
Merge uncommitted changes from m1vm

gluster
m1cr0man 2 years ago
parent
commit
bc60593d15
4 changed files with 36 additions and 17 deletions
  1. +1
    -0
      hosts/m1vm/configuration.nix
  2. +11
    -4
      services/dovecot/auth.nix
  3. +20
    -9
      services/dovecot/default.nix
  4. +4
    -4
      services/postfix/default.nix

+ 1
- 0
hosts/m1vm/configuration.nix View File

@@ -22,6 +22,7 @@
boot.loader.grub.device = "/dev/vda";

networking.hostName = "m1cr0man";
networking.hostId = "";
networking.interfaces.enp1s0.ipv4.addresses = [{
address = "192.168.0.135";
prefixLength = 24;
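Review bot: `networking.hostId = "";` — presumably the single added line in this section — is an empty string, which NixOS should reject at evaluation time: as far as I recall the option asserts exactly eight hexadecimal characters ("Invalid value given to the networking.hostId option"), and an empty value would also give ZFS, if it is in use on m1vm, nothing to stamp pools with. Generate a stable value once on the host, e.g. `head -c 8 /etc/machine-id`, and commit that: `networking.hostId = "<8 hex chars from /etc/machine-id>";`. If the blank is a deliberate placeholder, a `# TODO: fill from /etc/machine-id before deploy` comment beside it would stop the config being pushed as-is. The enclosing attribute set continues outside the hunk.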


+ 11
- 4
services/dovecot/auth.nix View File

@@ -1,4 +1,4 @@
{common, pkgs, ...}:
{common, pkgs, vmailUserName, ...}:
let
ldapConfig = pkgs.writeText "dovecot-ldap-config" ''
hosts = ${common.ldapHost}
@@ -7,9 +7,9 @@ let
base = ou=accounts,o=redbrick
deref = never
scope = subtree
user_attrs =
user_filter = (&(objectclass=posixAccount)(uid=%n)
pass_attrs = uid=user,userPassword=password
user_attrs = uid=user,homeDirectory=home
user_filter = (&(objectclass=posixAccount)(uid=%n))
pass_attrs = uid=user,homeDirectory=home,userPassword=password
pass_filter = (&(objectclass=posixAccount)(uid=%n))
default_pass_scheme = CRYPT
'';
@@ -28,4 +28,11 @@ in pkgs.writeText "dovecot-auth-config" ''
driver = ldap
args = ${ldapConfig}
}

userdb {
driver = ldap
args = ${ldapConfig}
# driver = static
# args = uid=${vmailUserName} gid=${vmailUserName} home=/var/mail/vhosts/%d/%n
}
''
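Review bot: The new `pass_attrs = uid=user,homeDirectory=home,userPassword=password` keeps Dovecot in the mode where it fetches the `userPassword` hash from LDAP and verifies it locally (`default_pass_scheme = CRYPT`), so the DN Dovecot binds with — declared in the lines above this hunk — must be able to read every account's password hash; if that bind is anonymous like the sibling Postfix config (`bind = no`), the hashes are readable by anyone who can reach the directory, and if a `dnpass` is set it lands in a world-readable `/nix/store` path because the file is produced by `pkgs.writeText`. Prefer letting the directory check the password: `auth_bind = yes`, `auth_bind_userdn = uid=%n,ou=accounts,o=redbrick`, and drop `userPassword=password` from `pass_attrs`. Separately, the commented-out static `userdb` lines should either be deleted or carry a one-line note on why the LDAP `homeDirectory` is preferred, since with no `uid`/`gid` in `user_attrs` mail is written as the vmail user into whatever home the directory returns — confirm that is the intended layout.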

+ 20
- 9
services/dovecot/default.nix View File

@@ -4,7 +4,9 @@ let

commonDovecot = import ./variables.nix;

authConfig = import ./auth.nix { inherit common pkgs; };
vmailUserName = "vmail";

authConfig = import ./auth.nix { inherit common pkgs vmailUserName; };
masterConfig = import ./master.nix { inherit common pkgs; };
in {
networking.firewall.allowedTCPPorts = [ 993 common.dovecotSaslPort common.dovecotLmtpPort ];
@@ -17,13 +19,15 @@ in {
enable = true;
enableImap = true;
enableLmtp = true;
enablePAM = false;
showPAMFailure = false;

sslServerCert = "${common.certsDir}/${common.tld}/fullchain.pem";
sslServerKey = "${common.certsDir}/${common.tld}/key.pem";
sslCACert = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";

mailUser = "vmail";
mailGroup = "vmail";
mailUser = vmailUserName;
mailGroup = vmailUserName;

mailLocation = "maildir:~/Maildir:INDEX=/var/mail/indexes/%u";

@@ -42,6 +46,14 @@ in {
}];

extraConfig = ''
# to improve performance, disable fsync globally - we will enable it for
# some specific services later on
mail_fsync = never

auth_verbose = yes

mail_debug = yes

namespace inbox {
separator = /
inbox = yes
@@ -56,15 +68,14 @@ in {

protocol lmtp {
mail_fsync = optimized
mail_plugins = $mail_plugins sieve
mail_plugins = $mail_plugins
}

# require SSL for all non-localhost connections
ssl = required

# require modern crypto - taken from Mozilla's SSL recommendations page
ssl_dh_parameters_length = 2048
ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1 TLSv1.2
ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl_prefer_server_ciphers = yes

@@ -80,12 +91,12 @@ in {

plugin {
# location of users' sieve directory and their "active" sieve script
sieve = file:~/sieve;active=~/.dovecot.sieve
# sieve = file:~/sieve;active=~/.dovecot.sieve

# directory of global sieve scripts to run before and after processing ALL
# incoming mail
sieve_before = /usr/local/etc/dovecot/sieve-before.d
sieve_after = /usr/local/etc/dovecot/sieve-after.d
# sieve_before = /usr/local/etc/dovecot/sieve-before.d
# sieve_after = /usr/local/etc/dovecot/sieve-after.d

# make sieve aware of user+tag@domain.tld aliases
recipient_delimiter = +
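Review bot: `mail_debug = yes`, added to `extraConfig` in the `@@ -42,6 +46,14 @@` hunk, enables per-operation debug logging of every user's mailbox access on a multi-user host; it is a troubleshooting switch rather than a production setting and will flood the journal. If it is needed for the current bring-up, mark it `mail_debug = yes  # TODO: remove before production` or drop it now; `auth_verbose = yes` on its own is a reasonable permanent setting, as it only records failed authentications with the attempted username (and `auth_debug_passwords` is not set, so credentials stay out of the log). Also, sieve was taken out of `protocol lmtp { mail_plugins }` and its plugin settings are commented out, but `recipient_delimiter = +` remains — harmless, though a short `# kept for when sieve is re-enabled` would make the intent clear.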


+ 4
- 4
services/postfix/default.nix View File

@@ -8,12 +8,12 @@ let
bind = no
'';

virtualMailboxMaps = pkgs.writeText "virt-mailbox-maps" ldapCommon + ''
virtualMailboxMaps = pkgs.writeText "virt-mailbox-maps" (ldapCommon + ''
search_base = ou=accounts,o=redbrick
query_filter = (&(objectClass=posixAccount)(uid=%u))
result_attribute = uid
result_format = %s@${common.tld}
'';
'');

commonRestrictions = [
"permit_mynetworks" "permit_sasl_authenticated"
@@ -60,8 +60,8 @@ in {
# http://www.postfix.org/BASIC_CONFIGURATION_README.html#proxy_interfaces
proxy_interfaces = "136.206.15.5";

virtual_mailbox_domains = "static:${common.tld}";
virtual_mailbox_maps = "ldap:${virtualMailboxMaps}";
virtual_mailbox_domains = "${common.tld}";
virtual_mailbox_maps = "hash:/var/lib/postfix/aliases";
# virtual_alias_maps = "ldap:" ++ ./ldap-virtual-alias-maps.cf;

# Generate own DHParams
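Review bot: `virtual_mailbox_maps = "hash:/var/lib/postfix/aliases"` points Postfix at a map that nothing in this module creates or postmaps, so which recipients at `${common.tld}` are accepted now depends on a hand-maintained file on the host — if it is missing or stale, deliveries are rejected with "User unknown in virtual mailbox table", and a removed account keeps receiving mail until someone edits the file. The LDAP table `virtualMailboxMaps` that this same commit repairs at the top of the file (the parenthesised `ldapCommon + ''…''`) is no longer referenced and becomes dead code. Either reinstate `virtual_mailbox_maps = "ldap:${virtualMailboxMaps}";`, or declare the map through NixOS so it is built and postmapped from the configuration, e.g. `services.postfix.mapFiles."virtual-mailboxes" = pkgs.writeText "virtual-mailboxes" ''…'';` with `virtual_mailbox_maps = "hash:/var/lib/postfix/conf/virtual-mailboxes";` (`mapFiles` is the option name as I recall it; confirm against the module). The `config` attribute set this hunk belongs to continues outside the hunk.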

