Merge branch 'cleanup' into 'master'
Format with nixfmt, drop redundant parentheses See merge request simple-nixos-mailserver/nixos-mailserver!415
This commit is contained in:
commit
b555b3e8dc
21 changed files with 2090 additions and 1681 deletions
|
@ -1,22 +1,21 @@
|
|||
{ nixpkgs, pulls, ... }:
|
||||
|
||||
let
|
||||
pkgs = import nixpkgs {};
|
||||
pkgs = import nixpkgs { };
|
||||
|
||||
prs = builtins.fromJSON (builtins.readFile pulls);
|
||||
prJobsets = pkgs.lib.mapAttrs (num: info:
|
||||
{ enabled = 1;
|
||||
hidden = false;
|
||||
description = "PR ${num}: ${info.title}";
|
||||
checkinterval = 300;
|
||||
schedulingshares = 20;
|
||||
enableemail = false;
|
||||
emailoverride = "";
|
||||
keepnr = 1;
|
||||
type = 1;
|
||||
flake = "gitlab:simple-nixos-mailserver/nixos-mailserver/merge-requests/${info.iid}/head";
|
||||
}
|
||||
) prs;
|
||||
prJobsets = pkgs.lib.mapAttrs (num: info: {
|
||||
enabled = 1;
|
||||
hidden = false;
|
||||
description = "PR ${num}: ${info.title}";
|
||||
checkinterval = 300;
|
||||
schedulingshares = 20;
|
||||
enableemail = false;
|
||||
emailoverride = "";
|
||||
keepnr = 1;
|
||||
type = 1;
|
||||
flake = "gitlab:simple-nixos-mailserver/nixos-mailserver/merge-requests/${info.iid}/head";
|
||||
}) prs;
|
||||
mkFlakeJobset = branch: {
|
||||
description = "Build ${branch} branch of Simple NixOS MailServer";
|
||||
checkinterval = 300;
|
||||
|
@ -41,8 +40,9 @@ let
|
|||
jobsets = desc;
|
||||
};
|
||||
|
||||
in {
|
||||
jobsets = pkgs.runCommand "spec-jobsets.json" {} ''
|
||||
in
|
||||
{
|
||||
jobsets = pkgs.runCommand "spec-jobsets.json" { } ''
|
||||
cat >$out <<EOF
|
||||
${builtins.toJSON desc}
|
||||
EOF
|
||||
|
|
434
default.nix
434
default.nix
|
@ -14,7 +14,12 @@
|
|||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||
|
||||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
|
||||
with lib;
|
||||
|
||||
|
@ -56,14 +61,17 @@ in
|
|||
domains = mkOption {
|
||||
type = types.listOf types.str;
|
||||
example = [ "example.com" ];
|
||||
default = [];
|
||||
default = [ ];
|
||||
description = "The domains that this mail server serves.";
|
||||
};
|
||||
|
||||
certificateDomains = mkOption {
|
||||
type = types.listOf types.str;
|
||||
example = [ "imap.example.com" "pop3.example.com" ];
|
||||
default = [];
|
||||
example = [
|
||||
"imap.example.com"
|
||||
"pop3.example.com"
|
||||
];
|
||||
default = [ ];
|
||||
description = ''
|
||||
({option}`mailserver.certificateScheme` == `acme-nginx`)
|
||||
|
||||
|
@ -79,130 +87,141 @@ in
|
|||
};
|
||||
|
||||
loginAccounts = mkOption {
|
||||
type = types.attrsOf (types.submodule ({ name, ... }: {
|
||||
options = {
|
||||
name = mkOption {
|
||||
type = types.str;
|
||||
example = "user1@example.com";
|
||||
description = "Username";
|
||||
};
|
||||
type = types.attrsOf (
|
||||
types.submodule (
|
||||
{ name, ... }:
|
||||
{
|
||||
options = {
|
||||
name = mkOption {
|
||||
type = types.str;
|
||||
example = "user1@example.com";
|
||||
description = "Username";
|
||||
};
|
||||
|
||||
hashedPassword = mkOption {
|
||||
type = with types; nullOr str;
|
||||
default = null;
|
||||
example = "$6$evQJs5CFQyPAW09S$Cn99Y8.QjZ2IBnSu4qf1vBxDRWkaIZWOtmu1Ddsm3.H3CFpeVc0JU4llIq8HQXgeatvYhh5O33eWG3TSpjzu6/";
|
||||
description = ''
|
||||
The user's hashed password. Use `mkpasswd` as follows
|
||||
hashedPassword = mkOption {
|
||||
type = with types; nullOr str;
|
||||
default = null;
|
||||
example = "$6$evQJs5CFQyPAW09S$Cn99Y8.QjZ2IBnSu4qf1vBxDRWkaIZWOtmu1Ddsm3.H3CFpeVc0JU4llIq8HQXgeatvYhh5O33eWG3TSpjzu6/";
|
||||
description = ''
|
||||
The user's hashed password. Use `mkpasswd` as follows
|
||||
|
||||
```
|
||||
nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
|
||||
```
|
||||
```
|
||||
nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
|
||||
```
|
||||
|
||||
Warning: this is stored in plaintext in the Nix store!
|
||||
Use {option}`mailserver.loginAccounts.<name>.hashedPasswordFile` instead.
|
||||
'';
|
||||
};
|
||||
Warning: this is stored in plaintext in the Nix store!
|
||||
Use {option}`mailserver.loginAccounts.<name>.hashedPasswordFile` instead.
|
||||
'';
|
||||
};
|
||||
|
||||
hashedPasswordFile = mkOption {
|
||||
type = with types; nullOr path;
|
||||
default = null;
|
||||
example = "/run/keys/user1-passwordhash";
|
||||
description = ''
|
||||
A file containing the user's hashed password. Use `mkpasswd` as follows
|
||||
hashedPasswordFile = mkOption {
|
||||
type = with types; nullOr path;
|
||||
default = null;
|
||||
example = "/run/keys/user1-passwordhash";
|
||||
description = ''
|
||||
A file containing the user's hashed password. Use `mkpasswd` as follows
|
||||
|
||||
```
|
||||
nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
|
||||
```
|
||||
'';
|
||||
};
|
||||
```
|
||||
nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
|
||||
```
|
||||
'';
|
||||
};
|
||||
|
||||
aliases = mkOption {
|
||||
type = with types; listOf types.str;
|
||||
example = ["abuse@example.com" "postmaster@example.com"];
|
||||
default = [];
|
||||
description = ''
|
||||
A list of aliases of this login account.
|
||||
Note: Use list entries like "@example.com" to create a catchAll
|
||||
that allows sending from all email addresses in these domain.
|
||||
'';
|
||||
};
|
||||
aliases = mkOption {
|
||||
type = with types; listOf types.str;
|
||||
example = [
|
||||
"abuse@example.com"
|
||||
"postmaster@example.com"
|
||||
];
|
||||
default = [ ];
|
||||
description = ''
|
||||
A list of aliases of this login account.
|
||||
Note: Use list entries like "@example.com" to create a catchAll
|
||||
that allows sending from all email addresses in these domain.
|
||||
'';
|
||||
};
|
||||
|
||||
aliasesRegexp = mkOption {
|
||||
type = with types; listOf types.str;
|
||||
example = [''/^tom\..*@domain\.com$/''];
|
||||
default = [];
|
||||
description = ''
|
||||
Same as {option}`mailserver.aliases` but using PCRE (Perl compatible regex).
|
||||
'';
|
||||
};
|
||||
aliasesRegexp = mkOption {
|
||||
type = with types; listOf types.str;
|
||||
example = [ ''/^tom\..*@domain\.com$/'' ];
|
||||
default = [ ];
|
||||
description = ''
|
||||
Same as {option}`mailserver.aliases` but using PCRE (Perl compatible regex).
