Allow TLSv1 for compatibility with older devices

Release 24.05
acme: test acmeCertificateName if module is enabled
2024-06-12 10:14:19 +02:00 · 2024-06-11 07:36:43 +02:00 · 2024-06-04 15:31:28 +00:00 · 2024-06-03 12:34:43 +02:00 · 2024-05-31 09:53:32 +01:00 · 2024-05-03 09:14:16 +02:00
16 changed files with 131 additions and 109 deletions
--- a/.hydra/declarative-jobsets.nix
+++ b/.hydra/declarative-jobsets.nix
@@ -32,8 +32,8 @@ let

  desc = prJobsets // {
    "master" = mkFlakeJobset "master";
-    "nixos-22.11" = mkFlakeJobset "nixos-22.11";
-    "nixos-23.05" = mkFlakeJobset "nixos-23.05";
+    "nixos-23.11" = mkFlakeJobset "nixos-23.11";
+    "nixos-24.05" = mkFlakeJobset "nixos-24.05";
  };

  log = {
--- a/README.md
+++ b/README.md
@@ -8,14 +8,14 @@
 For each NixOS release, we publish a branch. You then have to use the
 SNM branch corresponding to your NixOS version.

-* For NixOS 23.05
-   - Use the [SNM branch `nixos-23.05`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-23.05)
-   - [Documentation](https://nixos-mailserver.readthedocs.io/en/nixos-23.05/)
-   - [Release notes](https://nixos-mailserver.readthedocs.io/en/nixos-23.05/release-notes.html#nixos-23-05)
-* For NixOS 22.11
-   - Use the [SNM branch `nixos-22.11`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-22.11)
-   - [Documentation](https://nixos-mailserver.readthedocs.io/en/nixos-22.11/)
-   - [Release notes](https://nixos-mailserver.readthedocs.io/en/nixos-22.11/release-notes.html#nixos-22-11)
+* For NixOS 24.05
+   - Use the [SNM branch `nixos-24.05`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-24.05)
+   - [Documentation](https://nixos-mailserver.readthedocs.io/en/nixos-24.05/)
+   - [Release notes](https://nixos-mailserver.readthedocs.io/en/nixos-24.05/release-notes.html#nixos-24-05)
+* For NixOS 23.11
+   - Use the [SNM branch `nixos-23.11`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-23.11)
+   - [Documentation](https://nixos-mailserver.readthedocs.io/en/nixos-23.11/)
+   - [Release notes](https://nixos-mailserver.readthedocs.io/en/nixos-23.11/release-notes.html#nixos-23-11)
 * For NixOS unstable
   - Use the [SNM branch `master`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/master)
   - [Documentation](https://nixos-mailserver.readthedocs.io/en/latest/)
--- a/default.nix
+++ b/default.nix
@@ -675,6 +675,19 @@ in
      '';
    };

+    acmeCertificateName = mkOption {
+      type = types.str;
+      default = cfg.fqdn;
+      example = "example.com";
+      description = ''
+          ({option}`mailserver.certificateScheme` == `acme`)
+
+        When the `acme` `certificateScheme` is selected, you can use this option
+        to override the default certificate name. This is useful if you've
+        generated a wildcard certificate, for example.
+      '';
+    };
+
    enableImap = mkOption {
      type = types.bool;
      default = true;
--- a/docs/add-radicale.rst
+++ b/docs/add-radicale.rst
@@ -24,12 +24,13 @@ have to be used. These can still be generated using `mkpasswd -m bcrypt`.
   in {
     services.radicale = {
       enable = true;
-       config = ''
-         [auth]
-         type = htpasswd
-         htpasswd_filename = ${htpasswd}
-         htpasswd_encryption = bcrypt
-       '';
+       settings = {
+         auth = {
+           type = "htpasswd";
+           htpasswd_filename = "${htpasswd}";
+           htpasswd_encryption = "bcrypt";
+         };
+       };
     };

     services.nginx = {
--- a/docs/add-roundcube.rst
+++ b/docs/add-roundcube.rst
@@ -20,7 +20,7 @@ servers may require more work.
        extraConfig = ''
          # starttls needed for authentication, so the fqdn required to match
          # the certificate
-          $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
+          $config['smtp_host'] = "tls://${config.mailserver.fqdn}";
          $config['smtp_user'] = "%u";
          $config['smtp_pass'] = "%p";
        '';
--- a/docs/release-notes.rst
+++ b/docs/release-notes.rst
@@ -1,6 +1,17 @@
 Release Notes
 =============

