diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..86a63dc
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,9 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_style = space
+indent_size = 2
+insert_final_newline = true
+trim_trailing_whitespace = true
diff --git a/.travis.yml b/.travis.yml
index 21b998f..c46adf4 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,6 +1,5 @@
language: nix
script:
- - git clone --depth 1 https://github.com/NixOS/nixpkgs ../nixpkgs
- nix-build tests/intern.nix
- nix-build tests/extern.nix
diff --git a/README.md b/README.md
index c3b11a6..be26b02 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,6 @@
# ![Simple Nixos MailServer][logo]
+
## Stable Releases
@@ -9,7 +10,8 @@ None so far.
[Latest Release Candidate](https://github.com/r-raymond/nixos-mailserver/releases/latest)
## Features
-### v1.1
+### v2.0
+ * [x] Multiple Domains
* Postfix MTA
- [x] smtp on port 25
- [x] submission port 587
@@ -21,6 +23,7 @@ None so far.
* Certificates
- [x] manual certificates
- [x] on the fly creation
+ - [x] Let's Encrypt
* Spam Filtering
- [x] via rspamd
- [x] hard coded sieve script to move spam into Junk folder
@@ -32,17 +35,13 @@ None so far.
- [x] declarative user management
- [x] declarative password management
-
-### v1.2
- * Certificates
- - [ ] Let's Encrypt
+### In the future
* Sieves
- [ ] Allow user defined sieve scripts
* User Aliases
- [ ] More complete alias support
-
-### v2.0
- * [ ] Multiple Domains
+ * DKIM Signing
+ - [ ] Allow a per domain selector
### Changelog
@@ -50,6 +49,45 @@ None so far.
* Changed structure to Nix Modules
* Adds Sieve support
+#### v1.1 -> v2.0
+ * rename domain to fqdn, seperate fqdn from domains
+ * multi domain support
+
+### How to Deploy
+
+```nix
+{ config, pkgs, ... }:
+{
+ imports = [
+ (builtins.fetchTarball "https://github.com/r-raymond/nixos-mailserver/releases/tag/v2.0-rc1")
+ ];
+
+ mailserver = {
+ enable = true;
+ fqdn = "mail.example.com";
+ domains = [ "example.com" "example2.com" ];
+ loginAccounts = {
+ "user1@example.com" = {
+ hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/";
+ };
+ };
+ virtualAliases = {
+ # address = forward address;
+ "info@example.com" = "user1@example.com";
+ "postmaster@example.com" = "user1@example.com";
+ "abuse@example.com" = "user1@example.com";
+ "user1@example2.com" = "user1@example.com";
+ "info@example2.com" = "user1@example.com";
+ "postmaster@example2.com" = "user1@example.com";
+ "abuse@example2.com" = "user1@example.com";
+ };
+ };
+}
+```
+
+For a complete list of options, see `default.nix`.
+
+
### How to Test
You can test the setup via `nixops`. After installation, do
@@ -73,6 +111,52 @@ openssl s_client -host mail.example.com -port 143 -starttls imap
```
+## How to Set Up a 10/10 Mail Server
+Mail servers can be a tricky thing to set up. This guide is supposed to run you
+through the most important steps to achieve a 10/10 score on `mail-tester.com`.
+
+### Fully Qualified Domain Name
+No matter how many domains you want to serve on your mail server, you need to
+settle on a _Fully Qualified Domain Name_ (FQDN) where your server is reachable,
+so that other servers can find yours. Common FQDN include `mx.example.com`
+(where `example.com` is a domain you own) or `mail.example.com`.
+
+After you settled on a FQDN (we will assume `mx.example.com` henceforth) you
+need to
+ * Set a DNS entry on your domain to point to the IP of the server. For this
+ add a DNS record such as
+
+ | Name (Subdomain) | TTL | Type | Priority | Value |
+ | ---------------- | ----- | ---- | -------- | ----------------- |
+ | mx.example.com | 10800 | A | | `xxx.xxx.xxx.xxx` |
+
+ to your domain, where `xxx.xxx.xxx.xxx` is the IP of your server.
+
+ * Set a `rDNS` (reverse DNS) entry for your FQDN. You need to do so wherever
+ you have rented your server. Make sure that `xxx.xxx.xxx.xxx` resolves to
+ `mx.example.com`.
