2017-08-29 22:58:44 +00:00
|
|
|
|
|
|
|
# nixos-mailserver: a simple mail server
|
2018-01-29 09:34:27 +00:00
|
|
|
# Copyright (C) 2016-2018 Robin Raymond
|
2017-08-29 22:58:44 +00:00
|
|
|
#
|
|
|
|
# This program is free software: you can redistribute it and/or modify
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
# (at your option) any later version.
|
|
|
|
#
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
|
|
|
|
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
|
|
|
|
with lib;
|
|
|
|
|
|
|
|
let
|
|
|
|
cfg = config.mailserver;
|
|
|
|
in
|
|
|
|
{
|
|
|
|
options.mailserver = {
|
|
|
|
enable = mkEnableOption "nixos-mailserver";
|
|
|
|
|
2017-11-11 09:44:45 +00:00
|
|
|
fqdn = mkOption {
|
2017-08-29 22:58:44 +00:00
|
|
|
type = types.str;
|
2017-11-20 06:13:43 +00:00
|
|
|
example = "mx.example.com";
|
2017-11-11 09:44:45 +00:00
|
|
|
description = "The fully qualified domain name of the mail server.";
|
2017-11-09 21:13:27 +00:00
|
|
|
};
|
|
|
|
|
2017-11-11 09:44:45 +00:00
|
|
|
domains = mkOption {
|
2017-11-09 21:13:27 +00:00
|
|
|
type = types.listOf types.str;
|
2017-11-12 01:59:53 +00:00
|
|
|
example = [ "example.com" ];
|
2017-11-09 22:17:03 +00:00
|
|
|
default = [];
|
2017-11-11 09:44:45 +00:00
|
|
|
description = "The domains that this mail server serves.";
|
2017-08-29 22:58:44 +00:00
|
|
|
};
|
|
|
|
|
2017-09-02 11:23:37 +00:00
|
|
|
loginAccounts = mkOption {
|
2017-08-29 22:58:44 +00:00
|
|
|
type = types.loaOf (types.submodule ({ name, ... }: {
|
|
|
|
options = {
|
|
|
|
name = mkOption {
|
|
|
|
type = types.str;
|
2017-11-20 06:13:43 +00:00
|
|
|
example = "user1@example.com";
|
2017-08-29 22:58:44 +00:00
|
|
|
description = "Username";
|
|
|
|
};
|
|
|
|
|
|
|
|
hashedPassword = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
example = "$6$evQJs5CFQyPAW09S$Cn99Y8.QjZ2IBnSu4qf1vBxDRWkaIZWOtmu1Ddsm3.H3CFpeVc0JU4llIq8HQXgeatvYhh5O33eWG3TSpjzu6/";
|
|
|
|
description = ''
|
|
|
|
Hashed password. Use `mkpasswd` as follows
|
|
|
|
|
|
|
|
```
|
|
|
|
mkpasswd -m sha-512 "super secret password"
|
|
|
|
```
|
|
|
|
'';
|
|
|
|
};
|
2017-11-18 03:37:59 +00:00
|
|
|
|
2017-11-21 09:55:27 +00:00
|
|
|
aliases = mkOption {
|
2017-11-21 10:18:07 +00:00
|
|
|
type = with types; listOf types.str;
|
2017-11-21 09:55:27 +00:00
|
|
|
example = ["abuse@example.com" "postmaster@example.com"];
|
2017-11-21 10:18:07 +00:00
|
|
|
default = [];
|
2017-11-21 09:55:27 +00:00
|
|
|
description = ''
|
|
|
|
A list of aliases of this login account.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2017-12-18 11:26:54 +00:00
|
|
|
catchAll = mkOption {
|
|
|
|
type = with types; listOf (enum cfg.domains);
|
|
|
|
example = ["example.com" "example2.com"];
|
|
|
|
default = [];
|
|
|
|
description = ''
|
|
|
|
For which domains should this account act as a catch all?
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2017-11-18 03:37:59 +00:00
|
|
|
sieveScript = mkOption {
|
|
|
|
type = with types; nullOr lines;
|
|
|
|
default = null;
|
|
|
|
example = ''
|
|
|
|
require ["fileinto", "mailbox"];
|
|
|
|
|
|
|
|
if address :is "from" "notifications@github.com" {
|
|
|
|
fileinto :create "GitHub";
|
|
|
|
stop;
|
|
|
|
}
|
|
|
|
|
|
|
|
# This must be the last rule, it will check if list-id is set, and
|
|
|
|
# file the message into the Lists folder for further investigation
|
|
|
|
elsif header :matches "list-id" "<?*>" {
|
|
|
|
fileinto :create "Lists";
|
|
|
|
stop;
|
|
|
|
}
|
|
|
|
'';
|
|
|
|
description = ''
|
|
|
|
Per-user sieve script.
