author | makefu <makefu@tsp> | 2015-08-14 14:00:18 +0000 |
committer | makefu <makefu@tsp> | 2015-08-14 14:00:18 +0000 |
commit | d35de37b0d2b9d5d567a530726aa01f2ec686bf3 (patch) | |
tree | 8bcccdb27a1c0087668cd9d63bb294e71f4cb79a /krebs/3modules | |
parent | c36ea0e029772649e33a727a9be15986cbb1fed2 (diff) | |
parent | b8b2575d8313cfd0696a121cee1b8738faff6638 (diff) |
Merge remote-tracking branch 'cd/master'
Diffstat (limited to 'krebs/3modules')
-rw-r--r-- | krebs/3modules/default.nix | 10 | ||||
-rw-r--r-- | krebs/3modules/exim-retiolum.nix | 182 | ||||
-rw-r--r-- | krebs/3modules/exim-smarthost.nix | 219 |
3 files changed, 320 insertions, 91 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index d77d00c05..a0d4f0157 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -7,6 +7,7 @@ let out = { imports = [ ./exim-retiolum.nix + ./exim-smarthost.nix ./github-hosts-sync.nix ./git.nix ./nginx.nix @@ -309,9 +310,11 @@ let users = addNames { lass = { pubkey = readFile ../../Zpubkeys/lass.ssh.pub; + mail = "lass@mors.retiolum"; }; uriel = { pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; + mail = "uriel@mors.retiolum"; }; }; }; @@ -455,6 +458,13 @@ let cd = { cores = 2; dc = "tv"; #dc = "cac"; + extraZones = { + "de.krebsco" = '' + mx23 IN A ${elemAt nets.internet.addrs4 0} + cd IN A ${elemAt nets.internet.addrs4 0} + krebsco.de. IN MX 5 mx23 + ''; + }; nets = rec { internet = { addrs4 = ["162.219.7.216"]; diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix index 71c091917..e1315d8c8 100644 --- a/krebs/3modules/exim-retiolum.nix +++ b/krebs/3modules/exim-retiolum.nix @@ -8,11 +8,7 @@ let out = { options.krebs.exim-retiolum = api; config = - # This configuration makes only sense for retiolum-enabled hosts. - # TODO modular configuration - mkIf cfg.enable ( - #assert config.krebs.retiolum.enable; - imp); + mkIf cfg.enable imp; }; api = { 
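Review bot: The new `extraZones` entry for `cd` interpolates `nets.internet.addrs4`, but the visible context line is `cd = {` rather than `cd = rec {`, so `nets` must already be bound in an enclosing scope for this to evaluate; if it is not, the reference fails with an undefined-variable error and the set needs to become `cd = rec {` — confirm against the surrounding definition, which starts outside the hunk. Both the `mx23` and `cd` A records reuse the same `addrs4` element, which is fine, but a one-line comment such as `# mx23 is the MX for krebsco.de and shares cd's public address` next to the zone text would make that intent explicit.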
@@ -20,121 +16,125 @@ let }; imp = { - services.exim = { - enable = true; - config = '' - primary_hostname = ${retiolumHostname} - domainlist local_domains = @ : localhost - domainlist relay_to_domains = *.retiolum - hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 + services.exim = + # This configuration makes only sense for retiolum-enabled hosts. + # TODO modular configuration + assert config.krebs.retiolum.enable; + { + enable = true; + config = '' + primary_hostname = ${retiolumHostname} + domainlist local_domains = @ : localhost + domainlist relay_to_domains = *.retiolum + hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 - acl_smtp_rcpt = acl_check_rcpt - acl_smtp_data = acl_check_data + acl_smtp_rcpt = acl_check_rcpt + acl_smtp_data = acl_check_data - host_lookup = * - rfc1413_hosts = * - rfc1413_query_timeout = 5s + host_lookup = * + rfc1413_hosts = * + rfc1413_query_timeout = 5s - log_file_path = syslog - syslog_timestamp = false - syslog_duplication = false + log_file_path = syslog + syslog_timestamp = false + syslog_duplication = false - begin acl + begin acl - acl_check_rcpt: - accept hosts = : - control = dkim_disable_verify + acl_check_rcpt: + accept hosts = : + control = dkim_disable_verify - deny message = Restricted characters in address - domains = +local_domains - local_parts = ^[.] : ^.*[@%!/|] + deny message = Restricted characters in address + domains = +local_domains + local_parts = ^[.] : ^.*[@%!/|] - deny message = Restricted characters in address - domains = !+local_domains - local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ + deny message = Restricted characters in address + domains = !+local_domains + local_parts = ^[./|] : ^.*[@%!] 
: ^.*/\\.\\./ - accept local_parts = postmaster - domains = +local_domains + accept local_parts = postmaster + domains = +local_domains - #accept - # hosts = *.retiolum - # domains = *.retiolum - # control = dkim_disable_verify + #accept + # hosts = *.retiolum + # domains = *.retiolum + # control = dkim_disable_verify - #require verify = sender + #require verify = sender - accept hosts = +relay_from_hosts - control = submission - control = dkim_disable_verify + accept hosts = +relay_from_hosts + control = submission + control = dkim_disable_verify - accept authenticated = * - control = submission - control = dkim_disable_verify + accept authenticated = * + control = submission + control = dkim_disable_verify - require message = relay not permitted - domains = +local_domains : +relay_to_domains + require message = relay not permitted + domains = +local_domains : +relay_to_domains - require verify = recipient + require verify = recipient - accept + accept - acl_check_data: - accept + acl_check_data: + accept - begin routers + begin routers - retiolum: - driver = manualroute - domains = ! ${retiolumHostname} : *.retiolum - transport = remote_smtp - route_list = ^.* $0 byname - no_more + retiolum: + driver = manualroute + domains = ! ${retiolumHostname} : *.retiolum + transport = remote_smtp + route_list = ^.* $0 byname + no_more - nonlocal: - debug_print = "R: nonlocal for $local_part@$domain" - driver = redirect - domains = ! +local_domains - allow_fail - data = :fail: Mailing to remote domains not supported - no_more + nonlocal: + debug_print = "R: nonlocal for $local_part@$domain" + driver = redirect + domains = ! 
+local_domains + allow_fail + data = :fail: Mailing to remote domains not supported + no_more - local_user: - # debug_print = "R: local_user for $local_part@$domain" - driver = accept - check_local_user - # local_part_suffix = +* : -* - # local_part_suffix_optional - transport = home_maildir - cannot_route_message = Unknown user + local_user: + # debug_print = "R: local_user for $local_part@$domain" + driver = accept + check_local_user + # local_part_suffix = +* : -* + # local_part_suffix_optional + transport = home_maildir + cannot_route_message = Unknown user - begin transports + begin transports - remote_smtp: - driver = smtp + remote_smtp: + driver = smtp - home_maildir: - driver = appendfile - maildir_format - directory = $home/Maildir - directory_mode = 0700 - delivery_date_add - envelope_to_add - return_path_add - # group = mail - # mode = 0660 + home_maildir: + driver = appendfile + maildir_format + directory = $home/Maildir + directory_mode = 0700 + delivery_date_add + envelope_to_add + return_path_add + # group = mail + # mode = 0660 - begin retry - *.retiolum * F,42d,1m - * * F,2h,15m; G,16h,1h,1.5; F,4d,6h + begin retry + *.retiolum * F,42d,1m + * * F,2h,15m; G,16h,1h,1.5; F,4d,6h - begin rewrite + begin rewrite - begin authenticators - ''; - }; + begin authenticators + ''; + }; }; # TODO get the hostname from somewhere else. diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix new file mode 100644 index 000000000..a564430ea --- /dev/null +++ b/krebs/3modules/exim-smarthost.nix 
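Review bot: `assert config.krebs.retiolum.enable;` in front of the `services.exim` attrset aborts evaluation with a bare assertion failure that does not name the option that is missing; the module system's `assertions` list gives the same guard with a readable message, e.g. adding `assertions = [ { assertion = config.krebs.retiolum.enable; message = "krebs.exim-retiolum requires krebs.retiolum.enable"; } ];` to `imp` and dropping the `assert`. The rest of the hunk only re-indents the existing Exim configuration under the new attrset, so the ACL, router and transport content is unchanged from the old side. The `let` binding that contains `imp` starts before the hunk.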
@@ -0,0 +1,219 @@ +{ config, pkgs, lib, ... }: + +with builtins; +with lib; +let + cfg = config.krebs.exim-smarthost; + + out = { + options.krebs.exim-smarthost = api; + config = mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "krebs.exim-smarthost"; + + internet-aliases = mkOption { + type = types.listOf (types.submodule ({ + options = { + from = mkOption { + type = types.str; # TODO e-mail address + }; + to = mkOption { + type = types.str; # TODO e-mail address / TODO listOf + }; + }; + })); + }; + + relay_from_hosts = mkOption { + type = with types; listOf str; + default = []; + }; + + primary_hostname = mkOption { + type = types.str; + default = "${config.networking.hostName}.retiolum"; + }; + + sender_domains = mkOption { + type = with types; listOf str; + default = []; + }; + + system-aliases = mkOption { + type = types.listOf (types.submodule ({ + options = { + from = mkOption { + type = types.str; # TODO e-mail address + }; + to = mkOption { + type = types.str; # TODO e-mail address / TODO listOf + }; + }; + })); + }; + }; + + imp = { + services.exim = { + enable = true; + config = '' + primary_hostname = ${cfg.primary_hostname} + + # HOST_REDIR contains the real destinations for "local_domains". + #HOST_REDIR = /etc/exim4/host_redirect + + + # Domains not listed in local_domains need to be deliverable remotely. + # XXX We abuse local_domains to mean "domains, we're the gateway for". 
+ domainlist local_domains = @ : localhost + domainlist relay_to_domains = + hostlist relay_from_hosts = <;${concatStringsSep ";" ( + [ + "127.0.0.1" + "::1" + ] + ++ + cfg.relay_from_hosts + )} + + acl_smtp_rcpt = acl_check_rcpt + acl_smtp_data = acl_check_data + + never_users = root + + host_lookup = * + + rfc1413_hosts = * + rfc1413_query_timeout = 5s + + log_selector = -queue_run +address_rewrite +all_parents +queue_time + log_file_path = syslog + syslog_timestamp = false + syslog_duplication = false + + begin acl + + acl_check_rcpt: + accept hosts = : + control = dkim_disable_verify + + deny message = Restricted characters in address + domains = +local_domains + local_parts = ^[.] : ^.*[@%!/|] + + deny message = Restricted characters in address + domains = !+local_domains + local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ + + accept local_parts = postmaster + domains = +local_domains + + accept hosts = +relay_from_hosts + control = submission + control = dkim_disable_verify + + accept authenticated = * + control = submission + control = dkim_disable_verify + + accept message = relay not permitted 2 + recipients = lsearch;${lsearch.internet-aliases} + + require message = relay not permitted + domains = +local_domains : +relay_to_domains + + require + message = unknown user + verify = recipient/callout + + accept + + + acl_check_data: + warn + sender_domains = ${concatStringsSep ":" cfg.sender_domains} + set acl_m_special_dom = $sender_address_domain + + accept + + + begin routers + + # feature RETIOLUM_MAIL + retiolum: + debug_print = "R: retiolum for $local_part@$domain" + driver = manualroute + domains = ! 
${cfg.primary_hostname} : *.retiolum + transport = retiolum_smtp + route_list = ^.* $0 byname + no_more + + internet_aliases: + debug_print = "R: internet_aliases for $local_part@$domain" + driver = redirect + data = ''${lookup{$local_part@$domain}lsearch{${lsearch.internet-aliases}}} + + dnslookup: + debug_print = "R: dnslookup for $local_part@$domain" + driver = dnslookup + domains = ! +local_domains + transport = remote_smtp + ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 + no_more + + system_aliases: + debug_print = "R: system_aliases for $local_part@$domain" + driver = redirect + data = ''${lookup{$local_part}lsearch{${lsearch.system-aliases}}} + + local_user: + debug_print = "R: local_user for $local_part@$domain" + driver = accept + check_local_user + transport = home_maildir + cannot_route_message = Unknown user + + begin transports + + retiolum_smtp: + driver = smtp + retry_include_ip_address = false + + remote_smtp: + driver = smtp + helo_data = ''${if eq{$acl_m_special_dom}{} \ + {$primary_hostname} \ + {$acl_m_special_dom} } + + home_maildir: + driver = appendfile + maildir_format + maildir_use_size_file + directory = $home/Mail + directory_mode = 0700 + delivery_date_add + envelope_to_add + return_path_add + + begin retry + *.retiolum * F,42d,1m + * * F,2h,15m; G,16h,1h,1.5; F,4d,6h + + begin rewrite + begin authenticators + ''; + }; + }; + + + lsearch = mapAttrs (name: set: toFile name (to-lsearch set)) { + inherit (cfg) internet-aliases; + inherit (cfg) system-aliases; + }; + + to-lsearch = concatMapStringsSep "\n" ({ from, to, ... }: "${from}: ${to}"); + +in +out |
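Review bot: The `internet-aliases` and `system-aliases` options are declared without a `default`, unlike `relay_from_hosts` and `sender_domains`, so enabling `krebs.exim-smarthost` without setting both fails at evaluation as soon as the `config` string interpolates `lsearch.internet-aliases` / `lsearch.system-aliases`, which force `cfg.internet-aliases` and `cfg.system-aliases` through `inherit (cfg)`; add `default = [];` to each of those two `mkOption` calls. The `dnslookup` router's `ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8` omits the IPv6 loopback, so a remote domain whose MX resolves to `::1` would be routed back to this host; `ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1` closes that gap. In `acl_check_rcpt` the `accept` for `recipients = lsearch;...` carries `message = relay not permitted 2`, which on an unconditional `accept` looks like a leftover from the `require` statement below it — presumably it should be removed, if that is indeed the intent. `relay_from_hosts` entries are joined with `;` into the `<;` host list without any escaping, so the option would benefit from a `description` stating that each entry must be a single host or CIDR with no list separators.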