From ec0965e2672899d25a5a3a8c072de3ea734076a2 Mon Sep 17 00:00:00 2001
From: V
Date: Wed, 9 Jun 2021 15:43:16 +0200
Subject: fleet: init

Co-authored-by: edef
Change-Id: I36d2c4cca542ed91630b1b832f3c7a7b97b33c65
---
fleet/modules/mail.nix | 70 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 70 insertions(+)
create mode 100644 fleet/modules/mail.nix
(limited to 'fleet/modules/mail.nix')

diff --git a/fleet/modules/mail.nix b/fleet/modules/mail.nix
new file mode 100644
index 0000000..24f3925
--- /dev/null
+++ b/fleet/modules/mail.nix
@@ -0,0 +1,70 @@
+# SPDX-FileCopyrightText: V
+# SPDX-FileCopyrightText: edef
+# SPDX-License-Identifier: OSL-3.0
+
+{ config, pkgs, ... }:
+
+{
+ security.acme.certs = {
+ "${config.networking.fqdn}" = {
+ postRun = "systemctl reload postfix.service";
+ };
+
+ # Older mail servers might not support ECDSA
+ "${config.networking.fqdn}-rsa2048" = {
+ domain = config.networking.fqdn;
+ keyType = "rsa2048";
+ postRun = "systemctl reload postfix.service";
+ };
+ };
+
+ services.postfix = {
+ enable = true;
+
+ # 'myhostname' is actually the FQDN, which Postfix incorrectly expects gethostname(3) to return
+ hostname = config.networking.fqdn;
+
+ # TODO(edef): instrument postfix to find out how often opportunistic encryption works, and with which cipher suites/certificates
+ config = {
+ # Disable account enumeration
+ disable_vrfy_command = true;
+
+ # TODO(V): Look into further hardening
+
+ # Block DNSBLed addresses
+ postscreen_dnsbl_sites = [ "zen.spamhaus.org" "ix.dnsbl.manitu.net" ];
+ postscreen_dnsbl_action = "enforce";
+
+ # Block overly eager robots
+ postscreen_greet_action = "enforce";
+
+ # TODO(V): Look into SpamAssassin for more advanced SPAM protection
+
+ # TODO(V): Support https://github.com/NixOS/nixpkgs/pull/89178 so we can remove some of the following boilerplate
+
+ # Outgoing TLS configuration
+ smtp_tls_security_level = "may";
+ smtp_tls_CAfile = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+ smtp_tls_loglevel = "1";
+ # TODO(V): disable TLSv1 and other insecure versions?
+
+ # Incoming TLS configuration
+ smtpd_tls_security_level = "may";
+ smtpd_tls_chain_files = [
+ # TODO(V): add ed25519, in the bright, wonderful future of cryptography
+ "/var/lib/acme/${config.networking.fqdn}/full.pem"
+ "/var/lib/acme/${config.networking.fqdn}-rsa2048/full.pem"
+ ];
+ smtpd_tls_loglevel = "1";
+ # TODO(V): disable TLSv1 and other insecure versions?
+ };
+ };
+
+ users.users.postfix.extraGroups = [ "acme" ];
+
+ # TODO(V): Figure out how to ensure that Postfix depends on there being a valid cert on
+ # first-run, without causing issues with mail deliverability for an already running service.
+ # Aren't there self-signed certs that the ACME module has for exactly this reason?
+
+ networking.firewall.allowedTCPPorts = [ 25 ];
+}
--
cgit 1.4.1
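Review bot: The two `# TODO(V): disable TLSv1 and other insecure versions?` comments leave TLS 1.0/1.1 negotiable on both the outgoing (`smtp_tls_*`) and incoming (`smtpd_tls_*`) side, and because both security levels are `may` it is the non-mandatory protocol parameters that govern these sessions, so `smtp_tls_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1";` and `smtpd_tls_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1";` placed at the respective TODOs would close them (the `*_tls_mandatory_protocols` variants only apply once a level of `encrypt` or stricter is set). The `loglevel = "1"` entries already present give the evidence the TODO(edef) instrumentation needs to see which peers would fall off before the cut-off is enforced. Separately, `postscreen_dnsbl_sites` combined with `postscreen_dnsbl_action = "enforce"` counts, as far as I can tell, any address a list returns as a hit, so a list's error or policy response rather than a listing would turn into a blanket reject of inbound mail; a return-code filter such as `zen.spamhaus.org=127.0.0.[2..11]` limits enforcement to the listing codes the operator intends. The NixOS module appears to render these Nix lists as comma-separated Postfix values, so the filter fits the existing list form without further change.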