From b6352c36c12b1bc3b4396bd5eff19736a3f260c3 Mon Sep 17 00:00:00 2001 From: Lyes Saadi Date: Sun, 15 Feb 2026 03:41:52 +0100 Subject: [PATCH] First attempt at ldap for mail --- hosts/zora/default.nix | 1 + hosts/zora/reverse-proxy.nix | 2 +- modules/server/link/default.nix | 2 +- modules/server/taf/default.nix | 264 +++++++++++--------------------- secrets.nix | 2 +- secrets/lyes/hidden-sieve.age | Bin 532 -> 0 bytes secrets/lyes/sieve.age | Bin 0 -> 4569 bytes users/lyes/server/default.nix | 8 + users/lyes/server/sieve.nix | 13 ++ 9 files changed, 118 insertions(+), 174 deletions(-) delete mode 100644 secrets/lyes/hidden-sieve.age create mode 100644 secrets/lyes/sieve.age create mode 100644 users/lyes/server/default.nix create mode 100644 users/lyes/server/sieve.nix diff --git a/hosts/zora/default.nix b/hosts/zora/default.nix index 6d3d543..a9352bc 100644 --- a/hosts/zora/default.nix +++ b/hosts/zora/default.nix @@ -13,6 +13,7 @@ ./users.nix ../../users/lyes + ../../users/lyes/server ../../modules ../../modules/server diff --git a/hosts/zora/reverse-proxy.nix b/hosts/zora/reverse-proxy.nix index 5c597fd..f4e6501 100644 --- a/hosts/zora/reverse-proxy.nix +++ b/hosts/zora/reverse-proxy.nix @@ -3,7 +3,7 @@ { security.acme = { acceptTerms = true; - defaults.email = "security@lyes.eu"; + defaults.email = "root.security@lyes.eu"; }; services.nginx = { diff --git a/modules/server/link/default.nix b/modules/server/link/default.nix index a76f5e3..b2627d7 100644 --- a/modules/server/link/default.nix +++ b/modules/server/link/default.nix @@ -14,7 +14,7 @@ in # package = pkgs.kanidmWithSecretProvisioning_1_7; enableServer = true; - serverSettings = { + server.settings = { bindaddress = "127.0.0.1:${port}"; ldapbindaddress = "0.0.0.0:636"; domain = hostname; diff --git a/modules/server/taf/default.nix b/modules/server/taf/default.nix index ca0c361..c4a461d 100644 --- a/modules/server/taf/default.nix +++ b/modules/server/taf/default.nix @@ -1,5 +1,20 @@ -{ config, ... }: +{ config, lib, ... }: +let + alias = '' + @lyes.eu lyes + lyes@mail.lyes.eu lyes + abuse@taf.lyes.eu lyes + abuse@mail.lyes.eu lyes + abuse@minish.fr lyes + abuse@minish.link lyes + postmaster@taf.lyes.eu lyes + postmaster@mail.lyes.eu lyes + postmaster@minish.fr lyes + postmaster@minish.link lyes + ''; + aliasFile = lib.toFile "alias" alias; +in { mailserver = { enable = true; @@ -7,7 +22,10 @@ fqdn = "taf.lyes.eu"; domains = [ "lyes.eu" + "taf.lyes.eu" "mail.lyes.eu" + "minish.fr" + "minish.link" ]; localDnsResolver = false; @@ -15,175 +33,85 @@ # debug.all = true; - # ldap = { - # enable = true; + ldap = { + enable = true; - # uris = [ "ldaps://auth.lyes.eu:636" ]; - # searchBase = "dc=auth,dc=lyes,dc=eu"; - # searchScope = "sub"; + uris = [ "ldaps://auth.lyes.eu:636" ]; + searchBase = "dc=auth,dc=lyes,dc=eu"; + searchScope = "sub"; - # bind = { - # # dn = "dn=token,dc=auth,dc=lyes,dc=eu"; - # dn = "dn=token"; - # passwordFile = config.age.secrets.taf-token.path; - # }; + bind = { + # dn = "dn=token,dc=auth,dc=lyes,dc=eu"; + dn = "dn=token"; + passwordFile = config.age.secrets.taf-token.path; + }; - # dovecot = { - # userFilter = "(name=%u)"; - # passFilter = "(name=%u)"; - # }; + dovecot = { + userFilter = "(&(memberof=taf_users)(mail=%u))"; + passFilter = "(&(memberof=taf_users)(mail=%u))"; + }; - # postfix = { - # filter = "(name=%s)"; - # mailAttribute = "mail"; - # uidAttribute = "name"; - # }; - # }; - - loginAccounts = { - "lyes@mail.lyes.eu" = { - hashedPasswordFile = config.age.secrets.lyes-mail-passwd.path; - aliases = [ - "@lyes.eu" - ]; - quota = "1T"; - sieveScript = '' - require ["include", "fileinto", "mailbox", "copy", "regex", "variables", "imap4flags"]; - - include :personal "hiddensieve"; - - # lyes.eu filters - if address :is :domain "X-Original-To" "lyes.eu" { - # If the mail comes from my crans mailbox - if address :is :localpart "X-Original-To" "crans" { - # Aurore Support - if header :contains "List-Id" "" { - fileinto :create "Crans.aurore.support"; - } - # Mailman moderation request - elsif address :matches :all "To" "*-owner@lists.crans.org" { - fileinto :create "Crans.moderation"; - } - # Crans Bureau - elsif anyof ( - header :contains "List-Id" "", - header :contains "List-Id" "", - header :contains "List-Id" "" - ) { - fileinto :create "Crans.crans.bureau"; - } - # Crans CA - elsif header :contains "List-Id" "" { - fileinto :create "Crans.crans.ca"; - } - # Crans Root Postmaster - elsif address :is :all "To" "postmaster@crans.org" { - addflag "\\Seen"; - fileinto :create "Crans.crans.root.postmaster"; - } - # Crans Root Mailer - elsif address :is :all "From" "MAILER-DAEMON@crans.org" { - fileinto :create "Crans.crans.root.mailer"; - } - # Crans Nounou - elsif anyof ( - header :contains "List-Id" "", - header :contains "List-Id" "", - address :is :all "To" "contact@crans.org", - address :is :all "From" "contact@crans.org" - ) { - fileinto :create "Crans.crans.nounou"; - } - # Crans Root - elsif anyof ( - address :is :all "To" "root@crans.org", - address :is :all "From" "root@crans.org", - address :is :all "From" "www-data@crans.org" - ) { - fileinto :create "Crans.crans.root"; - } - # Crans Gitlab - elsif address :is :all "From" "gitlab@crans.org" { - fileinto :create "Crans.crans.gitlab"; - } - # Crans Wiki - elsif address :is :all "From" "wiki@crans.org" { - fileinto :create "Crans.crans.wiki"; - } - # Aurore CA - elsif header :contains "List-Id" "" { - fileinto :create "Crans.aurore.ca"; - } - # BDL - elsif anyof ( - header :contains "List-Id" "", - header :contains "List-Id" "" - ) { - fileinto :create "Crans.asso.bdl"; - } - # Med - elsif anyof ( - header :contains "List-Id" "", - header :contains "List-Id" "" - ) { - fileinto :create "Crans.asso.med"; - } - # NL BDE - elsif header :contains "List-Id" "" { - fileinto :create "Crans.asso.nl.bde"; - } - # NL BDA - elsif header :contains "List-Id" "" { - fileinto :create "Crans.asso.nl.bda"; - } - # Any other associative mail - elsif anyof ( - header :contains "List-Id" "", - header :contains "List-Id" "", - header :matches "List-Id" "<*.lists.crans.org>" - ) { - fileinto :create "Crans.asso"; - } - # Otherwise it's for the generic mailbox - else { - fileinto :create "Crans"; - } - } - - # Otherwise it's for my different accounts - # It's automatically sorted using the localpart - elsif address :localpart :regex "X-Original-To" "^(([a-zA-Z]+\\.)*([a-zA-Z]+))(-([a-zA-Z0-9_.\\-]*))?''$" { - set :lower "sub_folder" "''${1}"; - set "mbox_candidate" "INBOX.''${sub_folder}"; - fileinto :create "''${mbox_candidate}"; - } - - # Other unknown origin - else { - fileinto :create "INBOX.other"; - } - } - - # It's destined to my main inbox - elsif address :is "X-Original-To" "lyes@mail.lyes.eu" { - fileinto :create "INBOX"; - } - - # Other unknown origin - else { - fileinto :create "INBOX.other"; - } - ''; + postfix = { + filter = "(&(memberof=taf_users)(mail=%s))"; + mailAttribute = "mail"; + uidAttribute = "name"; }; }; + # fullTextSearch = { + # enable = true; + # autoIndex = true; + # enforced = "body"; + # }; + + # loginAccounts = { + # "lyes@mail.lyes.eu" = { + # # hashedPasswordFile = config.age.secrets.lyes-mail-passwd.path; + # # aliases = [ + # # "@lyes.eu" + # # ]; + # # quota = "1T"; + # }; + # }; + # extraVirtualAliases = { - # "@lyes.eu" = "lyes@mail.lyes.eu"; + # "@lyes.eu" = "lyes"; + # "abuse@mail.lyes.eu" = "lyes"; + # # "abuse@minish.fr" = "lyes"; + # # "abuse@minish.link" = "lyes"; + # "postmaster@mail.lyes.eu" = "lyes"; + # # "postmaster@minish.fr" = "lyes"; + # # "postmaster@minish.link" = "lyes"; # }; x509.useACMEHost = config.mailserver.fqdn; }; + services.postfix = { + mapFiles."valias" = lib.mkForce aliasFile; + mapFiles."vaccounts" = lib.mkForce aliasFile; + virtual = lib.mkForce alias; + + settings = { + main = { + # local_recipient_maps = ""; + # virtual_alias_maps = lib.mkForce "ldap:/run/postfix/ldap-virtual-mailbox-map.cf"; + + maximal_queue_lifetime = "31d"; + + relay_domains = [ + "skaven.org" + "agreg.info" + ]; + + smtpd_recipient_restrictions = [ + "permit_mynetworks" + "permit_sasl_authenticated" + ]; + }; + }; + }; + # services.dovecot2.extraConfig = '' # userdb { # driver = ldap @@ -200,7 +128,10 @@ # } # ''; - services.dovecot2.sieve.extensions = [ "imap4flags" ]; + services.dovecot2 = { + # enableQuota = lib.mkForce false; + sieve.extensions = [ "imap4flags" ]; + }; services.roundcube = { enable = true; @@ -217,21 +148,12 @@ age.secrets = { taf-token = { - owner = "postfix"; file = ../../../secrets/zora/services/taf-token.age; }; - lyes-mail-passwd = { - owner = "postfix"; - file = ../../../secrets/lyes/mail-passwd.age; - }; - - lyes-hidden-sieve = { - file = ../../../secrets/lyes/hidden-sieve.age; - path = "/var/sieve/lyes@mail.lyes.eu/scripts/hiddensieve.sieve"; - owner = "virtualMail"; - group = "virtualMail"; - mode = "660"; - }; + # lyes-mail-passwd = { + # owner = "postfix"; + # file = ../../../secrets/lyes/mail-passwd.age; + # }; }; } diff --git a/secrets.nix b/secrets.nix index be69f5d..743eef3 100644 --- a/secrets.nix +++ b/secrets.nix @@ -8,7 +8,7 @@ in { # Lyes "secrets/lyes/mail-passwd.age".publicKeys = [ lyes zora ]; - "secrets/lyes/hidden-sieve.age".publicKeys = [ lyes zora ]; + "secrets/lyes/sieve.age".publicKeys = [ lyes zora ]; # Zora "secrets/zora/services/kanidm-admin-password.age".publicKeys = all; diff --git a/secrets/lyes/hidden-sieve.age b/secrets/lyes/hidden-sieve.age deleted file mode 100644 index 18607ae3c75821ebe93b293e374be7cd5e51474c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 532 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSH&nOKl2vi6#_i#=& za;}O<4NT7Ub<8y@c64$t)HY5xEYmhHGIF%Y@pKE-POl2gwBRx|$VkmLHB2fn3$UmR zc8&^8%L%P0&381iEORpn@UX~_C`*s@EHtXjEJwF3#H}#hGhHD(BE(qRFEu@&Ous0? zC)L!oz%M-5JH;TSw8S~XAgiPzEX>)^EyCX~%a^Ot+_=cKD%--yFQO#O$SbTODaXYk%+c7w zD8n!`GSD%q%F)fpAUVSZd9{*97Ja9u5@uvBa3f({`?N9(GVlZUSw$6QUia^WG{vN`*d zT%(iUij@~Wwg2g{MfJzT*%elA&&w@~G(O~fj6ERhw9AIGfw`f==}SC!x>|pax7)T% zTtw*4w0zB*u_j5+KN|)L+CP6?9V%aV&Wh#Xk(qxVoKaDDTlHnG zPAn=mC{4+YEH2mA*VZ;o$|?%ZsVpl>v~-FrFhI90#H}#hGhM;UrNkh;!ZM{K(Ze(; z*vl`+)g;u!+cUB%%rws^HPSM*+#tu(E3Cjjq?{|b!Yj?hx1!J>wIIqX$2Hf~w7|Er zG%&f?JIJZX*v%r@t<0>TGB7taBalm1S63mxx3EILG$LK!C&MMk$t26uB{DL^FxxFH z-Pg%2%qS?k$|xx>AUwm}znJT&YyW|zfs9;X-x?n}ZexporYkdZS){7!8Iw$&sB^c> zvQ^)ot`A;)&Rvu3X^JFgl#t;yyAEZ(s}Bp`2I)zB;J?vZtY26)Q|}t*k*jk~G%0F+ zF;CS=c=>#?_;c60e@qpx6(1>@Vp+Z}+`L24y?&=wz21w3w`U4_D9h#C_VrXzD$r}= zj}+3>`<$$IIw@W7OZK{EubtnEp1eE6pSAqMmvxrk*JZwr&(`b9NS+veB6Pk&MX$bg zu~D`7>}vLdTontCo($OOr@5lY*`Yo9QJ{!zEKBHZg|DxKH-Gb%ihU8dM_cK0>`R`r z`VJia)Augub4vrob%Q-h~BBlYYoad;W@?d$M`Y zy302zo~ej%MLw}+cJB>+#CATB_w4eJlZ+11xke8)-gq^b{(oF-dn$#S)F)r0|?&wIDM;CtVEJNYB;ClvY>J2>|LcB)vrHMJ0S4)X4I4mIib&2-TUCG zKG}b^wd2Wq{K-$AXHD~)e!$KkRsPw#0I5q^m*iw*4FA^k8trJVu@9cV_H5S74Q{{R z^zGF4iSjp^y5d>I0|m3}iyWQxCoNb#f8=#`v8$(u@}1LpvHxOgpxu&a$CdR{DpsyP zT^(}bLYB*B(@EuapVb$%yJ@#7&pEZM_8F5%>D1M)c6w~ry>#*R?Uk>jBK^9!cq1I9 zz2ptLSHY9JZI!