From 2d0648e0f4c57e8a57ad34bbd8ea514fcf18c543 Mon Sep 17 00:00:00 2001 From: Robin Raymond Date: Fri, 22 Dec 2017 16:08:42 +0100 Subject: [PATCH 1/4] move from real users to passwd file --- mail-server/common.nix | 8 +++++++- mail-server/dovecot.nix | 8 +++++++- mail-server/postfix.nix | 2 +- mail-server/users.nix | 12 +----------- 4 files changed, 16 insertions(+), 14 deletions(-) diff --git a/mail-server/common.nix b/mail-server/common.nix index 910b5c2..56373bd 100644 --- a/mail-server/common.nix +++ b/mail-server/common.nix @@ -14,10 +14,14 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see -{ config }: +{ config, lib }: let cfg = config.mailserver; + # passwd :: [ String ] + passwd = lib.mapAttrsToList + (name: value: "${name}:${value.hashedPassword}:${builtins.toString cfg.vmailUID}:${builtins.toString cfg.vmailUID}::${cfg.mailDirectory}:/run/current-system/sw/bin/nologin:") + cfg.loginAccounts; in { # cert :: PATH @@ -37,4 +41,6 @@ in else if cfg.certificateScheme == 3 then "/var/lib/acme/${cfg.fqdn}/key.pem" else throw "Error: Certificate Scheme must be in { 1, 2, 3 }"; + # passwdFile :: PATH + passwdFile = builtins.toFile "passwd" (lib.concatStringsSep "\n" passwd); } diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix index 89249b5..39cf35e 100644 --- a/mail-server/dovecot.nix +++ b/mail-server/dovecot.nix @@ -16,7 +16,7 @@ { config, pkgs, lib, ... }: -with (import ./common.nix { inherit config; }); +with (import ./common.nix { inherit config lib; }); let cfg = config.mailserver; @@ -31,6 +31,7 @@ in enable = true; enableImap = enableImap; enablePop3 = enablePop3; + enablePAM = false; mailGroup = vmailGroupName; mailUser = vmailUserName; mailLocation = dovecot_maildir; @@ -74,6 +75,11 @@ in mail_plugins = $mail_plugins sieve } + passdb { + driver = passwd-file + args = ${passwdFile} + } + service auth { unix_listener /var/lib/postfix/queue/private/auth { mode = 0660 
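Review bot: In the record built by `passwd`, the fourth (gid) field is filled with `cfg.vmailUID` just like the third, so uid and gid are always equal; if the vmail group (referred to as `vmailGroupName` in users.nix) can carry an id different from the vmail uid, mailboxes would end up owned by the wrong group. If the module exposes a vmail GID option, use it in the fourth field; if uid and gid are meant to coincide, say so above the binding, e.g. `# passwd-file record: user:hash:uid:gid:gecos:home:shell:extra (gid intentionally equals the vmail uid)`. The `let` block this sits in continues outside the hunk.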
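Review bot: `passwdFile = builtins.toFile "passwd" ...` places every account's password hash in the Nix store, which is world-readable on the host and becomes part of the system closure (so it would also be included if that closure is copied or pushed to a cache); the intern.nix test removed in patch 4 shows these hashes previously sat in /etc/shadow, readable by root only. Since dovecot's passdb (patch 1) and userdb (patch 2) both read this path, the file cannot simply be dropped; it should instead be generated at activation time into a path outside the store, readable only by the user dovecot's auth process runs as, with `args =` pointing there. A comment above the binding such as `# must not be built with toFile/writeText: the hashes would land in the world-readable store` would keep the regression from returning. Patch 2's common.nix hunk re-touches this binding and inherits the same issue.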
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix index b36accd..5b373f9 100644 --- a/mail-server/postfix.nix +++ b/mail-server/postfix.nix @@ -16,7 +16,7 @@ { config, pkgs, lib, ... }: -with (import ./common.nix { inherit config; }); +with (import ./common.nix { inherit config lib; }); let inherit (lib.strings) concatStringsSep; diff --git a/mail-server/users.nix b/mail-server/users.nix index 9484882..e8365e4 100644 --- a/mail-server/users.nix +++ b/mail-server/users.nix @@ -28,16 +28,6 @@ let group = vmailGroupName; }; - # accountsToUser :: String -> UserRecord - accountsToUser = account: { - isNormalUser = false; - group = vmailGroupName; - inherit (account) hashedPassword name; - }; - - # mail_users :: { [String]: UserRecord } - mail_users = lib.foldl (prev: next: prev // { "${next.name}" = next; }) {} - (map accountsToUser (lib.attrValues loginAccounts)); virtualMailUsersActivationScript = pkgs.writeScript "activate-virtual-mail-users" '' #!${pkgs.stdenv.shell} @@ -77,7 +67,7 @@ in { }; # define all users - users.users = mail_users // { + users.users = { "${vmail_user.name}" = lib.mkForce vmail_user; }; From eeb7fd64afa0203d537eb903519b77971ac56e02 Mon Sep 17 00:00:00 2001 From: Robin Raymond Date: Fri, 22 Dec 2017 16:58:35 +0100 Subject: [PATCH 2/4] implement qutoas --- default.nix | 10 ++++++++++ mail-server/common.nix | 6 +++++- mail-server/dovecot.nix | 6 ++++++ mail-server/postfix.nix | 3 +++ 4 files changed, 24 insertions(+), 1 deletion(-) diff --git a/default.nix b/default.nix index 5854226..6e0cedb 100644 --- a/default.nix +++ b/default.nix @@ -78,6 +78,16 @@ in ''; }; + quota = mkOption { + type = with types; nullOr types.str; + default = null; + example = "2G"; + description = '' + Per user quota rules. Accepted sizes are `xx k/M/G/T` with the + obvious meaning. Leave blank for the standard quota `100G`. + ''; + }; + sieveScript = mkOption { type = with types; nullOr lines; default = null; 
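Review bot: Dropping `mail_users` from `users.users` stops declaring the per-account system users, but on an already-deployed host the accounts created by earlier generations are only removed when the system runs with `users.mutableUsers = false` (that setting is not visible here), so stale login accounts with the same names and hashes can outlive this upgrade. A line in the commit message or module docs telling operators to verify with `getent passwd` after upgrading, or a note at the removal site such as `# mail accounts are no longer system users; see passwdFile in common.nix`, would make the migration explicit. The enclosing attribute set starts before this hunk.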
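Review bot: The `quota` description says "Leave blank for the standard quota" while the type is `nullOr str` with `default = null`, and the common.nix hunk in patch 2 only emits a rule when `lib.isString value.quota` holds, so an operator who literally leaves it blank (`""`) gets `userdb_quota_rule=*:storage=` written into the passwd file instead of the default. Say "leave unset (null)" instead, and because the value is interpolated verbatim into a colon-delimited passwd-file record, constrain it at the option rather than trusting the string, e.g. `type = with types; nullOr (strMatching "[0-9]+[bBkKmMgGtT]?");` (a constructed pattern — adjust to what dovecot accepts, and confirm `lib.types.strMatching` exists in the pinned nixpkgs). The size list `xx k/M/G/T` also omits bytes, which the new test depends on via `quota = "1B"`, and `with types; nullOr types.str` repeats the `types.` prefix the `with` already supplies.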
diff --git a/mail-server/common.nix b/mail-server/common.nix index 56373bd..015bfda 100644 --- a/mail-server/common.nix +++ b/mail-server/common.nix @@ -20,7 +20,10 @@ let cfg = config.mailserver; # passwd :: [ String ] passwd = lib.mapAttrsToList - (name: value: "${name}:${value.hashedPassword}:${builtins.toString cfg.vmailUID}:${builtins.toString cfg.vmailUID}::${cfg.mailDirectory}:/run/current-system/sw/bin/nologin:") + (name: value: "${name}:${value.hashedPassword}:${builtins.toString cfg.vmailUID}:${builtins.toString cfg.vmailUID}::${cfg.mailDirectory}:/run/current-system/sw/bin/nologin:" + + (if lib.isString value.quota + then "userdb_quota_rule=*:storage=${value.quota}" + else "")) cfg.loginAccounts; in { @@ -41,6 +44,7 @@ in else if cfg.certificateScheme == 3 then "/var/lib/acme/${cfg.fqdn}/key.pem" else throw "Error: Certificate Scheme must be in { 1, 2, 3 }"; + # passwdFile :: PATH passwdFile = builtins.toFile "passwd" (lib.concatStringsSep "\n" passwd); } diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix index 39cf35e..61f1fa8 100644 --- a/mail-server/dovecot.nix +++ b/mail-server/dovecot.nix @@ -32,6 +32,7 @@ in enableImap = enableImap; enablePop3 = enablePop3; enablePAM = false; + enableQuota = true; mailGroup = vmailGroupName; mailUser = vmailUserName; mailLocation = dovecot_maildir; @@ -80,6 +81,11 @@ in args = ${passwdFile} } + userdb { + driver = passwd-file + args = ${passwdFile} + } + service auth { unix_listener /var/lib/postfix/queue/private/auth { mode = 0660 diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix index 5b373f9..55b8243 100644 --- a/mail-server/postfix.nix +++ b/mail-server/postfix.nix 
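Review bot: With `userdb { driver = passwd-file }` dovecot now takes each account's uid, gid and home from the passwd file, and the record built in common.nix sets the home field to the single value `cfg.mailDirectory` for every account. The hunk's `mailLocation = dovecot_maildir` line is visible but its value is not; if it is derived from `%h`, every mailbox resolves to the same directory and accounts could read each other's mail, whereas a `%u`-, `%d`- or `%n`-based location is unaffected. Worth confirming and recording on the userdb block: `# home is identical for all accounts; mail_location must key on %u, not %h`.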
@@ -124,6 +124,9 @@ in smtpd_sasl_auth_enable = yes smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination + # quota + smtpd_recipient_restrictions = check_policy_service inet:mailstore.example.com:12340 + # TLS settings, inspired by https://github.com/jeaye/nix-files # Submission by mail clients is handled in submissionOptions smtpd_tls_security_level = may From 6dd51d6e8835ddbaf1be495188ae7fe69a22bb8d Mon Sep 17 00:00:00 2001 From: Robin Raymond Date: Fri, 22 Dec 2017 16:58:49 +0100 Subject: [PATCH 3/4] add quota test --- tests/extern.nix | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/tests/extern.nix b/tests/extern.nix index 28fff3b..d407a5d 100644 --- a/tests/extern.nix +++ b/tests/extern.nix @@ -25,6 +25,7 @@ import { mailserver = { enable = true; + debug = true; fqdn = "mail.example.com"; domains = [ "example.com" "example2.com" ]; @@ -41,6 +42,10 @@ import { "user@example2.com" = { hashedPassword = "$6$u61JrAtuI0a$nGEEfTP5.eefxoScUGVG/Tl0alqla2aGax4oTd85v3j3xSmhv/02gNfSemv/aaMinlv9j/ZABosVKBrRvN5Qv0"; }; + "lowquota@example.com" = { + hashedPassword = "$6$u61JrAtuI0a$nGEEfTP5.eefxoScUGVG/Tl0alqla2aGax4oTd85v3j3xSmhv/02gNfSemv/aaMinlv9j/ZABosVKBrRvN5Qv0"; + quota = "1B"; + }; }; enableImap = true; @@ -62,6 +67,12 @@ import { user 'user1\@example.com' there with password 'user1' is 'root' here mda procmail ''; + fetchmailRcLowQuota = + '' + poll SERVER with proto IMAP + user 'lowquota\@example.com' there with password 'user1' is 'root' here + mda procmail + ''; procmailRc = '' 
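Review bot: `smtpd_recipient_restrictions = check_policy_service inet:mailstore.example.com:12340` points every deployment at a hard-coded host in a domain the module does not control instead of the local quota-status listener, so the accept/reject decision for each recipient depends on an external host's resolution and answer, the envelope data is sent to it, and postfix defers mail whenever it is unreachable. The target should be the local dovecot quota-status service — presumably `inet:localhost:12340`, with the port taken from the same option that configures dovecot's listener rather than repeated here. The `# quota` comment could say what the lookup does: `# ask dovecot's quota-status service whether the recipient is over quota before accepting`. The main.cf block this sits in continues outside the hunk.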
@@ -231,6 +242,22 @@ import { $client->fail("fetchmail -v"); }; + subtest "quota", sub { + $client->succeed("rm mail.txt"); + + $client->succeed("echo '${fetchmailRcLowQuota}' > ~/.fetchmailrc"); + $client->succeed("sed -i s/SERVER/`getent hosts server | awk '{ print \$1 }'`/g ~/.fetchmailrc"); + + $client->succeed("chmod 0700 ~/.fetchmailrc"); + $client->succeed("echo '${email2}' > mail.txt"); + # send email from chuck to non exsitent account + $client->succeed("msmtp -a test3 --tls=on --tls-certcheck=off --auth=on lowquota\@example.com < mail.txt >&2"); + $client->succeed("sleep 5"); + # fetchmail returns EXIT_CODE 0 when it retrieves mail + $client->fail("fetchmail -v"); + + }; + ''; From 3b9b7961d4c6199198cf8f35678daf14648e62d9 Mon Sep 17 00:00:00 2001 From: Robin Raymond Date: Mon, 25 Dec 2017 14:11:39 +0100 Subject: [PATCH 4/4] remove tests of old userdb; fixes #51 --- tests/intern.nix | 8 -------- 1 file changed, 8 deletions(-) diff --git a/tests/intern.nix b/tests/intern.nix index 3d49c15..54262a2 100644 --- a/tests/intern.nix +++ b/tests/intern.nix @@ -44,14 +44,6 @@ import { $machine->start; $machine->waitForUnit("multi-user.target"); - subtest "user exists", sub { - $machine->succeed("cat /etc/shadow | grep 'user1\@example.com'"); - }; - - subtest "password is set", sub { - $machine->succeed("cat /etc/shadow | grep 'user1\@example.com:\$6\$/z4n8AQl6K\$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/:1::::::'"); - }; - subtest "vmail gid is set correctly", sub { $machine->succeed("getent group vmail | grep 5000"); };
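Review bot: The comment `# send email from chuck to non exsitent account` above the msmtp call is carried over from an earlier subtest and misdescribes this one, which targets an existing account whose `quota = "1B"` any message exceeds; change it to `# send email to an account whose 1B quota any message exceeds`. The subtest's only assertion is `$client->fail("fetchmail -v")`, which any failed delivery (authentication, name resolution, an unreachable policy service) would satisfy equally, so it does not show that the quota rejection happened; and if the policy service rejects at RCPT time the preceding `$client->succeed("msmtp ...")` would presumably fail first. Asserting on a quota-specific rejection line in the server log, or explicitly on msmtp's exit status, would pin the cause. The surrounding test script continues outside the hunk.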