From c2078d3e8be3bec0248c3f272ec6bebf46093196 Mon Sep 17 00:00:00 2001 From: sinanmohd Date: Sun, 18 Feb 2024 10:58:23 +0530 Subject: kay/mail: init --- .../dns/5.6.e.e.0.7.4.0.1.0.0.2.ip6.arpa.zone | 1 + hosts/kay/modules/dns/ddns.nix | 7 +- hosts/kay/modules/dns/sinanmohd.com.zone | 21 ++++- hosts/kay/modules/hurricane.nix | 1 + hosts/kay/modules/mail.nix | 103 +++++++++++++++++++++ hosts/kay/modules/www.nix | 13 ++- 6 files changed, 141 insertions(+), 5 deletions(-) create mode 100644 hosts/kay/modules/mail.nix (limited to 'hosts/kay/modules') diff --git a/hosts/kay/modules/dns/5.6.e.e.0.7.4.0.1.0.0.2.ip6.arpa.zone b/hosts/kay/modules/dns/5.6.e.e.0.7.4.0.1.0.0.2.ip6.arpa.zone index 3991e1f..69b3524 100644 --- a/hosts/kay/modules/dns/5.6.e.e.0.7.4.0.1.0.0.2.ip6.arpa.zone +++ b/hosts/kay/modules/dns/5.6.e.e.0.7.4.0.1.0.0.2.ip6.arpa.zone @@ -11,3 +11,4 @@ $TTL 2d IN NS ns1.sinanmohd.com. 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ns1.sinanmohd.com. +7.3.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR mail.sinanmohd.com. diff --git a/hosts/kay/modules/dns/ddns.nix b/hosts/kay/modules/dns/ddns.nix index 6d0a944..e6e417a 100644 --- a/hosts/kay/modules/dns/ddns.nix +++ b/hosts/kay/modules/dns/ddns.nix @@ -9,8 +9,11 @@ server 2001:470:ee65::1 zone sinanmohd.com. - update delete sinanmohd.com. A - update add sinanmohd.com. 180 A $4 + update delete sinanmohd.com. A + update add sinanmohd.com. 180 A $4 + + update delete mail.sinanmohd.com. A + update add mail.sinanmohd.com. 180 A $4 send EOF diff --git a/hosts/kay/modules/dns/sinanmohd.com.zone b/hosts/kay/modules/dns/sinanmohd.com.zone index 5833a2a..5fb9ca5 100644 --- a/hosts/kay/modules/dns/sinanmohd.com.zone +++ b/hosts/kay/modules/dns/sinanmohd.com.zone @@ -1,8 +1,8 @@ $ORIGIN sinanmohd.com. $TTL 2d -@ IN SOA ns1 sinan ( - 2024021100 ; serial +@ IN SOA ns1 hostmaster ( + 2024022500 ; serial 2h ; refresh 5m ; retry 1d ; expire 
@@ -17,8 +17,25 @@ $TTL 2d 30 IN A 127.0.0.1 30 IN AAAA ::1 + IN MX 10 mail + + IN TXT "v=spf1 mx -all" +_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:postmaster@sinanmohd.com; ruf=mailto:postmaster@sinanmohd.com; adkim=s; aspf=s" + +ed25519._domainkey IN TXT "v=DKIM1; k=ed25519; p=EHk924AruF9Y0Xaf009rpRl+yGusjmjT1Zeho67BnDU=" +rsa._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4HEqO63fSC0cUnJt9vAQBssTkPfT4QefmAK/1BtAIRIOdGakf7PI7p3A1ETgwfYxuHj7BUSzUtESsHMThbhB1Wko79+AR+5ZBDBmD8CE0dOnZfzeG8xIaGfYkaL4gana6YZWiBT2oi/CimJfc22wacF01SufOs4R8cDpy4BZIgDD/zfF4bFTORQ0vMSJQJkp1zdQelERDU5CEezgxgVYgoSmdEpgkhc23PJSyj4Z7hA69N0amsb3cVVrfVXcYvSqTK3S2vLLA89ws4CUjCCpUW40gVIP8QP6CqTL76936Oo7OVWgmV3Sn3wa8FMN6IATY+fbMlrdOMsPY5PauJyEoQIDAQAB" + ns1 IN AAAA 2001:470:ee65::1 +mail 30 IN A 127.0.0.1 +mail IN AAAA 2001:470:ee65::1337 +smtp IN CNAME @ +imap IN CNAME @ +mta-sts IN CNAME @ + +_mta-sts IN TXT "v=STSv1; id=2024022500" +_smtp._tls IN TXT "v=TLSRPTv1; rua=mailto:postmaster@sinanmohd.com" + www IN CNAME @ git IN CNAME @ bin IN CNAME @ diff --git a/hosts/kay/modules/hurricane.nix b/hosts/kay/modules/hurricane.nix index ede8e8f..9e22bf5 100644 --- a/hosts/kay/modules/hurricane.nix +++ b/hosts/kay/modules/hurricane.nix @@ -33,6 +33,7 @@ in (makeAddr prefix64 "1") (makeAddr prefix48 "1") + (makeAddr prefix48 "1337") ]; }; diff --git a/hosts/kay/modules/mail.nix b/hosts/kay/modules/mail.nix new file mode 100644 index 0000000..b255650 --- /dev/null +++ b/hosts/kay/modules/mail.nix 
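Review bot: The new `_mta-sts` TXT record, together with the `mode: enforce` / `mx: mail.${domain}` policy added in www.nix, makes every MTA-STS-aware sender require that the certificate presented on port 25 of `mail.sinanmohd.com` be valid for that hostname, yet mail.nix loads `config.security.acme.certs.${domain}`, the apex certificate, and nothing visible here shows that certificate carrying `mail.<domain>` as a SAN. If it does not, enforcing senders will refuse delivery (the `_smtp._tls` TLSRPT record would report it), so confirm the SAN list or load a certificate issued for `mail.${domain}` instead. A second, smaller point: `smtp`, `imap` and `mta-sts` are CNAMEs to the apex rather than to `mail`, whose AAAA `2001:470:ee65::1337` is the only IPv6 address the SMTP listener in mail.nix binds; if clients are meant to use `smtp.`/`imap.`, `smtp IN CNAME mail` and `imap IN CNAME mail` would stop them resolving over IPv6 to an address with no listener.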
@@ -0,0 +1,103 @@
+{ config, ... }: let
+ ipv6 = "2001:470:ee65::1337";
+ domain = config.userdata.domain;
+
+ username = config.userdata.user;
+ secret = "$argon2i$v=19$m=4096,t=3,p=1$SWV5aWU3YWUgZWFTNm9oc28gTGFvdDdlRG8ga2FTaWVjaDYgYWV0aDFHb28$O/sDv7oy9wUxFjvKoxB5o8ZnPvjYJo9DjX0C/AZQFF0";
+ email = [
+ "${username}@${domain}"
+ "sinanmohd@${domain}"
+ "me@${domain}"
+
+ "postmaster@${domain}"
+ "hostmaster@${domain}"
+ "admin@${domain}"
+ ];
+
+ credentials_directory = "/run/credentials/stalwart-mail.service";
+in {
+ networking.firewall.allowedTCPPorts = [
+ 25 # smto
+ 465 # submission
+ 587 # submissions
+ 993 # imap ssl
+ 4190 # managesieve
+ ];
+
+ sops.secrets = {
+ "mail.${domain}/dkim_rsa" = {};
+ "mail.${domain}/dkim_ed25519" = {};
+ };
+
+ services.stalwart-mail = {
+ enable = true;
+ loadCredential = [
+ "dkim_rsa:${config.sops.secrets."mail.${domain}/dkim_rsa".path}"
+ "dkim_ed25519:${config.sops.secrets."mail.${domain}/dkim_ed25519".path}"
+
+ "cert:${config.security.acme.certs.${domain}.directory}/fullchain.pem"
+ "key:${config.security.acme.certs.${domain}.directory}/key.pem"
+ ];
+
+ settings = {
+ macros = {
+ host = "mail.${domain}";
+ default_domain = domain;
+ default_directory = "in-memory";
+ default_store = "sqlite";
+ };
+
+ queue.outbound = {
+ ip-strategy = "ipv6_then_ipv4";
+ source-ip.v6 = "['${ipv6}']";
+ tls.starttls = "optional";
+ };
+ server.listener = {
+ smtp.bind = [ "[${ipv6}]:25" "0.0.0.0:25" ];
+ jmap.bind = [ "[::]:8034" ];
+ };
+
+ signature = {
+ rsa = {
+ private-key = "file://${credentials_directory}/dkim_rsa";
+ selector = "rsa";
+ set-body-length = true;
+ };
+ ed25519 = {
+ public-key = "EHk924AruF9Y0Xaf009rpRl+yGusjmjT1Zeho67BnDU=";
+ private-key = "file://${credentials_directory}/dkim_ed25519";
+ domain = "%{DEFAULT_DOMAIN}%";
+ selector = "ed25519";
+ headers = [ "From" "To" "Date" "Subject" "Message-ID" ];
+ algorithm = "ed25519-sha256";
+ canonicalization = "relaxed/relaxed";
+ set-body-length = true;
+ report = true;
+ };
+ };
+
+ certificate."default" = {
+ cert = "file://${credentials_directory}/cert";
+ private-key = "file://${credentials_directory}/key";
+ };
+
+ storage.blob = "fs";
+ store = {
+ fs.disable = false;
+ sqlite.disable = false;
+ };
+
+ directory."in-memory" = {
+ type = "memory";
+ options.subaddressing = true;
+
+ principals = [{
+ inherit email;
+ inherit secret;
+ name = username;
+ type = "admin";
+ }];
+ };
+ };
+ };
+}
diff --git a/hosts/kay/modules/www.nix b/hosts/kay/modules/www.nix
index a0b9c20..1447b1e 100644
--- a/hosts/kay/modules/www.nix
+++ b/hosts/kay/modules/www.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 let
 domain = config.userdata.domain;
@@ -117,6 +117,17 @@ in
 extraConfig = "add_header Content-Type text/html;";
 };
 };
+
+ "mta-sts.${domain}" = defaultOpts // {
+ locations."= /.well-known/mta-sts.txt".return = ''200 "${
+ lib.strings.concatStringsSep "\\n" [
+ "version: STSv1"
+ "mode: enforce"
+ "mx: mail.${domain}"
+ "max_age: 86400"
+ ]
+ }"'';
+ };
 };
 };
 }
--
cgit v1.2.3
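Review bot: The principal `secret` in the `let` block of mail.nix is an argon2 password hash committed verbatim, so it lives in git history and, once `settings` is rendered, presumably in the world-readable Nix store where it can be attacked offline, whereas the DKIM private keys in the same file correctly go through `sops.secrets` and `loadCredential`. If Stalwart can read a principal's `secret` from a file (I can't confirm that from here), route it through the same sops/loadCredential path; if not, a comment such as `# NOTE: hash is public in the store; password strength is the only protection` should sit next to it. The same principal is `type = "admin"`, so the everyday mailbox credential and all of its aliases (`postmaster@`, `admin@`, ...) also carry full server administration rights; a separate admin-only principal would keep that to least privilege. Two comments in `allowedTCPPorts` are also wrong: `25 # smtp`, and since 465 is implicit-TLS submissions while 587 is STARTTLS submission they should read `465 # submissions (implicit TLS)` and `587 # submission (STARTTLS)`.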
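Review bot: The new `mta-sts.${domain}` location returns the policy body with whatever content type nginx assigns to a bare `return`, while RFC 8461 expects the policy to be served as `text/plain`; the neighbouring vhost in the hunk's context already forces a type the same way, so `extraConfig = "add_header Content-Type text/plain;";` (or `default_type text/plain;`) on this vhost would match that pattern. This body also deserves a comment that the `_mta-sts` TXT `id` in the zone file (currently `2024022500`) must be bumped whenever these lines change, because senders cache the policy for `max_age` and only refetch on a new id, and a stale `enforce` policy blocks delivery after an MX change. The enclosing `virtualHosts` attribute set starts outside the hunk.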