From 5a0cb28f369c104bb371974df876c8c705b0ee7e Mon Sep 17 00:00:00 2001
From: ene
Date: Sat, 18 Mar 2023 16:21:45 +0100
Subject: Refactor: Use better file layout
---
 system/mail/default.nix | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 system/mail/default.nix
(limited to 'system/mail/default.nix')
diff --git a/system/mail/default.nix b/system/mail/default.nix
new file mode 100644
index 0000000..b09f8f1
--- /dev/null
+++ b/system/mail/default.nix
@@ -0,0 +1,27 @@
+# vim: ts=2
+{...}: {
+ enable = true;
+ fqdn = "server1.vhack.eu";
+ domains = ["vhack.eu"];
+
+ mailDirectory = "/srv/mail/vmail";
+ dkimKeyDirectory = "/srv/mail/dkim";
+ backup.snapshotRoot = "/srv/mail/backup";
+
+ loginAccounts = {
+ "sils@vhack.eu" = {
+ hashedPasswordFile = "/srv/mail/.secrets/silsmailpswd";
+ };
+ };
+
+ extraVirtualAliases = {
+ "abuse@vhack.eu" = ["sils@vhack.eu"];
+ "postmaster@vhack.eu" = ["sils@vhack.eu"];
+ "admin@vhack.eu" = ["sils@vhack.eu"];
+ };
+
+ sieveDirectory = "/srv/mail/sieve";
+ keyFile = "/var/lib/acme/server1.vhack.eu/key.pem";
+ certificateScheme = 1;
+ certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem";
+}
-- 
cgit 1.4.1
From f77f8848301bd0eaf742f177771554f6ce942bb9 Mon Sep 17 00:00:00 2001
From: ene
Date: Sat, 18 Mar 2023 16:27:54 +0100
Subject: Fix(system/mail): Disable protocols with STARTTLS
This is inherently unsafe because it requires an unencrypted handshake. Considering that all protocols also work directly with TLS i.e., the encrypted variant, disabling this shouldn't be a drawback.
---
 system/mail/default.nix | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'system/mail/default.nix')
diff --git a/system/mail/default.nix b/system/mail/default.nix
index b09f8f1..6fe82fd 100644
--- a/system/mail/default.nix
+++ b/system/mail/default.nix
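Review bot: `certificateScheme = 1;` together with `keyFile`/`certificateFile` under `/var/lib/acme/server1.vhack.eu/` makes the mail server consume a certificate it does not manage itself; if 1 is the manual scheme of this mail module (it is in simple-nixos-mailserver's numeric schemes, confirm for the version in use), nothing here reloads postfix/dovecot when the ACME service renews, and the daemons need read access to `key.pem`, which the ACME module does not grant by default. The file should say where the certificate comes from and what handles renewal, e.g. a comment above `keyFile`: `# Certificate is issued by services/acme; reload of postfix/dovecot on renewal: <TODO: hook or scheme>`. The `hashedPasswordFile` under `/srv/mail/.secrets/` is the right place for the hash, but the page does not show its permissions; a comment noting it must be root-only would help the next operator.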
@@ -4,6 +4,14 @@
 fqdn = "server1.vhack.eu";
 domains = ["vhack.eu"];
+ enableImap = false;
+ enableImapSsl = true;
+ enablePop3 = false;
+ enablePop3Ssl = true;
+ # SMTP
+ enableSubmission = false;
+ enableSubmissionSsl = true;
+
 mailDirectory = "/srv/mail/vmail";
 dkimKeyDirectory = "/srv/mail/dkim";
 backup.snapshotRoot = "/srv/mail/backup";
-- 
cgit 1.4.1
From 6ba9c1452144b327963c9f0ae57ec5662b4f6ec1 Mon Sep 17 00:00:00 2001
From: ene
Date: Sat, 18 Mar 2023 16:54:20 +0100
Subject: Fix(system/mail): Make extraVirtualAliases fairer
---
 system/mail/default.nix | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
(limited to 'system/mail/default.nix')
diff --git a/system/mail/default.nix b/system/mail/default.nix
index 6fe82fd..67531af 100644
--- a/system/mail/default.nix
+++ b/system/mail/default.nix
@@ -1,5 +1,11 @@
 # vim: ts=2
-{...}: {
+{...}: let
+ all_admins = [
+ "sils@vhack.eu"
+ "soispha@vhack.eu"
+ "nightingale@vhack.eu"
+ ];
+in {
 enable = true;
 fqdn = "server1.vhack.eu";
 domains = ["vhack.eu"];
@@ -23,9 +29,9 @@
 };
 extraVirtualAliases = {
- "abuse@vhack.eu" = ["sils@vhack.eu"];
- "postmaster@vhack.eu" = ["sils@vhack.eu"];
- "admin@vhack.eu" = ["sils@vhack.eu"];
+ "abuse@vhack.eu" = all_admins;
+ "postmaster@vhack.eu" = all_admins;
+ "admin@vhack.eu" = all_admins;
 };
 sieveDirectory = "/srv/mail/sieve";
-- 
cgit 1.4.1
From 414ad162bc5ecdf71e3c5d674c18c6d65bd03a45 Mon Sep 17 00:00:00 2001
From: ene
Date: Sat, 18 Mar 2023 17:12:34 +0100
Subject: Fix(system/mail): Declare the password directly
As outlined in commit 19f0808, placing a password hash in the world readable nix-store is perfectly safe as long as the hashing function is not reversible, which should be a necessity for a password hash.
---
 system/mail/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'system/mail/default.nix')
diff --git a/system/mail/default.nix b/system/mail/default.nix
index 67531af..2f58c03 100644
--- a/system/mail/default.nix
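Review bot: The `enableImap`/`enablePop3`/`enableSubmission = false;` lines only turn off the client-facing STARTTLS listeners; inbound server-to-server delivery on port 25 is not governed by any of these options and continues to negotiate TLS opportunistically via STARTTLS, so the commit message's claim that "all protocols also work directly with TLS" does not hold for MX delivery. That asymmetry is worth stating next to the block so a later reader does not assume the host is STARTTLS-free, e.g. above `enableImap`: `# Client STARTTLS listeners (143/110/587) are off; clients use the implicit-TLS ports only. Inbound MTA traffic on port 25 still uses STARTTLS.` The `# SMTP` comment could likewise say it covers submission only.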
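Review bot: `all_admins` lists `soispha@vhack.eu` and `nightingale@vhack.eu`, but in this revision `loginAccounts` only declares `sils@vhack.eu`, so the aliases rewritten in the second hunk now expand to two addresses without a mailbox; what the MTA does with those recipients (bounce, reject or silently drop) is not determined by anything on the page, and for `postmaster@`/`abuse@` a bounce is the worst case since those are the addresses external parties use to report problems. Either add the accounts in the same commit or keep the list to declared accounts with a comment such as `# every entry must also exist in loginAccounts`. Nix attribute names are conventionally camelCase, so `allAdmins` would match the other option names in the file.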
+++ b/system/mail/default.nix
@@ -24,7 +24,7 @@ in {
 loginAccounts = {
 "sils@vhack.eu" = {
- hashedPasswordFile = "/srv/mail/.secrets/silsmailpswd";
+ hashedPassword = "$2b$05$RW/Svgk7iGxvP5W7ZwUZ1e.a3fj4fteevb2MtfFYYD0d1DQ17y9Fm";
 };
 };
-- 
cgit 1.4.1
From a24dc7da41c18ef68ea32b27995c60c9494f579c Mon Sep 17 00:00:00 2001
From: ene
Date: Sat, 18 Mar 2023 17:34:44 +0100
Subject: Feat(system/mail): Use '/' to separate mailboxes
This is something that just makes the file system easier to traverse, but isn't really necessary.
---
 system/mail/default.nix | 1 +
 1 file changed, 1 insertion(+)
(limited to 'system/mail/default.nix')
diff --git a/system/mail/default.nix b/system/mail/default.nix
index 2f58c03..98af119 100644
--- a/system/mail/default.nix
+++ b/system/mail/default.nix
@@ -17,6 +17,7 @@ in {
 # SMTP
 enableSubmission = false;
 enableSubmissionSsl = true;
+ useFsLayout = true;
 mailDirectory = "/srv/mail/vmail";
 dkimKeyDirectory = "/srv/mail/dkim";
-- 
cgit 1.4.1
From d6fbe642e5762f1bd79dcfb0e68bf7df1c902d8d Mon Sep 17 00:00:00 2001
From: ene
Date: Sat, 18 Mar 2023 17:22:46 +0100
Subject: Style(system/mail): Reorder options
I just think this is easier to read.
---
 system/mail/default.nix | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)
(limited to 'system/mail/default.nix')
diff --git a/system/mail/default.nix b/system/mail/default.nix
index 98af119..7a206f5 100644
--- a/system/mail/default.nix
+++ b/system/mail/default.nix
@@ -10,19 +10,8 @@ in {
 fqdn = "server1.vhack.eu";
 domains = ["vhack.eu"];
- enableImap = false;
- enableImapSsl = true;
- enablePop3 = false;
- enablePop3Ssl = true;
- # SMTP
- enableSubmission = false;
- enableSubmissionSsl = true;
 useFsLayout = true;
- mailDirectory = "/srv/mail/vmail";
- dkimKeyDirectory = "/srv/mail/dkim";
- backup.snapshotRoot = "/srv/mail/backup";
-
 loginAccounts = {
 "sils@vhack.eu" = {
 hashedPassword = "$2b$05$RW/Svgk7iGxvP5W7ZwUZ1e.a3fj4fteevb2MtfFYYD0d1DQ17y9Fm";
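Review bot: Moving the value into `hashedPassword` puts the bcrypt hash into the world-readable Nix store and into version control (this log is served publicly), and its `$2b$05$` prefix shows a bcrypt cost of 5, well below the usual 10-12, so any local user or anyone reading the repository can run an offline guessing attack against it cheaply; the commit message's argument covers reversibility only, not brute force. Keep the previous `hashedPasswordFile = "/srv/mail/.secrets/silsmailpswd";` (root-only, outside the store), regenerate the hash with a higher cost, and treat the now-published password as compromised and rotate it. The hashes added in commit f2ab842's hunk carry the same cost-5 prefix and the same exposure.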
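Review bot: `useFsLayout = true;` changes how Dovecot lays out folders under `mailDirectory`; if any mail already exists in `/srv/mail/vmail` in the module's default layout, those folders may no longer be found after the switch, which the commit message ("isn't really necessary") does not consider, so confirm this before deploying to a populated store. A short comment would protect the next reader: `# Folder layout on disk; changing this on an existing mailDirectory requires migrating the mailboxes.`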
@@ -35,7 +24,21 @@ in {
 "admin@vhack.eu" = all_admins;
 };
+
+ mailDirectory = "/srv/mail/vmail";
+ dkimKeyDirectory = "/srv/mail/dkim";
 sieveDirectory = "/srv/mail/sieve";
+ backup.snapshotRoot = "/srv/mail/backup";
+
+
+ enableImap = false;
+ enableImapSsl = true;
+ enablePop3 = false;
+ enablePop3Ssl = true;
+ # SMTP
+ enableSubmission = false;
+ enableSubmissionSsl = true;
+
 keyFile = "/var/lib/acme/server1.vhack.eu/key.pem";
 certificateScheme = 1;
 certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem";
-- 
cgit 1.4.1
From f2ab8429778b5b5c422160da6a11c15af815b55c Mon Sep 17 00:00:00 2001
From: ene
Date: Sat, 18 Mar 2023 17:52:49 +0100
Subject: Feat(system/mail): Add other users, so the admin thing works
---
 system/mail/default.nix | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'system/mail/default.nix')
diff --git a/system/mail/default.nix b/system/mail/default.nix
index 7a206f5..8eaa53b 100644
--- a/system/mail/default.nix
+++ b/system/mail/default.nix
@@ -16,6 +16,12 @@ in {
 "sils@vhack.eu" = {
 hashedPassword = "$2b$05$RW/Svgk7iGxvP5W7ZwUZ1e.a3fj4fteevb2MtfFYYD0d1DQ17y9Fm";
 };
+ "soispha@vhack.eu" = {
+ hashedPassword = "$2b$05$XX36sJuHNbTFvi8DFldscOeQBHahluSkiUqD9QGzQaET7NJusSuQW";
+ };
+ "nightingale@vhack.eu" = {
+ hashedPassword = "$2b$05$THIS_PASSWORD_HASH_IS_NOT_REAL,_PLEASE_CHANGE_IT_..._"; # TODO change
+ };
 };
 extraVirtualAliases = {
-- 
cgit 1.4.1
From 083a7cbb9623c90468c887203bf95adc5f2e3201 Mon Sep 17 00:00:00 2001
From: ene
Date: Sun, 19 Mar 2023 17:43:26 +0100
Subject: Fix(system/mail): Only accept connections on safe ports
It is sort of standard to ignore connections over the unencrypted port 25, thus we are doing the same.
---
 system/mail/default.nix | 4 ++--
 system/services/default.nix | 2 ++
 system/services/firewall/default.nix | 11 +++++++++++
 3 files changed, 15 insertions(+), 2 deletions(-)
 create mode 100644 system/services/firewall/default.nix
(limited to 'system/mail/default.nix')
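Review bot: The `nightingale@vhack.eu` account is declared with a placeholder string in `hashedPassword` and a `# TODO change`, while commit 6ba9c14 already routes `abuse@`/`postmaster@`/`admin@` to that address, so role mail will be delivered into a mailbox nobody can open; how Dovecot treats an unparseable bcrypt string is not shown here (presumably a login failure, but that is an inference). Leave the account out of `loginAccounts` and `all_admins` until a real hash exists, or switch the three entries to `hashedPasswordFile` so no hash has to be committed at all. If the placeholder has to stay, the comment should say what breaks meanwhile, e.g. `# TODO: placeholder, login impossible; role aliases still deliver here`.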
diff --git a/system/mail/default.nix b/system/mail/default.nix
index 8eaa53b..7102958 100644
--- a/system/mail/default.nix
+++ b/system/mail/default.nix
@@ -30,13 +30,11 @@ in {
 "admin@vhack.eu" = all_admins;
 };
-
 mailDirectory = "/srv/mail/vmail";
 dkimKeyDirectory = "/srv/mail/dkim";
 sieveDirectory = "/srv/mail/sieve";
 backup.snapshotRoot = "/srv/mail/backup";
-
 enableImap = false;
 enableImapSsl = true;
 enablePop3 = false;
@@ -44,8 +42,10 @@ in {
 # SMTP
 enableSubmission = false;
 enableSubmissionSsl = true;
+ openFirewall = false; # handled below
 keyFile = "/var/lib/acme/server1.vhack.eu/key.pem";
 certificateScheme = 1;
 certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem";
+
 }
diff --git a/system/services/default.nix b/system/services/default.nix
index acf20f5..4c39b8b 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -1,6 +1,8 @@
 {config, ...}: {
 imports = [
 ./acme
+ ./firewall
+ ./minecraft
 ./nginx
 ./nix
 ./opensshd
diff --git a/system/services/firewall/default.nix b/system/services/firewall/default.nix
new file mode 100644
index 0000000..23dbcc4
--- /dev/null
+++ b/system/services/firewall/default.nix
@@ -0,0 +1,11 @@
+# vim: ts=2
+{...}: {
+ networking.firewall = {
+ allowedTCPPorts = [
+ # for mail protocols:
+ 465 # SMTP SSL
+ 995 # POP3 SSL
+ 993 # IMAP SSL
+ ];
+ };
+}
-- 
cgit 1.4.1
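Review bot: The comment on `openFirewall = false; # handled below` points the reader to the wrong place: nothing below this line in `system/mail/default.nix` opens any port, the rules live in the new `system/services/firewall/default.nix`. Make the cross-reference explicit so the two files stay in sync when ports change: `openFirewall = false; # ports are opened in system/services/firewall/default.nix`.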
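Review bot: The added `./minecraft` import is unrelated to the commit's subject and no `system/services/minecraft` file appears in the diffstat (`3 files changed`), so unless that directory already exists from another commit, evaluation of `system/services/default.nix` will fail on a missing path; the cgit view is limited to one path, so this is an inference to verify. If the directory does exist, the import belongs in its own commit; if it does not, drop the line until the module is added.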
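Review bot: `allowedTCPPorts` opens only 465, 995 and 993 and leaves 25 closed, but 25 is the port other mail servers deliver to (MX delivery never uses 465), so with this rule set the host cannot receive external mail for the domains it serves; the commit message treats 25 as a client port, whereas it is the MTA-to-MTA port on which encryption is negotiated via STARTTLS. Add `25 # inbound SMTP from other MTAs (STARTTLS)` to the list and enforce encryption on that listener through the MTA's TLS policy rather than by closing the port. The `# for mail protocols:` comment could also record that 587, 143 and 110 are intentionally absent because the mail module has those listeners disabled.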