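# NixOS configuration for the mail host "mail.c3d2.de": Postfix as MTA, Dovecot
# for IMAP/LMTP/Sieve, rspamd as milter (bayes state in redis), fail2ban, an
# nginx vhost that proxies the rspamd web UI, and ACME certificates.
#
# The rendered source read `{pkgs ? , ...}:`, which does not parse (a `?`
# default with no expression). NixOS hands `pkgs` to every module, so no
# default is needed.
{ pkgs, ... }:

let
  # Primary mail domain: myorigin, the ACME certificate name and the nginx vhost.
  maildomain = "c3d2.de";
  # MTA hostname; also used below as the certificate directory name.
  hostname = "mail.c3d2.de";

  # Postfix virtual(5) alias map: one `pattern recipient[, recipient ...]`
  # mapping per line, `#` lines are comments.
  #
  # NOTE(review): the rendering this was restored from had lost the line
  # breaks of this map, so the text below is kept exactly as shown. It must
  # NOT be deployed in this shape: virtual(5) is line-oriented, and a line
  # that starts with `#` hides every mapping behind it, while a line that
  # starts with an address turns the whole rest of the line into recipients
  # (i.e. mail gets delivered to the wrong people). Restore one mapping per
  # line from the original file before use; reconstructing the comment
  # boundaries by hand is not reliable.
  virtual_map = ''
    ### system # postmaster postmaster root hostmaster@redmine.c3d2.de root hostmaster@pentapad.c3d2.de root hostmaster@wiki.c3d2.de root hostmaster@chat.c3d2.de nulli # hostmaster hostmaster@dresden.ccc.de fb@alien8.de, root hostmaster@datenspuren.de daniel@plominski.eu, root hostmaster root # root root@c3d2.de astro, morphium, nulli, eri, tboston root root@c3d2.de # webmaster webmaster astro, root # c3d2web c3d2web astro # Abuse abuse abuse@c3d2.de abuse@c3d2.de abuse@q-ix.net, root # listmaster listmaster@c3d2.de fb@c3d2.de, ps@c3d2.de, mail@c3d2.de list@c3d2.de nulli, koeart, morphium, vv01f, tboston list list@c3d2.de mailer-daemon list@c3d2.de # logcheck logcheck root # admin fuer gitolite admin@c3d2.de root, blastmaster@c3d2.de, john@tuxcode.org, nulli admin admin@c3d2.de # flatbert admins flatbert-admin@c3d2.de daniel@plominski.eu, astro@spaceboyz.net, john@tuxcode.org, paul@schwanse.de, morphium, ccc@poelzi.org, nulli@c3d2.de wiki@c3d2.de root ## VPN vpn@c3d2.de astro, ccc@poelzi.org, vv01f ### c3d2 user local home # nulli nulli@dresden.ccc.de nulli nulli@c3d2.de nulli webzwo0i@c3d2.de nulli #ispconfig trial, can be removed?
    hostmaster@jabber.c3d2.de nulli 0i@c3d2.de nulli rec0very@c3d2.de nulli vr@c3d2.de nulli dock@c3d2.de nulli shodan@c3d2.de nulli tkradio@c3d2.de nulli, honky dict@c3d2.de nulli eb@c3d2.de nulli dropbox@c3d2.de nulli ebi@c3d2.de nulli goo@c3d2.de nulli dmi@c3d2.de nulli impffein@c3d2.de nulli gaga@c3d2.de nulli # astro # formerly: astro@spaceboyz.net astro@c3d2.de astro astro@netzbiotop.org astro # alien8 a8 a8, fb@alien8.de a8@c3d2.de a8, fb@alien8.de fb@c3d2.de a8, fb@alien8.de alien8@c3d2.de a8, fb@alien8.de # pentabugs pentabugs@c3d2.de pentabugs # herr flupke hf@c3d2.de hf # santex # formerly: santex@c3d2.de santex hagen@c3d2.de santex #nek0 nek0@c3d2.de nek0 nek0@netzbiotop.org nek0 pizza@c3d2.de nek0 # ju ju@c3d2.de ju # vater vater@c3d2.de vater pavel@c3d2.de vater # flatbert flatbert@c3d2.de flatbert ###Datenspuren datenspuren@c3d2.de martin@christianix.de, blastmaster, bigalex, nek0, honky, koeart, xyrill@c3d2.de twitter@datenspuren.de mail@c3d2.de lightningtalks@datenspuren.de bigalex@c3d2.de, hcx23@mailbox.org, honky ### c3d2 user forwarding # riot riot@c3d2.de riot@bsd-crew.de # fukami fukami@c3d2.de ccc@foo.io # jens jens@c3d2.de weisse_jens@web.de # matthias matthias@c3d2.de matthias@bsd-crew.de # morphium morphium@c3d2.de c3d2@morphium.info morphium c3d2@morphium.info # tibyr tibyr@c3d2.de tibyr@alien8.de # twobit twobit@c3d2.de s8572327@gmail.com tboston tboston@posteo.net xyrill majewsky@posteo.de polaris ursa.minor@posteo.de ### c3d2 aliases ## viele bunte smarties #astro seins eris@c3d2.de astro flauschi@c3d2.de astro kabelsalat@c3d2.de eris@c3d2.de fnord@c3d2.de eris@c3d2.de f.nord@c3d2.de eris@c3d2.de frauke@c3d2.de eris@c3d2.de fridolin@c3d2.de eris@c3d2.de pm@c3d2.de eris@c3d2.de # pre pre urzeit 21c3fpdev@c3d2.de pentabarf@mail.skyhub.de ds-ic@c3d2.de ds-ic@mail.kruitzer.net # pentamusic podcast@c3d2.de pentaradio ps@c3d2.de koeart pentamusic@c3d2.de koeart pentaradio honky, xyrill@c3d2.de, siehm@c3d2.de, mole@mopox.de, vv01f,
    friedemann@wulff-woesten.de # autotopia - arbeitsgruppe zu atomatisierung autotopia@c3d2.de polaris, nos, nek0, adrien@informancer.eu # datenschleuder datenschleuder@c3d2.de koeart, nulli, john@tuxcode.org, datenschleuder@tuxcode.org # bestellungen fuer wem auch immer fuer den vllt. c3d2 oder privat, man weis es nicht bestellungen@c3d2.de c3d2@xvlc.de, bigalex, mail@c3d2.de #robmail addresse suchen peering@c3d2.de koeart, nulli, astro@spaceboyz.net freifunk@c3d2.de nulli, astro@spaceboyz.net # vorstand, schatzmeister, kassenwart schatzmeister@c3d2.de vorstand@c3d2.de kassenwart@c3d2.de vorstand@c3d2.de kassenwart@netzbiotop.org vorstand@c3d2.de vorstand@netzbiotop.org honky, winzlieb, nek0 vorstand@c3d2.de honky, winzlieb, nek0 # master of coin ln@c3d2.de bitcoin@c3d2.de crypto@c3d2.de bitcoin@c3d2.de bitcoin@c3d2.de vv01f # wire # project address, forward ziel fuer alle *.wire@c3d2.de siehe virtual.regex wire@c3d2.de wire # adressen aus dem c3d2-web git 2c3@c3d2.de mail@c3d2.de keysign@c3d2.de mail@c3d2.de news@c3d2.de mail@c3d2.de presse@c3d2.de mail@c3d2.de info@c3d2.de mail@c3d2.de # CmS Schule schule@c3d2.de cms@lists.c3d2.de ### c3d2 orga # mail@ mail@c3d2.de astro, ibook@klobs.de, koeart, bigalex, morphium, nulli, vv01f, vater, nek0, tboston, xyrill, polaris, winzlieb, simon_ccc@liebing.cc mail@dresden.ccc.de mail@c3d2.de mail@c3dd.de mail@c3d2.de mail@cccdd.de mail@c3d2.de mail mail@c3d2.de werbung@c3d2.de mail@c3d2.de paypal@c3d2.de daniel@plominski.eu, astro, bigalex@c3d2.de, raz@c3d2.de, joerg@higgsboson.tk, mail mail@netzbiotop.org mail@c3d2.de ### ueber /home/blotter/bin/create_vmail_user hinzugefuegt # sven # formerly: sven@elektro-klemm.de sven@c3d2.de sven nevs@c3d2.de sven # blastmaster # formerly: oeste.sebastian@googlemail.com blastmaster@c3d2.de blastmaster blastermaster@c3d2.de blastmaster # koeart # formerly: paul@schwanse.de, koeart@zwoelfelf.org koeart@c3d2.de koeart # eri!
    # formerly: hans.orter@gmx.de eri@c3d2.de eri eri@cccdd.de eri eri@netzbiotop.org eri # pwnytail # formerly: jakobi@stura.htw-dresden.de pwnytail@c3d2.de pwnytail # darkwake # formerly: darkwake@freenet.de darkwake@c3d2.de darkwake # coeins # formerly: coeins@gmail.com coeins@c3d2.de coeins # bigalex # formerly: bigalex@gmx.de, alexander.lorz@tu-dresden.de bigalex@c3d2.de bigalex bigalex bigalex # lachmoewe # formerly: omg-lachmoewe@gmx.net lachmoewe@c3d2.de lachmoewe tf@c3d2.de lachmoewe # daniel.plominski daniel@c3d2.de daniel, daniel@plominski.eu daniel@dresden.ccc.de daniel, daniel@plominski.eu daniel.plominski@c3d2.de daniel, daniel@plominski.eu daniel.plominski@dresden.ccc.de daniel, daniel@plominski.eu # dodo # formerly: dodo.the.last@gmail.com dodo@c3d2.de dodo dodo@dresden.ccc.de dodo # payload # formerly: payload@payload-bay.de payload payload, s1394474@mail.zih.tu-dresden.de payload@c3d2.de payload, s1394474@mail.zih.tu-dresden.de # nos # formerly: s70341@htw-dresden.de nos@c3d2.de nos # mc # formerly: martin@christianix.de mc@c3d2.de mc norbert@c3d2.de mc # vany # formerly: eyke.schoeniger@gmx.de vany@c3d2.de vany # toon # formerly: s71156@htw-dresden.de toon@c3d2.de toon # meo # formerly: meodexter@gmail.com meo@c3d2.de meo meodexter@c3d2.de meo # j03 j03@c3d2.de j03 jo3@c3d2.de j03 # nac nac@c3d2.de nac #vv01f vv01f@c3d2.de vv01f wolf@c3d2.de vv01f vv01f@dresden.ccc.de vv01f vv01f@c3dd.de vv01f vv01f@cccdd.de vv01f wolf@dresden.ccc.de vv01f vv01f@netzbiotop.org vv01f wolf@netzbiotop.org vv01f # polygon polygon@c3d2.de polygon # derped derped@c3d2.de derped # kalipso # formerly: kingkaiserprinz@gmail.com kalipso@c3d2.de kalipso # dzzzniel dzzzniel@c3d2.de dzzzniel # summi summi@c3d2.de summi # hendrix hendrix@c3d2.de ra.anti@gmx.net # testcopy testcopy@c3d2.de testcopy # blottervmail blotter@c3d2.de blotter blotter@c3dd.de blotter blotter@cccdd.de blotter blotter@dresden.ccc.de blotter no blotter blottervmail@c3d2.de blotter blottervmail@mail.c3d2.de
    blotter # simon # formerly: simon.toermer@gmx.de simon@c3d2.de simon # ventolin # formerly: sackgasse@gmx.net ventolin@c3d2.de ventolin # honky # formerly: honky@defendtheplanet.net honky@c3d2.de honky honky@cccdd.de honky honky@c3dd.de honky honky@netzbiotop.org honky # matemat matemat@c3d2.de matemat # nero # formerly: nero@w1r3.net nero@c3d2.de nero # billy # formerly: annettgerlach@gmx.net billy@c3d2.de annettgerlach@gmx.net # winzlieb winzlieb graviola@posteo.de winzlieb@netzbiotop.org winzlieb # broken_pipe # formerly: urban@subnet.email broken_pipe@c3d2.de broken_pipe # autotopia # formerly: broken_pipe@c3d2.de # servicemail servicemail@c3d2.de servicemail monitoring@c3d2.de monitoring # polaris # formerly: ursa.minor@posteo.de polaris@c3d2.de polaris # xeri xeri@c3d2.de xeri # xyrill # formerly: majewsky@posteo.de xyrill@dresden.ccc.de majewsky@posteo.de xyrill@c3d2.de majewsky@posteo.de xyrill@c3dd.de majewsky@posteo.de xyrill@netzbiotop.org majewsky@posteo.de # neda neda@c3d2.de n.sultova@hzdr.de # ehmry ehmry@c3d2.de ehmry@posteo.net ehmry@dresden.ccc.de ehmry@posteo.net ehmry@c3dd.de ehmry@posteo.net # antranes antranes@c3d2.de antranes # antrares antrares@c3d2.de antrares # siehm: simon_ccc@liebing.cc siehm@c3d2.de simon_ccc@liebing.cc siehm@c3dd.de simon_ccc@liebing.cc siehm@dresden.ccc.de simon_ccc@liebing.cc # sandro # formerly: sandro.jaeckel@posteo.de sandro@c3d2.de sandro # leonvita91 leonvita91@c3d2.de leonvita91 # wiki-sender wiki-sender@c3d2.de wiki-sender # etherpad-notify etherpad-notify@c3d2.de etherpad-notify # zylens # formerly: zylens zylens@c3d2.de zylens # formerly: Mirko mirko@c3d2.de mirko@c3d2.zeiban.de
  '';

  # Networks that Postfix relays for without authentication. The same list is
  # fail2ban's ignore list and (brackets stripped) rspamd's local_addrs, so a
  # host added here gains trust in all three places at once. IPv6 entries use
  # Postfix's bracketed form.
  mynetworks = [
    "127.0.0.0/8"
    "172.22.99.0/24"
    "172.22.100.0/24"
    "81.201.149.152/32"
    "24.134.104.53/32"
    "[::1]/128"
    "[fe80::]/10"
    "[2a00:1828:a008::]/48"
    "[2001:470:6d:670::]/64"
    "[2001:67c:1400:2240::]/64"
    "[2a00:8180:2c00:200::]/56"
  ];

  # Postfix writes IPv6 networks as "[::1]/128"; rspamd's local_addrs takes
  # plain CIDR notation, so the brackets are removed before handing the list on.
  unbracket = net: builtins.replaceStrings [ "[" "]" ] [ "" "" ] net;

  # Domains hosted here besides `maildomain`: Postfix virtual mailbox domains,
  # nginx server aliases and ACME subject alternative names.
  virtual_domains = [
    "dresden.ccc.de"
    "cccdd.de"
    "c3dd.de"
    "datenspuren.de"
    "jabber.c3d2.de"
    "webmail.c3d2.de"
    "chat.c3d2.de"
    "zengelsystem.c3d2.space"
    "c3d2.space"
    "netzbiotop.org"
    # "nc.c3d2.space"
  ];
in {
  #imports = [
  #
  #];

  networking.hostName = "mail";
  networking.useNetworkd = true;
  networking.interfaces.eth0.ipv4.addresses = [{
    address = "172.20.73.58";
    prefixLength = 26;
  }];
  networking.defaultGateway = "172.20.73.1";

  # Exposed services: SMTP (25), submission (587), IMAP (143), ManageSieve
  # (4190) and HTTP/HTTPS for the nginx vhost. Only STARTTLS-style ports are
  # open; there is no implicit-TLS 465/993.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 25 587 143 4190 80 443 ];
    allowedUDPPorts = [ ];
  };

  # Owner of the virtual mailboxes; uid 5000 matches the static
  # virtual_uid_maps/virtual_gid_maps in the Postfix config below.
  # NOTE(review): "/vor/spool/mail" looks like a typo for /var/spool/mail. It is
  # harmless while createHome = false and mail lives under /var/vmail, but confirm.
  users.users."mailowner" = {
    createHome = false;
    extraGroups = [];
    group = "users";
    home = "/vor/spool/mail";
    isSystemUser = true;
    openssh.authorizedKeys.keys = [ ];
    uid = 5000;
  };

  services = {
    postfix = {
      enable = true;
      enableSmtp = true;
      enableSubmission = true;
      enableHeaderChecks = true;
      domain = maildomain;
      hostname = hostname;
      # NOTE(review): these paths are /var/lib/acme/mail.c3d2.de/, but the only
      # certificate declared in this file is security.acme.certs."c3d2.de"
      # (whose SANs do not include mail.c3d2.de), and its postRun restarts
      # Postfix/Dovecot for a certificate they do not read. Unless another
      # module declares a mail.c3d2.de certificate, either add
      # certs."${hostname}" or point these at /var/lib/acme/${maildomain}/ and
      # add `hostname` to that certificate's extraDomainNames.
      sslCert = "/var/lib/acme/${hostname}/fullchain.pem";
      sslKey = "/var/lib/acme/${hostname}/key.pem";
      networks = [ ];
      virtual = virtual_map;
      config = {
        myorigin = maildomain;
        mydestination = [ "127.0.0.1" ];
        mynetworks = mynetworks;
        mail_owner = "postfix";
        # The *_use_tls spellings are the legacy form; the *_tls_security_level
        # settings are what current Postfix reads. "may" = opportunistic TLS.
        smtp_use_tls = true;
        smtp_tls_security_level = "may";
        smtpd_use_tls = true;
        smtpd_tls_security_level = "may";
        # Relaying only for trusted networks or authenticated users; everything
        # else must be addressed to a domain this host is responsible for.
        smtpd_recipient_restrictions = [
          "permit_mynetworks"
          "permit_sasl_authenticated"
          "reject_unauth_destination"
        ];
        smtpd_relay_restrictions = [
          "permit_mynetworks"
          "permit_sasl_authenticated"
          "reject_unauth_destination"
        ];
        smtpd_sasl_auth_enable = true;
        # false allows AUTH before STARTTLS, i.e. SASL credentials can cross the
        # wire in clear text on 25/587. Set to true once all clients are known
        # to negotiate STARTTLS.
        smtpd_tls_auth_only = false;
        # Leaves TLS 1.2 and newer only.
        smtpd_tls_protocols = [ "!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" ];
        smtpd_tls_mandatory_ciphers = "high";
        # SASL backend is the Dovecot auth socket configured in dovecot2.extraConfig.
        smtpd_sasl_path = "/var/lib/postfix/auth";
        smtpd_sasl_type = "dovecot";
        virtual_mailbox_domains = [ maildomain ] ++ virtual_domains;
        relay_domains = [ "$mydestination" "lists.c3d2.de" ];
        message_size_limit = "40960000";
        # Dovecot delivery
        virtual_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
        virtual_gid_maps = "static:5000";
        virtual_uid_maps = "static:5000";
        virtual_minimum_uid = "5000";
        virtual_mailbox_base = "/var/vmail";
        # tarpitting: slow down and then drop clients that keep producing
        # protocol errors (dictionary attacks, broken bots).
        smtpd_error_sleep_time = "10s";
        smtpd_soft_error_limit = 2;
        smtpd_hard_error_limit = 5;
        smtpd_junk_command_limit = 2;
      };
    };

    dovecot2 = {
      enable = true;
      enableImap = true;
      enableLmtp = true;
      enablePop3 = false;
      enablePAM = false;
      enableQuota = true;
      createMailUser = true;
      mailLocation = "maildir:~/maildir";
      mailboxes = {
        Spam = { auto = "create"; specialUse = "Junk"; };
        Sent = { auto = "create"; specialUse = "Sent"; };
        Drafts = { auto = "create"; specialUse = "Drafts"; };
        Trash = { auto = "create"; specialUse = "Trash"; };
      };
      modules = [ pkgs.dovecot_pigeonhole ];
      quotaGlobalPerUser = "1G";
      # Same certificate directory as Postfix; see the NOTE(review) there.
      sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem";
      sslServerKey = "/var/lib/acme/${hostname}/key.pem";
      protocols = [ "sieve" ];
      mailPlugins = {
        perProtocol = {
          imap = { enable = [ "imap_sieve" ]; };
          lmtp = { enable = [ "sieve" ]; };
        };
      };
      # Accounts come from a passwd-file that is not managed in this module
      # (/etc/dovecot/auth.d/passwd); its permissions are part of the security
      # posture of this host.
      extraConfig = ''
        passdb {
          driver = passwd-file
          args = username_format=%u /etc/dovecot/auth.d/passwd
        }
        userdb {
          driver = passwd-file
          args = username_format=%u /etc/dovecot/auth.d/passwd
        }
        # LMTP socket used by Postfix' virtual_transport
        service lmtp {
          unix_listener dovecot-lmtp {
            group = postfix
            mode = 0660
            user = postfix
          }
        }
        # SASL socket used by Postfix' smtpd_sasl_path
        service auth {
          unix_listener /var/lib/postfix/auth {
            group = postfix
            mode = 0660
            user = postfix
          }
          user = dovecot2
        }
        service managesieve-login {
        }
        service managesieve {
        }
        protocol sieve {
        }
        protocol lmtp {
          postmaster_address = postmaster@nek0.eu
        }
        protocol imap {
          mail_max_userip_connections = 100
        }
        plugin {
          sieve = file:~/sieve;active=~/.dovecot.sieve
        }
      '';
    };

    fail2ban = {
      enable = true;
      # NOTE(review): this passes the Postfix-style bracketed IPv6 entries
      # ("[::1]/128"); confirm fail2ban parses them, otherwise use
      # `map unbracket mynetworks` here as well.
      ignoreIP = mynetworks;
      jails = {
        "postfix" = ''
          enabled = true
        '';
        # NOTE(review): upstream fail2ban ships a filter named "dovecot";
        # verify that a "dovecot-imap" filter exists on this host or the jail
        # will fail to start.
        "dovecot-imap" = ''
          enabled = true
          port = imap,imaps
          filter = dovecot-imap
          #logpath = /var/log/dovecot.log
        '';
      };
    };

    nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedTlsSettings = true;
      virtualHosts."${maildomain}" = {
        serverAliases = virtual_domains;
        forceSSL = true;
        enableACME = true;
        http2 = true;
        # Exposes the rspamd controller (admin UI/API on 127.0.0.1:11334) on the
        # public vhost; the only protection is the controller password set in
        # worker-controller.inc. Consider limiting this location to admin
        # addresses.
        locations."/rspamd/" = {
          proxyPass = "http://127.0.0.1:11334/";
          extraConfig = ''
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          '';
        };
      };
    };

    rspamd = {
      enable = true;
      user = "rspamd";
      group = "rspamd";
      # Hooks rspamd into Postfix as a milter on the proxy worker (11332).
      postfix = {
        enable = true;
        config = {
          non_smtpd_milters = [ "inet:127.0.0.1:11332" ];
          smtpd_milters = [ "inet:127.0.0.1:11332" ];
          milter_protocol = "6";
          milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_authen}";
          # Fail-open: if rspamd is unreachable, mail is accepted unscanned.
          # This favours availability over filtering; "tempfail" is the
          # fail-closed alternative.
          milter_default_action = "accept";
        };
      };
      workers = {
        "normal" = {
          enable = true;
          type = "normal";
          includes = [ "$CONFDIR/worker-normal.inc" ];
          bindSockets = [{
            socket = "/run/rspamd/rspamd.sock";
            mode = "0660";
            owner = "rspamd";
            group = "rspamd";
          }];
        };
        "controller" = {
          enable = true;
          count = 1;
          type = "controller";
          includes = [ "$CONFDIR/worker-controller.inc" ];
          # Loopback only; reached from outside via the nginx /rspamd/ location.
          bindSockets = [ "127.0.0.1:11334" ];
        };
        "rspamd_proxy" = {
          enable = true;
          type = "rspamd_proxy";
          includes = [ "$CONFDIR/worker-proxy.inc" ];
          # Same settings as worker-proxy.inc below; one copy would do.
          extraConfig = ''
            milter = yes;
            timeout = 120s;
            upstream "local" {
              default = yes;
              self_scan = yes;
            }
          '';
        };
      };
      locals = {
        "options.inc" = {
          enable = true;
          # local_addrs is derived from `mynetworks` so Postfix and rspamd
          # trust the same networks. The rendered source had
          # `${builtins foldl ...}` here (missing dot, unquoted, no `;`), which
          # does not evaluate; this produces the quoted comma-separated form
          # shown in the commented-out example.
          text = ''
            #local_addrs = "127.0.0.0/8, ::1, 10.0.0.0/8, 2a01:4f8:222:2b41::/64";
            local_addrs = "${builtins.concatStringsSep ", " (map unbracket mynetworks)}";
            dns {
              nameserver = ["10.0.0.53:53:10"];
            }
          '';
        };
        "worker-normal.inc" = {
          enable = true;
          text = ''
            bind_socket = "127.0.0.1:11333";
            count = 2;
          '';
        };
        "worker-controller.inc" = {
          enable = true;
          # NOTE(review): this hash is rendered into the world-readable Nix
          # store. It is a hash, not the password, but it is still better
          # included from a root-only file outside the store.
          text = ''
            # create with "rspamadm pw"
            password = "$2$ybs6zdxgq17ys7azr4iwkwr3tg4ifx5z$79hoz8ah1w6f4b5rs7u8x7gst6ioidzcwijj8uu5zap9t6cw4tjb";
          '';
        };
        "worker-proxy.inc" = {
          enable = true;
          text = ''
            bind_socket = "127.0.0.1:11332";
            milter = yes;
            timeout = 120s;
            upstream "local" {
              default = yes;
              self_scan = yes;
            }
          '';
        };
        "logging.inc" = {
          enable = true;
          # Only errors are logged; raise the level when investigating
          # misclassifications or milter problems.
          text = ''
            type = "file";
            filename = "/var/lib/rspamd/rspamd.log";
            level = "error";
            debug_modules = [];
          '';
        };
        "milter_headers.conf" = {
          enable = true;
          text = ''
            use = ["x-spamd-bar", "x-spam-level", "authentication-results"];
            authenticated_headers = ["authentication-results"];
          '';
        };
        "classifier-bayes.conf" = {
          enable = true;
          # Bayes state lives in the local redis configured below (port 6378).
          text = ''
            backend = "redis";
            servers = "127.0.0.1:6378";
          '';
        };
      };
    };

    # Loopback-only redis for rspamd's bayes classifier; no authentication is
    # configured, so the loopback bind is what keeps it private.
    redis = {
      enable = true;
      bind = "127.0.0.1";
      port = 6378;
      vmOverCommit = true;
      settings = {
        supervised = "systemd";
        maxmemory = "1GB";
        maxmemory-policy = "volatile-lru";
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    preliminarySelfsigned = true;
    renewInterval = "*-01,03,05,07,09,11-01 00:00:00";
    certs = {
      "${maildomain}" = {
        email = "nek0@nek0.eu";
        # extraDomainNames is a list of strings; the rendered source wrapped
        # the list once more (`[ virtual_domains ]`), which the option type
        # rejects.
        extraDomainNames = virtual_domains;
        # Postfix and Dovecot only pick up a renewed certificate on restart.
        postRun = "systemctl restart postfix.service dovecot2.service";
      };
    };
  };
}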