+NixOS 24.05
+-----------
+
+- Add new option ``acmeCertificateName`` which can be used to support
+  wildcard certificates
+
+NixOS 23.11
+-----------
+
+- Add basic support for LDAP users
+- Add support for regex (PCRE) aliases

 NixOS 23.05
 -----------
--- a/flake.lock
+++ b/flake.lock
@@ -19,11 +19,11 @@
    "flake-compat": {
      "flake": false,
      "locked": {
-        "lastModified": 1668681692,
-        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
@@ -34,11 +34,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1670751203,
-        "narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=",
+        "lastModified": 1717602782,
+        "narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60",
+        "rev": "e8057b67ebf307f01bdcc8fba94d94f75039d1f6",
        "type": "github"
      },
      "original": {
@@ -47,33 +47,18 @@
        "type": "indirect"
      }
    },
-    "nixpkgs-22_11": {
+    "nixpkgs-24_05": {
      "locked": {
-        "lastModified": 1669558522,
-        "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
+        "lastModified": 1717144377,
+        "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
+        "rev": "805a384895c696f802a9bf5bf4720f37385df547",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
-        "ref": "nixos-22.11",
-        "type": "indirect"
-      }
-    },
-    "nixpkgs-23_05": {
-      "locked": {
-        "lastModified": 1684782344,
-        "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
-        "type": "github"
-      },
-      "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-23.05",
+        "ref": "nixos-24.05",
        "type": "indirect"
      }
    },
@@ -82,18 +67,35 @@
        "blobs": "blobs",
        "flake-compat": "flake-compat",
        "nixpkgs": "nixpkgs",
-        "nixpkgs-22_11": "nixpkgs-22_11",
-        "nixpkgs-23_05": "nixpkgs-23_05",
+        "nixpkgs-24_05": "nixpkgs-24_05",
        "utils": "utils"
      }
    },
-    "utils": {
+    "systems": {
      "locked": {
-        "lastModified": 1605370193,
-        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1709126324,
+        "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "5021eac20303a61fafe17224c087f5519baed54d",
+        "rev": "d465f4819400de7c8d874d50b982301f28a84605",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -8,15 +8,14 @@
    };
    utils.url = "github:numtide/flake-utils";
    nixpkgs.url = "flake:nixpkgs/nixos-unstable";
-    nixpkgs-22_11.url = "flake:nixpkgs/nixos-22.11";
-    nixpkgs-23_05.url = "flake:nixpkgs/nixos-23.05";
+    nixpkgs-24_05.url = "flake:nixpkgs/nixos-24.05";
    blobs = {
      url = "gitlab:simple-nixos-mailserver/blobs";
      flake = false;
    };
  };

-  outputs = { self, utils, blobs, nixpkgs, nixpkgs-22_11, nixpkgs-23_05, ... }: let
+  outputs = { self, utils, blobs, nixpkgs, nixpkgs-24_05, ... }: let
    lib = nixpkgs.lib;
    system = "x86_64-linux";
    pkgs = nixpkgs.legacyPackages.${system};
@@ -26,8 +25,8 @@
        pkgs = nixpkgs.legacyPackages.${system};
      }
      {
-        name = "23.05";
-        pkgs = nixpkgs-23_05.legacyPackages.${system};
+        name = "24.05";
+        pkgs = nixpkgs-24_05.legacyPackages.${system};
      }
    ];
    testNames = [
@@ -91,6 +90,7 @@
          sphinx
          sphinx_rtd_theme
          myst-parser
+          linkify-it-py
        ])
      )];
      buildPhase = ''
--- a/mail-server/assertions.nix
+++ b/mail-server/assertions.nix
@@ -13,5 +13,10 @@
      assertion = config.mailserver.forwards == {};
      message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.forwards";
    }
+  ] ++ lib.optionals (config.mailserver.enable && config.mailserver.certificateScheme != "acme") [
+    {
+      assertion = config.mailserver.acmeCertificateName == config.mailserver.fqdn;
+      message = "When the certificate scheme is not 'acme' (mailserver.certificateScheme != \"acme\"), it is not possible to define mailserver.acmeCertificateName";
+    }
  ];
 }
--- a/mail-server/common.nix
+++ b/mail-server/common.nix
@@ -26,7 +26,7 @@ in
             else if cfg.certificateScheme == "selfsigned"
                  then "${cfg.certificateDirectory}/cert-${cfg.fqdn}.pem"
                  else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
-                       then "${config.security.acme.certs.${cfg.fqdn}.directory}/fullchain.pem"
+                       then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/fullchain.pem"
                       else throw "unknown certificate scheme";

