Unverified Commit 1f92c7c4 authored by Martin Weinelt's avatar Martin Weinelt
Browse files

nixos/dovecot: improve and harden systemd unit 

Remove the major version from the unit name and add an alias for the old
dovecot2 name.

Then restricts what the dovecot service can do, which is very interesting
given that the unit runs as root and spawns less-privileged processes
from there.
parent 054ed056

nixos/modules/services/mail/dovecot.nix

+48 −4
Original line number Diff line number Diff line
@@ -692,23 +692,67 @@ in 


    environment.etc."dovecot/dovecot.conf".source = cfg.configFile;



    systemd.services.dovecot2 = {

    systemd.services.dovecot = {

      aliases = [ "dovecot2.service" ];

      description = "Dovecot IMAP/POP3 server";

      documentation = [

        "man:dovecot(1)"

        "https://doc.dovecot.org"

      ];



      after = [ "network.target" ];

      wantedBy = [ "multi-user.target" ];

      restartTriggers = [

        cfg.configFile

      ];

      restartTriggers = [ cfg.configFile ];



      startLimitIntervalSec = 60; # 1 min

      serviceConfig = {

        Type = "notify";

        ExecStart = "${dovecotPkg}/sbin/dovecot -F";

        ExecReload = "${dovecotPkg}/sbin/doveadm reload";



        CapabilityBoundingSet = [

          "CAP_CHOWN"

          "CAP_DAC_OVERRIDE"

          "CAP_FOWNER"

          "CAP_NET_BIND_SERVICE"

          "CAP_SETGID"

          "CAP_SETUID"

          "CAP_SYS_CHROOT"

          "CAP_SYS_RESOURCE"

        ];

        LockPersonality = true;

        MemoryDenyWriteExecute = true;

        NoNewPrivileges = true;

        OOMPolicy = "continue";

        PrivateTmp = true;

        ProcSubset = "pid";

        ProtectClock = true;

        ProtectControlGroups = true;

        ProtectHome = lib.mkDefault false;

        ProtectHostname = true;

        ProtectKernelLogs = true;

        ProtectKernelModules = true;

        ProtectKernelTunables = true;

        ProtectProc = "invisible";

        ProtectSystem = "full";

        PrivateDevices = true;

        Restart = "on-failure";

        RestartSec = "1s";

        RestrictAddressFamilies = [

          "AF_INET"

          "AF_INET6"

          "AF_UNIX"

        ];

        RestrictNamespaces = true;

        RestrictRealtime = true;

        RestrictSUIDSGID = false; # sets sgid on maildirs

        RuntimeDirectory = [ "dovecot2" ];

        SystemCallArchitectures = "native";

        SystemCallFilter = [

          "@system-service @resources"

          "~@privileged"

          "@chown @setuid capset chroot"

        ];

      };



      # When copying sieve scripts preserve the original time stamp

nixos/tests/dovecot.nix

+3 −1
Original line number Diff line number Diff line
@@ -84,11 +84,13 @@ import ./make-test-python.nix { 


  testScript = ''

    machine.wait_for_unit("postfix.service")

    machine.wait_for_unit("dovecot2.service")

    machine.wait_for_unit("dovecot.service")

    machine.succeed("send-testmail")

    machine.succeed("send-lda")

    machine.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')

    machine.succeed("test-imap")

    machine.succeed("test-pop")



    machine.log(machine.succeed("systemd-analyze security dovecot.service | grep -v ✓"))

  '';

}