|
||||
'';
|
||||
};
|
||||
|
||||
catchAll = mkOption {
|
||||
type = with types; listOf (enum cfg.domains);
|
||||
example = ["example.com" "example2.com"];
|
||||
default = [];
|
||||
description = ''
|
||||
For which domains should this account act as a catch all?
|
||||
Note: Does not allow sending from all addresses of these domains.
|
||||
'';
|
||||
};
|
||||
catchAll = mkOption {
|
||||
type = with types; listOf (enum cfg.domains);
|
||||
example = [
|
||||
"example.com"
|
||||
"example2.com"
|
||||
];
|
||||
default = [ ];
|
||||
description = ''
|
||||
For which domains should this account act as a catch all?
|
||||
Note: Does not allow sending from all addresses of these domains.
|
||||
'';
|
||||
};
|
||||
|
||||
quota = mkOption {
|
||||
type = with types; nullOr types.str;
|
||||
default = null;
|
||||
example = "2G";
|
||||
description = ''
|
||||
Per user quota rules. Accepted sizes are `xx k/M/G/T` with the
|
||||
obvious meaning. Leave blank for the standard quota `100G`.
|
||||
'';
|
||||
};
|
||||
quota = mkOption {
|
||||
type = with types; nullOr types.str;
|
||||
default = null;
|
||||
example = "2G";
|
||||
description = ''
|
||||
Per user quota rules. Accepted sizes are `xx k/M/G/T` with the
|
||||
obvious meaning. Leave blank for the standard quota `100G`.
|
||||
'';
|
||||
};
|
||||
|
||||
sieveScript = mkOption {
|
||||
type = with types; nullOr lines;
|
||||
default = null;
|
||||
example = ''
|
||||
require ["fileinto", "mailbox"];
|
||||
sieveScript = mkOption {
|
||||
type = with types; nullOr lines;
|
||||
default = null;
|
||||
example = ''
|
||||
require ["fileinto", "mailbox"];
|
||||
|
||||
if address :is "from" "gitlab@mg.gitlab.com" {
|
||||
fileinto :create "GitLab";
|
||||
stop;
|
||||
}
|
||||
if address :is "from" "gitlab@mg.gitlab.com" {
|
||||
fileinto :create "GitLab";
|
||||
stop;
|
||||
}
|
||||
|
||||
# This must be the last rule, it will check if list-id is set, and
|
||||
# file the message into the Lists folder for further investigation
|
||||
elsif header :matches "list-id" "<?*>" {
|
||||
fileinto :create "Lists";
|
||||
stop;
|
||||
}
|
||||
'';
|
||||
description = ''
|
||||
Per-user sieve script.
|
||||
'';
|
||||
};
|
||||
# This must be the last rule, it will check if list-id is set, and
|
||||
# file the message into the Lists folder for further investigation
|
||||
elsif header :matches "list-id" "<?*>" {
|
||||
fileinto :create "Lists";
|
||||
stop;
|
||||
}
|
||||
'';
|
||||
description = ''
|
||||
Per-user sieve script.
|
||||
'';
|
||||
};
|
||||
|
||||
sendOnly = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Specifies if the account should be a send-only account.
|
||||
Emails sent to send-only accounts will be rejected from
|
||||
unauthorized senders with the `sendOnlyRejectMessage`
|
||||
stating the reason.
|
||||
'';
|
||||
};
|
||||
sendOnly = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Specifies if the account should be a send-only account.
|
||||
Emails sent to send-only accounts will be rejected from
|
||||
unauthorized senders with the `sendOnlyRejectMessage`
|
||||
stating the reason.
|
||||
'';
|
||||
};
|
||||
|
||||
sendOnlyRejectMessage = mkOption {
|
||||
type = types.str;
|
||||
default = "This account cannot receive emails.";
|
||||
description = ''
|
||||
The message that will be returned to the sender when an email is
|
||||
sent to a send-only account. Only used if the account is marked
|
||||
as send-only.
|
||||
'';
|
||||
};
|
||||
};
|
||||
sendOnlyRejectMessage = mkOption {
|
||||
type = types.str;
|
||||
default = "This account cannot receive emails.";
|
||||
description = ''
|
||||
The message that will be returned to the sender when an email is
|
||||
sent to a send-only account. Only used if the account is marked
|
||||
as send-only.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config.name = mkDefault name;
|
||||
}));
|
||||
config.name = mkDefault name;
|
||||
}
|
||||
)
|
||||
);
|
||||
example = {
|
||||
user1 = {
|
||||
hashedPassword = "$6$evQJs5CFQyPAW09S$Cn99Y8.QjZ2IBnSu4qf1vBxDRWkaIZWOtmu1Ddsm3.H3CFpeVc0JU4llIq8HQXgeatvYhh5O33eWG3TSpjzu6/";
|
||||
|
@ -220,13 +239,13 @@ in
|
|||
nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
|
||||
```
|
||||
'';
|
||||
default = {};
|
||||
default = { };
|
||||
};
|
||||
|
||||
ldap = {
|
||||
enable = mkEnableOption "LDAP support";
|
||||
|
||||
uris = mkOption {
|
||||
uris = mkOption {
|
||||
type = types.listOf types.str;
|
||||
example = literalExpression ''
|
||||
[
|
||||
|
@ -284,7 +303,11 @@ in
|
|||
};
|
||||
|
||||
searchScope = mkOption {
|
||||
type = types.enum [ "sub" "base" "one" ];
|
||||
type = types.enum [
|
||||
"sub"
|
||||
"base"
|
||||
"one"
|
||||
];
|
||||
default = "sub";
|
||||
description = ''
|
||||
Search scope below which users accounts are looked for.
|
||||
|
@ -419,14 +442,22 @@ in
|
|||
autoIndexExclude = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ ];
|
||||
example = [ "\\Trash" "SomeFolder" "Other/*" ];
|
||||
example = [
|
||||
"\\Trash"
|
||||
"SomeFolder"
|
||||
"Other/*"
|
||||
];
|
||||
description = ''
|
||||
Mailboxes to exclude from automatic indexing.
|
||||
'';
|
||||
};
|
||||
|
||||
enforced = mkOption {
|
||||
type = types.enum [ "yes" "no" "body" ];
|
||||
type = types.enum [
|
||||
"yes"
|
||||
"no"
|
||||
"body"
|
||||
];
|
||||
default = "no";
|
||||
description = ''
|
||||
Fail searches when no index is available. If set to
|
||||
|
@ -439,7 +470,10 @@ in
|
|||
languages = mkOption {
|
||||
type = types.nonEmptyListOf types.str;
|
||||
default = [ "en" ];
|
||||
example = [ "en" "de" ];
|
||||
example = [
|
||||
"en"
|
||||
"de"
|
||||
];
|
||||
description = ''
|
||||
A list of languages that the full text search should detect.
|
||||
At least one language must be specified.
