Nullmailer and systemd services

shishkin · March 11, 2024, 3:04pm

I’m trying to get vaultwarden to send mails though nullmailer relay on NixOS. I installed them both as services with added glue configuration but somehow they don’t play nicely together. Vaultwarden is able to call sendmail wrapper from nullmailer and a new email is created inside /var/spool/nullmailer/queue/. However, the email file is owned by vaultwarden user and group and has 600 permissions, so nullmailer is not able to read and deliver it.

If I understand it correctly, sendmail wrapper has setgid bit set and should run under nullmailer identity. Why does it then create files owned by vaultwarden? I even did chmod -R ug+s /var/spool/nullmailer to ensure new files are owned by nullmailer to no success.

I’ve tried searching GitHub for nullmailer examples across nix language repos, but couldn’t find anything that would actually try to make another systemd service to use nullmailer.

What am I missing (besides in depth understanding of systemd ?

Here is my config:

  services.nullmailer = {
    enable = true;
    setSendmail = true;
    remotesFile = "...";
    config = {
      me = domain;
      defaulthost = domain;
      defaultdomain = domain;
      allmailfrom = admin;
      adminaddr = admin;
    };
  };

  services.vaultwarden = {
    enable = true;
    environmentFile = "...";
    config = {
      DOMAIN = "https://...";
      USE_SENDMAIL = true;
      SENDMAIL_COMMAND = "${config.security.wrapperDir}/sendmail";
      SMTP_FROM = "...";
    };
  };

  users.users.vaultwarden.extraGroups = [ config.services.nullmailer.group ];

  systemd.services.vaultwarden = {
    serviceConfig = {
      # Not sure which of this or the users.users.vaultwarden.extraGroups is required
      SupplementaryGroups = [ config.services.nullmailer.group ];
      ReadWritePaths = [ "/var/spool/nullmailer/" ];
    };
  };

Roo · April 15, 2024, 4:41pm

Did you succeed? I’m hitting the same issue.

In my setup - there is a systemd timer that is triggering the run of a script. That script calls mail which in turn is nullmailer.

I see that the email is actually being queued - but the nullmailer-send never manages to pick it up and deliver it (possibly a permission problem?)

If I were to add to the script - a nullmailer-send … then the email is delivered… but then I end up with an orphaned nullmailler-send

shishkin · April 15, 2024, 5:09pm

Unfortunately, not. That’s still an issue. I had to use the real SMTP config in vaultwarden, which is not ideal

Roo · April 29, 2024, 4:19pm

FWIW - I can ‘force’ the queue to empty out and send… but doing

$ sudo nullmailer-send

Then I can CTRL-C to terminate this sender once it’s sent the emails in the queue.

Clearly not an ideal solution - but it shows that I can get email delivered that is created by a systemd timer task. This probably only confirms that there is some sort of permission issue here.

shishkin · February 23, 2025, 2:20pm

I’ve finally solved it. The problem was vaultwarden systemd service hardening in NixOS. In particular, these three parameters prevented vaultwarden from correctly calling nullmailer with SUID/SGID:

PrivateUsers = true;
NoNewPrivileges = true;
SystemCallFilter = [
  "@system-service"
  "~@privileged"
];

I had to remove all three to get mails going. Here is my final working NixOS config for vaultwarden and nullmailer:

  services.nullmailer = {
    enable = true;
    setSendmail = true;
    remotesFile = remotesFile;
    config = {
      me = domain;
      defaulthost = domain;
      defaultdomain = domain;
      allmailfrom = admin;
      adminaddr = admin;
    };
  };

  services.vaultwarden = {
    enable = true;
    environmentFile = "${internalDir}/secrets.env";
    config = {
      DOMAIN = "https://${fqdn}";
      SIGNUPS_ALLOWED = false;
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = port;
      SMTP_FROM = smtpFrom;
      USE_SENDMAIL = true;
      SENDMAIL_COMMAND = "${config.security.wrapperDir}/sendmail";
    };
  };

  users.users.vaultwarden.extraGroups = [ "nullmailer" ];

  systemd.services.vaultwarden = {
    path = [ "/run/wrappers" ];
    serviceConfig = {
      NoNewPrivileges = lib.mkForce false;
      PrivateUsers = lib.mkForce false;
      SystemCallFilter = lib.mkForce [ "@system-service" ];
      RestrictAddressFamilies = [
        "AF_LOCAL"
        "AF_NETLINK"
      ];
      ReadWritePaths = [ "/var/spool/nullmailer/" ];
    };
  };