|
|
|
|
'';
|
|
|
|
};
|
2017-08-29 22:58:44 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
config.name = mkDefault name;
|
|
|
|
}));
|
|
|
|
example = {
|
|
|
|
user1 = {
|
|
|
|
hashedPassword = "$6$evQJs5CFQyPAW09S$Cn99Y8.QjZ2IBnSu4qf1vBxDRWkaIZWOtmu1Ddsm3.H3CFpeVc0JU4llIq8HQXgeatvYhh5O33eWG3TSpjzu6/";
|
|
|
|
};
|
|
|
|
user2 = {
|
|
|
|
hashedPassword = "$6$oE0ZNv2n7Vk9gOf$9xcZWCCLGdMflIfuA0vR1Q1Xblw6RZqPrP94mEit2/81/7AKj2bqUai5yPyWE.QYPyv6wLMHZvjw3Rlg7yTCD/";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
description = ''
|
|
|
|
The login account of the domain. Every account is mapped to a unix user,
|
|
|
|
e.g. `user1@example.com`. To generate the passwords use `mkpasswd` as
|
|
|
|
follows
|
|
|
|
|
|
|
|
```
|
|
|
|
mkpasswd -m sha-512 "super secret password"
|
|
|
|
```
|
|
|
|
'';
|
2017-09-02 10:59:07 +00:00
|
|
|
default = {};
|
2017-08-29 22:58:44 +00:00
|
|
|
};
|
|
|
|
|
2017-11-21 10:47:15 +00:00
|
|
|
extraVirtualAliases = mkOption {
|
2017-09-02 11:23:37 +00:00
|
|
|
type = types.attrsOf (types.enum (builtins.attrNames cfg.loginAccounts));
|
2017-08-29 22:58:44 +00:00
|
|
|
example = {
|
2017-11-21 10:43:10 +00:00
|
|
|
"info@example.com" = "user1@example.com";
|
|
|
|
"postmaster@example.com" = "user1@example.com";
|
|
|
|
"abuse@example.com" = "user1@example.com";
|
2017-08-29 22:58:44 +00:00
|
|
|
};
|
|
|
|
description = ''
|
2017-11-21 10:43:10 +00:00
|
|
|
Virtual Aliases. A virtual alias `"info@example2.com" = "user1@example.com"` means that
|
|
|
|
all mail to `info@example2.com` is forwarded to `user1@example.com`. Note
|
2017-08-29 22:58:44 +00:00
|
|
|
that it is expected that `postmaster@example.com` and `abuse@example.com` is
|
|
|
|
forwarded to some valid email address. (Alternatively you can create login
|
2017-11-21 10:43:10 +00:00
|
|
|
accounts for `postmaster` and (or) `abuse`). Furthermore, it also allows
|
|
|
|
the user `user1@example.com` to send emails as `info@example2.com`.
|
2017-08-29 22:58:44 +00:00
|
|
|
'';
|
2017-09-02 10:59:07 +00:00
|
|
|
default = {};
|
2017-08-29 22:58:44 +00:00
|
|
|
};
|
|
|
|
|
2017-11-21 10:47:15 +00:00
|
|
|
virtualAliases = mkOption {
|
|
|
|
type = types.attrsOf (types.enum (builtins.attrNames cfg.loginAccounts));
|
|
|
|
example = {
|
|
|
|
"info@example.com" = "user1@example.com";
|
|
|
|
"postmaster@example.com" = "user1@example.com";
|
|
|
|
"abuse@example.com" = "user1@example.com";
|
|
|
|
};
|
|
|
|
description = ''
|
2017-12-18 11:26:54 +00:00
|
|
|
Alias for extraVirtualAliases. Deprecated.
|
2017-11-21 10:47:15 +00:00
|
|
|
'';
|
|
|
|
default = {};
|
|
|
|
};
|
|
|
|
|
2017-11-18 20:38:26 +00:00
|
|
|
vmailUID = mkOption {
|
2017-08-29 22:58:44 +00:00
|
|
|
type = types.int;
|
|
|
|
default = 5000;
|
|
|
|
description = ''
|
2017-11-18 20:38:26 +00:00
|
|
|
The unix UID of the virtual mail user. Be mindful that if this is
|
|
|
|
changed, you will need to manually adjust the permissions of
|
|
|
|
mailDirectory.