  # key :: PATH
@@ -35,7 +35,7 @@ in
        else if cfg.certificateScheme == "selfsigned"
             then "${cfg.certificateDirectory}/key-${cfg.fqdn}.pem"
              else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
-                   then "${config.security.acme.certs.${cfg.fqdn}.directory}/key.pem"
+                   then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/key.pem"
                   else throw "unknown certificate scheme";

  passwordFiles = let
@@ -49,7 +49,7 @@ in
  # Appends the LDAP bind password to files to avoid writing this
  # password into the Nix store.
  appendLdapBindPwd = {
-    name, file, prefix, passwordFile, destination
+    name, file, prefix, suffix ? "", passwordFile, destination
  }: pkgs.writeScript "append-ldap-bind-pwd-in-${name}" ''
    #!${pkgs.stdenv.shell}
    set -euo pipefail
@@ -61,8 +61,9 @@ in
    fi

    cat ${file} > ${destination}
-    echo -n "${prefix}" >> ${destination}
+    echo -n '${prefix}' >> ${destination}
    cat ${passwordFile} >> ${destination}
+    echo -n '${suffix}' >> ${destination}
    chmod 600 ${destination}
  '';

--- a/mail-server/dovecot.nix
+++ b/mail-server/dovecot.nix
@@ -90,7 +90,8 @@ let
  setPwdInLdapConfFile = appendLdapBindPwd {
    name = "ldap-conf-file";
    file = ldapConfig;
-    prefix = "dnpass = ";
+    prefix = ''dnpass = "'';
+    suffix = ''"'';
    passwordFile = cfg.ldap.bind.passwordFile;
    destination = ldapConfFile;
  };
@@ -175,8 +176,18 @@ in
      mailPlugins.globally.enable = lib.optionals cfg.fullTextSearch.enable [ "fts" "fts_xapian" ];
      protocols = lib.optional cfg.enableManageSieve "sieve";

-      sieveScripts = {
-        after = builtins.toFile "spam.sieve" ''
+      pluginSettings = {
+        sieve = "file:${cfg.sieveDirectory}/%u/scripts;active=${cfg.sieveDirectory}/%u/active.sieve";
+        sieve_default = "file:${cfg.sieveDirectory}/%u/default.sieve";
+        sieve_default_name = "default";
+      };
+
+      sieve = {
+        extensions = [
+          "fileinto"
+        ];
+
+        scripts.after = builtins.toFile "spam.sieve" ''
          require "fileinto";

          if header :is "X-Spam" "Yes" {
@@ -184,8 +195,29 @@ in
              stop;
          }
        '';
+
+        pipeBins = map lib.getExe [
+          (pkgs.writeShellScriptBin "sa-learn-ham.sh"
+            "exec ${pkgs.rspamd}/bin/rspamc -h /run/rspamd/worker-controller.sock learn_ham")
+          (pkgs.writeShellScriptBin "sa-learn-spam.sh"
+            "exec ${pkgs.rspamd}/bin/rspamc -h /run/rspamd/worker-controller.sock learn_spam")
+        ];
      };

