{tv 2 => krebs 3} exim-smarthost

This commit is contained in:
tv 2015-08-14 15:48:17 +02:00
parent cc1baf4d38
commit e8825282a6
4 changed files with 273 additions and 476 deletions

View File

@ -7,6 +7,7 @@ let
out = { out = {
imports = [ imports = [
./exim-retiolum.nix ./exim-retiolum.nix
./exim-smarthost.nix
./github-hosts-sync.nix ./github-hosts-sync.nix
./git.nix ./git.nix
./nginx.nix ./nginx.nix

View File

@ -0,0 +1,219 @@
{ config, pkgs, lib, ... }:
with builtins;
with lib;
let
cfg = config.krebs.exim-smarthost;
out = {
options.krebs.exim-smarthost = api;
config = mkIf cfg.enable imp;
};
api = {
enable = mkEnableOption "krebs.exim-smarthost";
internet-aliases = mkOption {
type = types.listOf (types.submodule ({
options = {
from = mkOption {
type = types.str; # TODO e-mail address
};
to = mkOption {
type = types.str; # TODO e-mail address / TODO listOf
};
};
}));
};
relay_from_hosts = mkOption {
type = with types; listOf str;
default = [];
};
primary_hostname = mkOption {
type = types.str;
default = "${config.networking.hostName}.retiolum";
};
sender_domains = mkOption {
type = with types; listOf str;
default = [];
};
system-aliases = mkOption {
type = types.listOf (types.submodule ({
options = {
from = mkOption {
type = types.str; # TODO e-mail address
};
to = mkOption {
type = types.str; # TODO e-mail address / TODO listOf
};
};
}));
};
};
imp = {
services.exim = {
enable = true;
config = ''
primary_hostname = ${cfg.primary_hostname}
# HOST_REDIR contains the real destinations for "local_domains".
#HOST_REDIR = /etc/exim4/host_redirect
# Domains not listed in local_domains need to be deliverable remotely.
# XXX We abuse local_domains to mean "domains, we're the gateway for".
domainlist local_domains = @ : localhost
domainlist relay_to_domains =
hostlist relay_from_hosts = <;${concatStringsSep ";" (
[
"127.0.0.1"
"::1"
]
++
cfg.relay_from_hosts
)}
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
never_users = root
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 5s
log_selector = -queue_run +address_rewrite +all_parents +queue_time
log_file_path = syslog
syslog_timestamp = false
syslog_duplication = false
begin acl
acl_check_rcpt:
accept hosts = :
control = dkim_disable_verify
deny message = Restricted characters in address
domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
deny message = Restricted characters in address
domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
accept local_parts = postmaster
domains = +local_domains
accept hosts = +relay_from_hosts
control = submission
control = dkim_disable_verify
accept authenticated = *
control = submission
control = dkim_disable_verify
accept message = relay not permitted 2
recipients = lsearch;${lsearch.internet-aliases}
require message = relay not permitted
domains = +local_domains : +relay_to_domains
require
message = unknown user
verify = recipient/callout
accept
acl_check_data:
warn
sender_domains = ${concatStringsSep ":" cfg.sender_domains}
set acl_m_special_dom = $sender_address_domain
accept
begin routers
# feature RETIOLUM_MAIL
retiolum:
debug_print = "R: retiolum for $local_part@$domain"
driver = manualroute
domains = ! ${cfg.primary_hostname} : *.retiolum
transport = retiolum_smtp
route_list = ^.* $0 byname
no_more
internet_aliases:
debug_print = "R: internet_aliases for $local_part@$domain"
driver = redirect
data = ''${lookup{$local_part@$domain}lsearch{${lsearch.internet-aliases}}}
dnslookup:
debug_print = "R: dnslookup for $local_part@$domain"
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more
system_aliases:
debug_print = "R: system_aliases for $local_part@$domain"
driver = redirect
data = ''${lookup{$local_part}lsearch{${lsearch.system-aliases}}}
local_user:
debug_print = "R: local_user for $local_part@$domain"
driver = accept
check_local_user
transport = home_maildir
cannot_route_message = Unknown user
begin transports
retiolum_smtp:
driver = smtp
retry_include_ip_address = false
remote_smtp:
driver = smtp
helo_data = ''${if eq{$acl_m_special_dom}{} \
{$primary_hostname} \
{$acl_m_special_dom} }
home_maildir:
driver = appendfile
maildir_format
maildir_use_size_file
directory = $home/Mail
directory_mode = 0700
delivery_date_add
envelope_to_add
return_path_add
begin retry
*.retiolum * F,42d,1m
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
begin rewrite
begin authenticators
'';
};
};
lsearch = mapAttrs (name: set: toFile name (to-lsearch set)) {
inherit (cfg) internet-aliases;
inherit (cfg) system-aliases;
};
to-lsearch = concatMapStringsSep "\n" ({ from, to, ... }: "${from}: ${to}");
in
out

