
source $(local_domains) {
|
|
check {
|
|
authorize_sender {
|
|
prepare_email &local_rewrites
|
|
user_to_email identity
|
|
}
|
|
}
|
|
destination postmaster $(local_domains) {
|
|
deliver_to &local_routing
|
|
}
|
|
default_destination {
|
|
modify {
|
|
dkim $(primary_domain) $(local_domains) default
|
|
}
|
|
deliver_to &remote_queue
|
|
}
|
|
}
|
|
default_source {
|
|
reject 501 5.1.8 "Non-local sender domain"
|
|
}
|
|
}
|
|
|
|
target.remote outbound_delivery {
|
|
limits {
|
|
destination rate 20 1s
|
|
destination concurrency 10
|
|
}
|
|
mx_auth {
|
|
dane
|
|
mtasts {
|
|
cache fs
|
|
fs_dir mtasts_cache/
|
|
}
|
|
local_policy {
|
|
min_tls_level encrypted
|
|
min_mx_level none
|
|
}
|
|
}
|
|
}
|
|
|
|
target.queue remote_queue {
|
|
target &outbound_delivery
|
|
autogenerated_msg_domain $(primary_domain)
|
|
bounce {
|
|
destination postmaster $(local_domains) {
|
|
deliver_to &local_routing
|
|
}
|
|
default_destination {
|
|
reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
|
|
}
|
|
}
|
|
}
|
|
|
|
imap tcp://0.0.0.0:143 {
|
|
auth &local_authdb
|
|
storage &local_mailboxes
|
|
}
|
|
'';
|
|
};
|
|
|
|
services.rspamd = {
|
|
enable = true;
|
|
locals."dkim_signing.conf".text = ''
|
|
enabled = false;
|
|
'';
|
|
};
|
|
|
|
systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "maddy" ];
|
|
}
|