
4 commits

5 changed files with 47 additions and 5 deletions


@ -14,7 +14,7 @@ let
auth_bind = no auth_bind = no
ldap_version = 3 ldap_version = 3
base = ou=users,dc=%Dd base = ou=users,dc=%Dd
user_filter = (&(objectClass=mailAccount)(mail=%u)) user_filter = (&(objectClass=mailAccount)(mail=%u)(!(mailSendOnly=TRUE)))
user_attrs = \ user_attrs = \
quota=quota_rule=*:bytes=%$, \ quota=quota_rule=*:bytes=%$, \
=home=/var/vmail/%d/%n/, \ =home=/var/vmail/%d/%n/, \
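Review bot: The new `user_filter` hides send-only accounts from the userdb, but nothing in this hunk records how those accounts are meant to authenticate. `pass_filter` is outside the visible lines; if it still matches them (presumably intended, so they can use SMTP AUTH), an IMAP or POP3 login would pass the password check and then fail at the userdb lookup, which is logged as an error rather than a clean denial. A comment above the filter would make the intent explicit, for example `# send-only accounts have no userdb entry (no mailbox); pass_filter must still match them for SMTP AUTH`. The surrounding configuration string starts and ends outside the hunk.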


@ -376,6 +376,12 @@ in
SUBSTR caseIgnoreIA5SubstringsMatch SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}) SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256})
'' ''
''
(1.3.6.1.4.1.12461.1.1.9 NAME 'mailSendOnly'
DESC 'If TRUE, account can only send mail, not receive'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
''
]; ];
olcObjectClasses = [ olcObjectClasses = [
'' ''
@ -383,14 +389,14 @@ in
SUP top AUXILIARY SUP top AUXILIARY
DESC 'Mail account objects' DESC 'Mail account objects'
MUST ( mail $ userPassword ) MUST ( mail $ userPassword )
MAY ( cn $ description $ quota)) MAY ( cn $ description $ quota $ mailSendOnly))
'' ''
'' ''
(1.3.6.1.4.1.12461.1.2.2 NAME 'mailAlias' (1.3.6.1.4.1.12461.1.2.2 NAME 'mailAlias'
SUP top STRUCTURAL SUP top STRUCTURAL
DESC 'Mail aliasing/forwarding entry' DESC 'Mail aliasing/forwarding entry'
MUST ( mail $ maildrop ) MUST ( mail $ maildrop )
MAY ( cn $ description )) MAY ( cn $ description $ mailSendOnly ))
'' ''
'' ''
(1.3.6.1.4.1.12461.1.2.3 NAME 'mailDomain' (1.3.6.1.4.1.12461.1.2.3 NAME 'mailDomain'
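Review bot: `mailSendOnly` is declared as an IA5 string (`EQUALITY caseIgnoreIA5Match`, `SYNTAX 1.3.6.1.4.1.1466.115.121.1.26`), so the directory accepts any text as its value while the Dovecot and Postfix filters on this page only test for `TRUE`. An entry written as `yes` or `1` would pass schema validation and keep receiving mail, so the flag fails open. Declaring it with the LDAP Boolean syntax, `EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE`, makes the server refuse anything other than `TRUE` or `FALSE`. Changing an attribute's syntax once entries carry it is awkward, so it is worth settling before the schema is deployed.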


@ -31,7 +31,7 @@ let
bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
bind_pw = @ldap-password@ bind_pw = @ldap-password@
scope = sub scope = sub
query_filter = (&(uid=%u)(objectClass=mailAccount)) query_filter = (&(uid=%u)(objectClass=mailAccount)(!(mailSendOnly=TRUE)))
result_attribute = mail result_attribute = mail
debuglevel = 0 debuglevel = 0
''; '';
@ -73,7 +73,7 @@ let
bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
bind_pw = @ldap-password@ bind_pw = @ldap-password@
scope = one scope = one
query_filter = (&(objectClass=mailAlias)(mail=%s)) query_filter = (&(objectClass=mailAlias)(mail=%s)(!(mailSendOnly=TRUE)))
result_attribute = maildrop result_attribute = maildrop
debuglevel = 0 debuglevel = 0
''; '';
@ -180,6 +180,7 @@ in
smtpd_helo_restrictions = " smtpd_helo_restrictions = "
permit_mynetworks, permit_mynetworks,
permit_sasl_authenticated, permit_sasl_authenticated,
check_helo_access regexp:/var/lib/postfix/conf/helo_access,
reject_unauth_pipelining, reject_unauth_pipelining,
reject_non_fqdn_hostname, reject_non_fqdn_hostname,
reject_invalid_hostname, reject_invalid_hostname,
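Review bot: `check_helo_access regexp:/var/lib/postfix/conf/helo_access` is added to `smtpd_helo_restrictions`, but nothing in this section shows that table being created. If the file is missing or unreadable at that path, Postfix answers with a temporary failure for every client that reaches the rule, which here means all unauthenticated inbound SMTP. Presumably the map is generated elsewhere (not visible here); a comment next to the line naming where it comes from, such as `# helo_access is generated by <option that creates it>`, would make that dependency checkable in review. The restriction list continues outside the hunk.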


@ -52,6 +52,13 @@ let
} }
} }
} }
dmarc {
actions {
reject = "reject";
quarantine = "add header";
softfail = "no action";
}
}
''; '';
sieve-spam-filter = pkgs.callPackage ../pkgs/sieve-spam-filter { }; sieve-spam-filter = pkgs.callPackage ../pkgs/sieve-spam-filter { };
@ -63,6 +70,19 @@ in
.include(priority=1,duplicate=merge) "${localConfig}" .include(priority=1,duplicate=merge) "${localConfig}"
''; '';
locals."groups.conf".text = ''
symbols {
"R_SPF_DNSFAIL" {
weight = 2.0;
description = "SPF DNS failure";
}
"DMARC_DNSFAIL" {
weight = 2.0;
description = "DMARC DNS failure";
}
}
'';
postfix.enable = true; postfix.enable = true;
workers.controller = { workers.controller = {
extraConfig = '' extraConfig = ''
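Review bot: The `dmarc { actions { reject = "reject"; … } }` block turns a DMARC policy failure into a forced action, so legitimate mail whose alignment was broken in transit (mailing lists, plain forwarders) is rejected outright instead of being scored. Nothing in the visible lines exempts known forwarders or records that this trade-off was intended. A comment above the block would document it, for example `# DMARC dispositions are enforced as forced actions; forwarded/list mail that breaks alignment is rejected too`. The same applies to the new `R_SPF_DNSFAIL` and `DMARC_DNSFAIL` weights, where a one-line note on why a DNS failure adds 2.0 would help later tuning.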


@ -21,6 +21,11 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILf3KpvY3sG/l5w4phV3qxOnahFpb7op/8y6i3oLWXv" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILf3KpvY3sG/l5w4phV3qxOnahFpb7op/8y6i3oLWXv"
]; ];
extraConfig = ''
add_header Cross-Origin-Embedder-Policy "credentialless" always;
add_header Content-Security-Policy "media-src 'self' https://*.supabase.co blob:;" always;
'';
locations."/".extraConfig = '' locations."/".extraConfig = ''
index index.html; index index.html;
try_files $uri $uri/ /index.html; try_files $uri $uri/ /index.html;
@ -41,6 +46,11 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILf3KpvY3sG/l5w4phV3qxOnahFpb7op/8y6i3oLWXv" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILf3KpvY3sG/l5w4phV3qxOnahFpb7op/8y6i3oLWXv"
]; ];
extraConfig = ''
add_header Cross-Origin-Embedder-Policy "credentialless" always;
add_header Content-Security-Policy "media-src 'self' https://*.supabase.co blob:;" always;
'';
locations."/".extraConfig = '' locations."/".extraConfig = ''
index index.html; index index.html;
try_files $uri $uri/ /index.html; try_files $uri $uri/ /index.html;
@ -61,6 +71,11 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILf3KpvY3sG/l5w4phV3qxOnahFpb7op/8y6i3oLWXv" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILf3KpvY3sG/l5w4phV3qxOnahFpb7op/8y6i3oLWXv"
]; ];
extraConfig = ''
add_header Cross-Origin-Embedder-Policy "credentialless" always;
add_header Content-Security-Policy "media-src 'self' https://*.supabase.co blob:;" always;
'';
locations."/".extraConfig = '' locations."/".extraConfig = ''
index index.html; index index.html;
try_files $uri $uri/ /index.html; try_files $uri $uri/ /index.html;
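Review bot: The added `Content-Security-Policy` holds only `media-src`, so it restricts media loads and nothing else; with no `default-src` or `script-src`, the header gives no protection against injected scripts. The source `https://*.supabase.co` also matches every Supabase project, not just this site's; pinning it to the project host, `https://<project-ref>.supabase.co` (placeholder), would narrow it. Separately, nginx applies server-level `add_header` lines to a location only when that location declares none of its own, and `locations."/".extraConfig` continues outside the hunk, so check that no location adds headers and drops these. The identical four-line block appears in all three hunks of this file and could live in one `let` binding so that the policy is edited in one place.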