View File

@ -30,7 +30,6 @@ in
../2configs/CAC-CentOS-7-64bit.nix ../2configs/CAC-CentOS-7-64bit.nix
../2configs/base.nix ../2configs/base.nix
../2configs/consul-server.nix ../2configs/consul-server.nix
../2configs/exim-smarthost.nix
../2configs/git.nix ../2configs/git.nix
{ {
imports = [ ../2configs/charybdis.nix ]; imports = [ ../2configs/charybdis.nix ];
@ -45,6 +44,59 @@ in
hosts = [ "jabber.viljetic.de" ]; hosts = [ "jabber.viljetic.de" ];
}; };
} }
{
krebs.exim-smarthost = {
enable = true;
primary_hostname = "${config.networking.hostName}.retiolum";
sender_domains = [
"shackspace.de"
"viljetic.de"
];
relay_from_hosts = [
"10.243.13.37"
];
internet-aliases = with config.krebs.users; [
{ from = "tomislav@viljetic.de"; to = tv.mail; }
# (mindestens) lisp-stammtisch und elli haben die:
{ from = "tv@viljetic.de"; to = tv.mail; }
{ from = "tv@destroy.dyn.shackspace.de"; to = tv.mail; }
{ from = "mirko@viljetic.de"; to = mv.mail; }
# TODO killme (wo wird die benutzt?)
{ from = "tv@cd.retiolum"; to = tv.mail; }
# TODO lists@smtp.retiolum [consul]
{ from = "postmaster@krebsco.de"; to = tv.mail; }
{ from = "spam@krebsco.de";
to = pkgs.lib.concatStringsSep "," [
tv.mail
lass.mail
makefu.mail
];
}
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }
{ from = "postmaster"; to = "root"; }
{ from = "nobody"; to = "root"; }
{ from = "hostmaster"; to = "root"; }
{ from = "usenet"; to = "root"; }
{ from = "news"; to = "root"; }
{ from = "webmaster"; to = "root"; }
{ from = "www"; to = "root"; }
{ from = "ftp"; to = "root"; }
{ from = "abuse"; to = "root"; }
{ from = "noc"; to = "root"; }
{ from = "security"; to = "root"; }
{ from = "root"; to = "tv"; }
{ from = "mirko"; to = "mv"; }
];
};
}
{ {
krebs.github-hosts-sync.enable = true; krebs.github-hosts-sync.enable = true;
tv.iptables.input-internet-accept-new-tcp = tv.iptables.input-internet-accept-new-tcp =

