I am trying to set up a Gitea server which is supposed to send email through the Simple NixOS mailserver running on the same machine. On this mailserver there is one account which acts as a catch-all and send-as-all for the entire domain. For SMTP authentication Gitea needs a password. Since I don’t want to put my email password in plain text on the server, I decided to simply add a second password to the account which can only be used when connecting from localhost.
Here is a VM config gitea.nix to reproduce my setup:
{ config, lib, pkgs, ... }:
let
  release = "nixos-20.09";
in {
  imports = [
    <nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
    (builtins.fetchTarball {
      url =
        "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz";
    })
  ];
  config = {
    virtualisation.memorySize = 512; # rspamd needs a lot of memory
    networking.firewall.enable = false;
    mailserver = {
      enable = true;
      fqdn = "localhost";
      domains = [ "localhost" ];
      loginAccounts = {
        "root@localhost" = {
          hashedPassword = "{plain}foobar";
          aliases = [ "@localhost" ];
        };
      };
      certificateScheme = 2; # self-signed certs
      enableImapSsl = true;
    };
    # Add another password for the main account but only allow from localhost.
    # Second passdb: a passwd-file entry whose extra field restricts it with
    # allow_nets (fields: user:password:uid:gid:gecos:home:shell:extra).
    services.dovecot2.extraConfig = let
      passwd = builtins.toFile "dovecot2-local-passwd" ''
        root@localhost:{plain}totallysafe::::::allow_nets=local,127.0.0.0/8
      '';
    in ''
      passdb {
        driver = passwd-file
        args = ${passwd}
      }
    '';
    services.gitea.enable = true;
    services.gitea.disableRegistration = true;
    services.gitea.settings = {
      mailer = {
        ENABLED = true;
        MAILER_TYPE = "smtp";
        HOST = "localhost:587";
        USER = "root@localhost";
        PASSWD = "totallysafe";
        FROM = "Gitea <git@localhost>";
        SKIP_VERIFY = true; # self-signed certificate
      };
    };
    # The Gitea module does not allow adding users declaratively
    systemd.services.gitea-add-user = {
      description = "gitea-add-user";
      wants = [ "gitea.service" ];
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.gitea ];
      script =
        "${pkgs.gitea}/bin/gitea admin create-user --admin --username test --password totallysafe --email test@localhost";
      serviceConfig = {
        Restart = "always";
        User = "gitea";
        Group = "gitea";
        WorkingDirectory = config.services.gitea.stateDir;
      };
      environment = { GITEA_WORK_DIR = config.services.gitea.stateDir; };
    };
    environment.systemPackages = [ pkgs.gitea pkgs.neovim pkgs.swaks ];
    services.openssh.enable = true;
    users.users.root.initialHashedPassword = "";
    users.mutableUsers = false;
  };
}
Now I build and run the VM, forwarding the Gitea port to the host.
$ nix-build '<nixpkgs/nixos>' -A vm --arg configuration ./gitea.nix
$ QEMU_NET_OPTS="hostfwd=tcp::3000-:3000" result/bin/run-nixos-vm
Log in as root without a password. Starting up the mailserver in the VM takes quite a while because it has to generate keys and all kinds of stuff. Just monitor whether postfix and dovecot have started by checking systemctl status postfix and systemctl status dovecot2.
Now that everything is started, we can begin the experiments. I log in as the gitea user to make sure that everything works as a normal user:
[root@nixos:~]# sudo -u gitea -i
First try to send an email using the wrong password:
[gitea@nixos:~]$ swaks --to test@example.com --from git@localhost --server localhost:587 -tls --auth-user root@localhost --auth-password wrong
[...]
<~* 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
[...]
That was expected; now let’s use the properly configured password:
[gitea@nixos:~]$ swaks --to test@example.com --from git@localhost --server localhost:587 -tls --auth-user root@localhost --auth-password foobar
[...]
<~* 235 2.7.0 Authentication succesful
[...]
<~* 556 5.1.10 <test@example.com>: Recipient address rejected: Domain example.com does not accept mail! (nullMX)
[...]
Sending didn’t work (as expected) but authentication works fine. Now with the local-only password:
[gitea@nixos:~]$ swaks --to test@example.com --from git@localhost --server localhost:587 -tls --auth-user root@localhost --auth-password totallysafe
[...]
<~* 235 2.7.0 Authentication succesful
[...]
<~* 556 5.1.10 <test@example.com>: Recipient address rejected: Domain example.com does not accept mail! (nullMX)
[...]
This works as well. Great! So I expect this to work in Gitea as well. Hence I navigate my browser to http://localhost:3000/admin/config and log in with the credentials user=test and password=totallysafe. Then I scroll down to the section “SMTP Mailer Configuration” and try sending a test email to test@example.com.
But instead of the anticipated 5.1.10 error due to using test@example.com, I get an authentication error.
This is where I am having trouble. The logs of Gitea do not contain anything useful in that regard, but my manual experiments using swaks showed that the mail setup should work. What am I doing wrong?
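A troubleshooting script that extends the swaks experiments above (an added example, not from the original post): it repeats the authentication check for both passwords against each address that "localhost" can resolve to and stops right after AUTH, so no message is submitted. It assumes the account, passwords and port from the config above and that swaks is installed, as that config arranges; the helper names auth_outcome and probe_auth are mine. The allow_nets entry 127.0.0.0/8 is an IPv4 range, so ::1 is probed separately from 127.0.0.1.

```bash
#!/usr/bin/env bash
# Added diagnostic for the local-only Dovecot passdb entry (not part of the
# original post). Dovecot matches allow_nets against the client IP that the
# SMTP server reports, so a connection over IPv6 loopback is not covered by
# 127.0.0.0/8; each candidate address is therefore tested on its own.

# Classify a swaks transcript by the server's AUTH reply.
# Returns: ok (235), rejected (535) or unknown (no AUTH reply seen, e.g.
# connection refused). swaks prefixes server lines with "<" plus optional
# "~" (TLS) and "*" markers, e.g. "<~* 235 2.7.0 Authentication successful".
auth_outcome() {
    if printf '%s\n' "$1" | grep -Eq '^<[~*-]*[[:space:]]+235[[:space:]]'; then
        echo ok
    elif printf '%s\n' "$1" | grep -Eq '^<[~*-]*[[:space:]]+535[[:space:]]'; then
        echo rejected
    else
        echo unknown
    fi
}

# $1 address to connect to, $2 login, $3 password.
# --quit-after AUTH ends the session once the AUTH exchange has completed.
probe_auth() {
    out=$(swaks --server "$1" --port 587 -tls --timeout 5 \
                --auth-user "$2" --auth-password "$3" \
                --from "$2" --to "$2" --quit-after AUTH 2>&1 || true)
    auth_outcome "$out"
}

# Only probe when swaks is available, i.e. when run inside the VM.
if command -v swaks >/dev/null 2>&1; then
    for addr in 127.0.0.1 ::1 localhost; do
        printf '%-10s main password: %-9s local-only password: %s\n' "$addr" \
            "$(probe_auth "$addr" root@localhost foobar)" \
            "$(probe_auth "$addr" root@localhost totallysafe)"
    done
fi
```

If the main password succeeds on every address but the local-only one succeeds on only some, the allow_nets restriction, not the Gitea credentials, is what differs between the swaks test and the Gitea mailer.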