+      imapsieve.mailbox = [
+        {
+          name = junkMailboxName;
+          causes = [ "COPY" "APPEND" ];
+          before = ./dovecot/imap_sieve/report-spam.sieve;
+        }
+        {
+          name = "*";
+          from = junkMailboxName;
+          causes = [ "COPY" ];
+          before = ./dovecot/imap_sieve/report-ham.sieve;
+        }
+      ];
+
      mailboxes = cfg.mailboxes;

      extraConfig = ''
@@ -307,28 +339,6 @@ in
          inbox = yes
        }

-        plugin {
-          sieve_plugins = sieve_imapsieve sieve_extprograms
-          sieve = file:${cfg.sieveDirectory}/%u/scripts;active=${cfg.sieveDirectory}/%u/active.sieve
-          sieve_default = file:${cfg.sieveDirectory}/%u/default.sieve
-          sieve_default_name = default
-
-          # From elsewhere to Spam folder
-          imapsieve_mailbox1_name = ${junkMailboxName}
-          imapsieve_mailbox1_causes = COPY,APPEND
-          imapsieve_mailbox1_before = file:${stateDir}/imap_sieve/report-spam.sieve
-
-          # From Spam folder to elsewhere
-          imapsieve_mailbox2_name = *
-          imapsieve_mailbox2_from = ${junkMailboxName}
-          imapsieve_mailbox2_causes = COPY
-          imapsieve_mailbox2_before = file:${stateDir}/imap_sieve/report-ham.sieve
-
-          sieve_pipe_bin_dir = ${pipeBin}/pipe/bin
-
-          sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
-        }
-
        ${lib.optionalString cfg.fullTextSearch.enable ''
        plugin {
          plugin = fts fts_xapian
@@ -357,13 +367,6 @@ in
    systemd.services.dovecot2 = {
      preStart = ''
        ${genPasswdScript}
-        rm -rf '${stateDir}/imap_sieve'
-        mkdir '${stateDir}/imap_sieve'
-        cp -p "${./dovecot/imap_sieve}"/*.sieve '${stateDir}/imap_sieve/'
-        for k in "${stateDir}/imap_sieve"/*.sieve ; do
-          ${pkgs.dovecot_pigeonhole}/bin/sievec "$k"
-        done
-        chown -R '${dovecot2Cfg.mailUser}:${dovecot2Cfg.mailGroup}' '${stateDir}/imap_sieve'
      '' + (lib.optionalString cfg.ldap.enable setPwdInLdapConfFile);
    };

--- a/mail-server/nginx.nix
+++ b/mail-server/nginx.nix
@@ -17,11 +17,10 @@

 { config, pkgs, lib, ... }:

-with (import ./common.nix { inherit config; });
+with (import ./common.nix { inherit config lib pkgs; });

 let
  cfg = config.mailserver;
-  acmeRoot = "/var/lib/acme/acme-challenge";
 in
 {
  config = lib.mkIf (cfg.enable && (cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx")) {
@@ -32,11 +31,10 @@ in
        serverAliases = cfg.certificateDomains;
        forceSSL = true;
        enableACME = true;
-        acmeRoot = acmeRoot;
      };
    };

-    security.acme.certs."${cfg.fqdn}".reloadServices = [
+    security.acme.certs."${cfg.acmeCertificateName}".reloadServices = [
      "postfix.service"
      "dovecot2.service"
    ];
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -274,9 +274,6 @@ in
        # Submission by mail clients is handled in submissionOptions
        smtpd_tls_security_level = "may";

-        # strong might suffice and is computationally less expensive
-        smtpd_tls_eecdh_grade = "ultra";
-
        # Disable obselete protocols
        smtpd_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, !SSLv2, !SSLv3";
        smtp_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, !SSLv2, !SSLv3";
--- a/mail-server/rspamd.nix
+++ b/mail-server/rspamd.nix
@@ -30,7 +30,7 @@ in
      inherit debug;
      locals = {
          "milter_headers.conf" = { text = ''
-              extended_spam_headers = yes;
+              extended_spam_headers = true;
          ''; };
          "redis.conf" = { text = ''
              servers = "${cfg.redis.address}:${toString cfg.redis.port}";
@@ -69,14 +69,6 @@ in
          ''; };
      };

