Need help setting up Gitea and SMTP

I am trying to set up a Gitea server which is supposed to send email through the Simple NixOS mailserver running on the same machine. On this mailserver there is one account which acts as a catch-all and send-as-all for the entire domain. For SMTP authentication Gitea needs a password. Since I don’t want to put my email password in plain text on the server, I decided to simply add a second password to the account which can only be used when connecting from localhost.

Here is a VM config gitea.nix to reproduce my setup:

{ config, lib, pkgs, ... }:

let

  release = "nixos-20.09";

in {
  imports = [
    <nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
    (builtins.fetchTarball {
      url =
        "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz";
    })
  ];

  config = {
    virtualisation.memorySize = 512; # rspamd needs a lot of memory

    networking.firewall.enable = false;

    mailserver = {
      enable = true;
      fqdn = "localhost";
      domains = [ "localhost" ];
      loginAccounts = {
        "root@localhost" = {
          hashedPassword = "{plain}foobar";
          aliases = [ "@localhost" ];
        };
      };
      certificateScheme = 2; # self-signed certs
      enableImapSsl = true;
    };

    # Add another password for the main account but only allow from localhost
    services.dovecot2.extraConfig = let
      passwd = builtins.toFile "dovecot2-local-passwd" ''
        root@localhost:{plain}totallysafe::::::allow_nets=local,127.0.0.0/8
      '';
    in ''
      passdb {
        driver = passwd-file
        args = ${passwd}
      }
    '';

    services.gitea.enable = true;
    services.gitea.disableRegistration = true;
    services.gitea.settings = {
      mailer = {
        ENABLED = true;
        MAILER_TYPE = "smtp";
        HOST = "localhost:587";
        USER = "root@localhost";
        PASSWD = "totallysafe";
        FROM = "Gitea <git@localhost>";
        SKIP_VERIFY = true;
      };
    };

    # The Gitea module does not allow adding users declaratively
    systemd.services.gitea-add-user = {
      description = "gitea-add-user";
      wants = [ "gitea.service" ];
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.gitea ];
      script =
        "${pkgs.gitea}/bin/gitea admin create-user --admin --username test --password totallysafe --email test@localhost";
      serviceConfig = {
        Restart = "always";
        User = "gitea";
        Group = "gitea";
        WorkingDirectory = config.services.gitea.stateDir;
      };
      environment = { GITEA_WORK_DIR = config.services.gitea.stateDir; };
    };

    environment.systemPackages = [ pkgs.gitea pkgs.neovim pkgs.swaks ];

    services.openssh.enable = true;

    users.users.root.initialHashedPassword = "";
    users.mutableUsers = false;
  };
}

Now I build and run the VM, forwarding the Gitea port to the host.

$ nix-build '<nixpkgs/nixos>' -A vm --arg configuration ./gitea.nix
$ QEMU_NET_OPTS="hostfwd=tcp::3000-:3000" result/bin/run-nixos-vm

Log in as root without password. Starting up the mailserver in the VM takes quite a while because it has to generate keys and all kinds of stuff. Just monitor whether postfix and dovecot have started by checking systemctl status postfix and systemctl status dovecot2.

Now that everything is started, we can begin the experiments. I log in as the gitea user to make sure that everything works as a normal user:

[root@nixos:~]# sudo -u gitea -i

First try to send an email using the wrong password:

[gitea@nixos:~]$ swaks --to test@example.com --from git@localhost --server localhost:587 -tls --auth-user root@localhost --auth-password wrong
[...]
<~* 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
[...]

That was expected, now let’s use the properly configured password.

[gitea@nixos:~]$ swaks --to test@example.com --from git@localhost --server localhost:587 -tls --auth-user root@localhost --auth-password foobar
[...]
<~* 235 2.7.0 Authentication succesful
[...]
<~* 556 5.1.10 <test@example.com>: Recipient address rejected: Domain example.com does not accept mail! (nullMX)
[...]

Sending didn’t work (as expected) but authentication works fine. Now with the local-only password

[gitea@nixos:~]$ swaks --to test@example.com --from git@localhost --server localhost:587 -tls --auth-user root@localhost --auth-password totallysafe
[...]
<~* 235 2.7.0 Authentication succesful
[...]
<~* 556 5.1.10 <test@example.com>: Recipient address rejected: Domain example.com does not accept mail! (nullMX)
[...]

This works as well. Great! So I expect this to work in Gitea as well. Hence I navigate my browser to http://localhost:3000/admin/config and log in with the credentials user=test and password=totallysafe. Then I scroll down to the section “SMTP Mailer Configuration” and try sending a test email to test@example.com.

But instead of the anticipated 5.1.10 error due to using test@example.com, I get an authentication error.

This is where I am having trouble. The logs of Gitea do not contain anything useful in that regard, but my manual experiments using swaks showed that the mail setup should work. What am I doing wrong?

Turns out that Gitea connects to postfix via IPv6 and therefore ::1 has to be added to the allow_nets in the auxiliary config like so:

root@localhost:{plain}totallysafe::::::allow_nets=local,127.0.0.0/8,::1
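To make the failure mode visible offline, here is a small added example (not part of the post or of Dovecot) that parses lines in Dovecot's passwd-file format and applies the allow_nets check the way the post relies on it: the original entry admits 127.0.0.1 but not ::1, the corrected entry admits both. Both sample lines are constructed from the post; only the {plain} scheme is handled, and the "local" token is taken to mean non-IP (socket) connections.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample lines in passwd-file format
# (user:password:uid:gid:gecos:home:shell:extra_fields),
# mirroring the post's original entry and its corrected version.
ORIGINAL_LINE = "root@localhost:{plain}totallysafe::::::allow_nets=local,127.0.0.0/8"
FIXED_LINE = "root@localhost:{plain}totallysafe::::::allow_nets=local,127.0.0.0/8,::1"


def parse_passwd_file(text: str) -> Dict[str, dict]:
    """Parse passwd-file lines into {user: {"password": ..., "allow_nets": [...]}}."""
    entries: Dict[str, dict] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 7)  # at most 8 fields; the 8th holds extra_fields
        if len(fields) < 2:
            raise ValueError(f"malformed passwd-file line: {raw!r}")
        extra = fields[7] if len(fields) == 8 else ""
        nets: List[str] = []
        for item in extra.split():  # extra_fields are space-separated key=value pairs
            key, _, value = item.partition("=")
            if key == "allow_nets":
                nets = [n for n in value.split(",") if n]
        entries[fields[0]] = {"password": fields[1], "allow_nets": nets}
    return entries


def login_allowed(entry: dict, client_ip: Optional[str]) -> bool:
    """Empty allow_nets means unrestricted; "local" covers non-IP connections
    (client_ip None); every other item is an address or CIDR to match against.
    An IPv4 network never contains an IPv6 address, which is the post's bug."""
    nets = entry["allow_nets"]
    if not nets:
        return True
    if client_ip is None:
        return "local" in nets
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets if n != "local")


def authenticate(entries: Dict[str, dict], user: str, password: str, client_ip: Optional[str]) -> str:
    """Return "ok", "no-user", "bad-password" or "net-denied" (only {plain} is supported)."""
    entry = entries.get(user)
    if entry is None:
        return "no-user"
    if entry["password"] != "{plain}" + password:
        return "bad-password"
    return "ok" if login_allowed(entry, client_ip) else "net-denied"
```

Running authenticate() against ORIGINAL_LINE with client_ip "::1" reproduces the "authentication failed" that Gitea saw while swaks over IPv4 succeeded.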