|
||||
|
@ -488,7 +522,10 @@ in
|
|||
};
|
||||
|
||||
lmtpSaveToDetailMailbox = mkOption {
|
||||
type = types.enum ["yes" "no"];
|
||||
type = types.enum [
|
||||
"yes"
|
||||
"no"
|
||||
];
|
||||
default = "yes";
|
||||
description = ''
|
||||
If an email address is delimited by a "+", should it be filed into a
|
||||
|
@ -514,17 +551,23 @@ in
|
|||
};
|
||||
|
||||
extraVirtualAliases = mkOption {
|
||||
type = let
|
||||
loginAccount = mkOptionType {
|
||||
name = "Login Account";
|
||||
check = (account: builtins.elem account (builtins.attrNames cfg.loginAccounts));
|
||||
};
|
||||
in with types; attrsOf (either loginAccount (nonEmptyListOf loginAccount));
|
||||
type =
|
||||
let
|
||||
loginAccount = mkOptionType {
|
||||
name = "Login Account";
|
||||
check = account: builtins.elem account (builtins.attrNames cfg.loginAccounts);
|
||||
};
|
||||
in
|
||||
with types;
|
||||
attrsOf (either loginAccount (nonEmptyListOf loginAccount));
|
||||
example = {
|
||||
"info@example.com" = "user1@example.com";
|
||||
"postmaster@example.com" = "user1@example.com";
|
||||
"abuse@example.com" = "user1@example.com";
|
||||
"multi@example.com" = [ "user1@example.com" "user2@example.com" ];
|
||||
"multi@example.com" = [
|
||||
"user1@example.com"
|
||||
"user2@example.com"
|
||||
];
|
||||
};
|
||||
description = ''
|
||||
Virtual Aliases. A virtual alias `"info@example.com" = "user1@example.com"` means that
|
||||
|
@ -537,7 +580,7 @@ in
|
|||
example all mails for `multi@example.com` will be forwarded to both
|
||||
`user1@example.com` and `user2@example.com`.
|
||||
'';
|
||||
default = {};
|
||||
default = { };
|
||||
};
|
||||
|
||||
forwards = mkOption {
|
||||
|
@ -554,28 +597,34 @@ in
|
|||
can't send mail as `user@example.com`. Also, this option
|
||||
allows to forward mails to external addresses.
|
||||
'';
|
||||
default = {};
|
||||
default = { };
|
||||
};
|
||||
|
||||
rejectSender = mkOption {
|
||||
type = types.listOf types.str;
|
||||
example = [ "example.com" "spammer@example.net" ];
|
||||
example = [
|
||||
"example.com"
|
||||
"spammer@example.net"
|
||||
];
|
||||
description = ''
|
||||
Reject emails from these addresses from unauthorized senders.
|
||||
Use if a spammer is using the same domain or the same sender over and over.
|
||||
'';
|
||||
default = [];
|
||||
default = [ ];
|
||||
};
|
||||
|
||||
rejectRecipients = mkOption {
|
||||
type = types.listOf types.str;
|
||||
example = [ "sales@example.com" "info@example.com" ];
|
||||
example = [
|
||||
"sales@example.com"
|
||||
"info@example.com"
|
||||
];
|
||||
description = ''
|
||||
Reject emails addressed to these local addresses from unauthorized senders.
|
||||
Use if a spammer has found email addresses in a catchall domain but you do
|
||||
not want to disable the catchall.
|
||||
'';
|
||||
default = [];
|
||||
default = [ ];
|
||||
};
|
||||
|
||||
vmailUID = mkOption {
|
||||
|
@ -673,28 +722,46 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
certificateScheme = let
|
||||
schemes = [ "manual" "selfsigned" "acme-nginx" "acme" ];
|
||||
translate = i: warn "Setting mailserver.certificateScheme by number is deprecated, please use names instead: 'mailserver.certificateScheme = ${builtins.toString i}' can be replaced by 'mailserver.certificateScheme = \"${(builtins.elemAt schemes (i - 1))}\"'."
|
||||
(builtins.elemAt schemes (i - 1));
|
||||
in mkOption {
|
||||
type = with types; coercedTo (enum [ 1 2 3 ]) translate (enum schemes);
|
||||
default = "selfsigned";
|
||||
description = ''
|
||||
The scheme to use for managing TLS certificates:
|
||||
certificateScheme =
|
||||
let
|
||||
schemes = [
|
||||
"manual"
|
||||
"selfsigned"
|
||||
"acme-nginx"
|
||||
"acme"
|
||||
];
|
||||
translate =
|
||||
i:
|
||||
warn
|
||||
"Setting mailserver.certificateScheme by number is deprecated, please use names instead: 'mailserver.certificateScheme = ${builtins.toString i}' can be replaced by 'mailserver.certificateScheme = \"${
|
||||
(builtins.elemAt schemes (i - 1))
|
||||
}\"'."
|
||||
(builtins.elemAt schemes (i - 1));
|
||||
in
|
||||
mkOption {
|
||||
type =
|
||||
with types;
|
||||
coercedTo (enum [
|
||||
1
|
||||
2
|
||||
3
|
||||
]) translate (enum schemes);
|
||||
default = "selfsigned";
|
||||
description = ''
|
||||
The scheme to use for managing TLS certificates:
|
||||
|
||||
1. `manual`: you specify locations via {option}`mailserver.certificateFile` and
|
||||
{option}`mailserver.keyFile` and manually copy certificates there.
|
||||
2. `selfsigned`: you let the server create new (self-signed) certificates on the fly.
|
||||
3. `acme-nginx`: you let the server request certificates from [Let's Encrypt](https://letsencrypt.org)
|
||||
via NixOS' ACME module. By default, this will set up a stripped-down Nginx server for
|
||||
{option}`mailserver.fqdn` and open port 80. For this to work, the FQDN must be properly
|
||||
configured to point to your server (see the [setup guide](setup-guide.rst) for more information).
|
||||
4. `acme`: you already have an ACME certificate set up (for example, you're already running a TLS-enabled
|
||||
Nginx server on the FQDN). This is better than `manual` because the appropriate services will be reloaded
|
||||
when the certificate is renewed.
|
||||
'';
|
||||
};
|
||||
1. `manual`: you specify locations via {option}`mailserver.certificateFile` and
|
||||
{option}`mailserver.keyFile` and manually copy certificates there.
|
||||
2. `selfsigned`: you let the server create new (self-signed) certificates on the fly.
|
||||
3. `acme-nginx`: you let the server request certificates from [Let's Encrypt](https://letsencrypt.org)
|
||||
via NixOS' ACME module. By default, this will set up a stripped-down Nginx server for
|
||||
{option}`mailserver.fqdn` and open port 80. For this to work, the FQDN must be properly
|
||||
configured to point to your server (see the [setup guide](setup-guide.rst) for more information).
|
||||
4. `acme`: you already have an ACME certificate set up (for example, you're already running a TLS-enabled
|
||||
Nginx server on the FQDN). This is better than `manual` because the appropriate services will be reloaded
|
||||
when the certificate is renewed.
|
||||
'';
|
||||
};
|
||||
|
||||
certificateFile = mkOption {
|
||||
type = types.path;
|
||||
|
@ -851,7 +918,10 @@ in
|
|||
};
|
||||
|
||||
dkimKeyType = mkOption {
|
||||
type = types.enum [ "rsa" "ed25519" ];
|
||||
type = types.enum [
|
||||
"rsa"
|
||||
"ed25519"
|
||||
];
|
||||
default = "rsa";
|
||||
description = ''
|
||||
The key type used for generating DKIM keys. ED25519 was introduced in RFC6376 (2018).
|
||||
|
@ -864,16 +934,16 @@ in
|
|||
};
|
||||
|
||||
dkimKeyBits = mkOption {
|
||||
type = types.int;
|
||||
default = 1024;
|
||||
description = ''
|
||||
How many bits in generated DKIM keys. RFC6376 advises minimum 1024-bit keys.
|
||||
type = types.int;
|
||||
default = 1024;
|
||||
description = ''
|
||||
How many bits in generated DKIM keys. RFC6376 advises minimum 1024-bit keys.
|
||||
|
||||
If you have already deployed a key with a different number of bits than specified
|
||||
here, then you should use a different selector ({option}`mailserver.dkimSelector`). In order to get
|
||||
this package to generate a key with the new number of bits, you will either have to
|
||||
change the selector or delete the old key file.
|
||||
'';
|
||||
If you have already deployed a key with a different number of bits than specified
|
||||
here, then you should use a different selector ({option}`mailserver.dkimSelector`). In order to get
|
||||
this package to generate a key with the new number of bits, you will either have to
|
||||
change the selector or delete the old key file.
