mailserver accepting thunderbid login ldap

2025-05-30 23:09:51 +02:00 · 2025-05-30 23:09:51 +02:00 · 8cdbd6659f
commit 8cdbd6659f
parent 4b03344165
3 changed files with 125 additions and 38 deletions
--- a/authentik.nix
+++ b/authentik.nix
@ -13,6 +13,7 @@
  };
  services.authentik-ldap = {
    enable = true;
    environmentFile = "/var/lib/authentik-ldap-env";
  };
  services.authentik = {
    enable = true;
@ -32,10 +33,25 @@
      avatars = "initials";
    };
-    nginx = {
+    # nginx = {
-      enable = true;
+    #   enable = true;
-      enableACME = true;
+    #   enableACME = true;
-      host = "auth.${config.networking.domain}";
+    #   host = "auth.${config.networking.domain}";
    # };
  };
  services.nginx = {
    enable = true;
    virtualHosts = {
      "auth.${config.networking.domain}" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://localhost:9000";
          proxyWebsockets = true;
          recommendedProxySettings = true;
        };
      };
    };
  };
 }
--- a/configuration.nix
+++ b/configuration.nix
@ -4,7 +4,23 @@
  pkgs,
  ...
 }:
 let
  generatedAliases = pkgs.writeText "generated-aliases" (
    lib.concatStringsSep "\n" (
      lib.mapCartesianProduct ({ aliases, domain }: "${aliases}@${domain}  root@test.htw.stura-dresden.de") {
        aliases = [
          "abuse"
          "hostmaster"
          "noreply"
          "postmaster"
          "webmaster"
        ];
        domain = config.mailserver.domains;
      }
    )
  );
 in
 {
  imports = [
    ./hardware-configuration.nix
@ -33,6 +49,9 @@
  boot.loader.grub.efiInstallAsRemovable = true;
  networking.hostName = "mail";
  networking.extraHosts = ''
    127.0.0.1 auth.test.htw.stura-dresden.de
  '';
  networking.domain = "test.htw.stura-dresden.de";
  networking.interfaces.ens18.ipv4.addresses = [
    {
@ -78,6 +97,16 @@
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDmYHNdtPmQqvNINEWJgqEojrye+wQKr0S0VwlGv7xUa goeranh@node7"
  ];
  # users.ldap = {
  #   server = "ldaps://auth.test.htw.stura-dresden.de:6636";
  #   enable = true;
  #   bind = {
  #     distinguishedName = "cn=dovecot,ou=users,dc=dovecot,dc=test,dc=htw,dc=stura-dresden,dc=de";
  #     passwordFile = "/var/lib/dovecot_ldap_passwd";
  #   };
  #   base = "dc=dovecot,dc=test,dc=htw,dc=stura-dresden,dc=de";
  # };
  environment.systemPackages = with pkgs; [
    tmux
    git
@ -87,11 +116,11 @@
  services.openssh.enable = true;
  services.dovecot2 = {
-    extraConfig = ''
+    # extraConfig = ''
-      auth_verbose = yes
+    #   auth_verbose = yes
-      auth_debug = yes
+    #   auth_debug = yes
-      auth_debug_passwords = yes
+    #   auth_debug_passwords = yes
-    '';
+    # '';
  };
  services.nginx.virtualHosts."auth.test.htw.stura-dresden.de".locations."/".extraConfig = ''
@ -116,16 +145,6 @@
    ];
  };
  services.postfix.config.relay_domains = [
    "hash:/var/lib/mailman/data/postfix_domains"
  ];
  services.postfix.config.transport_maps = [
    "hash:/var/lib/mailman/data/postfix_lmtp"
  ];
  services.postfix.config.local_recipient_maps = [
    "hash:/var/lib/mailman/data/postfix_lmtp"
  ];
  services.mailman.siteOwner = "mailman@${config.networking.domain}";
  mailserver = {
    enable = true;
@ -138,26 +157,29 @@
    ldap = {
      enable = true;
      bind = {
-        dn = "cn=ldapservice,ou=users,dc=auth,dc=htw,dc=stura-dresden,dc=de";
+        dn = "cn=dovecot,ou=users,DC=test,DC=htw,DC=stura-dresden,DC=de";
        passwordFile = "/var/lib/dovecot_ldap_passwd";
      };
      dovecot = {
-        #userFilter = "(&(objectClass=posixAccount)(cn=%u))";
+        userFilter = "(&(objectClass=posixAccount)(mail=%u))";
-        #passFilter = "(&(objectClass=posixAccount)(cn=%u))";
+        passFilter = "(&(objectClass=posixAccount)(mail=%u))";