View File

@ -1,475 +0,0 @@
{ config, pkgs, ... }:
let
inherit (builtins) toFile;
inherit (pkgs.lib.attrsets) mapAttrs;
inherit (pkgs.lib.strings) concatMapStringsSep;
in
{
services.exim =
let
retiolumHostname = "${config.networking.hostName}.retiolum";
internet-aliases = with config.krebs.users; [
{ from = "tomislav@viljetic.de"; to = tv.mail; }
# (mindestens) lisp-stammtisch und elli haben die:
{ from = "tv@viljetic.de"; to = tv.mail; }
{ from = "tv@destroy.dyn.shackspace.de"; to = tv.mail; }
{ from = "mirko@viljetic.de"; to = mv.mail; }
# TODO killme (wo wird die benutzt?)
{ from = "tv@cd.retiolum"; to = tv.mail; }
# TODO lists@smtp.retiolum [consul]
{ from = "postmaster@krebsco.de"; to = tv.mail; }
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }
{ from = "postmaster"; to = "root"; }
{ from = "nobody"; to = "root"; }
{ from = "hostmaster"; to = "root"; }
{ from = "usenet"; to = "root"; }
{ from = "news"; to = "root"; }
{ from = "webmaster"; to = "root"; }
{ from = "www"; to = "root"; }
{ from = "ftp"; to = "root"; }
{ from = "abuse"; to = "root"; }
{ from = "noc"; to = "root"; }
{ from = "security"; to = "root"; }
{ from = "root"; to = "tv"; }
{ from = "mirko"; to = "mv"; }
];
to-lsearch = concatMapStringsSep "\n" ({ from, to }: "${from}: ${to}");
lsearch =
mapAttrs (name: set: toFile name (to-lsearch set)) {
inherit internet-aliases;
inherit system-aliases;
};
in
{
enable = true;
config =
''
primary_hostname = ${retiolumHostname}
# HOST_REDIR contains the real destinations for "local_domains".
#HOST_REDIR = /etc/exim4/host_redirect
# Domains not listed in local_domains need to be deliverable remotely.
# XXX We abuse local_domains to mean "domains, we're the gateway for".
domainlist local_domains = @ : localhost
#: viljetic.de : SHACK_REDIR_HOSTNAME
domainlist relay_to_domains =
hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 ; 10.243.13.37
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
# av_scanner = clamd:/tmp/clamd
# spamd_address = 127.0.0.1 783
# tls_advertise_hosts = *
# tls_certificate = /etc/ssl/exim.crt
# tls_privatekey = /etc/ssl/exim.pem
# (debian) tls_verify_certificates (to check client certs)
# daemon_smtp_ports = 25 : 465 : 587
# tls_on_connect_ports = 465
# qualify_domain defaults to primary_hostname
# qualify_recipient defaults to qualify_domain
# allow_domain_literals
never_users = root
host_lookup = *
# ident callbacks for all incoming SMTP calls
rfc1413_hosts = *
rfc1413_query_timeout = 5s
# sender_unqualified_hosts =
# recipient_unqualified_hosts =
# percent_hack_domains =
# arch & debian
#ignore_bounce_errors_after = 2d
#timeout_frozen_after = 7d
# debian
#smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full
#freeze_tell = postmaster
#trusted_users = uucp
# arch
#split_spool_directory = true
log_selector = -queue_run +address_rewrite +all_parents +queue_time
log_file_path = syslog
syslog_timestamp = false
syslog_duplication = false
begin acl
acl_check_rcpt:
# Accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
accept hosts = :
# arch & debian:
control = dkim_disable_verify
deny message = Restricted characters in address
domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
deny message = Restricted characters in address
domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
accept local_parts = postmaster
domains = +local_domains
## feature RETIOLUM_MAIL
#accept
# hosts = *.retiolum
# domains = *.retiolum
# control = dkim_disable_verify
#require verify = sender
accept hosts = +relay_from_hosts
control = submission
# debian: control = submission/sender_retain
# arch & debian:
control = dkim_disable_verify
accept authenticated = *
control = submission
control = dkim_disable_verify
accept message = relay not permitted 2
recipients = lsearch;${lsearch.internet-aliases}
require message = relay not permitted
domains = +local_domains : +relay_to_domains
require
message = unknown user
verify = recipient/callout
# deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
# dnslists = black.list.example
#
# warn dnslists = black.list.example
# add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain
# log_message = found in $dnslist_domain
# Client SMTP Authorization (csa) checks on the sending host.
# Such checks do DNS lookups for special SRV records.
# require verify = csa
accept
acl_check_data:
# see av_scanner
#deny malware = *
# message = This message contains a virus ($malware_name).
# Add headers to a message if it is judged to be spam. Before enabling this,
# you must install SpamAssassin. You may also need to set the spamd_address
# option above.
#
# warn spam = nobody
# add_header = X-Spam_score: $spam_score\n\
# X-Spam_score_int: $spam_score_int\n\
# X-Spam_bar: $spam_bar\n\
# X-Spam_report: $spam_report
# feature HELO_REWRITE
# XXX note that the public ip (162.219.5.183) resolves to viljetic.de
warn
sender_domains = viljetic.de : shackspace.de
set acl_m_special_dom = $sender_address_domain
accept
begin routers
# feature RETIOLUM_MAIL
retiolum:
debug_print = "R: retiolum for $local_part@$domain"
driver = manualroute
domains = ! ${retiolumHostname} : *.retiolum
transport = retiolum_smtp
route_list = ^.* $0 byname
no_more
internet_aliases:
debug_print = "R: internet_aliases for $local_part@$domain"
driver = redirect
data = ''${lookup{$local_part@$domain}lsearch{${lsearch.internet-aliases}}}
dnslookup:
debug_print = "R: dnslookup for $local_part@$domain"