|
||||
'';
|
||||
};
|
||||
|
||||
dmarcReporting = {
|
||||
|
@ -901,7 +971,7 @@ in
|
|||
};
|
||||
|
||||
domain = mkOption {
|
||||
type = types.enum (cfg.domains);
|
||||
type = types.enum cfg.domains;
|
||||
example = "example.com";
|
||||
description = ''
|
||||
The domain from which outgoing DMARC reports are served.
|
||||
|
@ -938,7 +1008,7 @@ in
|
|||
|
||||
excludeDomains = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
default = [ ];
|
||||
description = ''
|
||||
List of domains or eSLDs to be excluded from DMARC reports.
|
||||
'';
|
||||
|
@ -1150,7 +1220,15 @@ in
|
|||
|
||||
compression = {
|
||||
method = mkOption {
|
||||
type = types.nullOr (types.enum ["none" "lz4" "zstd" "zlib" "lzma"]);
|
||||
type = types.nullOr (
|
||||
types.enum [
|
||||
"none"
|
||||
"lz4"
|
||||
"zstd"
|
||||
"zlib"
|
||||
"lzma"
|
||||
]
|
||||
);
|
||||
default = null;
|
||||
description = "Leaving this unset allows borg to choose. The default for borg 1.1.4 is lz4.";
|
||||
};
|
||||
|
@ -1208,14 +1286,14 @@ in
|
|||
|
||||
locations = mkOption {
|
||||
type = types.listOf types.path;
|
||||
default = [cfg.mailDirectory];
|
||||
default = [ cfg.mailDirectory ];
|
||||
defaultText = lib.literalExpression "[ config.mailserver.mailDirectory ]";
|
||||
description = "The locations that are to be backed up by borg.";
|
||||
};
|
||||
|
||||
extraArgumentsForInit = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = ["--critical"];
|
||||
default = [ "--critical" ];
|
||||
description = "Additional arguments to add to the borg init command line.";
|
||||
};
|
||||
|
||||
|
@ -1295,9 +1373,9 @@ in
|
|||
cronIntervals = mkOption {
|
||||
type = types.attrsOf types.str;
|
||||
default = {
|
||||
# minute, hour, day-in-month, month, weekday (0 = sunday)
|
||||
# minute, hour, day-in-month, month, weekday (0 = sunday)
|
||||
hourly = " 0 * * * *"; # Every full hour
|
||||
daily = "30 3 * * *"; # Every day at 3:30
|
||||
daily = "30 3 * * *"; # Every day at 3:30
|
||||
weekly = " 0 5 * * 0"; # Every sunday at 5:00 AM
|
||||
};
|
||||
description = ''
|
||||
|
@ -1311,29 +1389,29 @@ in
|
|||
|
||||
imports = [
|
||||
(lib.mkRemovedOptionModule [ "mailserver" "fullTextSearch" "maintenance" "enable" ] ''
|
||||
This option is not needed for fts-flatcurve
|
||||
This option is not needed for fts-flatcurve
|
||||
'')
|
||||
(lib.mkRemovedOptionModule [ "mailserver" "fullTextSearch" "maintenance" "onCalendar" ] ''
|
||||
This option is not needed for fts-flatcurve
|
||||
This option is not needed for fts-flatcurve
|
||||
'')
|
||||
(lib.mkRemovedOptionModule [ "mailserver" "fullTextSearch" "maintenance" "randomizedDelaySec" ] ''
|
||||
This option is not needed for fts-flatcurve
|
||||
This option is not needed for fts-flatcurve
|
||||
'')
|
||||
(lib.mkRemovedOptionModule [ "mailserver" "fullTextSearch" "minSize" ] ''
|
||||
This option is not supported by fts-flatcurve
|
||||
This option is not supported by fts-flatcurve
|
||||
'')
|
||||
(lib.mkRemovedOptionModule [ "mailserver" "fullTextSearch" "maxSize" ] ''
|
||||
This option is not needed since fts-xapian 1.8.3
|
||||
This option is not needed since fts-xapian 1.8.3
|
||||
'')
|
||||
(lib.mkRemovedOptionModule [ "mailserver" "fullTextSearch" "indexAttachments" ] ''
|
||||
Text attachments are always indexed since fts-xapian 1.4.8
|
||||
Text attachments are always indexed since fts-xapian 1.4.8
|
||||
'')
|
||||
(lib.mkRenamedOptionModule
|
||||
[ "mailserver" "rebootAfterKernelUpgrade" "enable" ]
|
||||
[ "system" "autoUpgrade" "allowReboot" ]
|
||||
)
|
||||
(lib.mkRemovedOptionModule [ "mailserver" "rebootAfterKernelUpgrade" "method" ] ''
|
||||
Use `system.autoUpgrade` instead.
|
||||
Use `system.autoUpgrade` instead.
|
||||
'')
|
||||
./mail-server/assertions.nix
|
||||
./mail-server/borgbackup.nix
|
||||
|
|
345
flake.nix
345
flake.nix
|
@ -20,174 +20,205 @@
|
|||
};
|
||||
};
|
||||
|
||||
outputs = { self, blobs, git-hooks, nixpkgs, nixpkgs-25_05, ... }: let
|
||||
lib = nixpkgs.lib;
|
||||
system = "x86_64-linux";
|
||||
pkgs = nixpkgs.legacyPackages.${system};
|
||||
releases = [
|
||||
{
|
||||
name = "unstable";
|
||||
nixpkgs = nixpkgs;
|
||||
pkgs = nixpkgs.legacyPackages.${system};
|
||||
}
|
||||
{
|
||||
name = "25.05";
|
||||
nixpkgs = nixpkgs-25_05;
|
||||
pkgs = nixpkgs-25_05.legacyPackages.${system};
|
||||
}
|
||||
];
|
||||
testNames = [
|
||||
"clamav"
|
||||
"external"
|
||||
"internal"
|
||||
"ldap"
|
||||
"multiple"
|
||||
];
|
||||
outputs =
|
||||
{
|
||||
self,
|
||||
blobs,
|
||||
git-hooks,
|
||||
nixpkgs,
|
||||
nixpkgs-25_05,
|
||||
...
|
||||
}:
|
||||
let
|
||||
lib = nixpkgs.lib;
|
||||
system = "x86_64-linux";
|
||||
pkgs = nixpkgs.legacyPackages.${system};
|
||||
releases = [
|
||||
{
|
||||
name = "unstable";
|
||||
nixpkgs = nixpkgs;
|
||||
pkgs = nixpkgs.legacyPackages.${system};
|
||||
}
|
||||
{
|
||||
name = "25.05";
|
||||
nixpkgs = nixpkgs-25_05;
|
||||
pkgs = nixpkgs-25_05.legacyPackages.${system};
|
||||
}
|
||||
];
|
||||
testNames = [
|
||||
"clamav"
|
||||
"external"
|
||||
"internal"
|
||||
"ldap"
|
||||
"multiple"
|
||||
];
|
||||
|
||||
genTest = testName: release: let
|
||||
pkgs = release.pkgs;
|
||||
nixos-lib = import (release.nixpkgs + "/nixos/lib") {
|
||||
inherit (pkgs) lib;
|
||||
};
|
||||
in {
|
||||
name = "${testName}-${builtins.replaceStrings ["."] ["_"] release.name}";
|
||||
value = nixos-lib.runTest {
|
||||
hostPkgs = pkgs;
|
||||
imports = [ ./tests/${testName}.nix ];
|
||||
_module.args = { inherit blobs; };
|
||||
extraBaseModules.imports = [ ./default.nix ];
|
||||
};
|
||||
};
