author | V <v@unfathomable.blue> | 2021-06-09 15:43:16 +0200 |
---|---|---|
committer | V <v@unfathomable.blue> | 2021-08-17 03:09:34 +0200 |
commit | ec0965e2672899d25a5a3a8c072de3ea734076a2 (patch) | |
tree | ddf53e6cc5ae47fa1a925f7a7d6414ba03718a84 /fleet/modules/mail.nix | |
parent | db7c54f92f386a94db8af7a12626d2657b4dd640 (diff) | |
download | unf-legacy-ec0965e2672899d25a5a3a8c072de3ea734076a2.tar.zst |
fleet: init
Co-authored-by: edef <edef@unfathomable.blue> Change-Id: I36d2c4cca542ed91630b1b832f3c7a7b97b33c65
Diffstat (limited to 'fleet/modules/mail.nix')
-rw-r--r-- | fleet/modules/mail.nix | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/fleet/modules/mail.nix b/fleet/modules/mail.nix
new file mode 100644
index 0000000..24f3925
--- /dev/null
+++ b/fleet/modules/mail.nix
@@ -0,0 +1,70 @@
+# SPDX-FileCopyrightText: V <v@unfathomable.blue>
+# SPDX-FileCopyrightText: edef <edef@unfathomable.blue>
+# SPDX-License-Identifier: OSL-3.0
+
+{ config, pkgs, ... }:
+
+{
+ security.acme.certs = {
+ "${config.networking.fqdn}" = {
+ postRun = "systemctl reload postfix.service";
+ };
+
+ # Older mail servers might not support ECDSA
+ "${config.networking.fqdn}-rsa2048" = {
+ domain = config.networking.fqdn;
+ keyType = "rsa2048";
+ postRun = "systemctl reload postfix.service";
+ };
+ };
+
+ services.postfix = {
+ enable = true;
+
+ # 'myhostname' is actually the FQDN, which Postfix incorrectly expects gethostname(3) to return
+ hostname = config.networking.fqdn;
+
+ # TODO(edef): instrument postfix to find out how often opportunistic encryption works, and with which cipher suites/certificates
+ config = {
+ # Disable account enumeration
+ disable_vrfy_command = true;
+
+ # TODO(V): Look into further hardening
+
+ # Block DNSBLed addresses
+ postscreen_dnsbl_sites = [ "zen.spamhaus.org" "ix.dnsbl.manitu.net" ];
+ postscreen_dnsbl_action = "enforce";
+
+ # Block overly eager robots
+ postscreen_greet_action = "enforce";
+
+ # TODO(V): Look into SpamAssassin for more advanced SPAM protection
+
+ # TODO(V): Support https://github.com/NixOS/nixpkgs/pull/89178 so we can remove some of the following boilerplate
+
+ # Outgoing TLS configuration
+ smtp_tls_security_level = "may";
+ smtp_tls_CAfile = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+ smtp_tls_loglevel = "1";
+ # TODO(V): disable TLSv1 and other insecure versions?
+
+ # Incoming TLS configuration
+ smtpd_tls_security_level = "may";
+ smtpd_tls_chain_files = [
+ # TODO(V): add ed25519, in the bright, wonderful future of cryptography
+ "/var/lib/acme/${config.networking.fqdn}/full.pem"
+ "/var/lib/acme/${config.networking.fqdn}-rsa2048/full.pem"
+ ];
+ smtpd_tls_loglevel = "1";
+ # TODO(V): disable TLSv1 and other insecure versions?
+ };
+ };
+
+ users.users.postfix.extraGroups = [ "acme" ];
+
+ # TODO(V): Figure out how to ensure that Postfix depends on there being a valid cert on
+ # first-run, without causing issues with mail deliverability for an already running service.
+ # Aren't there self-signed certs that the ACME module has for exactly this reason?
+
+ networking.firewall.allowedTCPPorts = [ 25 ];
+}
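Review bot: The postscreen_dnsbl_sites entry for zen.spamhaus.org carries no reply filter, so any A-record answer counts as a listing; Spamhaus answers queries that arrive via public resolvers or exceed its free-use quota with error codes in 127.255.255.0/24, and with postscreen_dnsbl_action = "enforce" those would reject every incoming connection instead of only listed senders. Restricting the match to the documented listing codes, `"zen.spamhaus.org=127.0.0.[2..11]"`, makes such error replies harmless (and note the postscreen_* keys only take effect if master.cf routes port 25 through postscreen, which this hunk does not show). `users.users.postfix.extraGroups = [ "acme" ]` gives Postfix read access to every certificate and private key the ACME module manages on the host; setting `group = "postfix";` on the two certs it actually uses keeps any other cert's key out of its reach. For the two "disable TLSv1" TODOs, `smtpd_tls_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1";` plus the matching `smtp_tls_protocols` line works on any Postfix version, with the caveat that at security level "may" peers limited to the excluded versions fall back to cleartext rather than failing.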