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
# if ipv6-enabled then instead use:
# ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
# (debian) same_domain_copy_routing = yes
# (debian) ignore private rfc1918 and APIPA addresses
# (debian) ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
# 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
# 255.255.255.255
# Fail and bounce if the router does not find the domain in the DNS.
# I.e. no more routers are tried.
# There are a few cases where a dnslookup router will decline to accept an
# address; if such a router is expected to handle "all remaining non-local
# domains", then it is important to set no_more.
no_more
# XXX this is only used because these "well known aliases" goto tv@cd.retiolum
# TODO bounce everything, there is no @cd.retiolum
system_aliases:
debug_print = "R: system_aliases for $local_part@$domain"
driver = redirect
data = ''${lookup{$local_part}lsearch{${lsearch.system-aliases}}}
# TODO this is only b/c mv here... send mv's mails somewhere else...
local_user:
debug_print = "R: local_user for $local_part@$domain"
driver = accept
check_local_user
# local_part_suffix = +* : -*
# local_part_suffix_optional
transport = home_maildir
cannot_route_message = Unknown user
begin transports
retiolum_smtp:
driver = smtp
retry_include_ip_address = false
# serialize_hosts = TODO-all-slow-hosts
remote_smtp:
driver = smtp
# debian has also stuff for tls, headers_rewrite and more here
# feature HELO_REWRITE
# XXX note that the public ip (162.219.5.183) resolves to viljetic.de
helo_data = ''${if eq{$acl_m_special_dom}{} \
{$primary_hostname} \
{$acl_m_special_dom} }
home_maildir:
driver = appendfile
maildir_format
maildir_use_size_file
directory = $home/Mail
directory_mode = 0700
delivery_date_add
envelope_to_add
return_path_add
begin retry
*.retiolum * F,42d,1m
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
begin rewrite
begin authenticators
'';
# group = mail
# mode = 0660
#address_pipe:
# driver = pipe
# return_output
#
#address_file:
# driver = appendfile
# delivery_date_add
# envelope_to_add
# return_path_add
#
#address_reply:
# driver = autoreply
#maildrop_pipe:
# debug_print = "T: maildrop_pipe for $local_part@$domain"
# driver = pipe
# path = "/bin:/usr/bin:/usr/local/bin"
# command = "/usr/bin/maildrop"
# return_path_add
# delivery_date_add
# envelope_to_add
##begin retry
# Address or Domain Error Retries
# Our host_redirect destinations might be offline a lot.
# TODO define fallback destinations(?)
#lsearch;${lsearch.internet-aliases} * F,42d,1m
## begin rewrite
# just in case (shackspace.de should already do this)
#tv@shackspace.de tv@SHACK_REDIR_HOSTNAME T
## begin authenticators
#PLAIN:
# driver = plaintext
# server_set_id = $auth2
# server_prompts = :
# server_condition = Authentication is not yet configured
# server_advertise_condition = ''${if def:tls_in_cipher }
#LOGIN:
# driver = plaintext
# server_set_id = $auth1
# server_prompts = <| Username: | Password:
# server_condition = Authentication is not yet configured
# server_advertise_condition = ''${if def:tls_in_cipher }
};
}
# config = ''
# primary_hostname = ${retiolumHostname}
# domainlist local_domains = @ : localhost
# domainlist relay_to_domains = *.retiolum
# hostlist relay_from_hosts = <; 127.0.0.1 ; ::1
#
# acl_smtp_rcpt = acl_check_rcpt
# acl_smtp_data = acl_check_data
#
# host_lookup = *
# rfc1413_hosts = *
# rfc1413_query_timeout = 5s
#
# log_file_path = syslog
# syslog_timestamp = false
# syslog_duplication = false
#
# begin acl
#
# acl_check_rcpt:
# accept hosts = :
# control = dkim_disable_verify
#
# deny message = Restricted characters in address
# domains = +local_domains
# local_parts = ^[.] : ^.*[@%!/|]
#
# deny message = Restricted characters in address
# domains = !+local_domains
# local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
#
# accept local_parts = postmaster
# domains = +local_domains
#
# #accept
# # hosts = *.retiolum
# # domains = *.retiolum
# # control = dkim_disable_verify
#
# #require verify = sender
#
# accept hosts = +relay_from_hosts
# control = submission
# control = dkim_disable_verify
#
# accept authenticated = *
# control = submission
# control = dkim_disable_verify
#
# require message = relay not permitted
# domains = +local_domains : +relay_to_domains
#
# require verify = recipient
#
# accept
#
#
# acl_check_data:
# accept
#
#
# begin routers
#
# retiolum:
# driver = manualroute
# domains = ! ${retiolumHostname} : *.retiolum
# transport = remote_smtp
# route_list = ^.* $0 byname
# no_more
#
# nonlocal:
# debug_print = "R: nonlocal for $local_part@$domain"
# driver = redirect
# domains = ! +local_domains
# allow_fail
# data = :fail: Mailing to remote domains not supported
# no_more
#
# local_user:
# # debug_print = "R: local_user for $local_part@$domain"
# driver = accept
# check_local_user
# # local_part_suffix = +* : -*
# # local_part_suffix_optional
# transport = home_maildir
# cannot_route_message = Unknown user
#
#
# begin transports
#
# remote_smtp:
# driver = smtp
#
# home_maildir:
# driver = appendfile
# maildir_format
# directory = $home/Maildir
# directory_mode = 0700
# delivery_date_add
# envelope_to_add
# return_path_add
# # group = mail
# # mode = 0660
#
# begin retry
# *.retiolum * F,42d,1m
# * * F,2h,15m; G,16h,1h,1.5; F,4d,6h
#
# begin rewrite
#
# begin authenticators
# '';
# };
#}