add full support for tls wrapped mode

This commit is contained in:
Milan Pässler 2020-07-06 10:38:12 +02:00 committed by Antoine Eiche
parent 823c26fa69
commit cc526a2700
5 changed files with 93 additions and 39 deletions

View file

@ -35,12 +35,15 @@ D9FE 4119 F082 6F15 93BD BD36 6162 DBA5 635E A16A
* [x] Multiple Domains * [x] Multiple Domains
* Postfix MTA * Postfix MTA
- [x] smtp on port 25 - [x] smtp on port 25
- [x] submission port 587 - [x] submission tls on port 465
- [x] submission starttls on port 587
- [x] lmtp with dovecot - [x] lmtp with dovecot
* Dovecot * Dovecot
- [x] maildir folders - [x] maildir folders
- [x] imap starttls on port 143 - [x] imap with tls on port 993
- [x] pop3 starttls on port 110 - [x] pop3 with tls on port 995
- [x] imap with starttls on port 143
- [x] pop3 with starttls on port 110
* Certificates * Certificates
- [x] manual certificates - [x] manual certificates
- [x] on the fly creation - [x] on the fly creation

View file

@ -396,21 +396,31 @@ in
type = types.bool; type = types.bool;
default = true; default = true;
description = '' description = ''
Whether to enable imap / pop3. Both variants are only supported in the Whether to enable IMAP with STARTTLS on port 143.
(sane) startTLS configuration. The ports are
110 - Pop3
143 - IMAP
587 - SMTP with login
''; '';
}; };
enableImapSsl = mkOption { enableImapSsl = mkOption {
type = types.bool; type = types.bool;
default = false; default = true;
description = '' description = ''
Whether to enable IMAPS, setting this option to true will open port 993 Whether to enable IMAP with TLS in wrapper-mode on port 993.
in the firewall. '';
};
enableSubmission = mkOption {
type = types.bool;
default = true;
description = ''
Whether to enable SMTP with STARTTLS on port 587.
'';
};
enableSubmissionSsl = mkOption {
type = types.bool;
default = true;
description = ''
Whether to enable SMTP with TLS in wrapper-mode on port 465.
''; '';
}; };
@ -418,12 +428,7 @@ in
type = types.bool; type = types.bool;
default = false; default = false;
description = '' description = ''
Whether to enable POP3. Both variants are only supported in the (sane) Whether to enable POP3 with STARTTLS on port on port 110.
startTLS configuration. The ports are
110 - Pop3
143 - IMAP
587 - SMTP with login
''; '';
}; };
@ -431,8 +436,7 @@ in
type = types.bool; type = types.bool;
default = false; default = false;
description = '' description = ''
Whether to enable POP3S, setting this option to true will open port 995 Whether to enable POP3 with TLS in wrapper-mode on port 995.
in the firewall.
''; '';
}; };

View file

@ -84,8 +84,8 @@ in
config = with cfg; lib.mkIf enable { config = with cfg; lib.mkIf enable {
services.dovecot2 = { services.dovecot2 = {
enable = true; enable = true;
enableImap = enableImap; enableImap = enableImap || enableImapSsl;
enablePop3 = enablePop3; enablePop3 = enablePop3 || enablePop3Ssl;
enablePAM = false; enablePAM = false;
enableQuota = true; enableQuota = true;
mailGroup = vmailGroupName; mailGroup = vmailGroupName;
@ -95,7 +95,7 @@ in
sslServerKey = keyPath; sslServerKey = keyPath;
enableLmtp = true; enableLmtp = true;
modules = [ pkgs.dovecot_pigeonhole ]; modules = [ pkgs.dovecot_pigeonhole ];
protocols = [ "sieve" ]; protocols = lib.optional cfg.enableManageSieve "sieve";
sieveScripts = { sieveScripts = {
after = builtins.toFile "spam.sieve" '' after = builtins.toFile "spam.sieve" ''
@ -118,6 +118,45 @@ in
verbose_ssl = yes verbose_ssl = yes
''} ''}
${lib.optionalString (cfg.enableImap || cfg.enableImapSsl) ''
service imap-login {
inet_listener imap {
${if cfg.enableImap then ''
port = 143
'' else ''
port = 0
''}
}
inet_listener imaps {
${if cfg.enableImapSsl then ''
port = 993
ssl = yes
'' else ''
port = 0
''}
}
}
''}
${lib.optionalString (cfg.enablePop3 || cfg.enablePop3Ssl) ''
service pop3-login {
inet_listener pop3 {
${if cfg.enablePop3 then ''
port = 110
'' else ''
port = 0
''}
}
inet_listener pop3s {
${if cfg.enablePop3Ssl then ''
port = 995
ssl = yes
'' else ''
port = 0
''}
}
}
''}
protocol imap { protocol imap {
mail_max_userip_connections = ${toString cfg.maxConnectionsPerUser} mail_max_userip_connections = ${toString cfg.maxConnectionsPerUser}
mail_plugins = $mail_plugins imap_sieve mail_plugins = $mail_plugins imap_sieve

