Commit Graph

79 Commits

Author SHA1 Message Date
Isabel
290a995de5
refactor: policyd-spf -> spf-engine 2024-06-18 09:03:27 +01:00
Martin Weinelt
ed80b589d3
postfix: remove deprecated smtpd_tls_eecdh_grade
Causes a warning that suggests to just leave it at its default.
2024-06-03 12:34:43 +02:00
Antoine Eiche
b5023b36a1 postfix: exclude $mynetwork from smtpd_forbid_bare_newline 2023-12-27 09:46:26 +01:00
Alvar Penning
3f526c08e8
postfix: SMTP Smuggling Protection
Enable Postfix SMTP Smuggling protection, introduced in Postfix 3.8.4,
which is, currently, only available within the nixpkgs' master branch.

- https://github.com/NixOS/nixpkgs/pull/276104
- https://github.com/NixOS/nixpkgs/pull/276264

For information about SMTP Smuggling:

- https://www.postfix.org/smtp-smuggling.html
- https://www.postfix.org/postconf.5.html#smtpd_forbid_bare_newline
2023-12-23 20:15:16 +01:00
Jean-Baptiste Giraudeau
93221e4b25
Add support for regex (PCRE) aliases. 2023-09-05 14:58:10 +02:00
Antoine Eiche
fb3210b932 ldap: do not write password to the Nix store 2023-07-11 19:31:20 +00:00
Antoine Eiche
33554e57ce Make the ldap test working
- The smtp/imap user name is now user@domain.tld
- Make the test_lookup function much more robust: it was now getting
  the correct file from the store.
2023-07-11 19:31:20 +00:00
Martin Weinelt
08f077c5ca Add support for LDAP users
Allow configuring lookups for users and their mail addresses from an
LDAP directory. The LDAP username will be used as an accountname as
opposed to the email address used as the `loginName` for declarative
accounts. Mailbox for LDAP users will be stored below
`/var/vmail/ldap/<account>`.

Configuring domains is out of scope, since domains require further
configuration within the NixOS mailserver construct to set up all
related services accordingly.

Aliases can already be configured using `mailserver.forwards` but could
be supported using LDAP at a later point.
2023-07-11 19:31:20 +00:00
Steve Purcell
fb85a3fe9e Ensure locally-delivered mails have the X-Original-To header
See #223
2021-08-11 12:20:16 +00:00
Emmanouil Kampitakis
d75614a653 Feature/configurable delimiter 2021-03-22 19:05:34 +00:00
Antoine Eiche
5f431207b3 postfix: forwarding emails of login accounts with keeping local copy
When a local account address is forwarded, the mails were not locally
kept. This was due to the way lookup tables were internally managed.

Instead of using lists to represent Postfix lookup tables, we now use
attribute sets: they can then be easily merged.

A regression test for
https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/
has been added: it sets a forward on a local address and ensure an
email sent to this address is locally kept.

Fixes #205
2021-02-06 08:17:43 +00:00
Antoine Eiche
ee3d38a157 Set mailserver.policydSPFExtraConfig in a debug module
The line type of this option make its concatenation cleaner: the user
doesn't have to manually add `\n` to its policydSPFExtraConfig value
when debug in set.
2020-12-23 09:39:55 +01:00
Milan Pässler
cc526a2700 add full support for tls wrapped mode 2020-10-05 20:54:46 +02:00
Antoine Eiche
24600377af Add forwards option
This option allow to forward mails to external addresses.
2020-09-28 20:50:45 +02:00
James ‘Twey’ Kay
5cd6f8e7b3 Add a separate sendingFqdn option 2020-09-18 21:38:15 +00:00
Brian Olsen
aed5d9e523
Switch from using postfix extraConfig to config
`services.postfix.extraConfig` is just a string while the
`services.postfix.config` option configures the same thing but with a
typed attrset instead which is easier to manipulate and override in Nix.
2020-05-22 12:19:50 +02:00
Benjamin Asbach
c2ee9f217a Enabled TLS 1.3 support 2020-05-13 00:20:22 +00:00
Antoine Eiche
41219cc690 Rename rejectMessage to sendOnlyRejectMessage 2020-05-08 20:43:46 +02:00
Galen Abell
d47e4ead88 Add send-only accounts 2020-05-08 20:43:46 +02:00
Galen Abell
6563abc1c4 Fix password hash file generation behavior
- Move the "create password hash file from hashed password" behavior to
  a separate variable, since having it in the default field of config
  would always cause the warning to trigger
- Change type of hashedPassword to `nullOr str`
2020-03-06 17:27:47 +00:00
Alberto Berti
6033364d0b Merge branch 'delimiter' into delimiter-master 2019-07-26 19:28:51 +02:00
Alberto Berti
253c8732b4 Add subaddresses configuration 2019-07-25 17:30:20 +02:00
Oscar Carlsson
4e8fbac580 Disable TLSv1.0 and deprecated ciphers.
TLSv1.0 is as deprecated as the older SSL versions, and should not be
used. I've also disabled a slew of ciphers, and hopefully this will
make us less vulnerable to downgrade attacks and similar.
2019-06-21 11:09:30 +02:00
Christian Kauhaus
bce95d0229 Use services.postfix.virtual option
SNM used to define virtual_alias_maps in extraConfig which collides with
the same parameter defined by the standard services.postfix.virtual
option. This led to *lots* of warnings during postfix startup like

```
May 02 18:29:58 nun postfix/master[24758]: warning: /etc/postfix/main.cf, line 47: overriding earlier entry: virtual_alias_maps=hash:/etc/postfix/virtual
```