+
+
+### MX Record
+
+| Name (Subdomain) | TTL | Type | Priority | Value |
+| ---------------- | ----- | ---- | -------- | ----------------- |
+| domain1.com | | MX | 10 | mx.exmaple.com |
+
+### Spf record
+
+| Name (Subdomain) | TTL | Type | Priority | Value |
+| ---------------- | ----- | ---- | -------- | ----------------- |
+| domain1.com | 10800 | TXT | | `v=spf1 ip4:xxx.xxx.xxx.xxx -all` |
+
+### DKIM signature
+
+| Name (Subdomain) | TTL | Type | Priority | Value |
+| ---------------- | ----- | ---- | -------- | ----------------- |
+| dkim._domainkey.domain1.com | 10800 | TXT | | `v=DKIM1; p=yyyyyyyyyyyy` |
+
+where `yyyyyyyyyyyy` is the `DKIM` signature
+
## A Complete Mail Server Without Moving Parts
### Used Technologies
@@ -87,7 +171,7 @@ openssl s_client -host mail.example.com -port 143 -starttls imap
* Pam
### Features
- * one domain
+ * unlimited domain
* unlimited mail accounts
* unlimited aliases for every mail account
* spam and virus checking
@@ -104,8 +188,10 @@ openssl s_client -host mail.example.com -port 143 -starttls imap
## Contributors
* Special thanks to @Infinisil for the module rewrite
+ * Special thanks to @jbboehr for multidomain implementation
* @danbst
* @phdoerfler
+ * @eqyiel
### Credits
diff --git a/default.nix b/default.nix
index 74c47c2..4de34f5 100644
--- a/default.nix
+++ b/default.nix
@@ -26,19 +26,17 @@ in
options.mailserver = {
enable = mkEnableOption "nixos-mailserver";
- domain = mkOption {
+ fqdn = mkOption {
type = types.str;
example = "example.com";
- description = "The domain that this mail server serves. So far only one domain is supported";
+ description = "The fully qualified domain name of the mail server.";
};
- hostPrefix = mkOption {
- type = types.str;
- default = "mail";
- description = ''
- The prefix of the FQDN of the server. In this example the FQDN of the server
- is given by 'mail.example.com'
- '';
+ domains = mkOption {
+ type = types.listOf types.str;
+ example = [ "example.com" ];
+ default = [];
+ description = "The domains that this mail server serves.";
};
loginAccounts = mkOption {
@@ -113,7 +111,7 @@ in
vmailUserName = mkOption {
type = types.str;
- default = "vmail";
+ default = "virtualMail";
description = ''
The user name and group name of the user that owns the directory where all
the mail is stored.
@@ -122,7 +120,7 @@ in
vmailGroupName = mkOption {
type = types.str;
- default = "vmail";
+ default = "virtualMail";
description = ''
The user name and group name of the user that owns the directory where all
the mail is stored.
@@ -138,7 +136,7 @@ in
};
certificateScheme = mkOption {
- type = types.enum [ 1 2 ];
+ type = types.enum [ 1 2 3 ];
default = 2;
description = ''
Certificate Files. There are three options for these.
@@ -149,8 +147,6 @@ in
this implies that a stripped down webserver has to be started. This also
implies that the FQDN must be set as an `A` record to point to the IP of
the server. TODO: Explain more details
-
- TODO: Only certificate scheme 1) and 2) work as of yet.
'';
};
@@ -188,7 +184,7 @@ in
default = true;
description = ''
Whether to enable imap / pop3. Both variants are only supported in the
- (sane) startTLS configuration. (TODO: Allow SSL ports). The ports are
+ (sane) startTLS configuration. The ports are
110 - Pop3
143 - IMAP
@@ -196,12 +192,21 @@ in
'';
};
+ enableImapSsl = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to enable IMAPS, setting this option to true will open port 993
+ in the firewall.
+ '';
+ };
+
enablePop3 = mkOption {
type = types.bool;
default = false;
description = ''
- Whether to enable POP3. Both variants are only supported in the
- (sane) startTLS configuration. (TODO: Allow SSL ports). The ports are
+ Whether to enable POP3. Both variants are only supported in the (sane)
+ startTLS configuration. The ports are
110 - Pop3
143 - IMAP
@@ -209,8 +214,14 @@ in
'';
};
- # imapSsl = mkOption {} #< TODO
- # pop3Ssl = mkOption {} #< TODO
+ enablePop3Ssl = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to enable POP3S, setting this option to true will open port 995
+ in the firewall.
