Commit Graph

578 Commits

Author SHA1 Message Date
Joey Hewitt 7e718e0e33 dkim: transition to PermissionsStartOnly=false
That's how nixpkgs-unstable is now, so to be compatible with both we
have to force that setting. Use systemd tmpfiles to provision
directory with correct owner.
2019-07-07 21:47:09 -06:00
Joey Hewitt 93660eabcd fixes to tests
- restructure rspamd config. It's nicer now, and it was getting
overridden the old way.
- "scan_mime_parts = false" apparently must be used in rspamd for ClamAV
to work
- refactor the clamav test a bit for cleanliness
- wait for rspamd and clamd sockets to open, before testing
- use clamdscan for speed, and verify that the virus was found
- verify msmtp returns virus scan result
2019-07-07 21:47:09 -06:00
Joey Hewitt 0e6bb4e898 workaround GitLab CI KVM issue
Their CI environment currently doesn't have KVM.  This commit should be
reverted when/if they do, for much better CI speed.

You can still run tests locally on your KVM-enabled machine as documented
on the wiki.

Workaround on GitLab is several pieces (injected through .gitlab-ci.yml):
- Make a /dev/kvm file so that nix thinks we have "kvm" system feature
and proceeds with executing the tests.
- Inject a QEMU package that replaces qemu-kvm with a full emulator.
- Monkey-patch the test script to wait longer for the VM to boot, since
it's slow on full emulation. 1200 seconds, double the previous value.
The patch method is not bulletproof, but better than maintaining forks of
nixpkgs.
- Set systemd's DefaultTimeoutStartSec=15min, so nix's "backdoor" test
service doesn't time out on the slow boot.
2019-07-07 21:47:09 -06:00
Joey Hewitt 05d963e751 lower dhparam bits, for faster tests
Make a tests/lib/config.nix file that is imported into the configuration
of all testing VMs.
2019-07-06 21:08:26 -06:00
Oscar Carlsson 4e8fbac580 Disable TLSv1.0 and deprecated ciphers.
TLSv1.0 is as deprecated as the older SSL versions, and should not be
used. I've also disabled a slew of ciphers, and hopefully this will
make us less vulnerable to downgrade attacks and similar.
2019-06-21 11:09:30 +02:00
Robin Raymond ba3336978e correct checksum 2019-05-03 17:35:33 +02:00
Robin Raymond e35959b65f fix checksum 2019-05-03 17:33:39 +02:00
Robin Raymond a658e7fc6c Advertise mailing list a little more 2019-05-03 14:38:41 +02:00
Robin Raymond d127730f27 modify readme for v2.2.1 2019-05-03 14:21:18 +02:00
Robin Raymond 642a15fbf7 Merge branch 'master' of gitlab.com:simple-nixos-mailserver/nixos-mailserver 2019-05-03 14:13:42 +02:00
Robin Raymond 72e79e5c38 fix minimal test 2019-05-03 14:13:22 +02:00
Robin Raymond e2702c8c8e update to nixos 19.03 2019-05-03 14:13:11 +02:00
Christian Kauhaus bce95d0229 Use services.postfix.virtual option
SNM used to define virtual_alias_maps in extraConfig which collides with
the same parameter defined by the standard services.postfix.virtual
option. This led to *lots* of warnings during postfix startup like

```
May 02 18:29:58 nun postfix/master[24758]: warning: /etc/postfix/main.cf, line 47: overriding earlier entry: virtual_alias_maps=hash:/etc/postfix/virtual
```

Refraining from overriding virtual_alias_maps has the additional
advantage that virtual aliases defined by other modules dont' stop
working with SNM.
2019-05-03 11:25:23 +00:00
Robin Raymond a485cb3719 fix nixops file 2019-05-03 13:11:47 +02:00
Christian Kauhaus 184975be76 Fix renamed rspamd_proxy option
Fixes #152
2019-05-03 10:54:15 +02:00
Tom 2c59de8dcb README: include sha256 of the expected release tarball
Advantages of including the SHA256:
(i) removes the impurity of the tarball contents being changed
(ii) if sha256 is not included, then each nixops deploy triggers a re-download of the tarball

Here's how to get the expected hash:

$ nix-prefetch-url --unpack 'https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.0/nixos-mailserver-v2.2.0.tar.gz'
unpacking...
[0.0 MiB DL]
path is '/nix/store/dwg8xlfnlw7mhr4cjk1viwmm0b249b74-nixos-mailserver-v2.2.0.tar.gz'
0gqzgy50hgb5zmdjiffaqp277a68564vflfpjvk1gv6079zahksc
2019-01-28 14:21:51 +00:00
Michishige Kaito c2ca4d1bb0 postfix: allow configuring message_size_limit 2018-11-23 14:29:23 +00:00
Robin Raymond ebf34930a7 udpate readme 2018-11-11 18:18:58 +01:00
Robin Raymond 8b7dde4b54 remove rspamd socket 2018-11-11 18:03:04 +01:00
Robin Raymond 1c1e301c11 Merge branch 'master' of gitlab.com:simple-nixos-mailserver/nixos-mailserver 2018-11-10 14:38:27 +01:00
Robin Raymond 91ce33f0e0 Merge branch 'eqyiel/nixos-mailserver-clamav-db-in-lfs' 2018-11-10 14:37:53 +01:00
Robin Raymond e6069c276a Update .gitlab-ci.yml to 18.09 2018-11-10 13:33:31 +00:00
Robin Raymond acd65c0803 New Feature >>rejectSender<<
Authored by tokudan
2018-11-10 14:29:16 +01:00
Robin Raymond 28cff2497a Merge branch 'plchldr/nixos-mailserver-master' 2018-11-10 14:09:26 +01:00
Robin Raymond d624740db5 Update README.md to use gitlab ci badge 2018-11-10 12:37:38 +00:00
Ruben Maher a4046a1227 Setup ci on gitlab 2018-11-10 12:35:09 +00:00
plchldr fa0541b96b remove Diffie Hillman parameter creation as it is handled by the upstream dovecot2 module as of 18.09 2018-10-30 17:56:25 +01:00
Ruben Maher 9488b6fd43 ci: store Clamav DB in LFS
Fix #136 (stop pulling the files from @griff's poor server), also add a script
to update the files.

