Commit Graph

185 Commits

Author SHA1 Message Date
Benjamin Asbach fb8886547b Enable dovecot option to prefer server ciphers
This might prevent misconfigured clients to use a weak cipher when stronger ciphers are available.
2020-05-27 10:10:59 +02:00
Benjamin Asbach 9b98746515 Set TLSv1.2 as minimal TLS version for dovecot
TLSv1 and TLSv1.1 are commonly opinioned as deprecated.
2020-05-27 10:10:59 +02:00
Ryan Trinkle 066dba1b2f Fix spelling of `lmtp` in option 2020-05-25 18:19:32 -04:00
Brian Olsen aed5d9e523
Switch from using postfix extraConfig to config
`services.postfix.extraConfig` is just a string while the
`services.postfix.config` option configures the same thing but with a
typed attrset instead which is easier to manipulate and override in Nix.
2020-05-22 12:19:50 +02:00
Benjamin Asbach c2ee9f217a Enabled TLS 1.3 support 2020-05-13 00:20:22 +00:00
Antoine Eiche 7788eccc24 Merge branch 'eqyiel/nixos-mailserver-feat/make-lmtp_save_to_detail_mailbox-optional' 2020-05-08 21:02:55 +02:00
Antoine Eiche 41219cc690 Rename rejectMessage to sendOnlyRejectMessage 2020-05-08 20:43:46 +02:00
Galen Abell d47e4ead88 Add send-only accounts 2020-05-08 20:43:46 +02:00
Symphorien Gibol 9e772d166c rspamd: configure redis backend
The sqlite backed is deprecated, and the redis backend is the default
since rspamd 2.0.

Not having redis started results in such errors:
rspamd_redis_init: cannot init redis backend for BAYES_SPAM

To migrate the sqlite database, run

rspamadm statconvert --spam-db /var/lib/rspamd/bayes.spam.sqlite --ham-db /var/lib/rspamd/bayes.ham.sqlite -h 127.0.0.1:6379 --symbol-ham BAYES_HAM --symbol-spam BAYES_SPAM

The current module implements the recommended configuration that this
utility prints out.
2020-05-05 19:07:46 +00:00
Galen Abell 6563abc1c4 Fix password hash file generation behavior
- Move the "create password hash file from hashed password" behavior to
  a separate variable, since having it in the default field of config
  would always cause the warning to trigger
- Change type of hashedPassword to `nullOr str`
2020-03-06 17:27:47 +00:00
Maximilian Bosch 14cabd62e5
Trigger restart of postfix if passwords of mail accounts change 2019-10-18 21:21:01 +02:00
JosephTheEngineer b866182532 Remove use of the deprecated string type 2019-09-22 13:32:37 +00:00
Martin Milata ab33e87cea Delete leftover services.nix 2019-09-16 18:14:20 +02:00
Ruben Maher b4f6d96365 fix: make surprising lmtp_save_to_detail_mailbox behaviour optional 2019-09-01 20:21:11 +09:00
Robin Raymond 4b480d1445 Merge branch 'metapensiero/nixos-mailserver-delimiter-master' 2019-08-13 19:57:31 +02:00
Robin Raymond ee7bb07f25 Merge branch 'scintill/nixos-mailserver-dkim-bits' 2019-08-13 19:56:18 +02:00
Robin Raymond 0bf2bb0b54 Merge branch 'scintill/nixos-mailserver-fix-tests' 2019-08-13 19:51:16 +02:00
Alberto Berti 76922632ca Merge branch 'verbose-spam-header' into verbose-spam-header-master 2019-07-26 19:37:18 +02:00
Alberto Berti 6033364d0b Merge branch 'delimiter' into delimiter-master 2019-07-26 19:28:51 +02:00
Alberto Berti 05bb5518ad Let the milter add to headers the reason for tagging a message as spam 2019-07-26 19:01:54 +02:00
Alberto Berti 0ff81a9593 Make the delimiter configuration work 2019-07-26 19:00:32 +02:00
Alberto Berti fad71d9948 Fix typo 2019-07-25 17:55:01 +02:00
Alberto Berti 253c8732b4 Add subaddresses configuration 2019-07-25 17:30:20 +02:00
Joey Hewitt f789f7a80c add dkimKeyBits configuration 2019-07-09 21:59:28 -06:00
Joey Hewitt 7e718e0e33 dkim: transition to PermissionsStartOnly=false
That's how nixpkgs-unstable is now, so to be compatible with both we
have to force that setting. Use systemd tmpfiles to provision
directory with correct owner.
2019-07-07 21:47:09 -06:00
Joey Hewitt 93660eabcd fixes to tests
- restructure rspamd config. It's nicer now, and it was getting
overridden the old way.
- "scan_mime_parts = false" apparently must be used in rspamd for ClamAV
to work
- refactor the clamav test a bit for cleanliness
- wait for rspamd and clamd sockets to open, before testing
- use clamdscan for speed, and verify that the virus was found
- verify msmtp returns virus scan result
2019-07-07 21:47:09 -06:00
Oscar Carlsson 4e8fbac580 Disable TLSv1.0 and deprecated ciphers.
TLSv1.0 is as deprecated as the older SSL versions, and should not be
used. I've also disabled a slew of ciphers, and hopefully this will
make us less vulnerable to downgrade attacks and similar.
2019-06-21 11:09:30 +02:00
Christian Kauhaus bce95d0229 Use services.postfix.virtual option
SNM used to define virtual_alias_maps in extraConfig which collides with
the same parameter defined by the standard services.postfix.virtual
option. This led to *lots* of warnings during postfix startup like

```
May 02 18:29:58 nun postfix/master[24758]: warning: /etc/postfix/main.cf, line 47: overriding earlier entry: virtual_alias_maps=hash:/etc/postfix/virtual
```

