Description
Nixpkgs version
- Unstable (25.05)
Describe the bug
Vaultwarden's systemd hardening prevents the service from properly calling the security-wrapped sendmail.
Steps to reproduce
Install a local MTA such as nullmailer with the sendmail wrapper enabled:
services.nullmailer = {
  enable = true;
  setSendmail = true;
  remotesFile = remotesFile;
  config = {
    me = domain;
    defaulthost = domain;
    defaultdomain = domain;
    allmailfrom = admin;
    adminaddr = admin;
  };
};
Install vaultwarden with sendmail support:
services.vaultwarden = {
  enable = true;
  environmentFile = environmentFile;
  config = {
    DOMAIN = domain;
    SIGNUPS_ALLOWED = false;
    ROCKET_ADDRESS = "127.0.0.1";
    ROCKET_PORT = port;
    SMTP_FROM = smtpFrom;
    USE_SENDMAIL = true;
    SENDMAIL_COMMAND = "${config.security.wrapperDir}/sendmail";
  };
};
users.users.vaultwarden.extraGroups = [ "nullmailer" ];
systemd.services.vaultwarden = {
  serviceConfig = {
    RestrictAddressFamilies = [
      "AF_LOCAL"
      "AF_NETLINK"
    ];
    ReadWritePaths = [ "/var/spool/nullmailer/" ];
  };
};
Vaultwarden reports mail sending as a success, but the emails are stuck in /var/spool/nullmailer/queue/ with vaultwarden's ownership, and nullmailer is not able to read them.
Expected behaviour
Emails should "just work", or at least the user should see instructions on how to configure vaultwarden properly.
Screenshots
No response
Relevant log output
Additional context
Overriding these three systemd hardening parameters fixes the issue:
systemd.services.vaultwarden = {
  serviceConfig = {
    NoNewPrivileges = lib.mkForce false;
    PrivateUsers = lib.mkForce false;
    SystemCallFilter = lib.mkForce [ "@system-service" ]; # remove ~@privileged
  };
};
I suggest making these three parameters conditional on vaultwarden's USE_SENDMAIL config option.
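One way to express that conditional from the user side, as an added example that is not part of the original report or of the nixpkgs module: the hardening is only relaxed when USE_SENDMAIL is set, so an SMTP-only deployment keeps the default sandbox. It assumes USE_SENDMAIL is given in services.vaultwarden.config as a boolean (or the string "true"), and that the nullmailer spool path and the wrapper directory match the ones used above.

```nix
{ config, lib, ... }:
let
  cfg = config.services.vaultwarden;
  # Assumption: USE_SENDMAIL is set either as a Nix boolean or as the
  # string "true"; anything else (or absence) is treated as "not using sendmail".
  rawUseSendmail = cfg.config.USE_SENDMAIL or false;
  useSendmail = rawUseSendmail == true || rawUseSendmail == "true";
in
{
  # Only touch the unit when vaultwarden is enabled and actually shells
  # out to the setuid sendmail wrapper. For plain SMTP the upstream
  # hardening (NoNewPrivileges, PrivateUsers, ~@privileged) stays in place.
  systemd.services.vaultwarden.serviceConfig = lib.mkIf (cfg.enable && useSendmail) {
    # A security wrapper is a setuid/setgid binary: it needs to gain
    # privileges (NoNewPrivileges), needs real uid/gid mapping so the queue
    # file ends up owned by the nullmailer identity (PrivateUsers), and uses
    # syscalls that ~@privileged filters out.
    NoNewPrivileges = lib.mkForce false;
    PrivateUsers = lib.mkForce false;
    SystemCallFilter = lib.mkForce [ "@system-service" ];

    # Same additions as in the reproduction above: the wrapper talks to the
    # local spool over a Unix socket / files, not over the network.
    RestrictAddressFamilies = [ "AF_LOCAL" "AF_NETLINK" ];
    ReadWritePaths = [ "/var/spool/nullmailer/" ];
  };
}
```

After switching to this configuration, a message sent from vaultwarden should appear in /var/spool/nullmailer/queue/ owned by the nullmailer identity rather than by vaultwarden, which is the check that the wrapper actually ran with elevated privileges.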
System metadata
- system: "aarch64-linux"
- host os: Linux 6.6.51, NixOS, 25.05 (Warbler), 25.05.20250213.1128e89
- multi-user?: yes
- sandbox: yes
- version: nix-env (Nix) 2.24.12
- channels(root): "nixos-23.11, nixos-hardware"
- nixpkgs: /nix/store/56m82shl5xdjl0s54licn6davvpj12as-source
Notify maintainers
@dotlambda, @SuperSandro2000
Note for maintainers: Please tag this issue in your pull request description. (i.e. Resolves #ISSUE.)
I assert that this issue is relevant for Nixpkgs
- I assert that this is a bug and not a support request.
- I assert that this is not a duplicate of an existing issue.
- I assert that I have read the NixOS Code of Conduct and agree to abide by it.