services/mail: hardening postfix and dovecot

flake.lock

@@ -413,11 +413,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1734683762,
+        "lastModified": 1734694533,
-        "narHash": "sha256-GnwQCZ9tx9Cb4PjPySnJrCYB4Fc3c288fw+sAeATXJY=",
+        "narHash": "sha256-OPww6Fzq7qnHctBcu6J9vmVdZ4NS8vpdG8JRvWm4i3s=",
         "owner": "rebmit",
         "repo": "nix-exprs",
-        "rev": "13d8ed59016e492edc92407d4691e45b4fc09d4e",
+        "rev": "4a958c802908b90f60f7aac2c85de433c86ec76c",
         "type": "github"
       },
       "original": {

nixos/modules/networking/netns/port-forward.nix

@@ -105,6 +105,7 @@ in
                     "CAP_SYS_ADMIN"
                     "CAP_SYS_PTRACE"
                   ];
+                  SystemCallFilter = [ "@system-service" ];
                 };
               after = [
                 "network.target"

nixos/profiles/services/caddy/default.nix

@@ -15,13 +15,14 @@
   };
 
   systemd.services.caddy.serviceConfig = mylib.misc.serviceHardened // {
-    AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+    AmbientCapabilities = [
-    CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+      ""
-  };
+      "CAP_NET_BIND_SERVICE"
-
+    ];
-  systemd.services.caddy-api.serviceConfig = mylib.misc.serviceHardened // {
+    CapabilityBoundingSet = [
-    AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+      ""
-    CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+      "CAP_NET_BIND_SERVICE"
+    ];
   };
 
   services.restic.backups.b2.paths = [ config.services.caddy.dataDir ];

nixos/profiles/services/mail/dovecot.nix

@@ -4,6 +4,7 @@
   config,
   lib,
   pkgs,
+  mylib,
   ...
 }:
 let
@@ -95,9 +96,6 @@ in
       listen = 127.0.0.1
       haproxy_trusted_networks = 127.0.0.1/8
 
-      default_internal_user  = ${cfg.user}
-      default_internal_group = ${cfg.group}
-
       auth_username_format   = %Ln
       mail_home = ${maildir}/%u
 
@@ -170,5 +168,23 @@ in
     }
   '';
 
+  systemd.services.dovecot2.serviceConfig = mylib.misc.serviceHardened // {
+    StateDirectory = "dovecot";
+    ReadWritePaths = [ maildir ];
+    CapabilityBoundingSet = [
+      "CAP_CHOWN"
+      "CAP_KILL"
+      "CAP_SYS_CHROOT"
+      "CAP_SETUID"
+      "CAP_SETGID"
+      "CAP_NET_BIND_SERVICE"
+      "CAP_DAC_OVERRIDE"
+    ];
+    SystemCallFilter = [
+      "@system-service"
+      "chroot"
+    ];
+  };
+
   services.restic.backups.b2.paths = [ maildir ];
 }

nixos/profiles/services/mail/postfix.nix

@@ -4,14 +4,33 @@
   config,
   lib,
   pkgs,
+  mylib,
   ...
 }:
 {
-  systemd.services.postfix.serviceConfig = {
+  systemd.services.postfix.serviceConfig = mylib.misc.serviceHardened // {
+    StateDirectory = "postfix";
     PrivateTmp = true;
     ExecStartPre = ''
       ${pkgs.openssl}/bin/openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout /tmp/selfsigned.key -out /tmp/selfsigned.crt -batch
     '';
+    ProtectSystem = lib.mkForce "strict";
+    RestrictAddressFamilies = lib.mkForce [
+      "AF_INET"
+      "AF_INET6"
+      "AF_NETLINK"
+      "AF_UNIX"
+    ];
+    CapabilityBoundingSet = lib.mkForce [
+      ""
+      "CAP_DAC_READ_SEARCH"
+      "CAP_DAC_OVERRIDE"
+      "CAP_KILL"
+      "CAP_SETUID"
+      "CAP_SETGID"
+      "CAP_NET_BIND_SERVICE"
+    ];
+    SystemCallFilter = lib.mkForce [ "@system-service" ];
   };
 
   services.postfix = {

nixos/profiles/services/ntfy/default.nix

@@ -16,6 +16,8 @@
   };
 
   systemd.services.ntfy-sh.serviceConfig = mylib.misc.serviceHardened // {
+    AmbientCapabilities = lib.mkForce [ "" ];
+    CapabilityBoundingSet = lib.mkForce [ "" ];
     DynamicUser = lib.mkForce false;
   };