inherit (pkgs.lib) loadFile unlines unwords unlinesAttrs;
inherit (config) networking users;
inherit (config.services) postfix dovecot2 openldap;
+ domains = [
+ "sourcephile.fr"
+ "autogeree.net"
+ ];
in
{
-imports = [
- postfix/sourcephile.fr.nix
- postfix/autogeree.net.nix
-];
+imports = map (domain: (./postfix + "/${domain}.nix")) domains;
+options = {
+ services.postfix = {
+ tls_server_sni_maps = lib.mkOption {
+ type = types.attrsOf (types.listOf types.path);
+ default = {};
+ apply = m: pkgs.writeText "sni" (lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: x509: ''
+ ${domain} ${unwords x509}
+ '') m));
+ };
+ };
+};
config = {
-systemd.services.postfix.after = [
- "openldap.service"
-];
+users.groups.acme.members = [ postfix.user ];
+systemd.services.postfix = {
+ wants = ["openldap.service"];
+ after = ["openldap.service"];
+ preStart = ''
+ install -m 400 -o root -g root ${postfix.tls_server_sni_maps} /run/keys/postfix-sni
+ ${pkgs.postfix}/bin/postmap -F hash:/run/keys/postfix-sni
+ '';
+};
services.postfix = {
enable = true;
networksStyle = "host";
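Review bot: The `tls_server_sni_maps` option (L17–L23) types its list elements as `types.path` and `apply` interpolates them into a `pkgs.writeText` file; if a caller supplies a Nix path literal rather than a string like "/var/lib/acme/<domain>/key.pem", string coercion copies that file into the world-readable Nix store, which for a private key would undo the `install -m 400 -o root -g root` done in `preStart` (whether the project's `unwords` coerces with a store copy is not visible here, so confirm). Either state in the option's `description` that entries must be absolute-path strings pointing outside the store, or use `types.listOf types.str` for the elements. The 0400 root:root mode is also load-bearing and undocumented: `postmap -F` stores the referenced file contents in `/run/keys/postfix-sni.db`, which is expected to inherit the source file's mode, and the same table is consumed by `tls_server_sni_maps = "hash:/run/keys/postfix-sni"` later in this change, presumably relying on smtpd(8) opening it before dropping privileges — confirm against the Postfix version in use. A comment above the `install` line such as `# postmap -F copies the key/cert contents into the .db, which inherits this 0400 root:root mode; smtpd reads it before dropping privileges` would capture that. The enclosing `let … in { … }` and `config` set start before and end after this hunk.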
];
postmasterAlias = "root";
rootAlias = "root@${networking.domain}";
- sslCert = loadFile (../../../sec/openssl + "/${networking.domain}/cert.self-signed.pem");
- sslKey = "/run/keys/${networking.domain}.key.pem";
+ sslKey = "/var/lib/acme/${networking.domain}/key.pem";
+ sslCert = "/var/lib/acme/${networking.domain}/fullchain.pem";
networks = [
"127.0.0.0/8"
"[::1]/128"
];
+ setSendmail = true;
# Parse the extension in email address, eg. contact+extension@
recipientDelimiter = "+";
config = {
debug_peer_list = [
#"chomsky.autogeree.net"
#"localhost"
+ #"mail.sourcephile.fr"
];
#
# Reject if the domain is not working, even before bothering to check the address
"reject_unknown_recipient_domain"
# Reject if the address is not working
+ # WARNING: this does not work if the recipient is greylisting.
# WARNING: verify(8) has a cache, dumpable if verify(8) is stopped, with:
# postmap -s btree:/var/lib/postfix/data/verify_cache
- "reject_unverified_recipient"
+ #"reject_unverified_recipient"
"permit"
];
# Trust the verify database
- unverified_recipient_reject_code = "550";
+ #unverified_recipient_reject_code = "550";
smtpd_data_restrictions = [
# Force the smtpd's client to wait OK before sending
"reject_unauth_pipelining"
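Review bot: The comment `# Trust the verify database` at L73 now sits above a commented-out `unverified_recipient_reject_code`, so it reads as describing live configuration when the setting is disabled. Fold it into the disabled line and tie it to the reason given at L66, e.g. `# Disabled together with reject_unverified_recipient above (remote greylisting); #unverified_recipient_reject_code = "550";`, so a later reader re-enables both together rather than one of them. The enclosing restriction list starts before this hunk.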
smtpd_tls_ask_ccert = false;
#smtpd_tls_ccert_verifydepth = "5";
smtpd_tls_ciphers = "high";
- smtpd_tls_eecdh_grade = "ultra";
+ smtpd_tls_eecdh_grade = "auto";
# Disable weak ciphers as reported by https://ssl-tools.net
# https://serverfault.com/questions/744168/how-to-disable-rc4-on-postfix
smtpd_tls_exclude_ciphers = [ "ADH" "MD5" "CAMELLIA" "SEED" "3DES" "DES" "RC4" "eNULL" "aNULL" ];
smtpd_tls_security_level = "may";
smtpd_tls_session_cache_database = "btree:$data_directory/smtpd_tls_session_cache";
#smtpd_tls_session_cache_timeout = "3600s";
+ #smtpd_tls_chain_files =
relayhost = [];
#relay_clientcerts = hash:/var/lib/postfix/conf/relay_clientcerts
relay_domains = [];
relay_recipient_maps = [];
- # postconf(5) discourages to change this
- #tls_high_cipherlist = "AES256-SHA";
- #tls_random_bytes = "32";
- # Must not be in a chroot
- #tls_random_exchange_name = "$data_directory/prng_exch";
- #tls_random_prng_update_period = "3600s";
- #tls_random_reseed_period = "3600s";
# Use a non blocking source of randomness
tls_random_source = "dev:/dev/urandom";
+ # Map each domain to a specific X.509 certificate
+ tls_server_sni_maps = "hash:/run/keys/postfix-sni";
# Only explicitely aliased accounts have a mail, not all the passwd
local_recipient_maps = "$alias_maps";
forward_path = [
/*
"$home/.forward''${recipient_delimiter}''${extension}"
- "$home/.forward"
*/
+ "$home/.forward"
];
# Filled by the postfix/*.nix
"hash:/etc/postfix/virtual"
];
virtual_transport = "lmtp:unix:private/dovecot-lmtp";
+ /*
+ dovecot_destination_recipient_limit = "1";
+ virtual_transport = "dovecot";
+ */
# There is no fallback
fallback_transport = "";
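Review bot: Re-enabling `"$home/.forward"` in `forward_path` (L113) lets local(8) act on user-owned `.forward` files, and with Postfix's default `allow_mail_to_commands = alias, forward` that includes `|command` delivery, so any local account that can write its home directory chooses a delivery command; nothing on the page shows whether local accounts are trusted shell users. If they are not, pair this line with `allow_mail_to_commands = "alias";` (and `allow_mail_to_files` likewise); if they are, add a comment next to L113 stating that per-user forwarding, including to commands, is intentionally allowed. The enclosing `config` attribute set starts before and ends after this hunk.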
mkKeyVal = opt: val: [ "-o" (opt + "=" + mkVal val) ];
mkArgs = args: lib.concatLists (lib.mapAttrsToList mkKeyVal args);
in {
+ pickup = {
+ args = mkArgs {
+ cleanup_service_name = "submissions-header-cleanup";
+ };
+ };
# Implicit TLS on port 465
# https://tools.ietf.org/html/rfc8314#section-3.3
submissions = {
"TLSv1.2"
];
milter_macro_daemon_name = "ORIGINATING";
+ smtpd_helo_restrictions = [
+ "permit_sasl_authenticated"
+ ] ++ postfix.config.smtpd_helo_restrictions;
smtpd_relay_restrictions = [
# SASL authorizes to send to the world
"permit_sasl_authenticated"
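Review bot: The new `pickup.args` at L128–L132 overrides `cleanup_service_name` without a comment, and `submissions-header-cleanup` is not defined in this hunk, so a reader cannot tell that mail injected locally via sendmail(1) is presumably meant to receive the same header rewriting as authenticated submissions; add `# Locally submitted mail (sendmail(1)/pickup) goes through the same header cleanup as the submissions service` above it. It is also worth a comment that `permit_sasl_authenticated` in `smtpd_helo_restrictions` (L139–L141) only matches because `smtpd_delay_reject` defaults to yes, deferring HELO checks until after AUTH; with delayed rejection turned off, unauthenticated HELO evaluation falls through to the inherited `postfix.config.smtpd_helo_restrictions`. The enclosing `let … in { … }` for the master config starts before this hunk.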