postfix: fix connectivity issues

2023-10-21 11:48:45 +00:00 · 2023-10-21 11:48:45 +00:00 · 2fa00b4c73
commit 2fa00b4c73
parent c1e17a0693
2 changed files with 26 additions and 16 deletions
--- a/hosts/by-name/servo/services/email/default.nix
+++ b/hosts/by-name/servo/services/email/default.nix
@ -22,6 +22,13 @@
 #     - but postfix delegates authorization of that outgoing mail to dovecot, on the server side
 #
 # - local clients (i.e. sendmail) interact only with postfix
+#
+# debugging: general connectivity issues
+# - test that inbound port 25 is unblocked:
+#   - `curl https://canyouseeme.org/ --data 'port=25&IP=185.157.162.178' | grep 'see your service'`
+#     - and retry with port 465, 587
+#     - i think this API requires the queried IP match the source IP
+#   - if necessary, `systemctl stop postfix` and `sudo nc -l 185.157.162.178 25`, then try https://canyouseeme.org

 { ... }:
 {
--- a/hosts/by-name/servo/services/email/postfix.nix
+++ b/hosts/by-name/servo/services/email/postfix.nix
@ -28,22 +28,25 @@ in
    # "/var/lib/dovecot"
  ];

-  sane.ports.ports."25" = {
-    protocol = [ "tcp" ];
-    # XXX visibleTo.lan effectively means "open firewall, but don't configure any NAT/forwarding"
-    visibleTo.lan = true;
-    description = "colin-smtp-mx.uninsane.org";
-  };
-  sane.ports.ports."465" = {
-    protocol = [ "tcp" ];
-    visibleTo.lan = true;
-    description = "colin-smtps-mx.uninsane.org";
-  };
-  sane.ports.ports."587" = {
-    protocol = [ "tcp" ];
-    visibleTo.lan = true;
-    description = "colin-smtps-submission-mx.uninsane.org";
-  };
+  # XXX(2023/10/20): opening these ports in the firewall has the OPPOSITE effect as intended.
+  # these ports are only routable so long as they AREN'T opened.
+  # probably some cursed interaction with network namespaces introduced after 2023/10/10.
+  # sane.ports.ports."25" = {
+  #   protocol = [ "tcp" ];
+  #   # XXX visibleTo.lan effectively means "open firewall, but don't configure any NAT/forwarding"
+  #   visibleTo.lan = true;
+  #   description = "colin-smtp-mx.uninsane.org";
+  # };
+  # sane.ports.ports."465" = {
+  #   protocol = [ "tcp" ];
+  #   visibleTo.lan = true;
+  #   description = "colin-smtps-mx.uninsane.org";
+  # };
+  # sane.ports.ports."587" = {
+  #   protocol = [ "tcp" ];
+  #   visibleTo.lan = true;
+  #   description = "colin-smtps-submission-mx.uninsane.org";
+  # };

  # exists only to manage certs for Postfix
  services.nginx.virtualHosts."mx.uninsane.org" = {