From 3d50e7386178cd0392d2e1c9ba7b9e933b4c27e3 Mon Sep 17 00:00:00 2001
From: tv <tv@shackspace.de>
Date: Thu, 21 Aug 2014 13:28:19 +0200
Subject: initial commit

---
 wu-system/wu-exim.configuration.nix | 126 ++++++++++++++++++++++++++++++++++++
 wu-system/wu-iptables.sh            |  17 +++++
 2 files changed, 143 insertions(+)
 create mode 100644 wu-system/wu-exim.configuration.nix
 create mode 100644 wu-system/wu-iptables.sh

(limited to 'wu-system')

diff --git a/wu-system/wu-exim.configuration.nix b/wu-system/wu-exim.configuration.nix
new file mode 100644
index 0000000..7aaf58e
--- /dev/null
+++ b/wu-system/wu-exim.configuration.nix
@@ -0,0 +1,126 @@
+
+{
+  ...
+
+
+  services.exim =
+    let
+      retiolumHostname = "wu.retiolum"; # TODO "${networking.hostName}.retiolum";
+    in
+      { enable = true;
+        extraConfig = ''
+          primary_hostname = ${retiolumHostname}
+          domainlist local_domains    = @ : localhost
+          domainlist relay_to_domains =
+          hostlist   relay_from_hosts = <; 127.0.0.1 ; ::1
+
+          acl_smtp_rcpt = acl_check_rcpt
+          acl_smtp_data = acl_check_data
+
+          host_lookup = *
+          rfc1413_hosts = *
+          rfc1413_query_timeout = 5s
+
+          log_file_path = syslog
+          syslog_timestamp = false
+          syslog_duplication = false
+
+
+          begin acl
+
+          acl_check_rcpt:
+            accept  hosts = :
+                    control = dkim_disable_verify
+
+            deny    message       = Restricted characters in address
+                    domains       = +local_domains
+                    local_parts   = ^[.] : ^.*[@%!/|]
+
+            deny    message       = Restricted characters in address
+                    domains       = !+local_domains
+                    local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
+
+            accept  local_parts   = postmaster
+                    domains       = +local_domains
+
+            #accept
+            #  hosts = *.retiolum
+            #  domains = *.retiolum
+            #  control = dkim_disable_verify
+
+            #require verify        = sender
+
+            accept  hosts         = +relay_from_hosts
+                    control       = submission
+                    control       = dkim_disable_verify
+
+            accept  authenticated = *
+                    control       = submission
+                    control       = dkim_disable_verify
+
+            require message = relay not permitted
+                    domains = +local_domains : +relay_to_domains
+
+            require verify = recipient
+
+            accept
+
+
+          acl_check_data:
+            accept
+
+
+          begin routers
+
+          retiolum:
+            driver = manualroute
+            domains = ! ${retiolumHostname} : *.retiolum
+            transport = remote_smtp
+            route_list = ^.* $0 byname
+            no_more
+
+          nonlocal:
+            debug_print = "R: nonlocal for $local_part@$domain"
+            driver = redirect
+            domains = ! +local_domains
+            allow_fail
+            data = :fail: Mailing to remote domains not supported
+            no_more
+
+          local_user:
+            # debug_print = "R: local_user for $local_part@$domain"
+            driver = accept
+            check_local_user
+          # local_part_suffix = +* : -*
+          # local_part_suffix_optional
+            transport = home_maildir
+            cannot_route_message = Unknown user
+
+
+          begin transports
+
+          remote_smtp:
+            driver = smtp
+
+          home_maildir:
+            driver = appendfile
+            maildir_format
+            directory = $home/Maildir
+            directory_mode = 0700
+            delivery_date_add
+            envelope_to_add
+            return_path_add
+          # group = mail
+          # mode = 0660
+
+          begin retry
+          *                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
+
+          begin rewrite
+
+          begin authenticators
+        '';
+      };
+
+  ...
+}
diff --git a/wu-system/wu-iptables.sh b/wu-system/wu-iptables.sh
new file mode 100644
index 0000000..67b06d4
--- /dev/null
+++ b/wu-system/wu-iptables.sh
@@ -0,0 +1,17 @@
+#? /bin/sh
+
+# reset tables
+ipXtables -P INPUT DROP
+ipXtables -P FORWARD DROP
+ipXtables -F
+ipXtables -X
+
+
+ipXtables -N Retiolum
+
+ipXtables -A INPUT -j Retiolum -i retiolum
+
+ipXtables -A Retiolum -j ACCEPT -p tcp --dport smtp -m conntrack --ctstate NEW
+
+
+etc.
-- 
cgit v1.2.3