|
||||
|
||||
# Generate an attribute set such as
|
||||
# {
|
||||
# external-unstable = <derivation>;
|
||||
# external-21_05 = <derivation>;
|
||||
# ...
|
||||
# }
|
||||
allTests = lib.listToAttrs (
|
||||
lib.flatten (map (t: map (r: genTest t r) releases) testNames));
|
||||
|
||||
mailserverModule = import ./.;
|
||||
|
||||
# Generate a MarkDown file describing the options of the NixOS mailserver module
|
||||
optionsDoc = let
|
||||
eval = lib.evalModules {
|
||||
modules = [
|
||||
mailserverModule
|
||||
{
|
||||
_module.check = false;
|
||||
mailserver = {
|
||||
fqdn = "mx.example.com";
|
||||
domains = [
|
||||
"example.com"
|
||||
];
|
||||
dmarcReporting = {
|
||||
organizationName = "Example Corp";
|
||||
domain = "example.com";
|
||||
};
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
options = builtins.toFile "options.json" (builtins.toJSON
|
||||
(lib.filter (opt: opt.visible && !opt.internal && lib.head opt.loc == "mailserver")
|
||||
(lib.optionAttrSetToDocList eval.options)));
|
||||
in pkgs.runCommand "options.md" { buildInputs = [pkgs.python3Minimal]; } ''
|
||||
echo "Generating options.md from ${options}"
|
||||
python ${./scripts/generate-options.py} ${options} > $out
|
||||
echo $out
|
||||
'';
|
||||
|
||||
documentation = pkgs.stdenv.mkDerivation {
|
||||
name = "documentation";
|
||||
src = lib.sourceByRegex ./docs ["logo\\.png" "conf\\.py" "Makefile" ".*\\.rst"];
|
||||
buildInputs = [(
|
||||
pkgs.python3.withPackages (p: with p; [
|
||||
sphinx
|
||||
sphinx_rtd_theme
|
||||
myst-parser
|
||||
linkify-it-py
|
||||
])
|
||||
)];
|
||||
buildPhase = ''
|
||||
cp ${optionsDoc} options.md
|
||||
# Workaround for https://github.com/sphinx-doc/sphinx/issues/3451
|
||||
unset SOURCE_DATE_EPOCH
|
||||
make html
|
||||
'';
|
||||
installPhase = ''
|
||||
cp -Tr _build/html $out
|
||||
'';
|
||||
};
|
||||
|
||||
in {
|
||||
nixosModules = rec {
|
||||
mailserver = mailserverModule;
|
||||
default = mailserver;
|
||||
};
|
||||
nixosModule = self.nixosModules.default; # compatibility
|
||||
hydraJobs.${system} = allTests // {
|
||||
inherit documentation;
|
||||
inherit (self.checks.${system}) pre-commit;
|
||||
};
|
||||
checks.${system} = allTests // {
|
||||
pre-commit = git-hooks.lib.${system}.run {
|
||||
src = ./.;
|
||||
hooks = {
|
||||
# docs
|
||||
markdownlint = {
|
||||
enable = true;
|
||||
settings.configuration = {
|
||||
# Max line length, doesn't seem to correclty account for lines containing links
|
||||
# https://github.com/DavidAnson/markdownlint/blob/main/doc/md013.md
|
||||
MD013 = false;
|
||||
};
|
||||
genTest =
|
||||
testName: release:
|
||||
let
|
||||
pkgs = release.pkgs;
|
||||
nixos-lib = import (release.nixpkgs + "/nixos/lib") {
|
||||
inherit (pkgs) lib;
|
||||
};
|
||||
rstcheck = {
|
||||
enable = true;
|
||||
package = pkgs.rstcheckWithSphinx;
|
||||
entry = lib.getExe pkgs.rstcheckWithSphinx;
|
||||
files = "\\.rst$";
|
||||
in
|
||||
{
|
||||
name = "${testName}-${builtins.replaceStrings [ "." ] [ "_" ] release.name}";
|
||||
value = nixos-lib.runTest {
|
||||
hostPkgs = pkgs;
|
||||
imports = [ ./tests/${testName}.nix ];
|
||||
_module.args = { inherit blobs; };
|
||||
extraBaseModules.imports = [ ./default.nix ];
|
||||
};
|
||||
};
|
||||
|
||||
# nix
|
||||
deadnix.enable = true;
|
||||
# Generate an attribute set such as
|
||||
# {
|
||||
# external-unstable = <derivation>;
|
||||
# external-21_05 = <derivation>;
|
||||
# ...
|
||||
# }
|
||||
allTests = lib.listToAttrs (lib.flatten (map (t: map (r: genTest t r) releases) testNames));
|
||||
|
||||
# python
|
||||
pyright.enable = true;
|
||||
ruff = {
|
||||
enable = true;
|
||||
args = [
|
||||
"--extend-select"
|
||||
"I"
|
||||
mailserverModule = import ./.;
|
||||
|
||||
# Generate a MarkDown file describing the options of the NixOS mailserver module
|
||||
optionsDoc =
|
||||
let
|
||||
eval = lib.evalModules {
|
||||
modules = [
|
||||
mailserverModule
|
||||
{
|
||||
_module.check = false;
|
||||
mailserver = {
|
||||
fqdn = "mx.example.com";
|
||||
domains = [
|
||||
"example.com"
|
||||
];
|
||||
dmarcReporting = {
|
||||
organizationName = "Example Corp";
|
||||
domain = "example.com";
|
||||
};
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
ruff-format.enable = true;
|
||||
options = builtins.toFile "options.json" (
|
||||
builtins.toJSON (
|
||||
lib.filter (opt: opt.visible && !opt.internal && lib.head opt.loc == "mailserver") (
|
||||
lib.optionAttrSetToDocList eval.options
|
||||
)
|
||||
)
|
||||
);
|
||||
in
|
||||
pkgs.runCommand "options.md" { buildInputs = [ pkgs.python3Minimal ]; } ''
|
||||
echo "Generating options.md from ${options}"
|
||||
python ${./scripts/generate-options.py} ${options} > $out
|
||||
echo $out
|
||||
'';
|
||||
|
||||
# scripts
|
||||
shellcheck.enable = true;
|
||||
documentation = pkgs.stdenv.mkDerivation {
|
||||
name = "documentation";
|
||||
src = lib.sourceByRegex ./docs [
|
||||
"logo\\.png"
|
||||
"conf\\.py"
|
||||
"Makefile"
|
||||
".*\\.rst"
|
||||
];
|
||||
buildInputs = [
|
||||
(pkgs.python3.withPackages (
|
||||
p: with p; [
|
||||
sphinx
|
||||
sphinx_rtd_theme
|
||||
myst-parser
|
||||
linkify-it-py
|
||||
]
|
||||
))
|
||||
];
|
||||
buildPhase = ''
|
||||
cp ${optionsDoc} options.md
|
||||
# Workaround for https://github.com/sphinx-doc/sphinx/issues/3451
|
||||
unset SOURCE_DATE_EPOCH
|
||||
make html
|
||||
'';
|
||||
installPhase = ''
|
||||
cp -Tr _build/html $out
|
||||
'';
|
||||
};
|
||||
|
||||
# sieve
|
||||
check-sieve = {
|
||||
enable = true;
|
||||
package = pkgs.check-sieve;
|
||||
entry = lib.getExe pkgs.check-sieve;
|
||||
files = "\\.sieve$";
|
||||
in
|
||||
{
|
||||
nixosModules = rec {
|
||||
mailserver = mailserverModule;
|
||||
default = mailserver;
|
||||
};
|
||||
nixosModule = self.nixosModules.default; # compatibility
|
||||
hydraJobs.${system} = allTests // {
|
||||
inherit documentation;
|
||||
inherit (self.checks.${system}) pre-commit;
|
||||
};
|
||||
checks.${system} = allTests // {
|
||||
pre-commit = git-hooks.lib.${system}.run {
|
||||
src = ./.;
|
||||
hooks = {
|
||||
# docs
|
||||
markdownlint = {
|
||||
enable = true;
|
||||
settings.configuration = {
|
||||
# Max line length, doesn't seem to correclty account for lines containing links
|
||||
# https://github.com/DavidAnson/markdownlint/blob/main/doc/md013.md
|
||||
MD013 = false;
|
||||
};
|
||||
};
|
||||
rstcheck = {
|
||||
enable = true;
|
||||
package = pkgs.rstcheckWithSphinx;
|
||||
entry = lib.getExe pkgs.rstcheckWithSphinx;
|
||||
files = "\\.rst$";
|
||||
};
|
||||
|
||||
# nix
|
||||
deadnix.enable = true;
|
||||
nixfmt-rfc-style.enable = true;
|
||||
|
||||
# python
|
||||
