Allow TLSv1 for compatibility with older devices

2024-01-06 14:45:24 +01:00
16 changed files with 108 additions and 130 deletions
--- a/.hydra/declarative-jobsets.nix
+++ b/.hydra/declarative-jobsets.nix
@@ -32,8 +32,8 @@ let

  desc = prJobsets // {
    "master" = mkFlakeJobset "master";
-    "nixos-23.11" = mkFlakeJobset "nixos-23.11";
-    "nixos-24.05" = mkFlakeJobset "nixos-24.05";
+    "nixos-22.11" = mkFlakeJobset "nixos-22.11";
+    "nixos-23.05" = mkFlakeJobset "nixos-23.05";
  };

  log = {
--- a/README.md
+++ b/README.md
@@ -8,14 +8,14 @@
 For each NixOS release, we publish a branch. You then have to use the
 SNM branch corresponding to your NixOS version.

-* For NixOS 24.05
-   - Use the [SNM branch `nixos-24.05`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-24.05)
-   - [Documentation](https://nixos-mailserver.readthedocs.io/en/nixos-24.05/)
-   - [Release notes](https://nixos-mailserver.readthedocs.io/en/nixos-24.05/release-notes.html#nixos-24-05)
-* For NixOS 23.11
-   - Use the [SNM branch `nixos-23.11`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-23.11)
-   - [Documentation](https://nixos-mailserver.readthedocs.io/en/nixos-23.11/)
-   - [Release notes](https://nixos-mailserver.readthedocs.io/en/nixos-23.11/release-notes.html#nixos-23-11)
+* For NixOS 23.05
+   - Use the [SNM branch `nixos-23.05`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-23.05)
+   - [Documentation](https://nixos-mailserver.readthedocs.io/en/nixos-23.05/)
+   - [Release notes](https://nixos-mailserver.readthedocs.io/en/nixos-23.05/release-notes.html#nixos-23-05)
+* For NixOS 22.11
+   - Use the [SNM branch `nixos-22.11`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-22.11)
+   - [Documentation](https://nixos-mailserver.readthedocs.io/en/nixos-22.11/)
+   - [Release notes](https://nixos-mailserver.readthedocs.io/en/nixos-22.11/release-notes.html#nixos-22-11)
 * For NixOS unstable
   - Use the [SNM branch `master`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/master)
   - [Documentation](https://nixos-mailserver.readthedocs.io/en/latest/)
--- a/default.nix
+++ b/default.nix
@@ -675,19 +675,6 @@ in
      '';
    };

-    acmeCertificateName = mkOption {
-      type = types.str;
-      default = cfg.fqdn;
-      example = "example.com";
-      description = ''
-          ({option}`mailserver.certificateScheme` == `acme`)
-
-        When the `acme` `certificateScheme` is selected, you can use this option
-        to override the default certificate name. This is useful if you've
-        generated a wildcard certificate, for example.
-      '';
-    };
-
    enableImap = mkOption {
      type = types.bool;
      default = true;
--- a/docs/add-radicale.rst
+++ b/docs/add-radicale.rst
@@ -24,13 +24,12 @@ have to be used. These can still be generated using `mkpasswd -m bcrypt`.
   in {
     services.radicale = {
       enable = true;
-       settings = {
-         auth = {
-           type = "htpasswd";
-           htpasswd_filename = "${htpasswd}";
-           htpasswd_encryption = "bcrypt";
-         };
-       };
+       config = ''
+         [auth]
+         type = htpasswd
+         htpasswd_filename = ${htpasswd}
+         htpasswd_encryption = bcrypt
+       '';
     };

     services.nginx = {
--- a/docs/add-roundcube.rst
+++ b/docs/add-roundcube.rst
@@ -20,7 +20,7 @@ servers may require more work.
        extraConfig = ''
          # starttls needed for authentication, so the fqdn required to match
          # the certificate
-          $config['smtp_host'] = "tls://${config.mailserver.fqdn}";
+          $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
          $config['smtp_user'] = "%u";
          $config['smtp_pass'] = "%p";
        '';
--- a/docs/release-notes.rst
+++ b/docs/release-notes.rst
@@ -1,17 +1,6 @@
 Release Notes
 =============

-NixOS 24.05
-----------
-
- Add new option ``acmeCertificateName`` which can be used to support
-  wildcard certificates
-
-NixOS 23.11
-----------
-
- Add basic support for LDAP users
- Add support for regex (PCRE) aliases