+ '';
+ };
virusScanning = mkOption {
type = types.bool;
@@ -256,5 +267,6 @@ in
./mail-server/dovecot.nix
./mail-server/postfix.nix
./mail-server/rmilter.nix
+ ./mail-server/nginx.nix
];
}
diff --git a/mail-server/common.nix b/mail-server/common.nix
index f32d898..910b5c2 100644
--- a/mail-server/common.nix
+++ b/mail-server/common.nix
@@ -24,13 +24,17 @@ in
certificatePath = if cfg.certificateScheme == 1
then cfg.certificateFile
else if cfg.certificateScheme == 2
- then "${cfg.certificateDirectory}/cert-${cfg.domain}.pem"
- else "";
+ then "${cfg.certificateDirectory}/cert-${cfg.fqdn}.pem"
+ else if cfg.certificateScheme == 3
+ then "/var/lib/acme/${cfg.fqdn}/fullchain.pem"
+ else throw "Error: Certificate Scheme must be in { 1, 2, 3 }";
# key :: PATH
keyPath = if cfg.certificateScheme == 1
then cfg.keyFile
else if cfg.certificateScheme == 2
- then "${cfg.certificateDirectory}/key-${cfg.domain}.pem"
- else "";
+ then "${cfg.certificateDirectory}/key-${cfg.fqdn}.pem"
+ else if cfg.certificateScheme == 3
+ then "/var/lib/acme/${cfg.fqdn}/key.pem"
+ else throw "Error: Certificate Scheme must be in { 1, 2, 3 }";
}
diff --git a/mail-server/networking.nix b/mail-server/networking.nix
index 4a685f5..f9b3336 100644
--- a/mail-server/networking.nix
+++ b/mail-server/networking.nix
@@ -24,8 +24,10 @@ in
networking.firewall = {
allowedTCPPorts = [ 25 587 ]
- ++ (if enableImap then [ 143 ] else [])
- ++ (if enablePop3 then [ 110 ] else []);
+ ++ lib.optional enableImap 143
+ ++ lib.optional enableImapSsl 993
+ ++ lib.optional enablePop3 110
+ ++ lib.optional enablePop3Ssl 995;
};
};
}
diff --git a/mail-server/nginx.nix b/mail-server/nginx.nix
new file mode 100644
index 0000000..0ba4a54
--- /dev/null
+++ b/mail-server/nginx.nix
@@ -0,0 +1,48 @@
+# nixos-mailserver: a simple mail server
+# Copyright (C) 2016-2017 Robin Raymond
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see
+
+
+{ config, pkgs, lib, ... }:
+
+with (import ./common.nix { inherit config; });
+
+let
+ cfg = config.mailserver;
+ acmeRoot = "/var/lib/acme/acme-challenge";
+in
+{
+ config = lib.mkIf (cfg.certificateScheme == 3) {
+ services.nginx = {
+ enable = true;
+ virtualHosts."${cfg.fqdn}" = {
+ serverName = cfg.fqdn;
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = acmeRoot;
+ };
+ };
+ security.acme.certs."${cfg.fqdn}".postRun = #{
+ # domain = "${cfg.fqdn}";
+# webroot = acmeRoot;
+# postRun =
+ ''
+ systemctl reload nginx
+ systemctl reload postfix
+ systemctl reload dovecot2
+ '';
+# };
+ };
+}
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index ebcfb0c..4b1cf45 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -19,17 +19,18 @@
with (import ./common.nix { inherit config; });
let
+ inherit (lib.strings) concatStringsSep;
cfg = config.mailserver;
# valiases_postfix :: [ String ]
valiases_postfix = map
(from:
let to = cfg.virtualAliases.${from};
- in "${from}@${cfg.domain} ${to}@${cfg.domain}")
+ in "${from} ${to}")
(builtins.attrNames cfg.virtualAliases);
# accountToIdentity :: User -> String
- accountToIdentity = account: "${account.name}@${cfg.domain} ${account.name}@${cfg.domain}";
+ accountToIdentity = account: "${account.name} ${account.name}";
# vaccounts_identity :: [ String ]
vaccounts_identity = map accountToIdentity (lib.attrValues cfg.loginAccounts);
@@ -38,7 +39,7 @@ let
valiases_file = builtins.toFile "valias" (lib.concatStringsSep "\n" valiases_postfix);
# vhosts_file :: Path
- vhosts_file = builtins.toFile "vhosts" cfg.domain;
+ vhosts_file = builtins.toFile "vhosts" (concatStringsSep "\n" cfg.domains);
# vaccounts_file :: Path
# see
@@ -47,11 +48,11 @@ let
# every alias is owned (uniquely) by its user. We have to add the users own
# address though
vaccounts_file = builtins.toFile "vaccounts" (lib.concatStringsSep "\n" (vaccounts_identity ++ valiases_postfix));
-
+
submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" ''
- ### Removes sensitive headers from mails handed in via the submission port.