pyright.enable = true;
|
||||
ruff = {
|
||||
enable = true;
|
||||
args = [
|
||||
"--extend-select"
|
||||
"I"
|
||||
];
|
||||
};
|
||||
ruff-format.enable = true;
|
||||
|
||||
# scripts
|
||||
shellcheck.enable = true;
|
||||
|
||||
# sieve
|
||||
check-sieve = {
|
||||
enable = true;
|
||||
package = pkgs.check-sieve;
|
||||
entry = lib.getExe pkgs.check-sieve;
|
||||
files = "\\.sieve$";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
packages.${system} = {
|
||||
inherit optionsDoc documentation;
|
||||
};
|
||||
devShells.${system}.default = pkgs.mkShellNoCC {
|
||||
inputsFrom = [ documentation ];
|
||||
packages =
|
||||
with pkgs;
|
||||
[
|
||||
glab
|
||||
]
|
||||
++ self.checks.${system}.pre-commit.enabledPackages;
|
||||
shellHook = self.checks.${system}.pre-commit.shellHook;
|
||||
};
|
||||
devShell.${system} = self.devShells.${system}.default; # compatibility
|
||||
|
||||
formatter.${system} = pkgs.nixfmt-tree;
|
||||
};
|
||||
packages.${system} = {
|
||||
inherit optionsDoc documentation;
|
||||
};
|
||||
devShells.${system}.default = pkgs.mkShellNoCC {
|
||||
inputsFrom = [ documentation ];
|
||||
packages = with pkgs; [
|
||||
glab
|
||||
] ++ self.checks.${system}.pre-commit.enabledPackages;
|
||||
shellHook = self.checks.${system}.pre-commit.shellHook;
|
||||
};
|
||||
devShell.${system} = self.devShells.${system}.default; # compatibility
|
||||
};
|
||||
}
|
||||
|
|
|
@ -14,28 +14,44 @@
|
|||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
cfg = config.mailserver.borgbackup;
|
||||
|
||||
methodFragment = lib.optional (cfg.compression.method != null) cfg.compression.method;
|
||||
autoFragment =
|
||||
if cfg.compression.auto && cfg.compression.method == null
|
||||
then throw "compression.method must be set when using auto."
|
||||
else lib.optional cfg.compression.auto "auto";
|
||||
if cfg.compression.auto && cfg.compression.method == null then
|
||||
throw "compression.method must be set when using auto."
|
||||
else
|
||||
lib.optional cfg.compression.auto "auto";
|
||||
levelFragment =
|
||||
if cfg.compression.level != null && cfg.compression.method == null
|
||||
then throw "compression.method must be set when using compression.level."
|
||||
else lib.optional (cfg.compression.level != null) (toString cfg.compression.level);
|
||||
compressionFragment = lib.concatStringsSep "," (lib.flatten [autoFragment methodFragment levelFragment]);
|
||||
if cfg.compression.level != null && cfg.compression.method == null then
|
||||
throw "compression.method must be set when using compression.level."
|
||||
else
|
||||
lib.optional (cfg.compression.level != null) (toString cfg.compression.level);
|
||||
compressionFragment = lib.concatStringsSep "," (
|
||||
lib.flatten [
|
||||
autoFragment
|
||||
methodFragment
|
||||
levelFragment
|
||||
]
|
||||
);
|
||||
compression = lib.optionalString (compressionFragment != "") "--compression ${compressionFragment}";
|
||||
|
||||
encryptionFragment = cfg.encryption.method;
|
||||
passphraseFile = lib.escapeShellArg cfg.encryption.passphraseFile;
|
||||
passphraseFragment = lib.optionalString (cfg.encryption.method != "none")
|
||||
(if cfg.encryption.passphraseFile != null then ''env BORG_PASSPHRASE="$(cat ${passphraseFile})"''
|
||||
else throw "passphraseFile must be set when using encryption.");
|
||||
passphraseFragment = lib.optionalString (cfg.encryption.method != "none") (
|
||||
if cfg.encryption.passphraseFile != null then
|
||||
''env BORG_PASSPHRASE="$(cat ${passphraseFile})"''
|
||||
else
|
||||
throw "passphraseFile must be set when using encryption."
|
||||
);
|
||||
|
||||
locations = lib.escapeShellArgs cfg.locations;
|
||||
name = lib.escapeShellArg cfg.name;
|
||||
|
@ -55,7 +71,8 @@ let
|
|||
${passphraseFragment} ${pkgs.borgbackup}/bin/borg create ${extraCreateArgs} ${compression} ::${name} ${locations}
|
||||
${cmdPostexec}
|
||||
'';
|
||||
in {
|
||||
in
|
||||
{
|
||||
config = lib.mkIf (config.mailserver.enable && cfg.enable) {
|
||||
environment.systemPackages = with pkgs; [
|
||||
borgbackup
|
||||
|
|
|
@ -14,57 +14,76 @@
|
|||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||
|
||||
{ config, pkgs, lib }:
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
}:
|
||||
|
||||
let
|
||||
cfg = config.mailserver;
|
||||
in
|
||||
{
|
||||
# cert :: PATH
|
||||
certificatePath = if cfg.certificateScheme == "manual"
|
||||
then cfg.certificateFile
|
||||
else if cfg.certificateScheme == "selfsigned"
|
||||
then "${cfg.certificateDirectory}/cert-${cfg.fqdn}.pem"
|
||||
else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
|
||||
then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/fullchain.pem"
|
||||
else throw "unknown certificate scheme";
|
||||
certificatePath =
|
||||
if cfg.certificateScheme == "manual" then
|
||||
cfg.certificateFile
|
||||
else if cfg.certificateScheme == "selfsigned" then
|
||||
"${cfg.certificateDirectory}/cert-${cfg.fqdn}.pem"
|
||||
else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx" then
|
||||
"${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/fullchain.pem"
|
||||
else
|
||||
throw "unknown certificate scheme";
|
||||
|
||||
# key :: PATH
|
||||
keyPath = if cfg.certificateScheme == "manual"
|
||||
then cfg.keyFile
|
||||
else if cfg.certificateScheme == "selfsigned"
|
||||
then "${cfg.certificateDirectory}/key-${cfg.fqdn}.pem"
|
||||
else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
|
||||
then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/key.pem"
|
||||
else throw "unknown certificate scheme";
|
||||
keyPath =
|
||||
if cfg.certificateScheme == "manual" then
|
||||
cfg.keyFile
|
||||
else if cfg.certificateScheme == "selfsigned" then
|
||||
"${cfg.certificateDirectory}/key-${cfg.fqdn}.pem"
|
||||
else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx" then
|
||||
"${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/key.pem"
|
||||
else
|
||||
throw "unknown certificate scheme";
|
||||
|
||||
passwordFiles = let
|
||||
mkHashFile = name: hash: pkgs.writeText "${builtins.hashString "sha256" name}-password-hash" hash;
|
||||
in
|
||||
lib.mapAttrs (name: value:
|
||||
if value.hashedPasswordFile == null then
|
||||
builtins.toString (mkHashFile name value.hashedPassword)
|
||||
else value.hashedPasswordFile) cfg.loginAccounts;
|
||||
passwordFiles =
|
||||
let
|
||||
mkHashFile = name: hash: pkgs.writeText "${builtins.hashString "sha256" name}-password-hash" hash;
|
||||
in
|
||||
lib.mapAttrs (
|
||||
name: value:
|
||||
if value.hashedPasswordFile == null then
|
||||
builtins.toString (mkHashFile name value.hashedPassword)
|
||||
else
|
||||
value.hashedPasswordFile
|
||||
) cfg.loginAccounts;
