WIP: Use postfix options for routing mails through tunnel #45

Draft
esavkin wants to merge 9 commits from enable-mail-proxy-and-tunnel into master
2 changed files with 47 additions and 3 deletions


@ -90,7 +90,7 @@ in
hostId = "e423f012";
firewall = {
allowedTCPPorts = [ 53 80 443 2222 7402 ];
allowedUDPPorts = [ 53 67 500 4500 ];
allowedUDPPorts = [ 53 67 500 4500 51820 ];
trustedInterfaces = [ netifLan ];
};
useDHCP = false;
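
Review bot: UDP 51820 is added to the global allowedUDPPorts, so the WireGuard listen port becomes reachable on every non-trusted interface. The peer block in the next hunk sets a fixed endpoint and persistentKeepalive = 25, which means this host initiates the handshake and keeps the NAT mapping alive itself, so the inbound opening is only needed if the VPS has to be able to initiate; if it stays, add a comment next to the port saying why, or scope it to the WAN interface with the per-interface allowedUDPPorts option instead of the global list.
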
@ -246,6 +246,30 @@ in
}
];
};
wireguard.interfaces = {
intl0 = {
ips = [ "10.42.0.2/30" ];

I think you'd want /31 and then route the default traffic on table 3 through 10.42.0.1 (which would be the VPS)?

I suppose you are then using a regular NAT on the VPS to forward that to the internet and also do the port redirections? Sounds hacky but should work.


This IP is to acquire.
But for now it's a draft anyway, I'll test and update.

If you use /32 then you can't reach any other hosts.


Also with a /31 the last digits should be .0 and .1, .2 is not going to work.


> This IP is to acquire.

What does that mean anyway?

It corresponds to Interface.Address in the wg.conf, which results in `ip -4 address add 10.42.0.2/32 dev intl0`. Routes are done separately.

And to where will you route? I repeat: with a /32 address you cannot reach any other host.


For example `ip route add 10.42.0.0/30 dev wg0`.

The current problem with the nix configuration is to ensure that it doesn't route too much by default, as happens with wg.conf (but it can be disabled by disabling tables).

And why not just set the correct netmask in the first place?

Regarding the routing tables: You complain about strongswan (despite having been provided with fully working configuration files where you just had to change the IP addresses), but you should note that it doesn't mess up the routing tables. Your private network/NAT hack would also work with strongswan.

listenPort = 51820;
privateKeyFile = "/path/to/private/key"; # just `wg-quick genkey > /path/to/private/key`
postUp = ''
${pkgs.iproute2}/bin/ip rule add from 10.42.0.0/30 lookup 51820
${pkgs.iproute2}/bin/ip route add default via 10.42.0.1 dev intl0 table 51820
'';
preDown = ''
${pkgs.iproute2}/bin/ip rule del from 10.42.0.0/30 lookup 51820

TODO: needs disabling routing tables (`Table = off` in wg conf file), so it will open interface and let apps choose to use interface instead of forwarding all the traffic

You need to set up the policy-based routing for the interface choosing part. As has been done before with existing altnet and HKBN connections.

${pkgs.iproute2}/bin/ip route del default via 10.42.0.1 dev intl0 table 51820
'';
peers = [
{
publicKey = "4RozbGZ9ENCjvJXGMB5aK1oqyZfD4UCarEHjSckwVGI=";
allowedIPs = [ "0.0.0.0/0" ];
allowedIPsAsRoutes = false;
endpoint = "2a01:4ff:1f0:83de::1:51820";
persistentKeepalive = 25;
}
];
};
};
};
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = "1";
boot.kernel.sysctl."net.ipv6.conf.default.forwarding" = "1";
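
Review bot: the peer endpoint `2a01:4ff:1f0:83de::1:51820` writes an IPv6 address and port without brackets; wg documents `[host]:port` for IPv6, and the unbracketed form only parses because the last colon happens to be the one before the port, so write `endpoint = "[2a01:4ff:1f0:83de::1]:51820";`. Two smaller points in the same hunk: the comment on privateKeyFile says `wg-quick genkey`, but key generation is `wg genkey` (wg-quick has no genkey subcommand), and the two sysctl lines turn on IPv6 forwarding on all interfaces although nothing in this change forwards traffic on this host (the NAT lives on the VPS, per the discussion above); if forwarding is not needed here, drop them rather than widen the mail host into a router.
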
@ -1179,6 +1203,18 @@ in
};
};
environment.etc."postfix/sender_relay".text = ''
m-labs-intl.com smtptun:
* :
'';
systemd.services.postfix-rebuild-sender-relay = {
description = "Postfix Rebuild Sender Dependent Relayhost Maps";
serviceConfig = {
ExecStart = "${pkgs.postfix}/sbin/postmap /etc/postfix/sender_relay";
};
wantedBy = [ "multi-user.target" ];
};
mailserver = {
enable = true;
localDnsResolver = false; # conflicts with dnsmasq
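
Review bot: `sender_dependent_relayhost_maps` yields a nexthop, not a transport, so the map value `smtptun:` will be read as a relay host called `smtptun`; to pick the `smtptun` master.cf service by sender domain, this map belongs in `sender_dependent_default_transport_maps`, where `smtptun:` is a valid transport:nexthop value. Also, `*` is not a wildcard in a hash: table, so the `* :` line never matches (unmatched senders simply fall back to the default, which is what you want anyway), and the postmap service has no ordering relative to Postfix: add `before = [ "postfix.service" ]` and `serviceConfig.Type = "oneshot"` so the .db exists before Postfix reads it.
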
@ -1187,8 +1223,17 @@ in
enablePop3 = true;
enablePop3Ssl = true;
certificateScheme = "acme-nginx";
policydSPFExtraConfig = "skip_addresses = 5.78.86.156,2a01:4ff:1f0:83de::1";
} // (import /etc/nixos/secret/email_settings.nix);
services.postfix = {
config = {
sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay";
masterConfig.smtptun = {
type = "smtp";
command = "smtp";
args = "-o smtp_bind_address=10.42.0.2";
};
};
};
services.roundcube = {
enable = true;
hostName = "mail.m-labs.hk";
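
Review bot: `masterConfig.smtptun` is nested inside `services.postfix.config`, but `config` is the attrset that becomes main.cf and the NixOS module only accepts string, bool, int or list values there, so an attrset under it will be rejected; `masterConfig` is a sibling of `config` under `services.postfix`, so move it up one level. The option also takes `args` as a list: `args = [ "-o" "smtp_bind_address=10.42.0.2" ];`. Since binding to 10.42.0.2 is what makes the `ip rule add from 10.42.0.0/30 lookup 51820` in the WireGuard postUp steer this transport through the tunnel, a comment cross-referencing the two would help the next reader.
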


@ -23,7 +23,6 @@ ns A 94.190.212.123
ns AAAA 2001:470:18:390::2
mail A 5.78.86.156
mail AAAA 2a01:4ff:1f0:83de::1
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
_dmarc TXT "v=DMARC1; p=none"
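
Review bot: the hunk header says one line is removed (7 lines become 6), but the rendered view does not show which record was dropped, so the removal cannot be reviewed here; please name it in the PR description. Of what is visible, the `mail._domainkey` key starts with `MIGfMA0G...`, the SubjectPublicKeyInfo prefix of a 1024-bit RSA key, which is below the 2048-bit size generally recommended for DKIM today, and `_dmarc` is still `p=none` (monitoring only). Neither is necessarily part of this change, but both are worth a follow-up once outbound mail starts leaving via the tunnelled relay.
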