 NixOS 23.05
 -----------
--- a/flake.lock
+++ b/flake.lock
@@ -19,11 +19,11 @@
    "flake-compat": {
      "flake": false,
      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "lastModified": 1668681692,
+        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
        "type": "github"
      },
      "original": {
@@ -34,11 +34,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1717602782,
-        "narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=",
+        "lastModified": 1670751203,
+        "narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "e8057b67ebf307f01bdcc8fba94d94f75039d1f6",
+        "rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60",
        "type": "github"
      },
      "original": {
@@ -47,18 +47,33 @@
        "type": "indirect"
      }
    },
-    "nixpkgs-24_05": {
+    "nixpkgs-22_11": {
      "locked": {
-        "lastModified": 1717144377,
-        "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
+        "lastModified": 1669558522,
+        "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "805a384895c696f802a9bf5bf4720f37385df547",
+        "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
-        "ref": "nixos-24.05",
+        "ref": "nixos-22.11",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs-23_05": {
+      "locked": {
+        "lastModified": 1684782344,
+        "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-23.05",
        "type": "indirect"
      }
    },
@@ -67,35 +82,18 @@
        "blobs": "blobs",
        "flake-compat": "flake-compat",
        "nixpkgs": "nixpkgs",
-        "nixpkgs-24_05": "nixpkgs-24_05",
+        "nixpkgs-22_11": "nixpkgs-22_11",
+        "nixpkgs-23_05": "nixpkgs-23_05",
        "utils": "utils"
      }
    },
-    "systems": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
    "utils": {
-      "inputs": {
-        "systems": "systems"
-      },
      "locked": {
-        "lastModified": 1709126324,
-        "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
+        "lastModified": 1605370193,
+        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "d465f4819400de7c8d874d50b982301f28a84605",
+        "rev": "5021eac20303a61fafe17224c087f5519baed54d",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -8,14 +8,15 @@
    };
    utils.url = "github:numtide/flake-utils";
    nixpkgs.url = "flake:nixpkgs/nixos-unstable";
-    nixpkgs-24_05.url = "flake:nixpkgs/nixos-24.05";
+    nixpkgs-22_11.url = "flake:nixpkgs/nixos-22.11";
+    nixpkgs-23_05.url = "flake:nixpkgs/nixos-23.05";
    blobs = {
      url = "gitlab:simple-nixos-mailserver/blobs";
      flake = false;
    };
  };

-  outputs = { self, utils, blobs, nixpkgs, nixpkgs-24_05, ... }: let
+  outputs = { self, utils, blobs, nixpkgs, nixpkgs-22_11, nixpkgs-23_05, ... }: let
    lib = nixpkgs.lib;
    system = "x86_64-linux";
    pkgs = nixpkgs.legacyPackages.${system};
@@ -25,8 +26,8 @@
        pkgs = nixpkgs.legacyPackages.${system};
      }
      {
-        name = "24.05";
-        pkgs = nixpkgs-24_05.legacyPackages.${system};
+        name = "23.05";
+        pkgs = nixpkgs-23_05.legacyPackages.${system};
      }
    ];
    testNames = [
@@ -90,7 +91,6 @@
          sphinx
          sphinx_rtd_theme
          myst-parser
-          linkify-it-py
        ])
      )];
      buildPhase = ''
--- a/mail-server/assertions.nix
+++ b/mail-server/assertions.nix
@@ -13,10 +13,5 @@
      assertion = config.mailserver.forwards == {};
      message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.forwards";
    }
-  ] ++ lib.optionals (config.mailserver.enable && config.mailserver.certificateScheme != "acme") [
-    {
-      assertion = config.mailserver.acmeCertificateName == config.mailserver.fqdn;
-      message = "When the certificate scheme is not 'acme' (mailserver.certificateScheme != \"acme\"), it is not possible to define mailserver.acmeCertificateName";
-    }
  ];
 }
--- a/mail-server/common.nix
+++ b/mail-server/common.nix
@@ -26,7 +26,7 @@ in
             else if cfg.certificateScheme == "selfsigned"
                  then "${cfg.certificateDirectory}/cert-${cfg.fqdn}.pem"
                  else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
-                       then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/fullchain.pem"
+                       then "${config.security.acme.certs.${cfg.fqdn}.directory}/fullchain.pem"
                       else throw "unknown certificate scheme";