|
||||
|
||||
# Appends the LDAP bind password to files to avoid writing this
|
||||
# password into the Nix store.
|
||||
appendLdapBindPwd = {
|
||||
name, file, prefix, suffix ? "", passwordFile, destination
|
||||
}: pkgs.writeScript "append-ldap-bind-pwd-in-${name}" ''
|
||||
#!${pkgs.stdenv.shell}
|
||||
set -euo pipefail
|
||||
appendLdapBindPwd =
|
||||
{
|
||||
name,
|
||||
file,
|
||||
prefix,
|
||||
suffix ? "",
|
||||
passwordFile,
|
||||
destination,
|
||||
}:
|
||||
pkgs.writeScript "append-ldap-bind-pwd-in-${name}" ''
|
||||
#!${pkgs.stdenv.shell}
|
||||
set -euo pipefail
|
||||
|
||||
baseDir=$(dirname ${destination})
|
||||
if (! test -d "$baseDir"); then
|
||||
mkdir -p $baseDir
|
||||
chmod 755 $baseDir
|
||||
fi
|
||||
baseDir=$(dirname ${destination})
|
||||
if (! test -d "$baseDir"); then
|
||||
mkdir -p $baseDir
|
||||
chmod 755 $baseDir
|
||||
fi
|
||||
|
||||
cat ${file} > ${destination}
|
||||
echo -n '${prefix}' >> ${destination}
|
||||
cat ${passwordFile} | tr -d '\n' >> ${destination}
|
||||
echo -n '${suffix}' >> ${destination}
|
||||
chmod 600 ${destination}
|
||||
'';
|
||||
cat ${file} > ${destination}
|
||||
echo -n '${prefix}' >> ${destination}
|
||||
cat ${passwordFile} | tr -d '\n' >> ${destination}
|
||||
echo -n '${suffix}' >> ${destination}
|
||||
chmod 600 ${destination}
|
||||
'';
|
||||
|
||||
}
|
||||
|
|
|
@ -14,7 +14,12 @@
|
|||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
|
||||
with (import ./common.nix { inherit config pkgs lib; });
|
||||
|
||||
|
@ -28,10 +33,14 @@ let
|
|||
ldapConfFile = "${passwdDir}/dovecot-ldap.conf.ext";
|
||||
boolToYesNo = x: if x then "yes" else "no";
|
||||
listToLine = lib.concatStringsSep " ";
|
||||
listToMultiAttrs = keyPrefix: attrs: lib.listToAttrs (lib.imap1 (n: x: {
|
||||
name = "${keyPrefix}${if n==1 then "" else toString n}";
|
||||
value = x;
|
||||
}) attrs);
|
||||
listToMultiAttrs =
|
||||
keyPrefix: attrs:
|
||||
lib.listToAttrs (
|
||||
lib.imap1 (n: x: {
|
||||
name = "${keyPrefix}${if n == 1 then "" else toString n}";
|
||||
value = x;
|
||||
}) attrs
|
||||
);
|
||||
|
||||
maildirLayoutAppendix = lib.optionalString cfg.useFsLayout ":LAYOUT=fs";
|
||||
maildirUTF8FolderNames = lib.optionalString cfg.useUTF8FolderNames ":UTF-8";
|
||||
|
@ -39,9 +48,7 @@ let
|
|||
# maildir in format "/${domain}/${user}"
|
||||
dovecotMaildir =
|
||||
"maildir:${cfg.mailDirectory}/%{domain}/%{username}${maildirLayoutAppendix}${maildirUTF8FolderNames}"
|
||||
+ (lib.optionalString (cfg.indexDir != null)
|
||||
":INDEX=${cfg.indexDir}/%{domain}/%{username}"
|
||||
);
|
||||
+ (lib.optionalString (cfg.indexDir != null) ":INDEX=${cfg.indexDir}/%{domain}/%{username}");
|
||||
|
||||
postfixCfg = config.services.postfix;
|
||||
|
||||
|
@ -51,7 +58,7 @@ let
|
|||
ldap_version = 3
|
||||
uris = ${lib.concatStringsSep " " cfg.ldap.uris}
|
||||
${lib.optionalString cfg.ldap.startTls ''
|
||||
tls = yes
|
||||
tls = yes
|
||||
''}
|
||||
tls_require_cert = hard
|
||||
tls_ca_cert_file = ${cfg.ldap.tlsCAFile}
|
||||
|
@ -61,11 +68,11 @@ let
|
|||
base = ${cfg.ldap.searchBase}
|
||||
scope = ${mkLdapSearchScope cfg.ldap.searchScope}
|
||||
${lib.optionalString (cfg.ldap.dovecot.userAttrs != null) ''
|
||||
user_attrs = ${cfg.ldap.dovecot.userAttrs}
|
||||
user_attrs = ${cfg.ldap.dovecot.userAttrs}
|
||||
''}
|
||||
user_filter = ${cfg.ldap.dovecot.userFilter}
|
||||
${lib.optionalString (cfg.ldap.dovecot.passAttrs != "") ''
|
||||
pass_attrs = ${cfg.ldap.dovecot.passAttrs}
|
||||
pass_attrs = ${cfg.ldap.dovecot.passAttrs}
|
||||
''}
|
||||
pass_filter = ${cfg.ldap.dovecot.passFilter}
|
||||
'';
|
||||
|
@ -93,7 +100,9 @@ let
|
|||
# Prevent world-readable password files, even temporarily.
|
||||
umask 077
|
||||
|
||||
for f in ${builtins.toString (lib.mapAttrsToList (name: _: passwordFiles."${name}") cfg.loginAccounts)}; do
|
||||
for f in ${
|
||||
builtins.toString (lib.mapAttrsToList (name: _: passwordFiles."${name}") cfg.loginAccounts)
|
||||
}; do
|
||||
if [ ! -f "$f" ]; then
|
||||
echo "Expected password hash file $f does not exist!"
|
||||
exit 1
|
||||
|
@ -101,34 +110,49 @@ let
|
|||
done
|
||||
|
||||
cat <<EOF > ${passwdFile}
|
||||
${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: _:
|
||||
"${name}:${"$(head -n 1 ${passwordFiles."${name}"})"}::::::"
|
||||
) cfg.loginAccounts)}
|
||||
${lib.concatStringsSep "\n" (
|
||||
lib.mapAttrsToList (
|
||||
name: _: "${name}:${"$(head -n 1 ${passwordFiles."${name}"})"}::::::"
|
||||
) cfg.loginAccounts
|
||||
)}
|
||||
EOF
|
||||
|
||||
cat <<EOF > ${userdbFile}
|
||||
${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value:
|
||||
"${name}:::::::"
|
||||
${lib.concatStringsSep "\n" (
|
||||
lib.mapAttrsToList (
|
||||
name: value:
|
||||
"${name}:::::::"
|
||||
+ lib.optionalString (value.quota != null) "userdb_quota_rule=*:storage=${value.quota}"
|
||||
) cfg.loginAccounts)}
|
||||
) cfg.loginAccounts
|
||||
)}
|
||||
EOF
|
||||
'';
|
||||
|
||||
junkMailboxes = builtins.attrNames (lib.filterAttrs (_: v: v ? "specialUse" && v.specialUse == "Junk") cfg.mailboxes);
|
||||
junkMailboxes = builtins.attrNames (
|
||||
lib.filterAttrs (_: v: v ? "specialUse" && v.specialUse == "Junk") cfg.mailboxes
|
||||
);
|
||||
junkMailboxNumber = builtins.length junkMailboxes;