&m1K)|~lJ3l!Q}oj|d+83|vt6zM!UwY6g?tQ`O^!d2p`86Lb>7QU z2?EaBrlyJ?-*#p~`b2m31%fB%FLcT1iPvAvnch_=U6()0DBCzpK3}t8hT|Tw*H<6U ztav9gslZ=$uab7!3CD3C{_WbYk0-O+zxuFf zi~6O>56q91dR0x}{(F0B-@{*@Uhvdw-ZM%|L**t)$yvkH!6ldmRx%zcU91#_Zzz-@+RxZuami|n6b*Up|<*iyYV)s zOYKT&f;LO~N;ASZ-}K#cJ$mZPg^hPw1-0%w2XVey(t5#DdB&QTf90k3Gk)jj(N?E)XVD?2lsOdp575VqA?G41(_vstC$+(FlVJ=IFJO8FMONBjMjjqa60p^N&nro2GWcXo~Ze$Br@eJ=xzB zzCEp+vrBEtYtif(HR;{|3tJ_h>~nK0sd1WqWZM-9jmeMGrz#$PwN=7ee@AK2eS;Y) z&Fp8(9)|yCl1gZ|a#5^JN%h z794+-xnlp`HdzmLn>%h_g+G4t%}nLccP{+4GF6=8-D%ZBf-OZ)ed4~K+vvp{V0m%z zvN_c^Wh^a9s~mp5y0;@*f+g!`)fGLDA5zmxJs3FE8NQx;;j?5kNfJSErMTyZ;*ONi&=8Tsi_SMJq6zN=iz6eIUA zx9PzP9n-hjbK(*LWlWMfIX;G5dNX^Dl6iAy@cX5w5@op;saStFu(GaA=l8dLycxR8 zUv?~h-Y#bO@H0z9g8H5LQm>5cBwj@?opd2*DpQED|IUo1G3}|VSyYqGX1!<#{~s_r zl=FB|A2dh%WgW;zUDR07ZRyk<)vAgsms(e zU+SE|UGdm@lfLgaj>k_9JgfbxSxJ5+E8~%Zcz(^FPLu4zenc*NH(U1g1@>siT~;e6 zrk=Mrs@mJ~Zx-9it@F8-SRGnBAoHO)$5fkgNr|0TZ*N&Q@8GL^6OL21YvOK7OZ#tRm(yfW((#=wUAwZidB(-8 z#fb<1_f*9tZoc|_*Sk=4o7ILlM3$ejex&+#$?mihtJZ$lE?08B`faZJpLJPmhfMC- zuvRumMP6CBnsHLus{fX&d#m5vUK3oL{m=8!QC_{YEsxqwG7s&WHbdvmdPlSKJ2$5v zv;Qcqf8biH(BtRAQ9ZAelSJNqNiLe?XJyfQYw3lW&dSabg@n_^yNy=8wNO0xihY)+ zj7asT4Qy}JJln57tbZdZmlnOjjK%)Bq|up~ox;s+dn=#Mp3}YHh+3$~LU~q}f*U6# ziUm)`MsRb+aKw}_`m&_&w^*bgTC`)8*219|ZS^ zf9ks$w{XjeGoG+y-{vMjBg-T(Vnu-#d)nbq2Aq2{E#lp|La6jsNa&Xr79VjX>N+XbenF9Jl~ zFVf75n!J9}vz_0q?gx2mPE?CtJN3t;wO%in`tm~S43jT5*yR7HjTKQ~`*%t5tmxuB z8-sY=x?_JyMEyx@5pK_XYPRfXkX=0EiKu8M zi?fGsm6pyr+SPN#=uoZS(*84+oe#R->g_yezdKjnoA0Q``Mx#VuXw)=`F?tN_w?Fh zXCtor{dU;y7*lrGPxNEIWnF55gFWAoiHap*2i@fh&Y8CE+``g)_SMRzGyo(AKZtp+;{sK#;pVs-<&Ohbh z7V$w&8d-)5%60lRR8BBiMv0#4{#)~VO;F19&HEkB?h=<4jLb;;SClJbqxyP0=*`m8)5dRW6ZH|~dJhHh2Pu6GlZ-}$`ZC}GXY~)D=;KpYb6aOQWsdykT8Bd2VR^y+y{X?e=p|of1kJSDl_NA{99=)Rriw;SQJV-+9O@FzMd|+ zns|_>nIrzl*2l@o-)a{47>4yLen_?1z07?j>!Y)Rn_kcAS#_qGt7=p7iIBaXn)z4n zwC?_~c%DeAAK5fH~~% zPJeywg%fmpnw>&zTrZVn3eKM|W>-1!&OT_QBK|Lb)}KkG9GvD~r)W;UQFdU$qiRl5 z2^JP3JIRf;S9`p_R6YLwdCAR%(Tfb*R#!c+Zu$LL$Lf}?XACx(X?4@zUlu@=9zkNGS9CSk(uvS zXcd30O!)kYx%ZOH%4a=d^Dg_k;P0=)IdeKS7r*)Uu&qHhx$0lZj0Km|ybrohyzlzc z_SK>OKc?;L*ROsgvv&3Bok7#nQ_aujx$b!EYaV-FI{hs3 zgWKy#I~86w{@!wRhUUu&|5O)-YaN(*+x#ELDx>iF(4Gj}xt{_geJXzY)gEXsbk?7E z;$G$HI@TwV#U&i(Q$?2O81Q6zT`awjGta`N)6{-vz47NYQMV?nOAb9?6TI(&0{_bc zbDy%Gm~V34=DpiJxAY4fD=YjxG|gsLKK<$;X(ZgjHH|^ym-u68tw6u`Hzp;u?rOVb zmF^+?an5PhW2SADYYu1?2%MdCc=GZ+@BhwU(xKRSg!}5vg}WSUAG!XJ+iep3HtW}$ zn}N^XWcvECOz^Y)Abv!lX0hP?Ih7W(d+k_cTdKu| zDc=QQf5cQgS?$C%I)l$^PFs;&=(k=)_SClxGkERIOa6qOby=;mN76`Z53j6^P3!qn zRwn`uE$I6p+tR}tf9$PDbHatL{ic2wmdjbkRB|j=l8h2JT6;vre1Xx+r(*X$-QTmh zxhgHD$z;mrZApErr+Vd!|JB~SZsET@szUcaJxtmZt-kuW+9%PuGry(S9JF%%5qnEq za`Uyz_t|W=nq1O~3;S2V_QSYvOZ%EN+iTym%W&