  # key :: PATH
@@ -35,7 +35,7 @@ in
        else if cfg.certificateScheme == "selfsigned"
             then "${cfg.certificateDirectory}/key-${cfg.fqdn}.pem"
              else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
-                   then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/key.pem"
+                   then "${config.security.acme.certs.${cfg.fqdn}.directory}/key.pem"
                   else throw "unknown certificate scheme";

  passwordFiles = let
@@ -49,7 +49,7 @@ in
  # Appends the LDAP bind password to files to avoid writing this
  # password into the Nix store.
  appendLdapBindPwd = {
-    name, file, prefix, suffix ? "", passwordFile, destination
+    name, file, prefix, passwordFile, destination
  }: pkgs.writeScript "append-ldap-bind-pwd-in-${name}" ''
    #!${pkgs.stdenv.shell}
    set -euo pipefail
@@ -61,9 +61,8 @@ in
    fi

    cat ${file} > ${destination}
-    echo -n '${prefix}' >> ${destination}
+    echo -n "${prefix}" >> ${destination}
    cat ${passwordFile} >> ${destination}
-    echo -n '${suffix}' >> ${destination}
    chmod 600 ${destination}
  '';

--- a/mail-server/dovecot.nix
+++ b/mail-server/dovecot.nix
@@ -90,8 +90,7 @@ let
  setPwdInLdapConfFile = appendLdapBindPwd {
    name = "ldap-conf-file";
    file = ldapConfig;
-    prefix = ''dnpass = "'';
-    suffix = ''"'';
+    prefix = "dnpass = ";
    passwordFile = cfg.ldap.bind.passwordFile;
    destination = ldapConfFile;
  };
@@ -176,18 +175,8 @@ in
      mailPlugins.globally.enable = lib.optionals cfg.fullTextSearch.enable [ "fts" "fts_xapian" ];
      protocols = lib.optional cfg.enableManageSieve "sieve";

-      pluginSettings = {
-        sieve = "file:${cfg.sieveDirectory}/%u/scripts;active=${cfg.sieveDirectory}/%u/active.sieve";
-        sieve_default = "file:${cfg.sieveDirectory}/%u/default.sieve";
-        sieve_default_name = "default";
-      };
-
-      sieve = {
-        extensions = [
-          "fileinto"
-        ];
-
-        scripts.after = builtins.toFile "spam.sieve" ''
+      sieveScripts = {
+        after = builtins.toFile "spam.sieve" ''
          require "fileinto";

          if header :is "X-Spam" "Yes" {
@@ -195,29 +184,8 @@ in
              stop;
          }
        '';
-
-        pipeBins = map lib.getExe [
-          (pkgs.writeShellScriptBin "sa-learn-ham.sh"
-            "exec ${pkgs.rspamd}/bin/rspamc -h /run/rspamd/worker-controller.sock learn_ham")
-          (pkgs.writeShellScriptBin "sa-learn-spam.sh"
-            "exec ${pkgs.rspamd}/bin/rspamc -h /run/rspamd/worker-controller.sock learn_spam")
-        ];
      };

-      imapsieve.mailbox = [
-        {
-          name = junkMailboxName;
-          causes = [ "COPY" "APPEND" ];
-          before = ./dovecot/imap_sieve/report-spam.sieve;
-        }
-        {
-          name = "*";
-          from = junkMailboxName;
-          causes = [ "COPY" ];
-          before = ./dovecot/imap_sieve/report-ham.sieve;
-        }
-      ];
-
      mailboxes = cfg.mailboxes;

      extraConfig = ''
@@ -339,6 +307,28 @@ in
          inbox = yes
        }

+        plugin {
+          sieve_plugins = sieve_imapsieve sieve_extprograms
+          sieve = file:${cfg.sieveDirectory}/%u/scripts;active=${cfg.sieveDirectory}/%u/active.sieve
+          sieve_default = file:${cfg.sieveDirectory}/%u/default.sieve
+          sieve_default_name = default
+
+          # From elsewhere to Spam folder
+          imapsieve_mailbox1_name = ${junkMailboxName}
+          imapsieve_mailbox1_causes = COPY,APPEND
+          imapsieve_mailbox1_before = file:${stateDir}/imap_sieve/report-spam.sieve
+
+          # From Spam folder to elsewhere
+          imapsieve_mailbox2_name = *
+          imapsieve_mailbox2_from = ${junkMailboxName}
+          imapsieve_mailbox2_causes = COPY
+          imapsieve_mailbox2_before = file:${stateDir}/imap_sieve/report-ham.sieve
+
+          sieve_pipe_bin_dir = ${pipeBin}/pipe/bin
+
+          sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
+        }
+
        ${lib.optionalString cfg.fullTextSearch.enable ''
        plugin {
          plugin = fts fts_xapian
@@ -367,6 +357,13 @@ in
    systemd.services.dovecot2 = {
      preStart = ''
        ${genPasswdScript}
+        rm -rf '${stateDir}/imap_sieve'
+        mkdir '${stateDir}/imap_sieve'
+        cp -p "${./dovecot/imap_sieve}"/*.sieve '${stateDir}/imap_sieve/'
+        for k in "${stateDir}/imap_sieve"/*.sieve ; do
+          ${pkgs.dovecot_pigeonhole}/bin/sievec "$k"
+        done
+        chown -R '${dovecot2Cfg.mailUser}:${dovecot2Cfg.mailGroup}' '${stateDir}/imap_sieve'
      '' + (lib.optionalString cfg.ldap.enable setPwdInLdapConfFile);
    };

