From f6546a1a8e3969981fef8f46cc8db740647d08df Mon Sep 17 00:00:00 2001
From: Robin Raymond
Date: Tue, 13 Feb 2018 13:18:31 +0100
Subject: [PATCH 1/2] fix dovecot 2.3 ssl_dh
---
 default.nix | 21 +++++++++++++++++++++
 mail-server/dovecot.nix | 1 +
 mail-server/systemd.nix | 10 ++++++++++
 tests/extern.nix | 2 ++
 tests/intern.nix | 2 ++
 5 files changed, 36 insertions(+)
diff --git a/default.nix b/default.nix
index 1fc5e3a..f496144 100644
--- a/default.nix
+++ b/default.nix
@@ -325,6 +325,27 @@ in
 '';
 };
+ dovecot23 = mkOption {
+ type = types.bool;
+ default = false;
+ description =
+ ''
+ Activate this if you use Dovecot 2.3, so SSL works.
+ TODO: Remove this!
+ '';
+ };
+
+ dhParamBitLength = mkOption {
+ type = types.int;
+ default = 2048;
+ description =
+ ''
+ Length of the Diffie Hillman prime used (in bits). It might be a good
+ idea to set this to 4096 for security purposed, but it will take a _very_
+ long time to create this prime on startup.
+ '';
+ };
+
 debug = mkOption {
 type = types.bool;
 default = false;
diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix
index 0de7452..722bc9d 100644
--- a/mail-server/dovecot.nix
+++ b/mail-server/dovecot.nix
@@ -61,6 +61,7 @@ in
 mail_access_groups = ${vmailGroupName}
 ssl = required
+ ${lib.optionalString dovecot23 "ssl_dh = <${certificateDirectory}/dh.pem"}
 service lmtp {
 unix_listener /var/lib/postfix/queue/private/dovecot-lmtp {
diff --git a/mail-server/systemd.nix b/mail-server/systemd.nix
index cfc73d8..88f7baa 100644
--- a/mail-server/systemd.nix
+++ b/mail-server/systemd.nix
@@ -38,6 +38,14 @@ let
 ''
 else "";
+ createDhParameterFile =
+ ''
+ # Create a dh parameter file
+ ${pkgs.openssl}/bin/openssl \
+ dhparam ${builtins.toString cfg.dhParamBitLength} \
+ > "${cfg.certificateDirectory}/dh.pem"
+ '';
+
 createDomainDkimCert = dom:
 let
 dkim_key = "${cfg.dkimKeyDirectory}/${dom}.${cfg.dkimSelector}.key";
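Review bot: `dhParamBitLength` is declared as a plain `types.int`, so nothing stops a configuration (including the new tests, which set 512) from generating a DH group far below the 2048 bits current guidance expects, and OpenSSL 1.1-era clients refuse DH groups below 1024 bits, so a small value breaks DHE handshakes at runtime instead of being caught at evaluation. A check such as `type = types.addCheck types.int (n: n >= 1024);`, or at least a sentence in the description naming 2048 as the practical floor, would surface this where it is configured; the tests would then need a value the check accepts. The description also has two typos: `Diffie Hillman` should read `Diffie-Hellman` and `security purposed` should read `security purposes`.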
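Review bot: `createDhParameterFile` regenerates `dh.pem` on every service start and writes it straight through a shell redirect, so a 4096-bit run (which the option description itself warns takes a very long time) is repeated on each restart, and a start interrupted mid-generation leaves an empty or truncated file that Dovecot will then fail to load. Generating only when a non-empty file is absent, and writing to a temporary name followed by `mv`, makes the step idempotent and atomic; a changed `dhParamBitLength` is not detected by that guard and would need an explicit check on the existing file. The enclosing `let` block continues outside the hunk.
```nix
  createDhParameterFile =
    ''
      # Create a dh parameter file once; generation is slow, so skip it when a
      # non-empty file already exists, and write it atomically via a temp name.
      if [ ! -s "${cfg.certificateDirectory}/dh.pem" ]; then
        ${pkgs.openssl}/bin/openssl \
          dhparam ${builtins.toString cfg.dhParamBitLength} \
          > "${cfg.certificateDirectory}/dh.pem.tmp"
        mv "${cfg.certificateDirectory}/dh.pem.tmp" "${cfg.certificateDirectory}/dh.pem"
      fi
    '';
```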
@@ -82,6 +90,8 @@ in
 chmod 02770 "${mailDirectory}"
 ${create_certificate}
+
+ ${lib.optionalString cfg.dovecot23 "${createDhParameterFile}"}
 '';
 };
diff --git a/tests/extern.nix b/tests/extern.nix
index 3f6c88b..53917f9 100644
--- a/tests/extern.nix
+++ b/tests/extern.nix
@@ -27,6 +27,8 @@ import {
 enable = true;
 fqdn = "mail.example.com";
 domains = [ "example.com" "example2.com" ];
+ dhParamBitLength = 512;
+ dovecot23 = true;
 loginAccounts = {
 "user1@example.com" = {
diff --git a/tests/intern.nix b/tests/intern.nix
index 76832a8..8cff19e 100644
--- a/tests/intern.nix
+++ b/tests/intern.nix
@@ -27,6 +27,8 @@ import {
 enable = true;
 fqdn = "mail.example.com";
 domains = [ "example.com" ];
+ dhParamBitLength = 512;
+ dovecot23 = true;
 loginAccounts = {
 "user1@example.com" = {
From 5b570ad5a08a35cb528bc919eb8d5ea7c394b408 Mon Sep 17 00:00:00 2001
From: Ruben Maher
Date: Sat, 17 Feb 2018 22:17:41 +1030
Subject: [PATCH 2/2] dovecot: read dovecot version into nix variable
This allows determining whether it's OK to use particular configuration variables that will throw errors when used in older versions.
---
 default.nix | 10 ----------
 mail-server/dovecot-version.nix | 12 ++++++++++++
 mail-server/dovecot.nix | 6 +++++-
 mail-server/systemd.nix | 7 ++++++-
 tests/extern.nix | 1 -
 tests/intern.nix | 1 -
 6 files changed, 23 insertions(+), 14 deletions(-)
 create mode 100644 mail-server/dovecot-version.nix
diff --git a/default.nix b/default.nix
index f496144..9631a7b 100644
--- a/default.nix
+++ b/default.nix
@@ -325,16 +325,6 @@ in
 '';
 };
- dovecot23 = mkOption {
- type = types.bool;
- default = false;
- description =
- ''
- Activate this if you use Dovecot 2.3, so SSL works.
- TODO: Remove this!
- '';
- };
-
 dhParamBitLength = mkOption {
 type = types.int;
 default = 2048;
diff --git a/mail-server/dovecot-version.nix b/mail-server/dovecot-version.nix
new file mode 100644
index 0000000..4c00972
--- /dev/null
+++ b/mail-server/dovecot-version.nix
@@ -0,0 +1,12 @@
+{ dovecot, gawk, gnused, jq, runCommand }:
+
+ runCommand "dovecot-version" {
+ buildInputs = [dovecot gnused jq];
+ } ''
+ jq -n \
+ --arg dovecot_version "$(dovecot --version |
+ sed 's/\([0-9.]*\).*/\1/' |
+ awk -F '.' '{ print $1"."$2"."$3 }')" \
+ '[$dovecot_version | split("."), ["major", "minor", "patch"]]
+ | transpose | map( { (.[1]): .[0] | tonumber }) | add' > $out
+ ''
diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix
index 722bc9d..7bd52fa 100644
--- a/mail-server/dovecot.nix
+++ b/mail-server/dovecot.nix
@@ -24,6 +24,8 @@ let
 # maildir in format "/${domain}/${user}"
 dovecot_maildir = "maildir:${cfg.mailDirectory}/%d/%n";
+ dovecotVersion = builtins.fromJSON
+ (builtins.readFile (pkgs.callPackage ./dovecot-version.nix {}));
 in
 {
 config = with cfg; lib.mkIf enable {
@@ -61,7 +63,9 @@ in
 mail_access_groups = ${vmailGroupName}
 ssl = required
- ${lib.optionalString dovecot23 "ssl_dh = <${certificateDirectory}/dh.pem"}
+ ${lib.optionalString (dovecotVersion.major == 2 && dovecotVersion.minor >= 3) ''
+ ssl_dh = <${certificateDirectory}/dh.pem
+ ''}
 service lmtp {
 unix_listener /var/lib/postfix/queue/private/dovecot-lmtp {
diff --git a/mail-server/systemd.nix b/mail-server/systemd.nix
index 88f7baa..a59e8ce 100644
--- a/mail-server/systemd.nix
+++ b/mail-server/systemd.nix
@@ -91,7 +91,12 @@ in
 ${create_certificate}
- ${lib.optionalString cfg.dovecot23 "${createDhParameterFile}"}
+ ${let
+ dovecotVersion = builtins.fromJSON
+ (builtins.readFile (pkgs.callPackage ./dovecot-version.nix {}));
+ in lib.optionalString
+ (dovecotVersion.major == 2 && dovecotVersion.minor >= 3)
+ createDhParameterFile}
 '';
 };
diff --git a/tests/extern.nix b/tests/extern.nix
index 53917f9..f68c2fb 100644
--- a/tests/extern.nix
+++ b/tests/extern.nix
@@ -28,7 +28,6 @@ import {
 fqdn = "mail.example.com";
 domains = [ "example.com" "example2.com" ];
 dhParamBitLength = 512;
- dovecot23 = true;
 loginAccounts = {
 "user1@example.com" = {
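Review bot: `gawk` is taken as a function argument but is not listed in `buildInputs` (only `dovecot gnused jq` are), so the `awk` call in the pipeline works only because stdenv happens to put an awk on PATH; either add it, `buildInputs = [dovecot gawk gnused jq];`, or drop the unused argument. The parsing is also brittle: `awk -F '.' '{ print $1"."$2"."$3 }'` always emits three fields, so a version string with fewer components would leave `patch` empty and `tonumber` would fail the build; guarding that case, or comparing the package version string in the caller instead of running `dovecot --version` at build time, avoids it. A short header comment stating that the output is a JSON object with `major`, `minor` and `patch` keys, read back with `builtins.fromJSON`, would help the next reader.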
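Review bot: The guard `dovecotVersion.major == 2 && dovecotVersion.minor >= 3` turns `ssl_dh` off again for any future major version (3.0 satisfies neither clause), although the directive is needed from 2.3 onwards; the same predicate is repeated in the systemd.nix hunk of this commit. A version comparison reads more robustly and needs no JSON round-trip: `lib.versionAtLeast (lib.getVersion pkgs.dovecot) "2.3"`, which could replace both `dovecotVersion` lookups and the import-from-derivation that `builtins.readFile` on a built derivation causes at evaluation time. If the derivation is kept, computing `dovecotVersion` once in a shared `let` rather than separately in dovecot.nix and systemd.nix keeps the two call sites from drifting.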
diff --git a/tests/intern.nix b/tests/intern.nix
index 8cff19e..9facc44 100644
--- a/tests/intern.nix
+++ b/tests/intern.nix
@@ -28,7 +28,6 @@ import {
 fqdn = "mail.example.com";
 domains = [ "example.com" ];
 dhParamBitLength = 512;
- dovecot23 = true;
 loginAccounts = {
 "user1@example.com" = {