B4L/cnx-network-clan
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add declarative SNM mail stack on mx1 with DNS-01, DANE, MTA-STS

Browse Source 
mx1 runs Simple NixOS Mailserver (Postfix/Dovecot/Rspamd/OpenDKIM) for
cnx.email. The TLS cert is obtained via ACME DNS-01 using a dedicated,
scoped TSIG key (acme_mx1) that ns1 authorizes for only
_acme-challenge.mx1 and _acme-challenge.mta-sts on the cnx.email zone, so
the credential can write nothing else. Mailbox passwords are auto-minted
by a clan vars generator (four-word passphrase + number).

DANE TLSA (3 1 1) is published for _25._tcp.mx1; --reuse-key keeps the
key digest stable across renewals. MTA-STS is enforced via a Caddy vhost
serving the policy on :443 from the same cert (mta-sts SAN). Firewall
opens 25/587/465/143/993/443; 80 stays closed.
This commit is contained in:
Berwn
2026-06-18 14:47:20 +07:00
parent 026a26dd53
commit 1cb6f39ea2
9 changed files with 353 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/hetzner-firewall-rules.nix
+16 -8
View File
@@ -24,16 +24,25 @@ let
description = "ICMP (ping / PMTUD)";
};
# Inbound mail only. mx1 is the MX for cnx.email, so other servers deliver on
# 25. Submission (587/465) and IMAP (993) stay closed until the mail stack and
# mailboxes exist — admin access rides the mesh, same as the other hosts.
smtp = {
# Public mail ports for mx1 (MX for cnx.email). 25 is server-to-server
# delivery; 587/465 are client submission; 143/993 are IMAP. 443 serves only the
# MTA-STS policy (https://mta-sts.cnx.email/.well-known/mta-sts.txt); the cert
# itself uses ACME DNS-01 so port 80 stays closed. Admin still rides the mesh.
mailPort = port: description: {
direction = "in";
protocol = "tcp";
port = "25";
inherit port;
source_ips = world;
description = "SMTP (inbound mail)";
inherit description;
};
mailRules = [
(mailPort "25" "SMTP (inbound mail)")
(mailPort "587" "Submission (STARTTLS)")
(mailPort "465" "Submission (implicit TLS)")
(mailPort "143" "IMAP (STARTTLS)")
(mailPort "993" "IMAP (implicit TLS)")
(mailPort "443" "MTA-STS policy (HTTPS)")
];
dnsRules = [
{
@@ -61,8 +70,7 @@ in
];
"clan-ns1" = dnsRules;
"clan-ns2" = dnsRules;
"clan-mx1" = [
smtp
"clan-mx1" = mailRules ++ [
zerotier
ping
];