nixos/kresd: tell resolveconf to use local resolver #124391
Conversation
Sounds OK. I expect it's good to be consistent. I can think of ./pdns-recursor.nix as well.
The default overall seems like a good idea, even though there are some unpleasant cases like #122843. I expect those will be fixed by minor tweaks (I hope I can get back soon to look at it closer).
@phdoerfler @infinisil After this PR is merged, https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/blob/master/mail-server/kresd.nix should be simplified.
@SuperSandro2000 Automatic backporting doesn't work yet.
Since NixOS/nixpkgs#124391, enabling kresd also sets `networking.resolvconf.useLocalResolver = true`.
Motivation for this change
I ran into resolver loops 😄