        userAttrs = "mail";
      };
      postfix = {
-        #filter = "(&(objectClass=posixUser)(cn=%s))";
+        filter = "(&(objectClass=posixAccount)(mail=%s))";
        mailAttribute = "mail";
        uidAttribute = "cn";
      };
-      searchBase = "dc=auth,dc=htw,dc=stura-dresden,dc=de";
+      searchBase = "DC=test,DC=htw,DC=stura-dresden,DC=de";
      uris = [
-        "ldap://localhost:389"
+        "ldap://auth.test.htw.stura-dresden.de:3389"
      ];
    };
    certificateScheme = "acme-nginx";
    enableImap = true;
    enableImapSsl = true;
-    enableManageSieve = false;
+    enableManageSieve = true;
    enableSubmission = true;
    enableSubmissionSsl = true;
    extraVirtualAliases = { };
@ -185,8 +207,53 @@
  };
-  services.dovecot2.mailLocation = lib.mkForce "maildir:/var/vmail/%n";
+  # services.dovecot2.mailLocation = lib.mkForce "maildir:/var/vmail/%n";
-  # services.postfix.relayHost = "141.56.51.14";
+  services.postfix =
    let
      submissionOptions = {
        # hash:/etc/postfix/virtual,
        smtpd_sender_login_maps = lib.mkForce "ldap:/run/postfix/ldap-sender-login-map.cf";
        smtpd_client_restrictions = "permit_sasl_authenticated,reject";
      };
    in
    {
      config = {
        unknown_local_recipient_reject_code = 550;
        virtual_mailbox_domains = [
          "ldap:/run/postfix/ldap-sender-login-map.cf"
        ];
        virtual_mailbox_maps = [
          "ldap:/run/postfix/ldap-virtual-mailbox-map.cf"
        ];
        virtual_alias_maps = [
          "texthash:${generatedAliases}"
          "ldap:/run/postfix/ldap-sender-login-map.cf"
        ];
        smtpd_sender_login_maps = [
          "texthash:${generatedAliases}"
          "ldap:/run/postfix/ldap-sender-login-map.cf"
        ];
        relay_domains = [
          "hash:/var/lib/mailman/data/postfix_domains"
        ];
        transport_maps = [
          "hash:/var/lib/mailman/data/postfix_lmtp"
          "ldap:/run/postfix/ldap-sender-login-map.cf"
        ];
        local_recipient_maps = [
          "hash:/var/lib/mailman/data/postfix_lmtp"
          "ldap:/run/postfix/ldap-sender-login-map.cf"
        ];
      };
      # mapFiles = {
      #   "valias" = lib.mkForce "/var/lib/postfix/valias";
      #   "virtual" = lib.mkForce "/var/lib/postfix/virtual";
      # };
      submissionOptions = submissionOptions;
      submissionsOptions = submissionOptions;
    };
  # virtualisation.docker.enable = true;
  security.acme.acceptTerms = true;
--- a/flake.nix
+++ b/flake.nix
@ -1,14 +1,5 @@
 {
  description = "A very basic flake";
  nixConfig = {
    extra-substituters = [
      "https://nix-community.cachix.org"
    ];
    extra-trusted-public-keys = [
      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
    ];
  };
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
    authentik = {
@ -21,7 +12,10 @@
        nixpkgs-25_05.follows = "nixpkgs";
      };
    };
-    # mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.11";
+    sops = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
@ -35,10 +29,19 @@
      authentik,
      mailserver,
      disko,
      sops,
    }:
    {
      formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-rfc-style;
      devShells.x86_64-linux = {
        default = nixpkgs.legacyPackages.x86_64-linux.mkShell {
          packages = with nixpkgs.legacyPackages.x86_64-linux; [
            ssh-to-age
            sops
          ];
        };
      };
      nixosConfigurations = {
        authentik = nixpkgs.lib.nixosSystem {
          system = "x86_64-linux";
@ -48,6 +51,7 @@
            disko.nixosModules.disko
            authentik.nixosModules.default
            mailserver.nixosModules.mailserver
            sops.nixosModules.sops
          ];
        };
      };