feat: enable mail transport security policies

2026-06-01 14:15:16 -07:00 · 2026-06-01 14:15:16 -07:00 · c82a15b415
commit c82a15b415
parent f9f75eb4cd
3 changed files with 27 additions and 3 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -49,9 +49,13 @@
  networking.hostName = "extremist-software";
  networking.firewall.allowedTCPPorts = [
    22
+    25
    80
    443
-  ]; # SSH, HTTP, HTTPS
+    465
+    587
+    993
+  ]; # SSH, SMTP, HTTP, HTTPS, SMTPS, Submission, IMAPS
  # Tailscale
  services.tailscale.enable = true;
  # We assume the user will authenticate manually or via a one-time key service
--- a/modules/caddy.nix
+++ b/modules/caddy.nix
@ -77,6 +77,22 @@
        '';
      };

+      "mta-sts.extremist.software" = {
+        extraConfig = ''
+          handle /.well-known/mta-sts.txt {
+            header Content-Type "text/plain"
+            respond `version: STSv1
+mode: enforce
+mx: mail.extremist.software
+max_age: 604800
+`
+          }
+          handle {
+            respond 404
+          }
+        '';
+      };
+
      "search.extremist.software" = {
        extraConfig = ''
          rate_limit {
--- a/modules/mail.nix
+++ b/modules/mail.nix
@ -4,8 +4,7 @@
  services.stalwart = {
    enable = true;
    stateVersion = config.system.stateVersion;
-    # Let stalwart open its own ports if needed for the main services
-    openFirewall = true;
+    openFirewall = false;

    settings = {
      server = {
@ -24,6 +23,11 @@
            protocol = "smtp";
            tls.implicit = true;
          };
+          submission = {
+            bind = "[::]:587";
+            protocol = "smtp";
+            tls.implicit = false;
+          };
          imaps = {
            bind = "[::]:993";
            protocol = "imap";