I am trying to setup a Gitea server which is supposed to send email through the Simple NixOS mailserver running on the same machine. On this mailserver there is one account which acts as a catch-all and send-as-all for the entire domain. For SMTP authentication Gitea needs a password. Since I don’t want to put my email password in plain text on the server, I decided to simply add a second password to the account which can only be used when connecting from localhost.
Here is a VM config gitea.nix to reproduce my setup:
{ config, lib, pkgs, ... }:
let
release = "nixos-20.09";
in {
imports = [
<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
(builtins.fetchTarball {
url =
"https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz";
})
];
config = {
virtualisation.memorySize = 512; # rspamd needs a lot of memory
networking.firewall.enable = false;
mailserver = {
enable = true;
fqdn = "localhost";
domains = [ "localhost" ];
loginAccounts = {
"root@localhost" = {
hashedPassword = "{plain}foobar";
aliases = [ "@localhost" ];
};
};
certificateScheme = 2; # self-signed certs
enableImapSsl = true;
};
# Add another password for the main account but only allow from localhost
services.dovecot2.extraConfig = let
passwd = builtins.toFile "dovecot2-local-passwd" ''
root@localhost:{plain}totallysafe::::::allow_nets=local,127.0.0.0/8
'';
in ''
passdb {
driver = passwd-file
args = ${passwd}
}
'';
services.gitea.enable = true;
services.gitea.disableRegistration = true;
services.gitea.settings = {
mailer = {
ENABLED = true;
MAILER_TYPE = "smtp";
HOST = "localhost:587";
USER = "root@localhost";
PASSWD = "totallysafe";
FROM = "Gitea <git@localhost>";
SKIP_VERIFY = true;
};
};
# The Gitea module does not allow adding users declaratively
systemd.services.gitea-add-user = {
description = "gitea-add-user";
wants = [ "gitea.service" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.gitea ];
script =
"${pkgs.gitea}/bin/gitea admin create-user --admin --username test --password totallysafe --email test@localhost";
serviceConfig = {
Restart = "always";
User = "gitea";
Group = "gitea";
WorkingDirectory = config.services.gitea.stateDir;
};
environment = { GITEA_WORK_DIR = config.services.gitea.stateDir; };
};
environment.systemPackages = [ pkgs.gitea pkgs.neovim pkgs.swaks ];
services.openssh.enable = true;
users.users.root.initialHashedPassword = "";
users.mutableUsers = false;
};
}
Now I build and run the VM, forwarding the Gitea port to the host.
$ nix-build '<nixpkgs/nixos>' -A vm --arg configuration ./gitea.nix
$ QEMU_NET_OPTS="hostfwd=tcp::3000-:3000" result/bin/run-nixos-vm
Login as root without password. Starting up the mailserver in the VM takes quite a while because it has to generate keys and all kinds of stuff. Just monitor whether postfix and dovecot have started by checking systemclt status postfix and systemctl status dovecot2.
Now that everything is started, we can begin the experiments. I login as the gitea user to make sure that everything works as normal user:
[root@nixos:~]# sudo -u gitea -i
First try to send an email using the wrong password:
[gitea@nixos:~]$ swaks --to test@example.com --from git@localhost --server localhost:587 -tls --auth-user root@localhost --auth-password wrong
[...]
<~* 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
[...]
That was expected, now let’s use the properly configured password
[gitea@nixos:~]$ swaks --to test@example.com --from git@localhost --server localhost:587 -tls --auth-user root@localhost --auth-password foobar
[...]
<~* 235 2.7.0 Authentication succesful
[...]
<~* 556 5.1.10 <test@example.com>: Recipient address rejected: Domain example.com does not accept mail! (nullMX)
[...]
Sending didn’t work (as expected) but authentication works fine. Now with the local-only password
[gitea@nixos:~]$ swaks --to test@example.com --from git@localhost --server localhost:587 -tls --auth-user root@localhost --auth-password totallysafe
[...]
<~* 235 2.7.0 Authentication succesful
[...]
<~* 556 5.1.10 <test@example.com>: Recipient address rejected: Domain example.com does not accept mail! (nullMX)
[...]
This works as well. Great! So I expect this to work in Gitea as well. Hence I navigate my browser to http://localhost:3000/admin/config and login with the credentials user=test and password=totallysafe. Then I scroll down to the section “ SMTP Mailer Configuration” and try sending a test email to test@example.com
But instead of the anticipated 5.1.10 error due to using test@example.com, I get an authentication error.
This is where I am having trouble. The logs of Gitea do not contain anything useful in that regard, but my manual experiments using swaks showed that the mail setup should work. What am I doing wrong?