add full support for tls wrapped mode
This commit is contained in:
parent
823c26fa69
commit
cc526a2700
|
@ -35,12 +35,15 @@ D9FE 4119 F082 6F15 93BD BD36 6162 DBA5 635E A16A
|
||||||
* [x] Multiple Domains
|
* [x] Multiple Domains
|
||||||
* Postfix MTA
|
* Postfix MTA
|
||||||
- [x] smtp on port 25
|
- [x] smtp on port 25
|
||||||
- [x] submission port 587
|
- [x] submission tls on port 465
|
||||||
|
- [x] submission starttls on port 587
|
||||||
- [x] lmtp with dovecot
|
- [x] lmtp with dovecot
|
||||||
* Dovecot
|
* Dovecot
|
||||||
- [x] maildir folders
|
- [x] maildir folders
|
||||||
- [x] imap starttls on port 143
|
- [x] imap with tls on port 993
|
||||||
- [x] pop3 starttls on port 110
|
- [x] pop3 with tls on port 995
|
||||||
|
- [x] imap with starttls on port 143
|
||||||
|
- [x] pop3 with starttls on port 110
|
||||||
* Certificates
|
* Certificates
|
||||||
- [x] manual certificates
|
- [x] manual certificates
|
||||||
- [x] on the fly creation
|
- [x] on the fly creation
|
||||||
|
|
38
default.nix
38
default.nix
|
@ -396,21 +396,31 @@ in
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = true;
|
default = true;
|
||||||
description = ''
|
description = ''
|
||||||
Whether to enable imap / pop3. Both variants are only supported in the
|
Whether to enable IMAP with STARTTLS on port 143.
|
||||||
(sane) startTLS configuration. The ports are
|
|
||||||
|
|
||||||
110 - Pop3
|
|
||||||
143 - IMAP
|
|
||||||
587 - SMTP with login
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
enableImapSsl = mkOption {
|
enableImapSsl = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = false;
|
default = true;
|
||||||
description = ''
|
description = ''
|
||||||
Whether to enable IMAPS, setting this option to true will open port 993
|
Whether to enable IMAP with TLS in wrapper-mode on port 993.
|
||||||
in the firewall.
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
enableSubmission = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = true;
|
||||||
|
description = ''
|
||||||
|
Whether to enable SMTP with STARTTLS on port 587.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
enableSubmissionSsl = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = true;
|
||||||
|
description = ''
|
||||||
|
Whether to enable SMTP with TLS in wrapper-mode on port 465.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -418,12 +428,7 @@ in
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = false;
|
default = false;
|
||||||
description = ''
|
description = ''
|
||||||
Whether to enable POP3. Both variants are only supported in the (sane)
|
Whether to enable POP3 with STARTTLS on port on port 110.
|
||||||
startTLS configuration. The ports are
|
|
||||||
|
|
||||||
110 - Pop3
|
|
||||||
143 - IMAP
|
|
||||||
587 - SMTP with login
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -431,8 +436,7 @@ in
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = false;
|
default = false;
|
||||||
description = ''
|
description = ''
|
||||||
Whether to enable POP3S, setting this option to true will open port 995
|
Whether to enable POP3 with TLS in wrapper-mode on port 995.
|
||||||
in the firewall.
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -84,8 +84,8 @@ in
|
||||||
config = with cfg; lib.mkIf enable {
|
config = with cfg; lib.mkIf enable {
|
||||||
services.dovecot2 = {
|
services.dovecot2 = {
|
||||||
enable = true;
|
enable = true;
|
||||||
enableImap = enableImap;
|
enableImap = enableImap || enableImapSsl;
|
||||||
enablePop3 = enablePop3;
|
enablePop3 = enablePop3 || enablePop3Ssl;
|
||||||
enablePAM = false;
|
enablePAM = false;
|
||||||
enableQuota = true;
|
enableQuota = true;
|
||||||
mailGroup = vmailGroupName;
|
mailGroup = vmailGroupName;
|
||||||
|
@ -95,7 +95,7 @@ in
|
||||||
sslServerKey = keyPath;
|
sslServerKey = keyPath;
|
||||||
enableLmtp = true;
|
enableLmtp = true;
|
||||||
modules = [ pkgs.dovecot_pigeonhole ];
|
modules = [ pkgs.dovecot_pigeonhole ];
|
||||||
protocols = [ "sieve" ];
|
protocols = lib.optional cfg.enableManageSieve "sieve";
|
||||||
|
|
||||||
sieveScripts = {
|
sieveScripts = {
|
||||||
after = builtins.toFile "spam.sieve" ''
|
after = builtins.toFile "spam.sieve" ''
|
||||||
|
@ -118,6 +118,45 @@ in
|
||||||
verbose_ssl = yes
|
verbose_ssl = yes
|
||||||
''}
|
''}
|
||||||
|
|
||||||
|
${lib.optionalString (cfg.enableImap || cfg.enableImapSsl) ''
|
||||||
|
service imap-login {
|
||||||
|
inet_listener imap {
|
||||||
|
${if cfg.enableImap then ''
