From cc526a27009be1f1cfbc195f7e859f924f19ef68 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Milan=20P=C3=A4ssler?= Date: Mon, 6 Jul 2020 10:38:12 +0200 Subject: [PATCH] add full support for tls wrapped mode --- README.md | 9 +++++--- default.nix | 38 ++++++++++++++++++-------------- mail-server/dovecot.nix | 45 +++++++++++++++++++++++++++++++++++--- mail-server/networking.nix | 4 +++- mail-server/postfix.nix | 36 +++++++++++++++++------------- 5 files changed, 93 insertions(+), 39 deletions(-) diff --git a/README.md b/README.md index 960e8c5..5561bd2 100644 --- a/README.md +++ b/README.md @@ -35,12 +35,15 @@ D9FE 4119 F082 6F15 93BD BD36 6162 DBA5 635E A16A * [x] Multiple Domains * Postfix MTA - [x] smtp on port 25 - - [x] submission port 587 + - [x] submission tls on port 465 + - [x] submission starttls on port 587 - [x] lmtp with dovecot * Dovecot - [x] maildir folders - - [x] imap starttls on port 143 - - [x] pop3 starttls on port 110 + - [x] imap with tls on port 993 + - [x] pop3 with tls on port 995 + - [x] imap with starttls on port 143 + - [x] pop3 with starttls on port 110 * Certificates - [x] manual certificates - [x] on the fly creation diff --git a/default.nix b/default.nix index 6372574..b5c4799 100644 --- a/default.nix +++ b/default.nix 
@@ -396,21 +396,31 @@ in type = types.bool; default = true; description = '' - Whether to enable imap / pop3. Both variants are only supported in the - (sane) startTLS configuration. The ports are - - 110 - Pop3 - 143 - IMAP - 587 - SMTP with login + Whether to enable IMAP with STARTTLS on port 143. ''; }; enableImapSsl = mkOption { type = types.bool; - default = false; + default = true; description = '' - Whether to enable IMAPS, setting this option to true will open port 993 - in the firewall. + Whether to enable IMAP with TLS in wrapper-mode on port 993. + ''; + }; + + enableSubmission = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable SMTP with STARTTLS on port 587. + ''; + }; + + enableSubmissionSsl = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable SMTP with TLS in wrapper-mode on port 465. ''; }; @@ -418,12 +428,7 @@ in type = types.bool; default = false; description = '' - Whether to enable POP3. Both variants are only supported in the (sane) - startTLS configuration. The ports are - - 110 - Pop3 - 143 - IMAP - 587 - SMTP with login + Whether to enable POP3 with STARTTLS on port on port 110. ''; }; @@ -431,8 +436,7 @@ in type = types.bool; default = false; description = '' - Whether to enable POP3S, setting this option to true will open port 995 - in the firewall. + Whether to enable POP3 with TLS in wrapper-mode on port 995. ''; }; diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix index fa7a3c8..56cc1ab 100644 --- a/mail-server/dovecot.nix +++ b/mail-server/dovecot.nix @@ -84,8 +84,8 @@ in config = with cfg; lib.mkIf enable { services.dovecot2 = { enable = true; - enableImap = enableImap; - enablePop3 = enablePop3; + enableImap = enableImap || enableImapSsl; + enablePop3 = enablePop3 || enablePop3Ssl; enablePAM = false; enableQuota = true; mailGroup = vmailGroupName; 
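Review bot: The replacement description in the @@ -418 hunk reads `Whether to enable POP3 with STARTTLS on port on port 110.` — the duplicated words should be trimmed to `Whether to enable POP3 with STARTTLS on port 110.`. In the @@ -396 hunk, `enableImapSsl` flips its default from `false` to `true`, so an existing deployment that never set the option gains the imaps listener and an open port 993 (networking.nix opens it from the same flag) on the next rebuild without any change on the operator's side; that deserves a sentence in the commit message or a comment on the option such as `# default changed to true with wrapper-mode support; port 993 is opened in the firewall when set`. The option set enclosing these hunks starts before and ends after them.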
@@ -95,7 +95,7 @@ in sslServerKey = keyPath; enableLmtp = true; modules = [ pkgs.dovecot_pigeonhole ]; - protocols = [ "sieve" ]; + protocols = lib.optional cfg.enableManageSieve "sieve"; sieveScripts = { after = builtins.toFile "spam.sieve" '' @@ -118,6 +118,45 @@ in verbose_ssl = yes ''} + ${lib.optionalString (cfg.enableImap || cfg.enableImapSsl) '' + service imap-login { + inet_listener imap { + ${if cfg.enableImap then '' + port = 143 + '' else '' + port = 0 + ''} + } + inet_listener imaps { + ${if cfg.enableImapSsl then '' + port = 993 + ssl = yes + '' else '' + port = 0 + ''} + } + } + ''} + ${lib.optionalString (cfg.enablePop3 || cfg.enablePop3Ssl) '' + service pop3-login { + inet_listener pop3 { + ${if cfg.enablePop3 then '' + port = 110 + '' else '' + port = 0 + ''} + } + inet_listener pop3s { + ${if cfg.enablePop3Ssl then '' + port = 995 + ssl = yes + '' else '' + port = 0 + ''} + } + } + ''} + protocol imap { mail_max_userip_connections = ${toString cfg.maxConnectionsPerUser} mail_plugins = $mail_plugins imap_sieve diff --git a/mail-server/networking.nix b/mail-server/networking.nix index 056e411..8c8a500 100644 --- a/mail-server/networking.nix +++ b/mail-server/networking.nix @@ -23,7 +23,9 @@ in config = with cfg; lib.mkIf enable { networking.firewall = { - allowedTCPPorts = [ 25 587 ] + allowedTCPPorts = [ 25 ] + ++ lib.optional enableSubmission 587 + ++ lib.optional enableSubmissionSsl 465 ++ lib.optional enableImap 143 ++ lib.optional enableImapSsl 993 ++ lib.optional enablePop3 110 diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix index 77256df..d5281eb 100644 --- a/mail-server/postfix.nix +++ b/mail-server/postfix.nix 
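Review bot: `protocols = lib.optional cfg.enableManageSieve "sieve";` references an option `enableManageSieve` that none of the default.nix hunks in this patch declare; if it is not defined elsewhere in the module, evaluation fails on an undefined attribute, and if it is, its default now decides whether the managesieve protocol stays enabled, where the removed line enabled it unconditionally. This is a behaviour change unrelated to the commit subject, so it would help to say so in the commit message or with a comment on the line, e.g. `# managesieve is opt-in via enableManageSieve`. The services.dovecot2 attribute set enclosing this hunk starts before and ends after it.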
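Review bot: The `port = 0` branches in the new imap-login and pop3-login blocks are what disables an unwanted listener, but nothing says so and a reader may take them for a placeholder; a comment on the first one, `# port = 0 keeps the listener defined but disabled, so the sibling listener in this service can still be on`, makes the intent clear. The listeners on 143 and 110 remain STARTTLS listeners that accept a cleartext connection before upgrade; whether cleartext authentication is refused on them depends on Dovecot's global `ssl` and `disable_plaintext_auth` settings, which lie outside this hunk (only `verbose_ssl = yes` is visible), so a one-line note next to `inet_listener imap` stating which of those settings the module relies on would document the security property the README now advertises. The surrounding extraConfig string starts before and ends after this hunk.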
@@ -121,6 +121,21 @@ let '')); mappedFile = name: "hash:/var/lib/postfix/conf/${name}"; + + submissionOptions = + { + smtpd_tls_security_level = "encrypt"; + smtpd_sasl_auth_enable = "yes"; + smtpd_sasl_type = "dovecot"; + smtpd_sasl_path = "/run/dovecot2/auth"; + smtpd_sasl_security_options = "noanonymous"; + smtpd_sasl_local_domain = "$myhostname"; + smtpd_client_restrictions = "permit_sasl_authenticated,reject"; + smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts"; + smtpd_sender_restrictions = "reject_sender_login_mismatch"; + smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject"; + cleanup_service_name = "submission-header-cleanup"; + }; in { config = with cfg; lib.mkIf enable { @@ -136,7 +151,8 @@ in mapFiles."reject_recipients" = reject_recipients_file; sslCert = certificatePath; sslKey = keyPath; - enableSubmission = true; + enableSubmission = cfg.enableSubmission; + enableSubmissions = cfg.enableSubmissionSsl; virtual = (lib.concatStringsSep "\n" (all_valiases_postfix ++ catchAllPostfix ++ forwards)); 
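Review bot: `submissionOptions` is now shared between the STARTTLS submission service on 587 and the wrapper-mode submissions service on 465 (the @@ -219 hunk assigns it to both `submissionOptions` and `submissionsOptions`), but the attribute set says nothing about that and carries `smtpd_tls_security_level = "encrypt"`, which on its own describes STARTTLS enforcement rather than implicit TLS. Presumably the NixOS postfix module adds `smtpd_tls_wrappermode = yes` to the submissions service itself; if it did not, port 465 would be a second STARTTLS listener rather than the TLS-wrapped one the README promises, so that assumption is worth pinning in a comment above the binding: `# shared by submission (587, STARTTLS) and submissions (465, wrapper mode); wrapper mode itself is set by the postfix module`. The `let` block enclosing this binding starts before the hunk.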
@@ -219,20 +235,10 @@ in milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}"; }; - submissionOptions = - { - smtpd_tls_security_level = "encrypt"; - smtpd_sasl_auth_enable = "yes"; - smtpd_sasl_type = "dovecot"; - smtpd_sasl_path = "/run/dovecot2/auth"; - smtpd_sasl_security_options = "noanonymous"; - smtpd_sasl_local_domain = "$myhostname"; - smtpd_client_restrictions = "permit_sasl_authenticated,reject"; - smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts"; - smtpd_sender_restrictions = "reject_sender_login_mismatch"; - smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject"; - cleanup_service_name = "submission-header-cleanup"; - }; + + submissionOptions = submissionOptions; + submissionsOptions = submissionOptions; + masterConfig = { "policy-spf" = { type = "unix";
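Review bot: `submissionOptions = submissionOptions;` on the new side only works because the right-hand side resolves to the `let`-bound name in the enclosing scope, and it reads like a recursive binding; the idiomatic Nix form is `inherit submissionOptions;`, keeping `submissionsOptions = submissionOptions;` on the following line. The added empty `+` line also appears to leave two consecutive blank lines between the closing `};` and the binding. The services.postfix attribute set enclosing this hunk starts before and ends after it.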