-rw-r--r--.gitlab-ci.yml41
-rw-r--r--.travis.yml8
-rw-r--r--README.md2
-rw-r--r--default.nix21
-rw-r--r--mail-server/dovecot.nix3
-rw-r--r--mail-server/postfix.nix19
-rw-r--r--mail-server/systemd.nix18
-rw-r--r--tests/clamav.nix1
-rw-r--r--tests/extern.nix1
-rw-r--r--tests/intern.nix1
10 files changed, 69 insertions, 46 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..843593c
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,41 @@
+nixos-intern:
+ image: nixos/nix
+ variables:
+ NIX_PATH: "nixpkgs=https://github.com/NixOS/nixpkgs-channels/archive/nixos-18.03.tar.gz"
+ script:
+ - nix-build tests/intern.nix
+
+nixos-extern:
+ image: nixos/nix
+ variables:
+ NIX_PATH: "nixpkgs=https://github.com/NixOS/nixpkgs-channels/archive/nixos-18.03.tar.gz"
+ script:
+ - nix-build tests/extern.nix
+
+nixos-clamav:
+ image: nixos/nix
+ variables:
+ NIX_PATH: "nixpkgs=https://github.com/NixOS/nixpkgs-channels/archive/nixos-18.03.tar.gz"
+ script:
+ - nix-build tests/clamav.nix
+
+nixos-unstable-intern:
+ image: nixos/nix
+ variables:
+ NIX_PATH: "nixpkgs=https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz"
+ script:
+ - nix-build tests/intern.nix
+
+nixos-unstable-extern:
+ image: nixos/nix
+ variables:
+ NIX_PATH: "nixpkgs=https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz"
+ script:
+ - nix-build tests/extern.nix
+
+nixos-unstable-clamav:
+ image: nixos/nix
+ variables:
+ NIX_PATH: "nixpkgs=https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz"
+ script:
+ - nix-build tests/clamav.nix
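Review bot: Every job pins nothing: `NIX_PATH` points at moving channel tarballs (`nixos-18.03.tar.gz`, `nixos-unstable.tar.gz`) and `image: nixos/nix` has no tag, so what a pipeline builds depends on whatever GitHub and Docker Hub serve that day, and a green run cannot be reproduced later or compared with a red one. Pin the nixpkgs revision to a commit, e.g. `NIX_PATH: "nixpkgs=https://github.com/NixOS/nixpkgs-channels/archive/<commit-sha>.tar.gz"`, and pin the image to a tag; tracking the channel head can then be a deliberate scheduled job rather than every push. The six stanzas differ only in the channel and the test file, so a YAML anchor holding `image` and `script`, plus one `variables` anchor per channel, would keep each NIX_PATH string in exactly one place.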
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index 39faf05..0000000
--- a/.travis.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-language: nix
-env:
- - NIX_PATH="nixpkgs=https://github.com/NixOS/nixpkgs-channels/archive/nixos-18.03.tar.gz"
- - NIX_PATH="nixpkgs=https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz"
-script:
- - nix-build tests/intern.nix
- - nix-build tests/extern.nix
- - nix-build tests/clamav.nix
diff --git a/README.md b/README.md
index fcfdca3..709fdf1 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
# ![Simple Nixos MailServer][logo]
![license](https://img.shields.io/badge/license-GPL3-brightgreen.svg)
-![status](https://travis-ci.org/r-raymond/nixos-mailserver.svg?branch=master)
+[![pipeline status](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/badges/master/pipeline.svg)](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/commits/master)
## Stable Releases
diff --git a/default.nix b/default.nix
index 0134541..db68f2e 100644
--- a/default.nix
+++ b/default.nix
@@ -166,6 +166,16 @@ in
default = {};
};
+ rejectSender = mkOption {
+ type = types.listOf types.str;
+ example = [ "@example.com" "spammer@example.net" ];
+ description = ''
+ Reject emails from these addresses from unauthorized senders.
+ Use if a spammer is using the same domain or the same sender over and over.
+ '';
+ default = [];
+ };
+
rejectRecipients = mkOption {
type = types.listOf types.str;
example = [ "sales@example.com" "info@example.com" ];
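Review bot: The example `"@example.com"` for the new `rejectSender` option is unlikely to match anything, because the values are emitted into a Postfix `check_sender_access` table (postfix.nix) and, as far as I read access(5), a whole domain is keyed as `example.com` or `.example.com`, not `@example.com`; `user@` is the form that matches a local part across domains. Change the example to `[ "example.com" "spammer@example.net" ]` and state in the description that entries are access(5) patterns. The wording "from unauthorized senders" also overstates what is wired up: the restriction is applied to every SMTP client unless a `permit_sasl_authenticated` precedes it, and only the envelope sender is inspected, so something like `Reject mail whose envelope sender (MAIL FROM, not the From: header) matches one of these access(5) patterns.` would describe the actual behaviour.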
@@ -405,17 +415,6 @@ in
'';
};
- dhParamBitLength = mkOption {
- type = types.int;
- default = 2048;
- description =
- ''
- Length of the Diffie Hillman prime used (in bits). It might be a good
- idea to set this to 4096 for security purposed, but it will take a _very_
- long time to create this prime on startup.
- '';
- };
-
debug = mkOption {
type = types.bool;
default = false;
diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix
index 2be417d..fed2189 100644
--- a/mail-server/dovecot.nix
+++ b/mail-server/dovecot.nix
@@ -97,9 +97,6 @@ in
mail_access_groups = ${vmailGroupName}
ssl = required
- ${lib.optionalString (lib.versionAtLeast (lib.getVersion pkgs.dovecot) "2.3") ''
- ssl_dh = <${certificateDirectory}/dh.pem
- ''}
service lmtp {
unix_listener dovecot-lmtp {
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index 4a00e39..cea787f 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -55,6 +55,13 @@ let
(lib.concatStringsSep "\n" (all_valiases_postfix ++
catchAllPostfix));
+ reject_senders_postfix = (map
+ (sender:
+ "${sender} REJECT")
+ (cfg.rejectSender));
+ reject_senders_file = builtins.toFile "reject_senders" (lib.concatStringsSep "\n" (reject_senders_postfix)) ;
+
+
reject_recipients_postfix = (map
(recipient:
"${recipient} REJECT")
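Review bot: `reject_senders_file` has a stray space before the `;` and redundant parentheses around the `map` call, `cfg.rejectSender` and `reject_senders_postfix`; the `reject_recipients_*` pair below follows the same shape, so a cleanup should cover both. One `lib.concatMapStringsSep` does both steps: `reject_senders_file = builtins.toFile "reject_senders" (lib.concatMapStringsSep "\n" (s: "${s} REJECT") cfg.rejectSender);`. Entries are written verbatim as access(5) table lines, so a value containing whitespace silently becomes a key plus extra tokens for postmap; either say so in the option description or constrain the option with a `types.strMatching` pattern.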
@@ -103,6 +110,8 @@ let
+ (lib.optionalString cfg.debug ''
debugLevel = 4
''));
+
+ mappedFile = name: "hash:/var/lib/postfix/conf/${name}";
in
{
config = with cfg; lib.mkIf enable {
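Review bot: `mappedFile` hard-codes both the directory where `services.postfix.mapFiles` entries are materialised and the `hash:` table type, and nothing says where those two conventions come from, so a reader of `virtual_alias_maps = ${mappedFile "valias"}` has to already know them. A one-line comment above it would do: `# Reference to an entry of services.postfix.mapFiles; the NixOS postfix module postmaps them into /var/lib/postfix/conf as hash: tables`. Both values are presumably fixed by the NixOS module rather than by this file, which is worth stating so the next nixpkgs upgrade is checked against it.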
@@ -113,6 +122,7 @@ in
networksStyle = "host";
mapFiles."valias" = valiases_file;
mapFiles."vaccounts" = vaccounts_file;
+ mapFiles."reject_senders" = reject_senders_file;
mapFiles."reject_recipients" = reject_recipients_file;
sslCert = certificatePath;
sslKey = keyPath;
@@ -132,8 +142,8 @@ in
virtual_gid_maps = static:5000
virtual_mailbox_base = ${mailDirectory}
virtual_mailbox_domains = ${vhosts_file}
- virtual_mailbox_maps = hash:/var/lib/postfix/conf/valias
- virtual_alias_maps = hash:/var/lib/postfix/conf/valias
+ virtual_mailbox_maps = ${mappedFile "valias"}
+ virtual_alias_maps = ${mappedFile "valias"}
virtual_transport = lmtp:unix:/run/dovecot2/dovecot-lmtp
# sasl with dovecot
@@ -144,9 +154,12 @@ in
policy-spf_time_limit = 3600s
+ # reject selected senders
+ smtpd_sender_restrictions = check_sender_access ${mappedFile "reject_senders"}
+
# quota and spf checking
smtpd_recipient_restrictions =
- check_recipient_access hash:/var/lib/postfix/conf/reject_recipients,
+ check_recipient_access ${mappedFile "reject_recipients"},
check_policy_service inet:localhost:12340,
check_policy_service unix:private/policy-spf
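Review bot: `smtpd_sender_restrictions = check_sender_access …` runs for every client that reaches smtpd, which presumably includes authenticated submission unless a master.cf override outside this hunk changes it, so a listed domain also stops this server's own users from sending as that domain; that contradicts the option's stated purpose of catching "unauthorized senders". If the intent is inbound spam only, prefix the check with `permit_sasl_authenticated,`; otherwise document that the list applies to everyone. `check_sender_access` also sees only the envelope MAIL FROM, which a spammer can vary per message, so this is a convenience filter rather than a control to rely on; the comment could say `# reject envelope senders listed in mailserver.rejectSender (MAIL FROM only, applied to all clients)`.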
diff --git a/mail-server/systemd.nix b/mail-server/systemd.nix
index a4a9285..378e07d 100644
--- a/mail-server/systemd.nix
+++ b/mail-server/systemd.nix
@@ -18,20 +18,6 @@
let
cfg = config.mailserver;
-
- createDhParameterFile =
- lib.optionalString (lib.versionAtLeast (lib.getVersion pkgs.dovecot) "2.3")
- ''
- # Create a dh parameter file
- if [ ! -s "${cfg.certificateDirectory}/dh.pem" ]
- then
- mkdir -p "${cfg.certificateDirectory}"
- ${pkgs.openssl}/bin/openssl \
- dhparam ${builtins.toString cfg.dhParamBitLength} \
- > "${cfg.certificateDirectory}/dh.pem"
- fi
- '';
-
preliminarySelfsigned = config.security.acme.preliminarySelfsigned;
acmeWantsTarget = [ "acme-certificates.target" ]
++ (lib.optional preliminarySelfsigned "acme-selfsigned-certificates.target");
@@ -74,7 +60,7 @@ in
};
};
- # Create maildir folder and dh parameters before dovecot startup
+ # Create maildir folder before dovecot startup
systemd.services.dovecot2 = {
after = [ "mailserver-certificates.target" ];
wants = [ "mailserver-certificates.target" ];
@@ -84,8 +70,6 @@ in
mkdir -p "${mailDirectory}"
chgrp "${vmailGroupName}" "${mailDirectory}"
chmod 02770 "${mailDirectory}"
-
- ${createDhParameterFile}
'';
};
diff --git a/tests/clamav.nix b/tests/clamav.nix
index 49f3c07..7c81b2d 100644
--- a/tests/clamav.nix
+++ b/tests/clamav.nix
@@ -75,7 +75,6 @@ import <nixpkgs/nixos/tests/make-test.nix> {
debug = true;
fqdn = "mail.example.com";
domains = [ "example.com" "example2.com" ];
- dhParamBitLength = 512;
virusScanning = true;
loginAccounts = {
diff --git a/tests/extern.nix b/tests/extern.nix
index 7ccd9ca..0816d91 100644
--- a/tests/extern.nix
+++ b/tests/extern.nix
@@ -36,7 +36,6 @@ import <nixpkgs/nixos/tests/make-test.nix> {
debug = true;
fqdn = "mail.example.com";
domains = [ "example.com" "example2.com" ];
- dhParamBitLength = 512;
rewriteMessageId = true;
loginAccounts = {
diff --git a/tests/intern.nix b/tests/intern.nix
index e191d60..ce50123 100644
--- a/tests/intern.nix
+++ b/tests/intern.nix
@@ -27,7 +27,6 @@ import <nixpkgs/nixos/tests/make-test.nix> {
enable = true;
fqdn = "mail.example.com";
domains = [ "example.com" ];
- dhParamBitLength = 512;
loginAccounts = {
"user1@example.com" = {