os/hosts/frikandel/email.nix

246 lines
6.6 KiB
Nix

{
flake,
config,
pkgs,
lib,
...
}: let
hzDomain = lib.concatStrings [ "hw" "dz" "z." "net" ];
dkimDNSb12fio = ''
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB" ) ;
'';
in {
age.secrets."b12f.io-dkim-private-rsa" = {
file = "${flake.self}/secrets/b12f.io-dkim-private-rsa.age";
path = "/var/lib/maddy/dkim_keys/b12f.io_default.key";
mode = "400";
owner = "maddy";
};
age.secrets."mail@b12f.io-password" = {
file = "${flake.self}/secrets/mail@b12f.io-password.age";
mode = "400";
owner = "maddy";
};
security.acme.certs = {
"mail.b12f.io" = {
reloadServices = [ "maddy" ];
group = "maddy";
};
"mta-sts.b12f.io" = {};
"mta-sts.${hzDomain}" = {};
};
services.nginx.virtualHosts = builtins.foldl' (hosts: hostName: hosts // {
"mta-sts.${hostName}" = {
forceSSL = true;
useACMEHost = "mta-sts.${hostName}";
locations."/" = {
root = pkgs.runCommand "create-well-known-mta-sts" {} ''
mkdir -p "$out/.well-known"
echo "
version: STSv1
mode: enforce
max_age: 604800
mx: mail.${hostName}
" > "$out/.well-known/mta-sts.txt"
'';
tryFiles = "$uri $uri/ =404";
};
};
}) {} [ "b12f.io" hzDomain ];
systemd.tmpfiles.rules = [
"d '/run/maddy' 0750 maddy maddy - -"
];
system.activationScripts.makeMaddyDKIMDNS = lib.stringAfter [ "var" ] ''
mkdir -p /var/lib/maddy/dkim_keys
echo '${dkimDNSb12fio}' >> /var/lib/maddy/dkim_keys/b12f.io_default.dns
'';
services.maddy = {
enable = true;
openFirewall = true;
hostname = "mail.b12f.io";
primaryDomain = "b12f.io";
ensureAccounts = [
"mail@b12f.io"
];
ensureCredentials = {
# Do not use this in production. This will make passwords world-readable
# in the Nix store
"mail@b12f.io".passwordFile = config.age.secrets."mail@b12f.io-password".path;
};
tls = {
loader = "file";
certificates = [
{
keyPath = "${config.security.acme.certs."mail.b12f.io".directory}/key.pem";
certPath = "${config.security.acme.certs."mail.b12f.io".directory}/cert.pem";
}
];
};
config = ''
# Minimal configuration with TLS disabled, adapted from upstream example
# configuration here https://github.com/foxcpp/maddy/blob/master/maddy.conf
# Do not use this in production!
auth.pass_table local_authdb {
table sql_table {
driver sqlite3
dsn credentials.db
table_name passwords
}
}
storage.imapsql local_mailboxes {
driver sqlite3
dsn imapsql.db
}
table.chain local_rewrites {
optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
optional_step static {
entry postmaster postmaster@$(primary_domain)
}
optional_step file /etc/maddy/aliases
}
msgpipeline local_routing {
check {
rspamd {
api_path http://localhost:11334
}
}
modify {
replace_rcpt &local_rewrites
}
# at this point rcpt was normalized to either:
# postmaster@$(primary_domain),
# local_mailbox_without_tag@$(local_domains),
# replacements with alias
# destination_in block takes priority over destinations
destination_in &local_mailboxes {
deliver_to &local_mailboxes
}
# if rcpt is not in local_mailboxes, but has our domains,
# replace rcpt to catchall and deliver it there
destination $(local_domains) {
modify {
replace_rcpt regexp ".*" "mail@$(primary_domain)"
}
deliver_to &local_mailboxes
}
default_destination {
reject 550 5.1.1 "User doesn't exist"
}
}
smtp tcp://0.0.0.0:25 {
limits {
all rate 20 1s
all concurrency 10
}
dmarc yes
check {
require_mx_record
dkim
spf
}
source $(local_domains) {
reject 501 5.1.8 "Use Submission for outgoing SMTP"
}
default_source {
destination postmaster $(local_domains) {
deliver_to &local_routing
}
default_destination {
reject 550 5.1.1 "User doesn't exist"
}
}
}
submission tcp://0.0.0.0:587 {
limits {
all rate 50 1s
}
auth &local_authdb
source $(local_domains) {
check {
authorize_sender {
prepare_email &local_rewrites
user_to_email identity
}
}
destination postmaster $(local_domains) {
deliver_to &local_routing
}
default_destination {
modify {
dkim $(primary_domain) $(local_domains) default
}
deliver_to &remote_queue
}
}
default_source {
reject 501 5.1.8 "Non-local sender domain"
}
}
target.remote outbound_delivery {
limits {
destination rate 20 1s
destination concurrency 10
}
mx_auth {
dane
mtasts {
cache fs
fs_dir mtasts_cache/
}
local_policy {
min_tls_level encrypted
min_mx_level none
}
}
}
target.queue remote_queue {
target &outbound_delivery
autogenerated_msg_domain $(primary_domain)
bounce {
destination postmaster $(local_domains) {
deliver_to &local_routing
}
default_destination {
reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
}
}
}
imap tcp://0.0.0.0:143 {
auth &local_authdb
storage &local_mailboxes
}
'';
};
services.rspamd = {
enable = true;
locals."dkim_signing.conf".text = ''
enabled = false;
'';
};
systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "maddy" ];
}