# nixos-mailserver: a simple mail server # Copyright (C) 2016-2018 Robin Raymond # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see import { nodes = { server = { config, pkgs, lib, ... }: let clamav-db-files = lib.mapAttrs (name: value: pkgs.stdenv.mkDerivation rec { inherit name; src = pkgs.fetchurl { url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/raw/master/tests/clamav/${name}"; sha256 = value; }; unpackPhase = "true"; # don't try to unpack the raw .cvd files installPhase = "cp $src $out"; }) (builtins.fromJSON (builtins.readFile ./clamav/hashes.json)); in { imports = [ ../default.nix ]; virtualisation.memorySize = 1500; services.rsyslogd = { enable = true; defaultConfig = '' *.* /dev/console ''; }; services.clamav.updater.enable = lib.mkForce false; systemd.services.old-clam = { before = [ "clamav-daemon.service" ]; requiredBy = [ "clamav-daemon.service" ]; description = "ClamAV virus database"; preStart = '' mkdir -m 0755 -p /var/lib/clamav chown clamav:clamav /var/lib/clamav ''; script = '' cp ${clamav-db-files."bytecode.cvd"} /var/lib/clamav/ cp ${clamav-db-files."main.cvd"} /var/lib/clamav/ cp ${clamav-db-files."daily.cvd"} /var/lib/clamav/ chown clamav:clamav /var/lib/clamav/* ''; serviceConfig = { Type = "oneshot"; PrivateTmp = "yes"; PrivateDevices = "yes"; }; }; mailserver = { enable = true; debug = true; fqdn = "mail.example.com"; domains = [ "example.com" "example2.com" ]; dhParamBitLength = 512; virusScanning = true; loginAccounts = { "user1@example.com" = { hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/"; aliases = [ "postmaster@example.com" ]; catchAll = [ "example.com" ]; }; "user@example2.com" = { hashedPassword = "$6$u61JrAtuI0a$nGEEfTP5.eefxoScUGVG/Tl0alqla2aGax4oTd85v3j3xSmhv/02gNfSemv/aaMinlv9j/ZABosVKBrRvN5Qv0"; }; }; enableImap = true; }; environment.etc = { "root/eicar.com.txt".text = "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"; }; }; client = { nodes, config, pkgs, ... }: let serverIP = nodes.server.config.networking.primaryIPAddress; clientIP = nodes.client.config.networking.primaryIPAddress; grep-ip = pkgs.writeScriptBin "grep-ip" '' #!${pkgs.stdenv.shell} echo grep '${clientIP}' "$@" >&2 exec grep '${clientIP}' "$@" ''; in { environment.systemPackages = with pkgs; [ fetchmail msmtp procmail findutils grep-ip ]; environment.etc = { "root/.fetchmailrc" = { text = '' poll ${serverIP} with proto IMAP user 'user1@example.com' there with password 'user1' is 'root' here mda procmail ''; mode = "0700"; }; "root/.procmailrc" = { text = "DEFAULT=$HOME/mail"; }; "root/.msmtprc" = { text = '' account test2 host ${serverIP} port 587 from user@example2.com user user@example2.com password user2 ''; }; "root/virus-email".text = '' From: User2 Content-Type: multipart/mixed; boundary="Apple-Mail=_2689C63E-FD18-4E4D-8822-54797BDA9607" Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\)) Subject: Testy McTest Message-Id: <94550DD9-1FF1-4ED1-9F09-8812FF2E59AA@example.com> Date: Sat, 12 May 2018 14:15:44 +0200 To: User1 X-Mailer: Apple Mail (2.3445.6.18) --Apple-Mail=_2689C63E-FD18-4E4D-8822-54797BDA9607 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=us-ascii Hello I have attached a dangerous virus. Mfg. User2 --Apple-Mail=_2689C63E-FD18-4E4D-8822-54797BDA9607 Content-Disposition: attachment; filename=eicar.com.txt Content-Type: text/plain; x-unix-mode=0644; name="eicar.com.txt" Content-Transfer-Encoding: 7bit X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* --Apple-Mail=_2689C63E-FD18-4E4D-8822-54797BDA9607-- ''; "root/email2".text = '' From: User To: User1 Cc: Bcc: Subject: This is a test Email from user@example2.com to user1 Reply-To: Hello User1, how are you doing today? XOXO User1 ''; }; }; }; testScript = '' startAll; $server->waitForUnit("multi-user.target"); $client->waitForUnit("multi-user.target"); $client->execute("cp -p /etc/root/.* ~/"); $client->succeed("mkdir -p ~/mail"); $client->succeed("ls -la ~/ >&2"); $client->succeed("cat ~/.fetchmailrc >&2"); $client->succeed("cat ~/.procmailrc >&2"); $client->succeed("cat ~/.msmtprc >&2"); # fetchmail returns EXIT_CODE 1 when no new mail $client->succeed("fetchmail -v || [ \$? -eq 1 ] >&2"); # Verify that mail can be sent and received before testing virus scanner $client->execute("rm ~/mail/*"); $client->succeed("msmtp -a test2 --tls=on --tls-certcheck=off --auth=on user1\@example.com < /etc/root/email2 >&2"); # give the mail server some time to process the mail $server->waitUntilFails('[ "$(postqueue -p)" != "Mail queue is empty" ]'); $client->execute("rm ~/mail/*"); # fetchmail returns EXIT_CODE 0 when it retrieves mail $client->succeed("fetchmail -v >&2"); $client->execute("rm ~/mail/*"); subtest "virus scan file", sub { $server->fail("clamscan --follow-file-symlinks=2 -r /etc/root/ >&2"); }; subtest "virus scanner", sub { $client->fail("msmtp -a test2 --tls=on --tls-certcheck=off --auth=on user1\@example.com < /etc/root/virus-email >&2"); # give the mail server some time to process the mail $server->waitUntilFails('[ "$(postqueue -p)" != "Mail queue is empty" ]'); }; subtest "no warnings or errors", sub { $server->fail("journalctl -u postfix | grep -i error >&2"); $server->fail("journalctl -u postfix | grep -i warning >&2"); $server->fail("journalctl -u dovecot2 | grep -i error >&2"); $server->fail("journalctl -u dovecot2 | grep -i warning >&2"); }; ''; }