Refraining from overriding virtual_alias_maps has the additional
advantage that virtual aliases defined by other modules dont' stop
working with SNM.
2019-05-03 11:25:23 +00:00
Christian Kauhaus 184975be76 Fix renamed rspamd_proxy option
Fixes #152
2019-05-03 10:54:15 +02:00
Michishige Kaito c2ca4d1bb0 postfix: allow configuring message_size_limit 2018-11-23 14:29:23 +00:00
Robin Raymond 8b7dde4b54 remove rspamd socket 2018-11-11 18:03:04 +01:00
Robin Raymond acd65c0803 New Feature >>rejectSender<<
Authored by tokudan
2018-11-10 14:29:16 +01:00
plchldr fa0541b96b remove Diffie Hillman parameter creation as it is handled by the upstream dovecot2 module as of 18.09 2018-10-30 17:56:25 +01:00
Brian Olsen 88e292c5b7 postfix: Support setting options for policyd-spf 2018-06-29 21:36:34 +09:30
Brian Olsen 61df799036 dovecot: Add spam filter traning using imapsieve 2018-06-29 21:36:34 +09:30
Brian Olsen 616d779e1f Move from rmilter to rspamd #25 2018-06-29 21:36:34 +09:30
Brian Olsen 410c6c410b Use nixpkgs functions to check dovecot version 2018-06-29 21:36:34 +09:30
Brian Olsen 1c76e0a119 tests: Add ClamAV test and fix errors in virus scanning 2018-06-29 21:36:34 +09:30
Brian Olsen e32a915489 postfix: Use pypolicyd-spf for SPF checking 2018-06-29 21:35:16 +09:30
Brian Olsen f209fa3bf3 postfix: use masterConfig option instead of extraMasterConf
extraMasterConf is just a string while masterConfig is a nix module so
the options are more explicit and has help text.
2018-06-29 21:35:16 +09:30
Brian Olsen 7036371f75 Use OpenDKIM instead of rmilter for DKIM
As part of #61 this moves DKIM handling from rmilter to OpenDKIM.
2018-06-29 21:35:16 +09:30
Brian Olsen 8a27b941bf Start dovecot before postfix and add target for certificates
It seemed weird to me that preStart on postfix was used to generate
files not needed directly by postfix and for the self-signed
certificate which is also needed by dovecot. nginx.service was also
used as a proxy for when ACME certificate generation was done.

So I have created mailserver-certificates.target for when certificates
are available for other services. For self-signed that means that a
new oneshot service called mailserver-selfsigned-certificate has been
run. And for ACME this means that the target
acme-selfsigned-certificates has been reached (which is when acme has
created the self-signed certificates used before the actual
certificates provided by LetsEncrypt are created). This setup has the
added bonus that if you want to run a service to provide your own
certificates you can set that to run before
mailserver-certificates.target.

DH Parameters are only needed by dovecot so generation of that file has
been moved to the dovecot2 preStart.

And lastly the only remaining reason to for dovecot to start before
postfix was that the auth and lmtp sockets where located in a directory
created by postfix. But since they could just as well be located in
/run/dovecot2 as long as postfix has access to them I have moved them
there.
2018-06-29 21:35:16 +09:30
Brian Olsen 0fbfbafb6e Make dovecot sockets use postfix user/group options 2018-06-29 21:35:16 +09:30
Robin Raymond f016b9689a
Merge pull request #128 from Infinisil/fix-enable-conditions
fix conditions for enabling services
2018-06-09 15:18:46 +02:00
Philipp Dörfler 92238c61f6 Disabled scanning of incoming mails for phishing attempts 2018-06-09 09:13:56 +00:00
Silvan Mosberger 845e06e61a
fix conditions for enabling services
Without this fix, kresd and others would get enabled even though the
main mailserver option is disabled.
2018-05-22 23:18:55 +02:00
Robin Raymond 68232ddf87
Merge pull request #116 from phdoerfler/post-upgrade-check
Added option for automatic reboot after a kernel upgrade.
2018-05-10 13:06:46 +02:00
Robin Raymond 6d3ab77a5d
Merge pull request #114 from geistesk/message-id
Fog user's hostname in the Message-ID
2018-05-10 13:05:32 +02:00
Robin Raymond 02b0e867d2
Merge pull request #124 from nlewo/pr-dh.pem
postfix: also create the dh.pem if it is empty
2018-05-10 13:04:35 +02:00
Robin Raymond e0907f489b
Merge pull request #117 from tokudan/reject_recipients
Allow rejecting mails to selected local addresses from remote systems
2018-05-10 13:02:37 +02:00