- ### See https://thomas-leister.de/mailserver-debian-stretch/
- ### Uses "pcre" style regex.
+ # Removes sensitive headers from mails handed in via the submission port.
+ # See https://thomas-leister.de/mailserver-debian-stretch/
+ # Uses "pcre" style regex.
/^Received:/ IGNORE
/^X-Originating-IP:/ IGNORE
@@ -67,16 +68,16 @@ in
enable = true;
networksStyle = "host";
mapFiles."valias" = valiases_file;
- mapFiles."vaccounts" = vaccounts_file;
+ mapFiles."vaccounts" = vaccounts_file;
sslCert = certificatePath;
sslKey = keyPath;
enableSubmission = true;
- extraConfig =
+ extraConfig =
''
# Extra Config
- smtpd_banner = $myhostname ESMTP NO UCE
+ smtpd_banner = ${fqdn} ESMTP NO UCE
disable_vrfy_command = yes
message_size_limit = 20971520
@@ -116,7 +117,7 @@ in
'';
submissionOptions =
- {
+ {
smtpd_tls_security_level = "encrypt";
smtpd_sasl_auth_enable = "yes";
smtpd_sasl_type = "dovecot";
diff --git a/mail-server/rmilter.nix b/mail-server/rmilter.nix
index da3df2c..91a49fa 100644
--- a/mail-server/rmilter.nix
+++ b/mail-server/rmilter.nix
@@ -28,6 +28,8 @@ let
''
else "";
dkim = if cfg.dkimSigning
+ # Note: domain = "*"; causes Rmilter to try to search key in the key path
+ # as keypath/domain.selector.key for any domain.
then
''
dkim {
diff --git a/mail-server/services.nix b/mail-server/services.nix
index 2cebdaf..41d2bb3 100644
--- a/mail-server/services.nix
+++ b/mail-server/services.nix
@@ -24,14 +24,14 @@ let
cert = if cfg.certificateScheme == 1
then cfg.certificateFile
else if cfg.certificateScheme == 2
- then "${cfg.certificateDirectory}/cert-${cfg.domain}.pem"
+ then "${cfg.certificateDirectory}/cert-${cfg.fqdn.pem"
else "";
# key :: PATH
key = if cfg.certificateScheme == 1
then cfg.keyFile
else if cfg.certificateScheme == 2
- then "${cfg.certificateDirectory}/key-${cfg.domain}.pem"
+ then "${cfg.certificateDirectory}/key-${cfg.fqdn}.pem"
else "";
in
{
diff --git a/mail-server/systemd.nix b/mail-server/systemd.nix
index 0c82b16..0f98b7d 100644
--- a/mail-server/systemd.nix
+++ b/mail-server/systemd.nix
@@ -23,10 +23,10 @@ let
''
# Create certificates if they do not exist yet
dir="${cfg.certificateDirectory}"
- fqdn="${cfg.hostPrefix}.${cfg.domain}"
+ fqdn="${cfg.fqdn}"
case $fqdn in /*) fqdn=$(cat "$fqdn");; esac
- key="''${dir}/key-${cfg.domain}.pem";
- cert="''${dir}/cert-${cfg.domain}.pem";
+ key="''${dir}/key-${cfg.fqdn}.pem";
+ cert="''${dir}/cert-${cfg.fqdn}.pem";
if [ ! -f "''${key}" ] || [ ! -f "''${cert}" ]
then
@@ -38,22 +38,31 @@ let
''
else "";
- dkim_key = "${cfg.dkimKeyDirectory}/${cfg.dkimSelector}.private";
- dkim_txt = "${cfg.dkimKeyDirectory}/${cfg.dkimSelector}.txt";
+ createDomainDkimCert = dom:
+ let
+ dkim_key = "${cfg.dkimKeyDirectory}/${dom}.${cfg.dkimSelector}.key";
+ dkim_txt = "${cfg.dkimKeyDirectory}/${dom}.${cfg.dkimSelector}.txt";
+ in
+ ''
+ if [ ! -f "${dkim_key}" ] || [ ! -f "${dkim_txt}" ]
+ then
+ ${pkgs.opendkim}/bin/opendkim-genkey -s "${cfg.dkimSelector}" \
+ -d "${dom}" \
+ --directory="${cfg.dkimKeyDirectory}"
+ mv "${cfg.dkimKeyDirectory}/${cfg.dkimSelector}.private" "${dkim_key}"
+ mv "${cfg.dkimKeyDirectory}/${cfg.dkimSelector}.txt" "${dkim_txt}"