|
2017-08-29 22:58:44 +00:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2017-09-02 11:23:37 +00:00
|
|
|
vmailUserName = mkOption {
|
2017-08-29 22:58:44 +00:00
|
|
|
type = types.str;
|
2017-10-18 07:20:44 +00:00
|
|
|
default = "virtualMail";
|
2017-08-29 22:58:44 +00:00
|
|
|
description = ''
|
|
|
|
The user name and group name of the user that owns the directory where all
|
|
|
|
the mail is stored.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2017-09-02 11:23:37 +00:00
|
|
|
vmailGroupName = mkOption {
|
2017-08-29 22:58:44 +00:00
|
|
|
type = types.str;
|
2017-10-18 07:20:44 +00:00
|
|
|
default = "virtualMail";
|
2017-08-29 22:58:44 +00:00
|
|
|
description = ''
|
|
|
|
The user name and group name of the user that owns the directory where all
|
|
|
|
the mail is stored.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2017-09-02 11:23:37 +00:00
|
|
|
mailDirectory = mkOption {
|
2017-09-03 13:57:49 +00:00
|
|
|
type = types.path;
|
2017-08-29 22:58:44 +00:00
|
|
|
default = "/var/vmail";
|
|
|
|
description = ''
|
|
|
|
Where to store the mail.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2017-09-02 11:23:37 +00:00
|
|
|
certificateScheme = mkOption {
|
2017-09-23 07:56:09 +00:00
|
|
|
type = types.enum [ 1 2 3 ];
|
2017-08-29 22:58:44 +00:00
|
|
|
default = 2;
|
|
|
|
description = ''
|
|
|
|
Certificate Files. There are three options for these.
|
|
|
|
|
|
|
|
1) You specify locations and manually copy certificates there.
|
|
|
|
2) You let the server create new (self signed) certificates on the fly.
|
|
|
|
3) You let the server create a certificate via `Let's Encrypt`. Note that
|
|
|
|
this implies that a stripped down webserver has to be started. This also
|
|
|
|
implies that the FQDN must be set as an `A` record to point to the IP of
|
2017-11-26 06:59:31 +00:00
|
|
|
the server. In particular port 80 on the server will be opened. For details
|
|
|
|
on how to set up the domain records, see the guide in the readme.
|
2017-08-29 22:58:44 +00:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2017-09-02 11:23:37 +00:00
|
|
|
certificateFile = mkOption {
|
2017-08-29 22:58:44 +00:00
|
|
|
type = types.path;
|
|
|
|
example = "/root/mail-server.crt";
|
|
|
|
description = ''
|
|
|
|
Scheme 1)
|
|
|
|
Location of the certificate
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2017-09-02 11:23:37 +00:00
|
|
|
keyFile = mkOption {
|
2017-08-29 22:58:44 +00:00
|
|
|
type = types.path;
|
|
|
|
example = "/root/mail-server.key";
|
|
|
|
description = ''
|
|
|
|
Scheme 1)
|
|
|
|
Location of the key file
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2017-09-02 11:29:49 +00:00
|
|
|
certificateDirectory = mkOption {
|
2017-08-29 22:58:44 +00:00
|
|
|
type = types.path;
|
|
|
|
default = "/var/certs";
|
|
|
|
description = ''
|
|
|
|
Sceme 2)
|
|
|
|
This is the folder where the certificate will be created. The name is
|
|
|
|
hardcoded to "cert-<domain>.pem" and "key-<domain>.pem" and the
|
|
|
|
certificate is valid for 10 years.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2017-09-02 11:29:49 +00:00
|
|
|
enableImap = mkOption {
|
2017-08-29 22:58:44 +00:00
|
|
|
type = types.bool;
|
|
|
|
default = true;
|
|
|
|
description = ''
|
|
|
|
Whether to enable imap / pop3. Both variants are only supported in the
|
2017-11-12 22:59:29 +00:00
|
|
|
(sane) startTLS configuration. The ports are
|
2017-08-29 22:58:44 +00:00
|
|
|
|
|
|
|
110 - Pop3
|
|
|
|
143 - IMAP
|
|
|
|
587 - SMTP with login
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2017-11-12 22:59:29 +00:00
|
|
|
enableImapSsl = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = false;
|
|
|
|
description = ''
|
|
|
|
Whether to enable IMAPS, setting this option to true will open port 993
|
|
|
|
in the firewall.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2017-09-02 11:29:49 +00:00
|
|
|
enablePop3 = mkOption {
|
2017-08-29 22:58:44 +00:00
|
|
|
type = types.bool;
|
|
|
|
default = false;
|
|
|
|
description = ''
|
2017-11-12 22:59:29 +00:00
|
|
|
Whether to enable POP3. Both variants are only supported in the (sane)
|
|
|
|
startTLS configuration. The ports are
|
2017-08-29 22:58:44 +00:00
|
|
|
|
|
|
|
110 - Pop3
|
|
|
|
143 - IMAP
|
|
|
|
587 - SMTP with login
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2017-11-12 22:59:29 +00:00
|
|
|
enablePop3Ssl = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = false;
|
|
|
|
description = ''
|
|
|
|
Whether to enable POP3S, setting this option to true will open port 995
|
|
|
|
in the firewall.
