From 8d613f6e57129ca45634d4d6a6a86a3f6d1db56e Mon Sep 17 00:00:00 2001
From: niten
Date: Mon, 2 Oct 2023 12:38:56 -0700
Subject: [PATCH] Works without SSSD! Now...accept incoming mail if we're the destination
---
 dovecot.nix | 38 --------------------------------------
 mail-server.nix | 14 --------------
 postfix.nix | 3 ++-
 3 files changed, 2 insertions(+), 53 deletions(-)
diff --git a/dovecot.nix b/dovecot.nix
index bb18524..027e51d 100644
--- a/dovecot.nix
+++ b/dovecot.nix
@@ -260,44 +260,6 @@ in {
 socketPath = "/var/run/dovecot2/old-stats";
 };
- sssd = {
- enable = true;
- # FIXME: pass as config
- environmentFile = "/run/dovecot-secrets/sssd.env";
- config = ''
- [nss]
- reconnection_retries = 3
-
- [sssd]
- config_file_version = 2
- reconnection_retries = 3
- domains = $SSSD_LDAP_DOMAIN
- services = nss, pam
-
- [pam]
- reconnection_retries = 3
-
- [domain/$SSSD_LDAP_DOMAIN]
- cache_credentials = False
- id_provider = ldap
- auth_provider = ldap
- ldap_uri = $SSSD_LDAP_SERVER
-
- ldap_schema = rfc2307bis
- ldap_search_base = $SSSD_LDAP_SEARCH_BASE
- ldap_user_search_base = $SSSD_LDAP_USER_SEARCH_BASE
- ldap_group_search_base = $SSSD_LDAP_GROUP_SEARCH_BASE
-
- ldap_user_object_class = user
- ldap_user_name = cn
- ldap_group_object_class = group
- ldap_group_name = cn
-
- ldap_default_bind_dn = $SSSD_LDAP_BIND_DN
- ldap_default_authtok = $SSSD_LDAP_AUTH_TOKEN
- '';
- };
-
 dovecot2 = {
 enable = true;
 enableImap = true;
diff --git a/mail-server.nix b/mail-server.nix
index da5516b..1c6a83d 100644
--- a/mail-server.nix
+++ b/mail-server.nix
@@ -205,19 +205,6 @@ in {
 target-file = "/run/ldap-proxy/env";
 };
- dovecotSssdEnv = {
- source-file = pkgs.writeText "dovecot-sssd.env" (concatStringsSep "\n" [
- "SSSD_LDAP_DOMAIN=${cfg.primary-domain}"
- "SSSD_LDAP_SERVER=ldap://ldap-proxy:3389/"
- "SSSD_LDAP_SEARCH_BASE=${cfg.ldap.base}"
- "SSSD_LDAP_USER_SEARCH_BASE=${cfg.ldap.user-ou},${cfg.ldap.base}"
- "SSSD_LDAP_GROUP_SEARCH_BASE=${cfg.ldap.group-ou},${cfg.ldap.base}"
- "SSSD_LDAP_BIND_DN=${cfg.ldap.bind-dn}"
- "SSSD_LDAP_AUTH_TOKEN=${readFile cfg.ldap.bind-password-file}"
- ]);
- target-file = "/run/dovecot-secrets/sssd.env";
- };
-
 dovecotLdapConfig = {
 source-file = pkgs.writeText "dovecot-ldap.conf" (concatStringsSep "\n" [
@@ -343,7 +330,6 @@ in {
 "${cfg.imap.ssl-directory}:/run/certs/imap:ro"
 "${cfg.state-directory}/dovecot-dhparams:/var/lib/dhparams"
 "${cfg.state-directory}/mail:/mail"
- "${hostSecrets.dovecotSssdEnv.target-file}:/run/dovecot-secrets/sssd.env:ro"
 ];
 depends_on = [ "antispam" "ldap-proxy" ];
 };
diff --git a/postfix.nix b/postfix.nix
index 8fa2924..59a08a8 100644
--- a/postfix.nix
+++ b/postfix.nix
@@ -263,7 +263,8 @@ in {
 "reject_non_fqdn_recipient" "check_policy_service unix:private/policy-spf" ] ++ (map (blacklist: "reject_rbl_client ${blacklist}")
- cfg.blacklist.dns) ++ [ "permit_mynetworks" "reject" ];
+ cfg.blacklist.dns)
+ ++ [ "permit_mynetworks" "reject_unauth_destination" ];
 client-restrictions = [ "permit_sasl_authenticated" "permit_mynetworks" "reject" ];
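Review bot: With `reject_unauth_destination` now the last entry, this list no longer ends in an explicit `reject`, so a recipient that passes the preceding checks and whose domain is in `mydestination`, `relay_domains`, `virtual_alias_domains` or `virtual_mailbox_domains` is accepted by Postfix's implicit end-of-list permit; that is the intended anti-relay guard, but it means the relay policy now rests on how those parameters are set elsewhere in postfix.nix, which this hunk does not show. `permit_mynetworks` still precedes it, so anything in `mynetworks` may relay to any destination; if that range covers a container network, it is worth confirming it is no wider than intended. A comment on the new line would spare the next reader the lookup, e.g. `# accept only for our own/relay domains; Postfix's default after the list is permit, so no trailing "reject" is needed`. The attribute this restriction list belongs to starts outside the hunk.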