|
||||||
|
port = 143
|
||||||
|
'' else ''
|
||||||
|
port = 0
|
||||||
|
''}
|
||||||
|
}
|
||||||
|
inet_listener imaps {
|
||||||
|
${if cfg.enableImapSsl then ''
|
||||||
|
port = 993
|
||||||
|
ssl = yes
|
||||||
|
'' else ''
|
||||||
|
port = 0
|
||||||
|
''}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
''}
|
||||||
|
${lib.optionalString (cfg.enablePop3 || cfg.enablePop3Ssl) ''
|
||||||
|
service pop3-login {
|
||||||
|
inet_listener pop3 {
|
||||||
|
${if cfg.enablePop3 then ''
|
||||||
|
port = 110
|
||||||
|
'' else ''
|
||||||
|
port = 0
|
||||||
|
''}
|
||||||
|
}
|
||||||
|
inet_listener pop3s {
|
||||||
|
${if cfg.enablePop3Ssl then ''
|
||||||
|
port = 995
|
||||||
|
ssl = yes
|
||||||
|
'' else ''
|
||||||
|
port = 0
|
||||||
|
''}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
''}
|
||||||
|
|
||||||
protocol imap {
|
protocol imap {
|
||||||
mail_max_userip_connections = ${toString cfg.maxConnectionsPerUser}
|
mail_max_userip_connections = ${toString cfg.maxConnectionsPerUser}
|
||||||
mail_plugins = $mail_plugins imap_sieve
|
mail_plugins = $mail_plugins imap_sieve
|
||||||
|
|
|
@ -23,7 +23,9 @@ in
|
||||||
config = with cfg; lib.mkIf enable {
|
config = with cfg; lib.mkIf enable {
|
||||||
|
|
||||||
networking.firewall = {
|
networking.firewall = {
|
||||||
allowedTCPPorts = [ 25 587 ]
|
allowedTCPPorts = [ 25 ]
|
||||||
|
++ lib.optional enableSubmission 587
|
||||||
|
++ lib.optional enableSubmissionSsl 465
|
||||||
++ lib.optional enableImap 143
|
++ lib.optional enableImap 143
|
||||||
++ lib.optional enableImapSsl 993
|
++ lib.optional enableImapSsl 993
|
||||||
++ lib.optional enablePop3 110
|
++ lib.optional enablePop3 110
|
||||||
|
|
|
@ -121,6 +121,21 @@ let
|
||||||
''));
|
''));
|
||||||
|
|
||||||
mappedFile = name: "hash:/var/lib/postfix/conf/${name}";
|
mappedFile = name: "hash:/var/lib/postfix/conf/${name}";
|
||||||
|
|
||||||
|
submissionOptions =
|
||||||
|
{
|
||||||
|
smtpd_tls_security_level = "encrypt";
|
||||||
|
smtpd_sasl_auth_enable = "yes";
|
||||||
|
smtpd_sasl_type = "dovecot";
|
||||||
|
smtpd_sasl_path = "/run/dovecot2/auth";
|
||||||
|
smtpd_sasl_security_options = "noanonymous";
|
||||||
|
smtpd_sasl_local_domain = "$myhostname";
|
||||||
|
smtpd_client_restrictions = "permit_sasl_authenticated,reject";
|
||||||
|
smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts";
|
||||||
|
smtpd_sender_restrictions = "reject_sender_login_mismatch";
|
||||||
|
smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
|
||||||
|
cleanup_service_name = "submission-header-cleanup";
|
||||||
|
};
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
config = with cfg; lib.mkIf enable {
|
config = with cfg; lib.mkIf enable {
|
||||||
|
@ -136,7 +151,8 @@ in
|
||||||
mapFiles."reject_recipients" = reject_recipients_file;
|
mapFiles."reject_recipients" = reject_recipients_file;
|
||||||
sslCert = certificatePath;
|
sslCert = certificatePath;
|
||||||
sslKey = keyPath;
|
sslKey = keyPath;
|
||||||
enableSubmission = true;
|
enableSubmission = cfg.enableSubmission;
|
||||||
|
enableSubmissions = cfg.enableSubmissionSsl;
|
||||||
virtual =
|
virtual =
|
||||||
(lib.concatStringsSep "\n" (all_valiases_postfix ++ catchAllPostfix ++ forwards));
|
(lib.concatStringsSep "\n" (all_valiases_postfix ++ catchAllPostfix ++ forwards));
|
||||||
|
|
||||||
|
@ -219,20 +235,10 @@ in
|
||||||
milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}";
|
milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}";
|
||||||
|
|
||||||
};
|
};
|
||||||
submissionOptions =
|
|
||||||
{
|
submissionOptions = submissionOptions;
|
||||||
smtpd_tls_security_level = "encrypt";
|
submissionsOptions = submissionOptions;
|
||||||
smtpd_sasl_auth_enable = "yes";
|
|
||||||
smtpd_sasl_type = "dovecot";
|
|
||||||
smtpd_sasl_path = "/run/dovecot2/auth";
|
|
||||||
smtpd_sasl_security_options = "noanonymous";
|
|
||||||
smtpd_sasl_local_domain = "$myhostname";
|
|
||||||
smtpd_client_restrictions = "permit_sasl_authenticated,reject";
|
|
||||||
smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts";
|
|
||||||
smtpd_sender_restrictions = "reject_sender_login_mismatch";
|
|
||||||
smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
|
|
||||||
cleanup_service_name = "submission-header-cleanup";
|
|
||||||
};
|
|
||||||
masterConfig = {
|
masterConfig = {
|
||||||
"policy-spf" = {
|
"policy-spf" = {
|
||||||
type = "unix";
|
type = "unix";
|
||||||
|
|
Loading…
Reference in New Issue