-      overrides = {
-        "milter_headers.conf" = {
-          text = ''
-            extended_spam_headers = true;
-          '';
-        };
-      };
-
      workers.rspamd_proxy = {
        type = "rspamd_proxy";
        bindSockets = [{
--- a/tests/external.nix
+++ b/tests/external.nix
@@ -501,7 +501,6 @@ pkgs.nixosTest {

      with subtest("dmarc reporting"):
          server.systemctl("start rspamd-dmarc-reporter.service")
-          server.wait_until_succeeds("journalctl -eu rspamd-dmarc-reporter.service -o cat | grep -q 'No reports for '")

      with subtest("no warnings or errors"):
          server.fail("journalctl -u postfix | grep -i error >&2")
@@ -509,7 +508,7 @@ pkgs.nixosTest {
          server.fail("journalctl -u dovecot2 | grep -i error >&2")
          # harmless ? https://dovecot.org/pipermail/dovecot/2020-August/119575.html
          server.fail(
-              "journalctl -u dovecot2 |grep -v 'Expunged message reappeared, giving a new UID'| grep -i warning >&2"
+              "journalctl -u dovecot2 |grep -v 'Expunged message reappeared, giving a new UID'| grep -v 'FTS Xapian: Box is empty' | grep -i warning >&2"
          )
    '';
 }
--- a/tests/internal.nix
+++ b/tests/internal.nix
@@ -177,7 +177,7 @@ pkgs.nixosTest {
            "set +e; timeout 1 ${pkgs.netcat}/bin/nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
        )
        machine.succeed(
-            "cat ${sendMail} | ${pkgs.netcat-gnu}/bin/nc localhost 25 | grep -q 'This account cannot receive emails'"
+            "cat ${sendMail} | ${pkgs.netcat-gnu}/bin/nc localhost 25 | grep -q '554 5.5.0 Error'"
        )

    with subtest("rspamd controller serves web ui"):
Author	SHA1	Message	Date
Jakub Skokan	4c1ad4797f	Allow TLSv1 for compatibility with older devices	2024-06-12 10:14:19 +02:00
Antoine Eiche	29916981e7	Release 24.05	2024-06-11 07:36:43 +02:00
RoastedCheese	0d51a32e47	acme: test acmeCertificateName if module is enabled	2024-06-04 15:31:28 +00:00
Martin Weinelt	ed80b589d3	postfix: remove deprecated smtpd_tls_eecdh_grade Causes a warning that suggests to just leave it at its default.	2024-06-03 12:34:43 +02:00
Matthew Leach	46a0829aa8	acme: Add new option acmeCertificateName Allow the user to specify the name of the ACME configuration that the mailserver should use. This allows users that request certificates that aren't the FQDN of the mailserver, for example a wildcard certificate.	2024-05-31 09:53:32 +01:00
jopejoe1	41059fc548	docs: use settings instead of config in radicale	2024-05-03 09:14:16 +02:00
Sandro Jäckel	ef4756bcfc	Quote ldap password Otherwise special characters like # do not work	2024-04-28 10:02:48 +00:00
Sandro	9f6635a035	Drop default acmeRoot	2024-04-13 12:42:45 +00:00
Antoine Eiche	79c8cfcd58	Remove the support of 23.05 and 23.11 This is because SNM now supports the new sieve nixpkgs interface, which is not backward compatible with previous releases.	2024-03-14 21:51:05 +01:00
Gaetan Lepage	799fe34c12	Update nixpkgs	2024-03-14 21:51:05 +01:00
Gaetan Lepage	d507bd9c95	dovecot: no longer need to copy sieve scripts	2024-03-14 21:50:46 +01:00
Raito Bezarius	fe6d325397	dovecot: support new `sieve` API in nixpkgs Since https://github.com/NixOS/nixpkgs/pull/275031 things have became more structured when it comes to the sieve plugin. Relies on https://github.com/NixOS/nixpkgs/pull/281001 for full features.	2024-03-09 23:23:17 +01:00
Christian Theune	572c1b4d69	rspamd: fix duplicate and syntactically wrong header settings Fixes #280	2024-03-08 14:52:52 +01:00
Sleepful	9e36323ae3	Update roundcube example configuration: smtp_server is deprecated Related issue on GH: https://github.com/roundcube/roundcubemail/issues/8756	2024-01-31 17:08:06 -06:00
Antoine Eiche	e47f3719f1	Release 23.11	2024-01-25 22:52:54 +01:00