|
|
|
|
'';
|
|
|
|
};
|
2017-08-29 22:58:44 +00:00
|
|
|
|
2018-01-07 11:32:05 +00:00
|
|
|
enableManageSieve = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = false;
|
|
|
|
description = ''
|
|
|
|
Whether to enable ManageSieve, setting this option to true will open
|
|
|
|
port 4190 in the firewall.
|
|
|
|
|
|
|
|
The ManageSieve protocol allows users to manage their Sieve scripts on
|
|
|
|
a remote server with a supported client, including Thunderbird.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2017-09-02 11:23:37 +00:00
|
|
|
virusScanning = mkOption {
|
2017-08-29 22:58:44 +00:00
|
|
|
type = types.bool;
|
|
|
|
default = false;
|
|
|
|
description = ''
|
|
|
|
Whether to activate virus scanning. Note that virus scanning is _very_
|
|
|
|
expensive memory wise.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2017-09-02 11:29:49 +00:00
|
|
|
dkimSigning = mkOption {
|
2017-08-29 22:58:44 +00:00
|
|
|
type = types.bool;
|
|
|
|
default = true;
|
|
|
|
description = ''
|
|
|
|
Whether to activate dkim signing.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2017-09-02 11:29:49 +00:00
|
|
|
dkimSelector = mkOption {
|
2017-09-03 13:57:49 +00:00
|
|
|
type = types.str;
|
2017-08-29 22:58:44 +00:00
|
|
|
default = "mail";
|
|
|
|
description = ''
|
|
|
|
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2017-09-02 11:29:49 +00:00
|
|
|
dkimKeyDirectory = mkOption {
|
2017-08-29 22:58:44 +00:00
|
|
|
type = types.path;
|
|
|
|
default = "/var/dkim";
|
|
|
|
description = ''
|
|
|
|
|
|
|
|
'';
|
|
|
|
};
|
2017-11-13 21:46:59 +00:00
|
|
|
|
|
|
|
debug = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = false;
|
|
|
|
description = ''
|
|
|
|
Whether to enable verbose logging for mailserver related services. This
|
|
|
|
intended be used for development purposes only, you probably don't want
|
|
|
|
to enable this unless you're hacking on nixos-mailserver.
|
|
|
|
'';
|
|
|
|
};
|
2018-01-12 22:07:27 +00:00
|
|
|
|
|
|
|
localDnsResolver = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = true;
|
|
|
|
description = ''
|
|
|
|
Runs a local DNS resolver (kresd) as recommended when running rspamd. This prevents your log file from filling up with rspamd_monitored_dns_mon entries.
|
|
|
|
'';
|
|
|
|
};
|
2017-08-29 22:58:44 +00:00
|
|
|
};
|
|
|
|
|
2017-09-02 10:59:07 +00:00
|
|
|
imports = [
|
|
|
|
./mail-server/clamav.nix
|
2017-09-02 11:58:42 +00:00
|
|
|
./mail-server/users.nix
|
2017-09-02 12:04:07 +00:00
|
|
|
./mail-server/environment.nix
|
2017-09-02 12:58:33 +00:00
|
|
|
./mail-server/networking.nix
|
2017-09-02 13:08:50 +00:00
|
|
|
./mail-server/systemd.nix
|
2017-09-03 09:13:34 +00:00
|
|
|
./mail-server/dovecot.nix
|
|
|
|
./mail-server/postfix.nix
|
|
|
|
./mail-server/rmilter.nix
|
2017-09-23 07:56:09 +00:00
|
|
|
./mail-server/nginx.nix
|
2018-01-12 22:07:27 +00:00
|
|
|
./mail-server/kresd.nix
|
2017-09-02 10:59:07 +00:00
|
|
|
];
|
2017-11-21 11:04:10 +00:00
|
|
|
|
|
|
|
config = lib.mkIf config.mailserver.enable {
|
|
|
|
warnings = if (config.mailserver.virtualAliases != {}) then [ ''
|
|
|
|
virtualAliases had been derprecated. Use extraVirtualAliases instead or
|
|
|
|
use the `aliases` field of the loginAccount attribute set
|
|
|
|
'']
|
|
|
|
else [];
|
|
|
|
};
|
2017-08-29 22:58:44 +00:00
|
|
|
}
|