- restructure rspamd config. It's nicer now, and it was getting
overridden the old way.
- "scan_mime_parts = false" apparently must be used in rspamd for ClamAV
to work
- refactor the clamav test a bit for cleanliness
- wait for rspamd and clamd sockets to open, before testing
- use clamdscan for speed, and verify that the virus was found
- verify msmtp returns virus scan result
Their CI environment currently doesn't have KVM. This commit should be
reverted when/if they do, for much better CI speed.
You can still run tests locally on your KVM-enabled machine as documented
on the wiki.
Workaround on GitLab is several pieces (injected through .gitlab-ci.yml):
- Make a /dev/kvm file so that nix thinks we have "kvm" system feature
and proceeds with executing the tests.
- Inject a QEMU package that replaces qemu-kvm with a full emulator.
- Monkey-patch the test script to wait longer for the VM to boot, since
it's slow on full emulation. 1200 seconds, double the previous value.
The patch method is not bulletproof, but better than maintaining forks of
nixpkgs.
- Set systemd's DefaultTimeoutStartSec=15min, so nix's "backdoor" test
service doesn't time out on the slow boot.
TLSv1.0 is as deprecated as the older SSL versions, and should not be
used. I've also disabled a slew of ciphers, and hopefully this will
make us less vulnerable to downgrade attacks and similar.
SNM used to define virtual_alias_maps in extraConfig which collides with
the same parameter defined by the standard services.postfix.virtual
option. This led to *lots* of warnings during postfix startup like
```
May 02 18:29:58 nun postfix/master[24758]: warning: /etc/postfix/main.cf, line 47: overriding earlier entry: virtual_alias_maps=hash:/etc/postfix/virtual
```
Refraining from overriding virtual_alias_maps has the additional
advantage that virtual aliases defined by other modules dont' stop
working with SNM.
Advantages of including the SHA256:
(i) removes the impurity of the tarball contents being changed
(ii) if sha256 is not included, then each nixops deploy triggers a re-download of the tarball
Here's how to get the expected hash:
$ nix-prefetch-url --unpack 'https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.0/nixos-mailserver-v2.2.0.tar.gz'
unpacking...
[0.0 MiB DL]
path is '/nix/store/dwg8xlfnlw7mhr4cjk1viwmm0b249b74-nixos-mailserver-v2.2.0.tar.gz'
0gqzgy50hgb5zmdjiffaqp277a68564vflfpjvk1gv6079zahksc
Fix#136 (stop pulling the files from @griff's poor server), also add a script
to update the files.
The fun thing about this is that due to sourcing the files from
`https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/raw/master/tests/clamav`
during the tests, updates to the `hashes.json` and `*.cvd` files will always
fail CI. I guess this is a reasonable tradeoff as long as people are aware of
it.
It seemed weird to me that preStart on postfix was used to generate
files not needed directly by postfix and for the self-signed
certificate which is also needed by dovecot. nginx.service was also
used as a proxy for when ACME certificate generation was done.
So I have created mailserver-certificates.target for when certificates
are available for other services. For self-signed that means that a
new oneshot service called mailserver-selfsigned-certificate has been
run. And for ACME this means that the target
acme-selfsigned-certificates has been reached (which is when acme has
created the self-signed certificates used before the actual
certificates provided by LetsEncrypt are created). This setup has the
added bonus that if you want to run a service to provide your own
certificates you can set that to run before
mailserver-certificates.target.
DH Parameters are only needed by dovecot so generation of that file has
been moved to the dovecot2 preStart.
And lastly the only remaining reason to for dovecot to start before
postfix was that the auth and lmtp sockets where located in a directory
created by postfix. But since they could just as well be located in
/run/dovecot2 as long as postfix has access to them I have moved them
there.