View file

@ -23,7 +23,9 @@ in
config = with cfg; lib.mkIf enable { config = with cfg; lib.mkIf enable {
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ 25 587 ] allowedTCPPorts = [ 25 ]
++ lib.optional enableSubmission 587
++ lib.optional enableSubmissionSsl 465
++ lib.optional enableImap 143 ++ lib.optional enableImap 143
++ lib.optional enableImapSsl 993 ++ lib.optional enableImapSsl 993
++ lib.optional enablePop3 110 ++ lib.optional enablePop3 110

View file

@ -121,6 +121,21 @@ let
'')); ''));
mappedFile = name: "hash:/var/lib/postfix/conf/${name}"; mappedFile = name: "hash:/var/lib/postfix/conf/${name}";
submissionOptions =
{
smtpd_tls_security_level = "encrypt";
smtpd_sasl_auth_enable = "yes";
smtpd_sasl_type = "dovecot";
smtpd_sasl_path = "/run/dovecot2/auth";
smtpd_sasl_security_options = "noanonymous";
smtpd_sasl_local_domain = "$myhostname";
smtpd_client_restrictions = "permit_sasl_authenticated,reject";
smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts";
smtpd_sender_restrictions = "reject_sender_login_mismatch";
smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
cleanup_service_name = "submission-header-cleanup";
};
in in
{ {
config = with cfg; lib.mkIf enable { config = with cfg; lib.mkIf enable {
@ -136,7 +151,8 @@ in
mapFiles."reject_recipients" = reject_recipients_file; mapFiles."reject_recipients" = reject_recipients_file;
sslCert = certificatePath; sslCert = certificatePath;
sslKey = keyPath; sslKey = keyPath;
enableSubmission = true; enableSubmission = cfg.enableSubmission;
enableSubmissions = cfg.enableSubmissionSsl;
virtual = virtual =
(lib.concatStringsSep "\n" (all_valiases_postfix ++ catchAllPostfix ++ forwards)); (lib.concatStringsSep "\n" (all_valiases_postfix ++ catchAllPostfix ++ forwards));
@ -219,20 +235,10 @@ in
milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}"; milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}";
}; };
submissionOptions =
{ submissionOptions = submissionOptions;
smtpd_tls_security_level = "encrypt"; submissionsOptions = submissionOptions;
smtpd_sasl_auth_enable = "yes";
smtpd_sasl_type = "dovecot";
smtpd_sasl_path = "/run/dovecot2/auth";
smtpd_sasl_security_options = "noanonymous";
smtpd_sasl_local_domain = "$myhostname";
smtpd_client_restrictions = "permit_sasl_authenticated,reject";
smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts";
smtpd_sender_restrictions = "reject_sender_login_mismatch";
smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
cleanup_service_name = "submission-header-cleanup";
};
masterConfig = { masterConfig = {
"policy-spf" = { "policy-spf" = {
type = "unix"; type = "unix";