+ fi
+ '';
+ createAllCerts = lib.concatStringsSep "\n" (map createDomainDkimCert cfg.domains);
create_dkim_cert =
''
# Create dkim dir
mkdir -p "${cfg.dkimKeyDirectory}"
chown rmilter:rmilter "${cfg.dkimKeyDirectory}"
- if [ ! -f "${dkim_key}" ] || [ ! -f "${dkim_txt}" ]
- then
+ ${createAllCerts}
- ${pkgs.opendkim}/bin/opendkim-genkey -s "${cfg.dkimSelector}" \
- -d ${cfg.domain} \
- --directory="${cfg.dkimKeyDirectory}"
- chown rmilter:rmilter "${dkim_key}"
- fi
+ chown -R rmilter:rmilter "${cfg.dkimKeyDirectory}"
'';
in
{
@@ -63,7 +72,8 @@ in
# Create certificates and maildir folder
systemd.services.postfix = {
- preStart =
+ after = (if (certificateScheme == 3) then [ "nginx.service" ] else []);
+ preStart =
''
# Create mail directory and set permissions. See
# .
diff --git a/mail-server/users.nix b/mail-server/users.nix
index 873059e..f49be1f 100644
--- a/mail-server/users.nix
+++ b/mail-server/users.nix
@@ -19,25 +19,26 @@
with config.mailserver;
let
- vmail_user = [{
- #name = vmailUserName;
+ vmail_user = {
+ name = vmailUserName;
isNormalUser = false;
uid = vmailUIDStart;
home = mailDirectory;
createHome = true;
- #group = vmailGroupName;
- }];
+ group = vmailGroupName;
+ };
# accountsToUser :: String -> UserRecord
accountsToUser = account: {
- name = account.name + "@" + domain;
+ name = account.name;
isNormalUser = false;
group = vmailGroupName;
inherit (account) hashedPassword;
};
- # mail_user :: [ UserRecord ]
- mail_user = map accountsToUser (lib.attrValues loginAccounts);
+ # mail_users :: { [String]: UserRecord }
+ mail_users = lib.foldl (prev: next: prev // { "${next.name}" = next; }) {}
+ (map accountsToUser (lib.attrValues loginAccounts));
in
{
@@ -45,10 +46,12 @@ in
config = lib.mkIf enable {
# set the vmail gid to a specific value
users.groups = {
- vmail = { gid = vmailUIDStart; };
+ "${vmailGroupName}" = { gid = vmailUIDStart; };
};
# define all users
- users.extraUsers = vmail_user ++ mail_user;
+ users.users = mail_users // {
+ "${vmail_user.name}" = lib.mkForce vmail_user;
+ };
};
}
diff --git a/nixops/single-server.nix b/nixops/single-server.nix
index 15e9e5e..1976809 100644
--- a/nixops/single-server.nix
+++ b/nixops/single-server.nix
@@ -10,18 +10,21 @@
mailserver = {
enable = true;
- domain = "example.com";
-
- hostPrefix = "mail";
+ fqdn = "mail.example.com";
+ domains = [ "example.com" "example2.com" ];
loginAccounts = {
- user1 = {
+ "user1@example.com" = {
hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/";
};
};
virtualAliases = {
- info = "user1";
- postmaster = "user1";
- abuse = "user1";
+ "info@example.com" = "user1@example.com";
+ "postmaster@example.com" = "user1@example.com";
+ "abuse@example.com" = "user1@example.com";
+ "user1@example2.com" = "user1@example.com";
+ "info@example2.com" = "user1@example.com";
+ "postmaster@example2.com" = "user1@example.com";
+ "abuse@example2.com" = "user1@example.com";
};
};
};
diff --git a/tests/extern.nix b/tests/extern.nix
index 147d218..0b928d7 100644
--- a/tests/extern.nix
+++ b/tests/extern.nix
@@ -14,7 +14,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see