Refraining from overriding virtual_alias_maps has the additional
advantage that virtual aliases defined by other modules dont' stop
working with SNM.
2019-05-03 11:25:23 +00:00
Michishige Kaito
c2ca4d1bb0 postfix: allow configuring message_size_limit 2018-11-23 14:29:23 +00:00
Robin Raymond
acd65c0803 New Feature >>rejectSender<<
Authored by tokudan
2018-11-10 14:29:16 +01:00
Brian Olsen
88e292c5b7 postfix: Support setting options for policyd-spf 2018-06-29 21:36:34 +09:30
Brian Olsen
616d779e1f Move from rmilter to rspamd #25 2018-06-29 21:36:34 +09:30
Brian Olsen
e32a915489 postfix: Use pypolicyd-spf for SPF checking 2018-06-29 21:35:16 +09:30
Brian Olsen
f209fa3bf3 postfix: use masterConfig option instead of extraMasterConf
extraMasterConf is just a string while masterConfig is a nix module so
the options are more explicit and has help text.
2018-06-29 21:35:16 +09:30
Brian Olsen
7036371f75 Use OpenDKIM instead of rmilter for DKIM
As part of #61 this moves DKIM handling from rmilter to OpenDKIM.
2018-06-29 21:35:16 +09:30
Brian Olsen
8a27b941bf Start dovecot before postfix and add target for certificates
It seemed weird to me that preStart on postfix was used to generate
files not needed directly by postfix and for the self-signed
certificate which is also needed by dovecot. nginx.service was also
used as a proxy for when ACME certificate generation was done.

So I have created mailserver-certificates.target for when certificates
are available for other services. For self-signed that means that a
new oneshot service called mailserver-selfsigned-certificate has been
run. And for ACME this means that the target
acme-selfsigned-certificates has been reached (which is when acme has
created the self-signed certificates used before the actual
certificates provided by LetsEncrypt are created). This setup has the
added bonus that if you want to run a service to provide your own
certificates you can set that to run before
mailserver-certificates.target.

DH Parameters are only needed by dovecot so generation of that file has
been moved to the dovecot2 preStart.

And lastly the only remaining reason to for dovecot to start before
postfix was that the auth and lmtp sockets where located in a directory
created by postfix. But since they could just as well be located in
/run/dovecot2 as long as postfix has access to them I have moved them
there.
2018-06-29 21:35:16 +09:30
Robin Raymond
6d3ab77a5d
Merge pull request #114 from geistesk/message-id
Fog user's hostname in the Message-ID
2018-05-10 13:05:32 +02:00
Daniel Frank
f613779999 Allow rejecting mails to selected local addresses from remote systems 2018-04-15 01:49:26 +02:00
geistesk
386faf960c Fog user's hostname in the Message-ID 2018-04-09 22:14:17 +02:00
Robin Raymond
e4c6682eb9 Merge branch 'master' of github.com:r-raymond/nixos-mailserver 2018-04-08 15:28:58 +02:00
Robin Raymond
c28d7756c1
Merge pull request #101 from tokudan/mydestination
Avoid accepting mail to xyz@localhost from remote systems
2018-04-08 15:25:48 +02:00
geistesk
c0df22aaae Support for multiple extraVirtualAliases
Should fix #104 by introducing

```
extraVirtualAliases = {
  "single-alias@domain.foobar" = "user1@domain.foobar";
  "multi-alias@domain.foobar" = [
    "user1@domain.foobar" "user2@domain.foobar" ];
};
```
2018-04-03 11:52:03 +02:00
Daniel Frank
f283b6750b Avoid accepting mail to xyz@localhost. Local email should be aliased to another user anyway. 2018-03-10 17:13:30 +01:00
Robin Raymond
f69081226d
Merge pull request #98 from tokudan/fix_backscatter
Avoid backscattering on unknown recipients. Fixes #97
2018-03-06 16:00:54 +01:00
Daniel Frank
330cc73089 Avoid backscattering on unknown recipients. Fixes #97 2018-03-05 20:29:02 +01:00
Robert Schütz
f9820b55ab Don't include identity twice in vaccounts
fixes #94
2018-03-05 16:20:54 +01:00
Robin Raymond
c1c4706519 remove deprecated virtualAliases 2018-02-23 16:48:13 +01:00
Robin Raymond
a3043b2242 fixes #87 2018-02-23 14:52:11 +01:00
Robin Raymond
436cf0513b add vitual mail users 2018-02-18 12:17:32 +01:00
Robin Raymond
aca43875dc update copywright 2018-01-29 10:34:27 +01:00
Robin Raymond
eeb7fd64af implement qutoas 2017-12-22 16:58:35 +01:00
Robin Raymond
2d0648e0f4 move from real users to passwd file 2017-12-22 16:08:42 +01:00
Ruben Maher
3a333ab71a mail-server/postfix: add each loginAccount to virtual_alias_maps 2017-12-20 10:54:57 +10:30
Robin Raymond
fc9b63f0e6 add explicit catchAlls #49 2017-12-18 12:26:54 +01:00