From 083a7cbb9623c90468c887203bf95adc5f2e3201 Mon Sep 17 00:00:00 2001 From: ene Date: Sun, 19 Mar 2023 17:43:26 +0100 Subject: Fix(system/mail): Only accept connections on safe ports It is sort of standard to ignore connections over the unencrypted port 25, thus we are doing the same. --- system/mail/default.nix | 4 ++-- system/services/default.nix | 2 ++ system/services/firewall/default.nix | 11 +++++++++++ 3 files changed, 15 insertions(+), 2 deletions(-) create mode 100644 system/services/firewall/default.nix (limited to 'system') diff --git a/system/mail/default.nix b/system/mail/default.nix index 8eaa53b..7102958 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -30,13 +30,11 @@ in { "admin@vhack.eu" = all_admins; }; - mailDirectory = "/srv/mail/vmail"; dkimKeyDirectory = "/srv/mail/dkim"; sieveDirectory = "/srv/mail/sieve"; backup.snapshotRoot = "/srv/mail/backup"; - enableImap = false; enableImapSsl = true; enablePop3 = false; @@ -44,8 +42,10 @@ in { # SMTP enableSubmission = false; enableSubmissionSsl = true; + openFirewall = false; # handled below keyFile = "/var/lib/acme/server1.vhack.eu/key.pem"; certificateScheme = 1; certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem"; + } diff --git a/system/services/default.nix b/system/services/default.nix index acf20f5..4c39b8b 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -1,6 +1,8 @@ {config, ...}: { imports = [ ./acme + ./firewall + ./minecraft ./nginx ./nix ./opensshd diff --git a/system/services/firewall/default.nix b/system/services/firewall/default.nix new file mode 100644 index 0000000..23dbcc4 --- /dev/null +++ b/system/services/firewall/default.nix @@ -0,0 +1,11 @@ +# vim: ts=2 +{...}: { + networking.firewall = { + allowedTCPPorts = [ + # for mail protocols: + 465 # SMTP SSL + 995 # POP3 SSL + 993 # IMAP SSL + ]; + }; +} -- cgit 1.4.1