mailserver accepting thunderbid login ldap

2025-05-30 23:09:51 +02:00 · 2025-05-30 23:09:51 +02:00 · 8cdbd6659f
commit 8cdbd6659f
parent 4b03344165
3 changed files with 125 additions and 38 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -4,7 +4,23 @@
  pkgs,
  ...
 }:
+let
+  generatedAliases = pkgs.writeText "generated-aliases" (
+    lib.concatStringsSep "\n" (
+      lib.mapCartesianProduct ({ aliases, domain }: "${aliases}@${domain}  root@test.htw.stura-dresden.de") {
+        aliases = [
+          "abuse"
+          "hostmaster"
+          "noreply"
+          "postmaster"
+          "webmaster"
+        ];
+        domain = config.mailserver.domains;
+      }
+    )
+  );

+in
 {
  imports = [
    ./hardware-configuration.nix
@ -33,6 +49,9 @@
  boot.loader.grub.efiInstallAsRemovable = true;

  networking.hostName = "mail";
+  networking.extraHosts = ''
+    127.0.0.1 auth.test.htw.stura-dresden.de
+  '';
  networking.domain = "test.htw.stura-dresden.de";
  networking.interfaces.ens18.ipv4.addresses = [
    {
@ -78,6 +97,16 @@
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDmYHNdtPmQqvNINEWJgqEojrye+wQKr0S0VwlGv7xUa goeranh@node7"
  ];

+  # users.ldap = {
+  #   server = "ldaps://auth.test.htw.stura-dresden.de:6636";
+  #   enable = true;
+  #   bind = {
+  #     distinguishedName = "cn=dovecot,ou=users,dc=dovecot,dc=test,dc=htw,dc=stura-dresden,dc=de";
+  #     passwordFile = "/var/lib/dovecot_ldap_passwd";
+  #   };
+  #   base = "dc=dovecot,dc=test,dc=htw,dc=stura-dresden,dc=de";
+  # };
+
  environment.systemPackages = with pkgs; [
    tmux
    git
@ -87,11 +116,11 @@

  services.openssh.enable = true;
  services.dovecot2 = {
-    extraConfig = ''
-      auth_verbose = yes
-      auth_debug = yes
-      auth_debug_passwords = yes
-    '';
+    # extraConfig = ''
+    #   auth_verbose = yes
+    #   auth_debug = yes
+    #   auth_debug_passwords = yes
+    # '';
  };

  services.nginx.virtualHosts."auth.test.htw.stura-dresden.de".locations."/".extraConfig = ''
@ -116,16 +145,6 @@
    ];
  };

-  services.postfix.config.relay_domains = [
-    "hash:/var/lib/mailman/data/postfix_domains"
-  ];
-  services.postfix.config.transport_maps = [
-    "hash:/var/lib/mailman/data/postfix_lmtp"
-  ];
-  services.postfix.config.local_recipient_maps = [
-    "hash:/var/lib/mailman/data/postfix_lmtp"
-  ];
-
  services.mailman.siteOwner = "mailman@${config.networking.domain}";
  mailserver = {
    enable = true;
@ -138,26 +157,29 @@
    ldap = {
      enable = true;
      bind = {
-        dn = "cn=ldapservice,ou=users,dc=auth,dc=htw,dc=stura-dresden,dc=de";
+        dn = "cn=dovecot,ou=users,DC=test,DC=htw,DC=stura-dresden,DC=de";
        passwordFile = "/var/lib/dovecot_ldap_passwd";
      };
      dovecot = {
-        #userFilter = "(&(objectClass=posixAccount)(cn=%u))";
-        #passFilter = "(&(objectClass=posixAccount)(cn=%u))";
+        userFilter = "(&(objectClass=posixAccount)(mail=%u))";
+        passFilter = "(&(objectClass=posixAccount)(mail=%u))";
+        userAttrs = "mail";
      };
      postfix = {
-        #filter = "(&(objectClass=posixUser)(cn=%s))";
+        filter = "(&(objectClass=posixAccount)(mail=%s))";
+        mailAttribute = "mail";
+        uidAttribute = "cn";
      };
-      searchBase = "dc=auth,dc=htw,dc=stura-dresden,dc=de";
+      searchBase = "DC=test,DC=htw,DC=stura-dresden,DC=de";
      uris = [
-        "ldap://localhost:389"
+        "ldap://auth.test.htw.stura-dresden.de:3389"
      ];
    };

    certificateScheme = "acme-nginx";
    enableImap = true;
    enableImapSsl = true;
-    enableManageSieve = false;
+    enableManageSieve = true;
    enableSubmission = true;
    enableSubmissionSsl = true;
    extraVirtualAliases = { };
@ -185,8 +207,53 @@

  };

-  services.dovecot2.mailLocation = lib.mkForce "maildir:/var/vmail/%n";
-  # services.postfix.relayHost = "141.56.51.14";
+  # services.dovecot2.mailLocation = lib.mkForce "maildir:/var/vmail/%n";
+  services.postfix =
+    let
+      submissionOptions = {
+        # hash:/etc/postfix/virtual,
+        smtpd_sender_login_maps = lib.mkForce "ldap:/run/postfix/ldap-sender-login-map.cf";
+        smtpd_client_restrictions = "permit_sasl_authenticated,reject";
+      };
+    in
+    {
+      config = {
+        unknown_local_recipient_reject_code = 550;
+        virtual_mailbox_domains = [
+          "ldap:/run/postfix/ldap-sender-login-map.cf"
+        ];
+        virtual_mailbox_maps = [
+          "ldap:/run/postfix/ldap-virtual-mailbox-map.cf"
+        ];
+        virtual_alias_maps = [
+          "texthash:${generatedAliases}"
+          "ldap:/run/postfix/ldap-sender-login-map.cf"
+        ];
+
+        smtpd_sender_login_maps = [
+          "texthash:${generatedAliases}"
+          "ldap:/run/postfix/ldap-sender-login-map.cf"
+        ];
+
+        relay_domains = [
+          "hash:/var/lib/mailman/data/postfix_domains"
+        ];
+        transport_maps = [
+          "hash:/var/lib/mailman/data/postfix_lmtp"
+          "ldap:/run/postfix/ldap-sender-login-map.cf"
+        ];
+        local_recipient_maps = [
+          "hash:/var/lib/mailman/data/postfix_lmtp"
+          "ldap:/run/postfix/ldap-sender-login-map.cf"
+        ];
+      };
+      # mapFiles = {
+      #   "valias" = lib.mkForce "/var/lib/postfix/valias";
+      #   "virtual" = lib.mkForce "/var/lib/postfix/virtual";
+      # };
+      submissionOptions = submissionOptions;
+      submissionsOptions = submissionOptions;
+    };

  # virtualisation.docker.enable = true;
  security.acme.acceptTerms = true;