talexander/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Releases Activity

nixos/postfix-tlspol: fix postfix integration

Browse Source 
Fixes the group membership for postfix processes in the postfix-tlspol
group.

Makes the postfix.service start up after postfix-tlspol.service, because
it depends on it for the TLS policy lookups.
This commit is contained in:
Martin Weinelt 2025-06-21 00:35:23 +02:00
parent 30d29123c6
commit 64e7fad038
No known key found for this signature in database
GPG Key ID: 87C1E9888F856759
2 changed files with 109 additions and 95 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

202
nixos/modules/services/mail/postfix-tlspol.nix
View File

@ -10,6 +10,7 @@ let
hasPrefix
mkEnableOption
mkIf
mkMerge
mkOption
mkPackageOption
types
@ -121,100 +122,111 @@ in
};
};
config = mkIf cfg.enable {
environment.etc."postfix-tlspol/config.yaml".source =
format.generate "postfix-tlspol.yaml" cfg.settings;
environment.systemPackages = [ cfg.package ];
# https://github.com/Zuplu/postfix-tlspol#postfix-configuration
services.postfix.config = mkIf (config.services.postfix.enable && cfg.configurePostfix) {
smtp_dns_support_level = "dnssec";
smtp_tls_security_level = "dane";
smtp_tls_policy_maps =
let
address =
if (hasPrefix "unix:" cfg.settings.server.address) then
cfg.settings.server.address
else
"inet:${cfg.settings.server.address}";
in
[ "socketmap:${address}:QUERYwithTLSRPT" ];
};
systemd.services.postfix-tlspol = {
after = [
"nss-lookup.target"
"network-online.target"
];
wants = [
"nss-lookup.target"
"network-online.target"
];
wantedBy = [ "multi-user.target" ];
description = "Postfix DANE/MTA-STS TLS policy socketmap service";
documentation = [ "https://github.com/Zuplu/postfix-tlspol" ];
# https://github.com/Zuplu/postfix-tlspol/blob/main/init/postfix-tlspol.service
serviceConfig = {
ExecStart = toString [
(lib.getExe cfg.package)
"-config"
"/etc/postfix-tlspol/config.yaml"
];
ExecReload = "${lib.getExe' pkgs.util-linux "kill"} -HUP $MAINPID";
Restart = "always";
RestartSec = 5;
DynamicUser = true;
CacheDirectory = "postfix-tlspol";
CapabilityBoundingSet = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ReadOnlyPaths = [ "/etc/postfix-tlspol/config.yaml" ];
RemoveIPC = true;
RestrictAddressFamilies =
[
"AF_INET"
"AF_INET6"
]
++ lib.optionals (lib.hasPrefix "unix:" cfg.settings.server.address) [
"AF_UNIX"
];
RestrictNamespace = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged @resources"
];
SystemCallErrorNumber = "EPERM";
SecureBits = [
"noroot"
"noroot-locked"
];
RuntimeDirectory = "postfix-tlspol";
RuntimeDirectoryMode = "1750";
WorkingDirectory = "/var/cache/postfix-tlspol";
UMask = "0117";
config = mkMerge [
(mkIf (cfg.enable && config.services.postfix.enable && cfg.configurePostfix) {
# https://github.com/Zuplu/postfix-tlspol#postfix-configuration
services.postfix.config = {
smtp_dns_support_level = "dnssec";
smtp_tls_security_level = "dane";
smtp_tls_policy_maps =
let
address =
if (hasPrefix "unix:" cfg.settings.server.address) then
cfg.settings.server.address
else
"inet:${cfg.settings.server.address}";
in
[ "socketmap:${address}:QUERYwithTLSRPT" ];
};
};
};
systemd.services.postfix = {
wants = [ "postfix-tlspol.service" ];
after = [ "postfix-tlspol.service" ];
};
users.users.postfix.extraGroups = [ "postfix-tlspol" ];
})
(mkIf cfg.enable {
environment.etc."postfix-tlspol/config.yaml".source =
format.generate "postfix-tlspol.yaml" cfg.settings;
environment.systemPackages = [ cfg.package ];
systemd.services.postfix-tlspol = {
after = [
"nss-lookup.target"
"network-online.target"
];
wants = [
"nss-lookup.target"
"network-online.target"
];
wantedBy = [ "multi-user.target" ];
description = "Postfix DANE/MTA-STS TLS policy socketmap service";
documentation = [ "https://github.com/Zuplu/postfix-tlspol" ];
# https://github.com/Zuplu/postfix-tlspol/blob/main/init/postfix-tlspol.service
serviceConfig = {
ExecStart = toString [
(lib.getExe cfg.package)
"-config"
"/etc/postfix-tlspol/config.yaml"
];
ExecReload = "${lib.getExe' pkgs.util-linux "kill"} -HUP $MAINPID";
Restart = "always";
RestartSec = 5;
DynamicUser = true;
CacheDirectory = "postfix-tlspol";
CapabilityBoundingSet = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ReadOnlyPaths = [ "/etc/postfix-tlspol/config.yaml" ];
RemoveIPC = true;
RestrictAddressFamilies =
[
"AF_INET"
"AF_INET6"
]
++ lib.optionals (lib.hasPrefix "unix:" cfg.settings.server.address) [
"AF_UNIX"
];
RestrictNamespace = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged @resources"
];
SystemCallErrorNumber = "EPERM";
SecureBits = [
"noroot"
"noroot-locked"
];
RuntimeDirectory = "postfix-tlspol";
RuntimeDirectoryMode = "1750";
WorkingDirectory = "/var/cache/postfix-tlspol";
UMask = "0117";
};
};
})
];
}

2
nixos/tests/postfix-tlspol.nix
View File

@ -8,6 +8,7 @@
meta.maintainers = with lib.maintainers; [ hexa ];
nodes.machine = {
services.postfix.enable = true;
services.postfix-tlspol.enable = true;
};
@ -17,6 +18,7 @@
import json
machine.wait_for_unit("postfix-tlspol.service")
machine.succeed("systemctl show -P SupplementaryGroups postfix.service | grep postfix-tlspol")
with subtest("Interact with the service"):
machine.succeed("postfix-tlspol -purge")