fleet/modules/mail.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70

# SPDX-FileCopyrightText: V <v@unfathomable.blue>
# SPDX-FileCopyrightText: edef <edef@unfathomable.blue>
# SPDX-License-Identifier: OSL-3.0

{ config, pkgs, ... }:

{
  security.acme.certs = {
    "${config.networking.fqdn}" = {
      postRun = "systemctl reload postfix.service";
    };

    # Older mail servers might not support ECDSA
    "${config.networking.fqdn}-rsa2048" = {
      domain = config.networking.fqdn;
      keyType = "rsa2048";
      postRun = "systemctl reload postfix.service";
    };
  };

  services.postfix = {
    enable = true;

    # 'myhostname' is actually the FQDN, which Postfix incorrectly expects gethostname(3) to return
    hostname = config.networking.fqdn;

    # TODO(edef): instrument postfix to find out how often opportunistic encryption works, and with which cipher suites/certificates
    config = {
      # Disable account enumeration
      disable_vrfy_command = true;

      # TODO(V): Look into further hardening

      # Block DNSBLed addresses
      postscreen_dnsbl_sites = [ "zen.spamhaus.org" "ix.dnsbl.manitu.net" ];
      postscreen_dnsbl_action = "enforce";

      # Block overly eager robots
      postscreen_greet_action = "enforce";

      # TODO(V): Look into SpamAssassin for more advanced SPAM protection

      # TODO(V): Support https://github.com/NixOS/nixpkgs/pull/89178 so we can remove some of the following boilerplate

      # Outgoing TLS configuration
      smtp_tls_security_level = "may";
      smtp_tls_CAfile = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
      smtp_tls_loglevel = "1";
      # TODO(V): disable TLSv1 and other insecure versions?

      # Incoming TLS configuration
      smtpd_tls_security_level = "may";
      smtpd_tls_chain_files = [
        # TODO(V): add ed25519, in the bright, wonderful future of cryptography
        "/var/lib/acme/${config.networking.fqdn}/full.pem"
        "/var/lib/acme/${config.networking.fqdn}-rsa2048/full.pem"
      ];
      smtpd_tls_loglevel = "1";
      # TODO(V): disable TLSv1 and other insecure versions?
    };
  };

  users.users.postfix.extraGroups = [ "acme" ];

  # TODO(V): Figure out how to ensure that Postfix depends on there being a valid cert on
  # first-run, without causing issues with mail deliverability for an already running service.
  # Aren't there self-signed certs that the ACME module has for exactly this reason?

  networking.firewall.allowedTCPPorts = [ 25 ];
}