mirror of
https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git
synced 2025-12-25 04:10:52 +01:00
ff9b046f0f
By passing no method to mkpasswd we make it select the strongest cipher that libxcrypt recommends. Replaces the example hashes with yescrypt hashes, which is the current default.
228 lines
7.8 KiB
Nix
228 lines
7.8 KiB
Nix
# nixos-mailserver: a simple mail server
|
|
# Copyright (C) 2016-2018 Robin Raymond
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
|
|
|
{
|
|
pkgs,
|
|
...
|
|
}:
|
|
|
|
let
|
|
sendMail = pkgs.writeTextFile {
|
|
"name" = "send-mail-to-send-only-account";
|
|
"text" = ''
|
|
EHLO mail.example.com
|
|
MAIL FROM: none@example.com
|
|
RCPT TO: send-only@example.com
|
|
QUIT
|
|
'';
|
|
};
|
|
|
|
hashPassword =
|
|
password:
|
|
pkgs.runCommand "password-${password}-hashed"
|
|
{
|
|
buildInputs = [ pkgs.mkpasswd ];
|
|
inherit password;
|
|
}
|
|
''
|
|
mkpasswd -s <<<"$password" > $out
|
|
'';
|
|
|
|
hashedPasswordFile = hashPassword "my-password";
|
|
passwordFile = pkgs.writeText "password" "my-password";
|
|
in
|
|
{
|
|
name = "internal";
|
|
|
|
nodes = {
|
|
machine =
|
|
{ pkgs, ... }:
|
|
{
|
|
imports = [
|
|
./../default.nix
|
|
./lib/config.nix
|
|
];
|
|
|
|
virtualisation.memorySize = 1024;
|
|
|
|
environment.systemPackages = [
|
|
(pkgs.writeScriptBin "mail-check" ''
|
|
${pkgs.python3}/bin/python ${../scripts/mail-check.py} $@
|
|
'')
|
|
]
|
|
++ (with pkgs; [
|
|
curl
|
|
openssl
|
|
netcat
|
|
]);
|
|
|
|
mailserver = {
|
|
enable = true;
|
|
fqdn = "mail.example.com";
|
|
domains = [
|
|
"example.com"
|
|
"domain.com"
|
|
];
|
|
localDnsResolver = false;
|
|
|
|
loginAccounts = {
|
|
"user1@example.com" = {
|
|
hashedPasswordFile = hashedPasswordFile;
|
|
};
|
|
"user2@example.com" = {
|
|
hashedPasswordFile = hashedPasswordFile;
|
|
aliasesRegexp = [ ''/^user2.*@domain\.com$/'' ];
|
|
};
|
|
"send-only@example.com" = {
|
|
hashedPasswordFile = hashPassword "send-only";
|
|
sendOnly = true;
|
|
};
|
|
};
|
|
forwards = {
|
|
# user2@example.com is a local account and its mails are
|
|
# also forwarded to user1@example.com
|
|
"user2@example.com" = "user1@example.com";
|
|
};
|
|
|
|
vmailGroupName = "vmail";
|
|
vmailUID = 5000;
|
|
indexDir = "/var/lib/dovecot/indices";
|
|
|
|
enableImap = false;
|
|
};
|
|
};
|
|
};
|
|
testScript =
|
|
{
|
|
nodes,
|
|
...