--- a/mail-server/nginx.nix
+++ b/mail-server/nginx.nix
@@ -17,10 +17,11 @@

 { config, pkgs, lib, ... }:

-with (import ./common.nix { inherit config lib pkgs; });
+with (import ./common.nix { inherit config; });

 let
  cfg = config.mailserver;
+  acmeRoot = "/var/lib/acme/acme-challenge";
 in
 {
  config = lib.mkIf (cfg.enable && (cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx")) {
@@ -31,10 +32,11 @@ in
        serverAliases = cfg.certificateDomains;
        forceSSL = true;
        enableACME = true;
+        acmeRoot = acmeRoot;
      };
    };

-    security.acme.certs."${cfg.acmeCertificateName}".reloadServices = [
+    security.acme.certs."${cfg.fqdn}".reloadServices = [
      "postfix.service"
      "dovecot2.service"
    ];
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -274,6 +274,9 @@ in
        # Submission by mail clients is handled in submissionOptions
        smtpd_tls_security_level = "may";

+        # strong might suffice and is computationally less expensive
+        smtpd_tls_eecdh_grade = "ultra";
+
        # Disable obselete protocols
        smtpd_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, !SSLv2, !SSLv3";
        smtp_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, !SSLv2, !SSLv3";
--- a/mail-server/rspamd.nix
+++ b/mail-server/rspamd.nix
@@ -30,7 +30,7 @@ in
      inherit debug;
      locals = {
          "milter_headers.conf" = { text = ''
-              extended_spam_headers = true;
+              extended_spam_headers = yes;
          ''; };
          "redis.conf" = { text = ''
              servers = "${cfg.redis.address}:${toString cfg.redis.port}";
@@ -69,6 +69,14 @@ in
          ''; };
      };

+      overrides = {
+        "milter_headers.conf" = {
+          text = ''
+            extended_spam_headers = true;
+          '';
+        };
+      };
+
      workers.rspamd_proxy = {
        type = "rspamd_proxy";
        bindSockets = [{
--- a/tests/external.nix
+++ b/tests/external.nix
@@ -501,6 +501,7 @@ pkgs.nixosTest {

      with subtest("dmarc reporting"):
          server.systemctl("start rspamd-dmarc-reporter.service")
+          server.wait_until_succeeds("journalctl -eu rspamd-dmarc-reporter.service -o cat | grep -q 'No reports for '")

      with subtest("no warnings or errors"):
          server.fail("journalctl -u postfix | grep -i error >&2")
@@ -508,7 +509,7 @@ pkgs.nixosTest {
          server.fail("journalctl -u dovecot2 | grep -i error >&2")
          # harmless ? https://dovecot.org/pipermail/dovecot/2020-August/119575.html
          server.fail(
-              "journalctl -u dovecot2 |grep -v 'Expunged message reappeared, giving a new UID'| grep -v 'FTS Xapian: Box is empty' | grep -i warning >&2"
+              "journalctl -u dovecot2 |grep -v 'Expunged message reappeared, giving a new UID'| grep -i warning >&2"
          )
    '';
 }
--- a/tests/internal.nix
+++ b/tests/internal.nix
@@ -177,7 +177,7 @@ pkgs.nixosTest {
            "set +e; timeout 1 ${pkgs.netcat}/bin/nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
        )
        machine.succeed(
-            "cat ${sendMail} | ${pkgs.netcat-gnu}/bin/nc localhost 25 | grep -q '554 5.5.0 Error'"
+            "cat ${sendMail} | ${pkgs.netcat-gnu}/bin/nc localhost 25 | grep -q 'This account cannot receive emails'"
        )

    with subtest("rspamd controller serves web ui"):