Mostly working postfix+dovecot2+ldap setup

Missing:

1. Figure out how to do some useful aliases for the mail
   addresses. Either something like assigning @kas.agerlinskovgaard.dk
   to kaare@agerlinskovgaard.dk or usual + aliases.
2. Oauth2 login is not working yet.
3. Need to be able to create accounts not handled by LDAP, such
   that eg. forgejo can have an account to send mails from (maybe
   also an account to receive mails?).
4. Once support in kanidm lands, need to look into application passwords
   such that one doesn't have to use their regular posix password,
   and maybe, ideally, doesn't need a posix password at all.

nix/modules/nixos/infrastructure/mailserver/acme.nix

@@ -0,0 +1,9 @@
+{ lib, config, ... }:
+let
+  cfg = config.khscodes.infrastructure.mailserver;
+in
+{
+  config = lib.mkIf cfg.enable {
+    khscodes.services.nginx.virtualHosts."${config.khscodes.networking.fqdn}" = { };
+  };
+}

nix/modules/nixos/infrastructure/mailserver/default.nix

@@ -18,6 +18,7 @@ in
   };
   imports = [
     inputs.simple-nixos-mailserver.nixosModules.mailserver
+    ./acme.nix
     ./dmarc.nix
     ./dane.nix
     ./dkim.nix
@@ -106,10 +107,6 @@ in
       introspection_url = https://login.kaareskovgaard.net/oauth2/token/introspect
       introspection_mode = post
     '';
-    services.prometheus.exporters.postfix = {
-      enable = true;
-    };
-    khscodes.infrastructure.vault-prometheus-sender.exporters.enabled = [ "postfix" ];
     services.fail2ban.jails = {
       postfix = {
         settings = {

nix/modules/nixos/infrastructure/mailserver/dkim.nix

@@ -164,15 +164,24 @@ in
     services.rspamd.locals."dkim_signing.conf" = lib.mkForce {
       text = ''
         enabled = true;
+        allow_username_mismatch = true;
         domain {
           ${lib.strings.concatStringsSep "\n " (lib.lists.map dkimSigningForDomain cfg.domains)}
         }
       '';
     };
+    services.postfix.config = {
+      # Need to include this as I disabled the in built support for dkim signing
+      # without this postfix won't forward the mails to rspamd to be signed.
+      non_smtpd_milters = [ "unix:/run/rspamd/rspamd-milter.sock" ];
+    };
     systemd.services.rspamd = {
       unitConfig = {
         ConditionPathExists = domainKeyPaths;
       };
+      serviceConfig = {
+        ReadOnlyPaths = domainKeyPaths;
+      };
     };
     systemd.services.postfix = {
       unitConfig = {

nix/modules/nixos/infrastructure/mailserver/ldap.nix

@@ -16,7 +16,6 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    mailserver.debug = true;
     mailserver.ldap = {
       enable = true;
       uris = [ "ldaps://login.kaareskovgaard.net" ];
@@ -30,14 +29,28 @@ in
         # Map LDAP uid to dovecot user, and ldap userPassword to dovecot password
         passAttrs = "uid=user";
         passFilter = "(&(class=account)(memberOf=mail_user)(uid=%u))";
-        userFilter = "(&(class=account)(memberOf=mail_user)(uid=%u))";
+        # This filter is used both when receiving mail (thus needing to lookup by mail address, and when authenticating, requriing the lookup by uid.)
+        # Note that the pass filter only allows looking up by uid, so should still only be able to authenticate using that.
+        userFilter = "(&(class=account)(memberOf=mail_user)(|(mail=%u)(uid=%u)))";
+        userAttrs = "uid=user";
       };
       postfix = {
         filter = "(&(class=account)(memberOf=mail_user)(mail=%s))";
-        mailAttribute = "mail";
+        mailAttribute = "uid";
         uidAttribute = "uid";
       };
     };
+    systemd.services.dovecot2 = {
+      unitConfig = {
+        ConditionPathExists = [ secretFile ];
+      };
+    };
+
+    systemd.services.postfix = {
+      unitConfig = {
+        ConditionPathExists = [ secretFile ];
+      };
+    };
     khscodes.services.vault-agent.templates = [
       {
         contents = ''

nix/modules/nixos/infrastructure/mailserver/mta-sts.nix

@@ -27,7 +27,7 @@ in
           name = "mta-sts.${domain}";
           value = {
             locations."=/.well-known/mta-sts.txt" = {
-              tryFiles = "${mtaStsWellKnown} =404";
+              alias = mtaStsWellKnown;
             };
             locations."/" = {
               return = 404;

nix/modules/nixos/infrastructure/mailserver/prometheus.nix

@@ -1,15 +1,13 @@
 { config, lib, ... }:
 let
-  fqdn = config.khscodes.networking.fqdn;
   cfg = config.khscodes.infrastructure.mailserver;
 in
 {
   config = lib.mkIf cfg.enable {
-    services.stalwart-mail.settings.metrics.prometheus = {
+
+    services.prometheus.exporters.postfix = {
       enable = true;
     };
-    khscodes.services.nginx.virtualHosts."${fqdn}".locations."=/metrics/prometheus" = {
-      return = 404;
-    };
+    khscodes.infrastructure.vault-prometheus-sender.exporters.enabled = [ "postfix" ];
   };
 }

nix/systems/aarch64-linux/security.kaareskovgaard.net/kanidm.nix

@@ -157,7 +157,6 @@ in
         persons.khs = {
           present = true;
           mailAddresses = [
-            "kaare@kaareskovgaard.net"
             "kaare@agerlin-skovgaard.dk"
             "kaare@agerlinskovgaard.dk"
           ];