From e65eff5cac1c45cbe430b886496e6dbfc1381020 Mon Sep 17 00:00:00 2001 From: Alejandro Soto Date: Sat, 27 Jul 2024 22:38:28 -0600 Subject: sys/mta: implement mTLS submission --- sys/mta/default.nix | 73 ++++++++++++++++++++++++++++++++--------------------- 1 file changed, 44 insertions(+), 29 deletions(-) (limited to 'sys/mta/default.nix') diff --git a/sys/mta/default.nix b/sys/mta/default.nix index 8c261e7..de91dc4 100644 --- a/sys/mta/default.nix +++ b/sys/mta/default.nix @@ -48,7 +48,6 @@ in { enable = true; enableSmtp = true; - enableSubmission = true; enableSubmissions = true; inherit domain; @@ -65,12 +64,10 @@ in # También es postmaster rootAlias = config.local.sysadmin; - extraAliases = concatStrings + extraAliases = concatLines (flatten (mapAttrsToList (name: user: map - (alias: '' - ${alias}: ${name} - '') + (alias: "${alias}: ${name}") user.hardAliases) users)); 
@@ -78,43 +75,43 @@ in (user: "${user}@${domain}") (attrNames (users // virtual.${domain}.users)); - virtual = concatStrings (flatten (mapAttrsToList + virtual = concatLines (flatten (mapAttrsToList (name: virtual: mapAttrsToList - (alias: targets: '' - ${alias}@${name} ${concatStringsSep ", " targets} - '') + (alias: targets: "${alias}@${name} ${concatStringsSep ", " targets}") virtual.aliases) virtual)); mapFiles = { + sender_ccerts = + pkgs.writeText "postfix-sender_ccerts" + (concatLines (flatten (mapAttrsToList + (username: user: map + (alias: "${alias}@${domain} CCERTS ${concatStringsSep "," (map (certPath: config.local.pki.byPath.${certPath}.fingerprint.sha256) user.mail.certs)}") + ([ username ] ++ user.hardAliases)) + (filterAttrs (_: user: user.mail.certs != [ ]) users)))); + sender_login = pkgs.writeText "postfix-sender_login" - (concatStrings (flatten (mapAttrsToList + (concatLines (flatten (mapAttrsToList (username: user: map - (alias: '' - ${alias}@${domain} ${username} - '') + (alias: "${alias}@${domain} ${username}") ([ username ] ++ user.hardAliases)) users))); virtual_recipients = - pkgs.writeText "postfix-virtual-recipients" - (concatStrings (flatten (mapAttrsToList + pkgs.writeText "postfix-virtual_recipients" + (concatLines (flatten (mapAttrsToList (virtualDomain: virtual: mapAttrsToList # El lado derecho de esta tabla debe existir pero nunca se usa - (username: _: '' - ${username}@${virtualDomain} foo - '') + (username: _: "${username}@${virtualDomain} foo") virtual.users) virtualDomains))); virtual_rules = - pkgs.writeText "postfix-virtual-rules" - (concatStrings (flatten (mapAttrsToList + pkgs.writeText "postfix-virtual_rules" + (concatLines (flatten (mapAttrsToList (name: virtual: map - (rule: '' - /^${rule.pattern}@${name}$/ ${concatStringsSep ", " rule.targets} - '') + (rule: "/^${rule.pattern}@${name}$/ ${concatStringsSep ", " rule.targets}") virtual.rules) virtual))); }; 
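Review bot: The new `sender_ccerts` table returns `CCERTS <fp>,<fp>` from `check_sender_access`, which is not an access(5) action I recognise; if the Postfix build in use does not implement it, the lookup cannot permit a cert-authenticated sender and the following `reject_sender_login_mismatch` (no SASL login on a ccert-only session) rejects the mail, so the intended semantics deserve a comment beside the map, e.g. `# CCERTS: client must present one of these fingerprints (non-standard access result)`. The map values are SHA-256 fingerprints (`fingerprint.sha256`), while the digest Postfix uses for the presented certificate is `smtpd_tls_fingerprint_digest`, which is md5 at compatibility levels below 3.6; pinning `smtpd_tls_fingerprint_digest = "sha256";` in the config keeps the comparison independent of compatibility_level. Since every `hardAliases` entry is a separate key, a cert revoked by removing it from `user.mail.certs` disappears from all keys at once, which is the property this table relies on and is worth stating in the same comment. The `mapFiles` attrset ends inside this hunk; the surrounding `services.postfix` definition starts before it.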
@@ -133,16 +130,28 @@ in local_transport = mdaTransport; virtual_transport = mdaTransport; - smtpd_sasl_auth_enable = true; smtpd_sasl_type = "dovecot"; smtpd_sasl_path = "inet:${cfg.mdaAddr}:${toString cfg.saslPort}"; - smtpd_sasl_tls_security_options = [ "noanonymous" ]; + smtpd_sasl_local_domain = "$mydomain"; + smtpd_sasl_security_options = [ "noanonymous" ]; smtpd_tls_auth_only = true; - smtpd_tls_dh1024_param_file = config.security.dhparams.params.postfix.path; + # Nota: smtpd_tls_dh1024_param_file fue deprecado en 3.9 + + smtpd_tls_CAfile = "${config.local.pki.ca.mail.fullchain}"; + smtpd_tls_ccert_verifydepth = "1"; + tls_append_default_CA = false; # Crítico + + # Inventado, no es parámetro de postfix + local_submission_client_restrictions = [ + "permit_tls_all_clientcerts" + "permit_sasl_authenticated" + "reject" + ]; smtpd_relay_restrictions = [ "permit_mynetworks" + "permit_tls_all_clientcerts" "permit_sasl_authenticated" "reject_unauth_destination" ]; @@ -150,19 +159,25 @@ in smtpd_sender_login_maps = [ "hash:/etc/postfix/sender_login" ]; smtpd_sender_restrictions = [ - "permit_mynetworks" + "check_sender_access hash:/etc/postfix/sender_ccerts" "reject_sender_login_mismatch" - "permit_sasl_authenticated" ]; smtpd_milters = "unix:/run/opendkim/opendkim.sock"; non_smtpd_milters = "$smtpd_milters"; milter_default_action = "accept"; }; + + # Importante: existe submissionOptions por aparte, no son iguales + submissionsOptions = { + smtpd_client_restrictions = "$local_submission_client_restrictions"; + smtpd_sasl_auth_enable = "yes"; + smtpd_tls_ask_ccert = "yes"; + smtpd_tls_security_level = "encrypt"; + }; }; }; - security.dhparams.params.postfix = { }; networking.firewall.allowedTCPPorts = [ 25 465 ]; local = { -- cgit v1.2.3
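Review bot: `permit_tls_all_clientcerts` is added to the global `smtpd_relay_restrictions`, so relay is granted to every unexpired certificate that chains to `smtpd_tls_CAfile`, and as far as I know Postfix consults no CRL for client certificates, so a leaked client certificate keeps relay access until it expires. The restriction is inert on port 25 only because `smtpd_tls_ask_ccert` is set solely in `submissionsOptions`; if ccerts are ever requested on the plain smtpd, or if the `mail` CA also issues server certificates, those certificates relay as well. Consider scoping the grant to the 465 listener by overriding `smtpd_relay_restrictions` inside `submissionsOptions`, or replacing it with `permit_tls_clientcerts` plus a `relay_clientcerts` fingerprint table built from the same `user.mail.certs` data, which is revocable by deleting an entry. The `# Crítico` on `tls_append_default_CA = false` could state the reason: `# without this, any certificate from a public CA would satisfy permit_tls_all_clientcerts`. The `config` attrset this hunk edits begins before and continues after the hunk.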
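Review bot: Moving `smtpd_sasl_auth_enable` out of main.cf into `submissionsOptions` means port 25 no longer offers AUTH, and dropping `permit_mynetworks` from `smtpd_sender_restrictions` means hosts in `mynetworks` now also face `reject_sender_login_mismatch`; both look deliberate but neither is explained, so I would add above the list `# AUTH only on 465; on port 25 nobody is logged in, so any MAIL FROM owned in sender_login is rejected (anti-spoofing)`. If any local process submits over port 25 with a user's address as sender (presumably mdaTransport bounces or cron mail), it is now rejected by that check, so confirm that path uses 465 or an unowned sender. With `smtpd_tls_ask_ccert = "yes"` rather than a required ccert, a client presenting an untrusted certificate still negotiates TLS and is then stopped only by `local_submission_client_restrictions`' final `reject`, which is correct but worth a one-line comment since the `reject` is what makes the scheme closed. The enclosing `config`/`submissionsOptions` definitions extend outside this hunk.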