-import ./../../nixpkgs/nixos/tests/make-test.nix {
+import {
nodes =
{ server = { config, pkgs, ... }:
@@ -25,14 +25,17 @@ import ./../../nixpkgs/nixos/tests/make-test.nix {
mailserver = {
enable = true;
- domain = "example.com";
+ fqdn = "mail.example.com";
+ domains = [ "example.com" "example2.com" ];
- hostPrefix = "mail";
loginAccounts = {
- user1 = {
+ "user1@example.com" = {
hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/";
};
- user2 = {
+ "user2@example.com" = {
+ hashedPassword = "$6$u61JrAtuI0a$nGEEfTP5.eefxoScUGVG/Tl0alqla2aGax4oTd85v3j3xSmhv/02gNfSemv/aaMinlv9j/ZABosVKBrRvN5Qv0";
+ };
+ "user@example2.com" = {
hashedPassword = "$6$u61JrAtuI0a$nGEEfTP5.eefxoScUGVG/Tl0alqla2aGax4oTd85v3j3xSmhv/02gNfSemv/aaMinlv9j/ZABosVKBrRvN5Qv0";
};
};
@@ -68,6 +71,13 @@ import ./../../nixpkgs/nixos/tests/make-test.nix {
from user2\@example.com
user user2\@example.com
password user2
+
+ account test2
+ host SERVER
+ port 587
+ from user\@example2.com
+ user user\@example2.com
+ password user2
'';
email1 =
''
@@ -82,6 +92,21 @@ import ./../../nixpkgs/nixos/tests/make-test.nix {
how are you doing today?
'';
+ email2 =
+ ''
+ From: User
+ To: User1
+ Cc:
+ Bcc:
+ Subject: This is a test Email from user\@example2.com to user1
+ Reply-To:
+
+ Hello User1,
+
+ how are you doing today?
+
+ XOXO User1
+ '';
in
''
startAll;
@@ -121,5 +146,19 @@ import ./../../nixpkgs/nixos/tests/make-test.nix {
# make sure our IP is _not_ in the email header
$client->fail("grep `ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print \$2}' | cut -f1 -d'/'` ~/mail/*");
};
+
+ subtest "dkim singing, multiple domains", sub {
+ $client->succeed("rm ~/mail/*");
+ $client->succeed("rm mail.txt");
+ $client->succeed("echo '${email2}' > mail.txt");
+ # send email from user2 to user1
+ $client->succeed("msmtp -a test2 --tls=on --tls-certcheck=off --auth=on user1\@example.com < mail.txt >&2");
+ $client->succeed("sleep 5");
+ # fetchmail returns EXIT_CODE 0 when it retrieves mail
+ $client->succeed("fetchmail -v");
+ $client->succeed("cat ~/mail/* >&2");
+ # make sure it is dkim signed
+ $client->succeed("grep DKIM ~/mail/*");
+ };
'';
}
diff --git a/tests/intern.nix b/tests/intern.nix
index 5002e24..bcfce2a 100644
--- a/tests/intern.nix
+++ b/tests/intern.nix
@@ -14,7 +14,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see
-import ./../../nixpkgs/nixos/tests/make-test.nix {
+import {
machine =
{ config, pkgs, ... }:
@@ -25,14 +25,17 @@ import ./../../nixpkgs/nixos/tests/make-test.nix {
mailserver = {
enable = true;
- domain = "example.com";
+ fqdn = "mail.example.com";
+ domains = [ "example.com" ];
- hostPrefix = "mail";
loginAccounts = {
- user1 = {
+ "user1@example.com" = {
hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/";
};
};
+
+ vmailGroupName = "vmail";
+ vmailUIDStart = 5000;
};
};
@@ -49,5 +52,9 @@ import ./../../nixpkgs/nixos/tests/make-test.nix {
$machine->succeed("cat /etc/shadow | grep 'user1\@example.com:\$6\$/z4n8AQl6K\$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/:1::::::'");
};
+ subtest "vmail gid is set correctly", sub {
+ $machine->succeed("getent group vmail | grep 5000");
+ };
+
'';
}