From 9596e0e75c6a49083167ef6e2edca9cc448695e1 Mon Sep 17 00:00:00 2001
From: Alejandro Soto
Date: Sat, 11 Feb 2023 19:14:07 -0600
Subject: env/users: implement mail client certificates
---
env/users/mailbox.nix | 96 +++++++++++++++++++++++++++++++++++++++++++++------
1 file changed, 86 insertions(+), 10 deletions(-)
(limited to 'env/users/mailbox.nix')
diff --git a/env/users/mailbox.nix b/env/users/mailbox.nix
index 9fe460e..8b2c4b2 100644
--- a/env/users/mailbox.nix
+++ b/env/users/mailbox.nix
@@ -56,19 +56,75 @@ in ${username}:::::::user=${canonical} nopassword userdb_user=${canonical} ''; - localEntries = concatStrings - (flatten (mapAttrsToList + localMailboxes = + pkgs.writeText "local-mailboxes" + (concatStrings + (flatten (mapAttrsToList + (canonical: user: + map (localEntry canonical) ([ canonical ] ++ user.hardAliases)) + cfg.users))); + + localCerts = + flatten (mapAttrsToList (canonical: user: - map (localEntry canonical) ([ canonical ] ++ user.hardAliases)) - cfg.users)); - - localMailboxes = pkgs.writeText "local-mailboxes" localEntries; + let + certNames = { + inherit canonical; + logins = [ canonical ] ++ user.hardAliases; + }; + in + map (flip nameValuePair certNames) user.mail.certs) + cfg.users); + + vmailCerts = + flatten (flatten (mapAttrsToList + (domain: virtual: mapAttrsToList + (username: user: + let + address = "${username}@${domain}"; + + certNames = { + canonical = address; + logins = [ address ]; + }; + in + map (flip nameValuePair certNames) user.mail.certs) + virtual.users) + cfg.virtual)); + + certLogins = + pkgs.writeText "cert-logins" + (concatStrings (flatten (mapAttrsToList + (uuid: names: map + (addr: '' + ${uuid}.mail-client@nodomain,${addr}:::::::user=${names.canonical} + '') + names.logins) + (listToAttrs (localCerts ++ vmailCerts))))); vmailPath = "/var/lib/vmail/%{if;%d;ne;;%Ld;${domain}}"; in '' auth_mechanisms = plain login external + #TODO: automatizar implantación de archivo de CA + + # Orden de concatenación de mail-fullchain-crl.crt: + # - Issuing CA cert + # - Issuing CA CRL + # - Intermediate CA cert + # - Intermediate CA CRL + # - Root CA cert + # - Root CA CRL + ssl_ca =