The fun thing about this is that due to sourcing the files from
`https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/raw/master/tests/clamav`
during the tests, updates to the `hashes.json` and `*.cvd` files will always
fail CI.  I guess this is a reasonable tradeoff as long as people are aware of
it.
2018-08-18 15:13:25 +09:30
Ruben Maher 817d84d36d remove ISSUE_TEMPLATE.md
This file is not used by GitLab.
2018-08-18 12:05:09 +09:30
Ruben Maher 3aecb1299d Merge branch 'pr-old-upstream-126' into 'master'
griff:my-changes

See merge request simple-nixos-mailserver/nixos-mailserver!132
2018-06-29 12:16:19 +00:00
Brian Olsen 88e292c5b7 postfix: Support setting options for policyd-spf 2018-06-29 21:36:34 +09:30
Brian Olsen 61df799036 dovecot: Add spam filter traning using imapsieve 2018-06-29 21:36:34 +09:30
Brian Olsen 616d779e1f Move from rmilter to rspamd #25 2018-06-29 21:36:34 +09:30
Brian Olsen 410c6c410b Use nixpkgs functions to check dovecot version 2018-06-29 21:36:34 +09:30
Brian Olsen 1c76e0a119 tests: Add ClamAV test and fix errors in virus scanning 2018-06-29 21:36:34 +09:30
Brian Olsen e32a915489 postfix: Use pypolicyd-spf for SPF checking 2018-06-29 21:35:16 +09:30
Brian Olsen f209fa3bf3 postfix: use masterConfig option instead of extraMasterConf
extraMasterConf is just a string while masterConfig is a nix module so
the options are more explicit and has help text.
2018-06-29 21:35:16 +09:30
Brian Olsen 7036371f75 Use OpenDKIM instead of rmilter for DKIM
As part of #61 this moves DKIM handling from rmilter to OpenDKIM.
2018-06-29 21:35:16 +09:30
Brian Olsen 0c883d8bcd tests/extern: Fix small errors
1. The lowquota test used the wrong fetchmail username and password
2. When running interactively repeatedly mkdir fails since dir exists
2018-06-29 21:35:16 +09:30
Brian Olsen 8a27b941bf Start dovecot before postfix and add target for certificates
It seemed weird to me that preStart on postfix was used to generate
files not needed directly by postfix and for the self-signed
certificate which is also needed by dovecot. nginx.service was also
used as a proxy for when ACME certificate generation was done.

So I have created mailserver-certificates.target for when certificates
are available for other services. For self-signed that means that a
new oneshot service called mailserver-selfsigned-certificate has been
run. And for ACME this means that the target
acme-selfsigned-certificates has been reached (which is when acme has
created the self-signed certificates used before the actual
certificates provided by LetsEncrypt are created). This setup has the
added bonus that if you want to run a service to provide your own
certificates you can set that to run before
mailserver-certificates.target.

DH Parameters are only needed by dovecot so generation of that file has
been moved to the dovecot2 preStart.

And lastly the only remaining reason to for dovecot to start before
postfix was that the auth and lmtp sockets where located in a directory
created by postfix. But since they could just as well be located in
/run/dovecot2 as long as postfix has access to them I have moved them
there.
2018-06-29 21:35:16 +09:30
Brian Olsen 0fbfbafb6e Make dovecot sockets use postfix user/group options 2018-06-29 21:35:16 +09:30
Robin Raymond 99f64355eb Merge branch 'master' into 'master'
Master

See merge request simple-nixos-mailserver/nixos-mailserver!131
2018-06-27 14:15:15 +00:00
nico202 18da60451f clean extra whitespaces 2018-06-27 14:48:15 +02:00
nico202 3541f76be5 Remove reference to github in sieveScript example 2018-06-27 14:48:15 +02:00
nico202 bb26860cf2 readme: remove references to github -> gitlab 2018-06-27 14:48:15 +02:00
Robin Raymond ffc67fef46 remove cache 2018-06-09 15:21:21 +02:00
Robin Raymond f016b9689a
Merge pull request #128 from Infinisil/fix-enable-conditions
fix conditions for enabling services
2018-06-09 15:18:46 +02:00
Robin Raymond cfb8353f1a
Merge pull request #130 from phdoerfler/clamav-phishing
Disabled scanning of incoming mails for phishing attempts
2018-06-09 15:17:18 +02:00
Philipp Dörfler 92238c61f6 Disabled scanning of incoming mails for phishing attempts 2018-06-09 09:13:56 +00:00
Silvan Mosberger 845e06e61a
fix conditions for enabling services
Without this fix, kresd and others would get enabled even though the
main mailserver option is disabled.
2018-05-22 23:18:55 +02:00