|
|
}:
|
|
''
|
|
machine.start()
|
|
machine.wait_for_unit("multi-user.target")
|
|
machine.wait_for_unit("dovecot.service")
|
|
|
|
# Regression test for https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/205
|
|
with subtest("mail forwarded can are locally kept"):
|
|
# A mail sent to user2@example.com via explicit TLS is in the user1@example.com mailbox
|
|
machine.succeed(
|
|
" ".join(
|
|
[
|
|
"mail-check send-and-read",
|
|
"--smtp-port 587",
|
|
"--smtp-starttls",
|
|
"--smtp-host localhost",
|
|
"--imap-host localhost",
|
|
"--imap-username user1@example.com",
|
|
"--from-addr user1@example.com",
|
|
"--to-addr user2@example.com",
|
|
"--src-password-file ${passwordFile}",
|
|
"--dst-password-file ${passwordFile}",
|
|
"--ignore-dkim-spf",
|
|
]
|
|
)
|
|
)
|
|
# A mail sent to user2@example.com via implicit TLS is in the user2@example.com mailbox
|
|
machine.succeed(
|
|
" ".join(
|
|
[
|
|
"mail-check send-and-read",
|
|
"--smtp-port 465",
|
|
"--smtp-ssl",
|
|
"--smtp-host localhost",
|
|
"--imap-host localhost",
|
|
"--imap-username user2@example.com",
|
|
"--from-addr user1@example.com",
|
|
"--to-addr user2@example.com",
|
|
"--src-password-file ${passwordFile}",
|
|
"--dst-password-file ${passwordFile}",
|
|
"--ignore-dkim-spf",
|
|
]
|
|
)
|
|
)
|
|
|
|
with subtest("regex email alias are received"):
|
|
# A mail sent to user2-regex-alias@domain.com via explicit TLS is in the user2@example.com mailbox
|
|
machine.succeed(
|
|
" ".join(
|
|
[
|
|
"mail-check send-and-read",
|
|
"--smtp-port 587",
|
|
"--smtp-starttls",
|
|
"--smtp-host localhost",
|
|
"--imap-host localhost",
|
|
"--imap-username user2@example.com",
|
|
"--from-addr user1@example.com",
|
|
"--to-addr user2-regex-alias@domain.com",
|
|
"--src-password-file ${passwordFile}",
|
|
"--dst-password-file ${passwordFile}",
|
|
"--ignore-dkim-spf",
|
|
]
|
|
)
|
|
)
|
|
|
|
with subtest("user can send from regex email alias"):
|
|
# A mail sent to user1@example.com from user2-regex-alias@domain.com by
|
|
# user2@example.com via implicit TLS is in the user1@example.com mailbox
|
|
machine.succeed(
|
|
" ".join(
|
|
[
|
|
"mail-check send-and-read",
|
|
"--smtp-port 465",
|
|
"--smtp-ssl",
|
|
"--smtp-host localhost",
|
|
"--imap-host localhost",
|
|
"--smtp-username user2@example.com",
|
|
"--from-addr user2-regex-alias@domain.com",
|
|
"--to-addr user1@example.com",
|
|
"--src-password-file ${passwordFile}",
|
|
"--dst-password-file ${passwordFile}",
|
|
"--ignore-dkim-spf",
|
|
]
|
|
)
|
|
)
|
|
|
|
with subtest("vmail gid is set correctly"):
|
|
machine.succeed("getent group vmail | grep 5000")
|
|
|
|
with subtest("Check dovecot maildir and index locations"):
|
|
# If these paths change we need a migration
|
|
machine.succeed("doveadm user -f home user1@example.com | grep ${nodes.machine.mailserver.mailDirectory}/example.com/user1")
|
|
machine.succeed("doveadm user -f mail user1@example.com | grep 'maildir:~/mail:INDEX=${nodes.machine.mailserver.indexDir}/example.com/user1'")
|
|
|
|
with subtest("mail to send only accounts is rejected"):
|
|
machine.wait_for_open_port(25)
|
|
# TODO put this blocking into the systemd units
|
|
machine.wait_until_succeeds(
|
|
"set +e; timeout 1 nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
|
|
)
|
|
machine.succeed(
|
|
"cat ${sendMail} | nc localhost 25 | grep -q '554 5.5.0 Error'"
|
|
)
|
|
|
|
with subtest("rspamd controller serves web ui"):
|
|
machine.succeed(
|
|
"set +o pipefail; curl --unix-socket /run/rspamd/worker-controller.sock http://localhost/ | grep -q '<body>'"
|
|
)
|
|
|
|
with subtest("imap port 143 is closed and imaps is serving SSL"):
|
|
machine.wait_for_closed_port(143)
|
|
machine.wait_for_open_port(993)
|
|
machine.succeed(
|
|
"echo | openssl s_client -connect localhost:993 | grep 'New, TLS'"
|
|
)
|
|
'';
|
|
}
|