authorAlejandro Soto <alejandro@34project.org>2024-07-27 22:38:28 -0600
committerAlejandro Soto <alejandro@34project.org>2024-07-27 22:38:28 -0600
commite65eff5cac1c45cbe430b886496e6dbfc1381020 (patch)
tree4715b7b8b7fd54a24a0f65dc9344738b300e399f /sys/mta/default.nix
parent6f204b0c66fe192e87b7fbf2eeb9908681e353f9 (diff)
sys/mta: implement mTLS submission
Diffstat (limited to '')
-rw-r--r--sys/mta/default.nix73
1 files changed, 44 insertions, 29 deletions
diff --git a/sys/mta/default.nix b/sys/mta/default.nix
index 8c261e7..de91dc4 100644
--- a/sys/mta/default.nix
+++ b/sys/mta/default.nix
@@ -48,7 +48,6 @@ in
{
enable = true;
enableSmtp = true;
- enableSubmission = true;
enableSubmissions = true;
inherit domain;
@@ -65,12 +64,10 @@ in
# También es postmaster
rootAlias = config.local.sysadmin;
- extraAliases = concatStrings
+ extraAliases = concatLines
(flatten (mapAttrsToList
(name: user: map
- (alias: ''
- ${alias}: ${name}
- '')
+ (alias: "${alias}: ${name}")
user.hardAliases)
users));
@@ -78,43 +75,43 @@ in
(user: "${user}@${domain}")
(attrNames (users // virtual.${domain}.users));
- virtual = concatStrings (flatten (mapAttrsToList
+ virtual = concatLines (flatten (mapAttrsToList
(name: virtual: mapAttrsToList
- (alias: targets: ''
- ${alias}@${name} ${concatStringsSep ", " targets}
- '')
+ (alias: targets: "${alias}@${name} ${concatStringsSep ", " targets}")
virtual.aliases)
virtual));
mapFiles = {
+ sender_ccerts =
+ pkgs.writeText "postfix-sender_ccerts"
+ (concatLines (flatten (mapAttrsToList
+ (username: user: map
+ (alias: "${alias}@${domain} CCERTS ${concatStringsSep "," (map (certPath: config.local.pki.byPath.${certPath}.fingerprint.sha256) user.mail.certs)}")
+ ([ username ] ++ user.hardAliases))
+ (filterAttrs (_: user: user.mail.certs != [ ]) users))));
+
sender_login =
pkgs.writeText "postfix-sender_login"
- (concatStrings (flatten (mapAttrsToList
+ (concatLines (flatten (mapAttrsToList
(username: user: map
- (alias: ''
- ${alias}@${domain} ${username}
- '')
+ (alias: "${alias}@${domain} ${username}")
([ username ] ++ user.hardAliases))
users)));
virtual_recipients =
- pkgs.writeText "postfix-virtual-recipients"
- (concatStrings (flatten (mapAttrsToList
+ pkgs.writeText "postfix-virtual_recipients"
+ (concatLines (flatten (mapAttrsToList
(virtualDomain: virtual: mapAttrsToList
# El lado derecho de esta tabla debe existir pero nunca se usa
- (username: _: ''
- ${username}@${virtualDomain} foo
- '')
+ (username: _: "${username}@${virtualDomain} foo")
virtual.users)
virtualDomains)));
virtual_rules =
- pkgs.writeText "postfix-virtual-rules"
- (concatStrings (flatten (mapAttrsToList
+ pkgs.writeText "postfix-virtual_rules"
+ (concatLines (flatten (mapAttrsToList
(name: virtual: map
- (rule: ''
- /^${rule.pattern}@${name}$/ ${concatStringsSep ", " rule.targets}
- '')
+ (rule: "/^${rule.pattern}@${name}$/ ${concatStringsSep ", " rule.targets}")
virtual.rules)
virtual)));
};
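Review bot: The new `sender_ccerts` map writes `fingerprint.sha256` values, but Postfix compares client-certificate fingerprints with the digest named by `smtpd_tls_fingerprint_digest`, whose default changed from md5 to sha256 in Postfix 3.6, and this change pins it nowhere. Add `smtpd_tls_fingerprint_digest = "sha256";` beside the other `smtpd_tls_*` settings so a different Postfix default cannot silently turn every entry into a non-match. The right-hand action `CCERTS` is not one I recognise from stock access(5); if it is interpreted by a local patch or policy service, a one-line comment on the map saying where would spare the next reader a search. The enclosing `mapFiles`/config attribute set begins before this hunk.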
@@ -133,16 +130,28 @@ in
local_transport = mdaTransport;
virtual_transport = mdaTransport;
- smtpd_sasl_auth_enable = true;
smtpd_sasl_type = "dovecot";
smtpd_sasl_path = "inet:${cfg.mdaAddr}:${toString cfg.saslPort}";
- smtpd_sasl_tls_security_options = [ "noanonymous" ];
+ smtpd_sasl_local_domain = "$mydomain";
+ smtpd_sasl_security_options = [ "noanonymous" ];
smtpd_tls_auth_only = true;
- smtpd_tls_dh1024_param_file = config.security.dhparams.params.postfix.path;
+ # Nota: smtpd_tls_dh1024_param_file fue deprecado en 3.9
+
+ smtpd_tls_CAfile = "${config.local.pki.ca.mail.fullchain}";
+ smtpd_tls_ccert_verifydepth = "1";
+ tls_append_default_CA = false; # Crítico
+
+ # Inventado, no es parámetro de postfix
+ local_submission_client_restrictions = [
+ "permit_tls_all_clientcerts"
+ "permit_sasl_authenticated"
+ "reject"
+ ];
smtpd_relay_restrictions = [
"permit_mynetworks"
+ "permit_tls_all_clientcerts"
"permit_sasl_authenticated"
"reject_unauth_destination"
];
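Review bot: `permit_tls_all_clientcerts` in `smtpd_relay_restrictions` (and in `local_submission_client_restrictions` above) grants relay to any certificate that verifies against `smtpd_tls_CAfile`, independent of the per-user allow-list built into sender_ccerts, so every certificate the mail CA has issued becomes a relay credential; this is only safe if that CA issues certificates for submission clients and nothing else, which the page does not show. If per-identity mTLS is the intent, `permit_tls_clientcerts` with a `relay_clientcerts` map keyed by the allowed fingerprints restricts relay to the listed certificates. The guard should be documented either way, e.g. `# Cualquier cert emitido por la CA "mail" puede hacer relay: la CA debe ser exclusiva para clientes de envío`. Since these restrictions live in the main config they also apply to the port-25 smtpd, where the permit presumably stays inert because `smtpd_tls_ask_ccert` is only enabled in submissionsOptions; worth confirming rather than relying on it.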
@@ -150,19 +159,25 @@ in
smtpd_sender_login_maps = [ "hash:/etc/postfix/sender_login" ];
smtpd_sender_restrictions = [
- "permit_mynetworks"
+ "check_sender_access hash:/etc/postfix/sender_ccerts"
"reject_sender_login_mismatch"
- "permit_sasl_authenticated"
];
smtpd_milters = "unix:/run/opendkim/opendkim.sock";
non_smtpd_milters = "$smtpd_milters";
milter_default_action = "accept";
};
+
+ # Importante: existe submissionOptions por aparte, no son iguales
+ submissionsOptions = {
+ smtpd_client_restrictions = "$local_submission_client_restrictions";
+ smtpd_sasl_auth_enable = "yes";
+ smtpd_tls_ask_ccert = "yes";
+ smtpd_tls_security_level = "encrypt";
+ };
};
};
- security.dhparams.params.postfix = { };
networking.firewall.allowedTCPPorts = [ 25 465 ];
local = {