|
||||
# The assertion garantees there is exactly one Junk mailbox.
|
||||
junkMailboxName = if junkMailboxNumber == 1 then builtins.elemAt junkMailboxes 0 else "";
|
||||
|
||||
mkLdapSearchScope = scope: (
|
||||
if scope == "sub" then "subtree"
|
||||
else if scope == "one" then "onelevel"
|
||||
else scope
|
||||
);
|
||||
mkLdapSearchScope =
|
||||
scope:
|
||||
(
|
||||
if scope == "sub" then
|
||||
"subtree"
|
||||
else if scope == "one" then
|
||||
"onelevel"
|
||||
else
|
||||
scope
|
||||
);
|
||||
|
||||
ftsPluginSettings = {
|
||||
fts = "flatcurve";
|
||||
fts_languages = listToLine cfg.fullTextSearch.languages;
|
||||
fts_tokenizers = listToLine [ "generic" "email-address" ];
|
||||
fts_tokenizers = listToLine [
|
||||
"generic"
|
||||
"email-address"
|
||||
];
|
||||
fts_tokenizer_email_address = "maxlen=100"; # default 254 too large for Xapian
|
||||
fts_flatcurve_substring_search = boolToYesNo cfg.fullTextSearch.substringSearch;
|
||||
fts_filters = listToLine cfg.fullTextSearch.filters;
|
||||
|
@ -139,255 +163,283 @@ let
|
|||
|
||||
in
|
||||
{
|
||||
config = with cfg; lib.mkIf enable {
|
||||
assertions = [
|
||||
{
|
||||
assertion = junkMailboxNumber == 1;
|
||||
message = "nixos-mailserver requires exactly one dovecot mailbox with the 'special use' flag set to 'Junk' (${builtins.toString junkMailboxNumber} have been found)";
|
||||
}
|
||||
];
|
||||
|
||||
warnings =
|
||||
(lib.optional (
|
||||
(builtins.length cfg.fullTextSearch.languages > 1) &&
|
||||
(builtins.elem "stopwords" cfg.fullTextSearch.filters)
|
||||
) ''
|
||||
Using stopwords in `mailserver.fullTextSearch.filters` with multiple
|
||||
languages in `mailserver.fullTextSearch.languages` configured WILL
|
||||
cause some searches to fail.
|
||||
|
||||
The recommended solution is to NOT use the stopword filter when
|
||||
multiple languages are present in the configuration.
|
||||
'')
|
||||
;
|
||||
|
||||
# for sieve-test. Shelling it in on demand usually doesnt' work, as it reads
|
||||
# the global config and tries to open shared libraries configured in there,
|
||||
# which are usually not compatible.
|
||||
environment.systemPackages = [
|
||||
pkgs.dovecot_pigeonhole
|
||||
] ++ lib.optional cfg.fullTextSearch.enable pkgs.dovecot-fts-flatcurve;
|
||||
|
||||
# For compatibility with python imaplib
|
||||
environment.etc."dovecot/modules".source = "/run/current-system/sw/lib/dovecot/modules";
|
||||
|
||||
services.dovecot2 = {
|
||||
enable = true;
|
||||
enableImap = enableImap || enableImapSsl;
|
||||
enablePop3 = enablePop3 || enablePop3Ssl;
|
||||
enablePAM = false;
|
||||
enableQuota = true;
|
||||
mailGroup = vmailGroupName;
|
||||
mailUser = vmailUserName;
|
||||
mailLocation = dovecotMaildir;
|
||||
sslServerCert = certificatePath;
|
||||
sslServerKey = keyPath;
|
||||
enableDHE = lib.mkDefault false;
|
||||
enableLmtp = true;
|
||||
mailPlugins.globally.enable = lib.optionals cfg.fullTextSearch.enable [
|
||||
"fts"
|
||||
"fts_flatcurve"
|
||||
config =
|
||||
with cfg;
|
||||
lib.mkIf enable {
|
||||
assertions = [
|
||||
{
|
||||
assertion = junkMailboxNumber == 1;
|
||||
message = "nixos-mailserver requires exactly one dovecot mailbox with the 'special use' flag set to 'Junk' (${builtins.toString junkMailboxNumber} have been found)";
|
||||
}
|
||||
];
|
||||
protocols = lib.optional cfg.enableManageSieve "sieve";
|
||||
|
||||
pluginSettings = {
|
||||
sieve = "file:${cfg.sieveDirectory}/%{user}/scripts;active=${cfg.sieveDirectory}/%{user}/active.sieve";
|
||||
sieve_default = "file:${cfg.sieveDirectory}/%{user}/default.sieve";
|
||||
sieve_default_name = "default";
|
||||
} // (lib.optionalAttrs cfg.fullTextSearch.enable ftsPluginSettings);
|
||||
warnings =
|
||||
lib.optional
|
||||
(
|
||||
(builtins.length cfg.fullTextSearch.languages > 1)
|
||||
&& (builtins.elem "stopwords" cfg.fullTextSearch.filters)
|
||||
)
|
||||
''
|
||||
Using stopwords in `mailserver.fullTextSearch.filters` with multiple
|
||||
languages in `mailserver.fullTextSearch.languages` configured WILL
|
||||
cause some searches to fail.
|
||||
|
||||
sieve = {
|
||||
extensions = [
|
||||
"fileinto"
|
||||
The recommended solution is to NOT use the stopword filter when
|
||||
multiple languages are present in the configuration.
|
||||
'';
|
||||
|
||||
# for sieve-test. Shelling it in on demand usually doesnt' work, as it reads
|
||||
# the global config and tries to open shared libraries configured in there,
|
||||
# which are usually not compatible.
|
||||
environment.systemPackages = [
|
||||
pkgs.dovecot_pigeonhole
|
||||
] ++ lib.optional cfg.fullTextSearch.enable pkgs.dovecot-fts-flatcurve;
|
||||
|
||||
# For compatibility with python imaplib
|
||||
environment.etc."dovecot/modules".source = "/run/current-system/sw/lib/dovecot/modules";
|
||||
|
||||
services.dovecot2 = {
|
||||
enable = true;
|
||||
enableImap = enableImap || enableImapSsl;
|
||||
enablePop3 = enablePop3 || enablePop3Ssl;
|
||||
enablePAM = false;
|
||||
enableQuota = true;
|
||||
mailGroup = vmailGroupName;
|
||||
mailUser = vmailUserName;
|
||||
mailLocation = dovecotMaildir;
|
||||
sslServerCert = certificatePath;
|
||||
sslServerKey = keyPath;
|
||||
enableDHE = lib.mkDefault false;
|
||||
enableLmtp = true;
|
||||
mailPlugins.globally.enable = lib.optionals cfg.fullTextSearch.enable [
|
||||
"fts"
|
||||
"fts_flatcurve"
|
||||
];
|
||||
protocols = lib.optional cfg.enableManageSieve "sieve";
|
||||
|
||||
scripts.after = builtins.toFile "spam.sieve" ''
|
||||
require "fileinto";
|
||||
pluginSettings = {
|
||||
sieve = "file:${cfg.sieveDirectory}/%{user}/scripts;active=${cfg.sieveDirectory}/%{user}/active.sieve";
|
||||
sieve_default = "file:${cfg.sieveDirectory}/%{user}/default.sieve";
|
||||
sieve_default_name = "default";
|
||||
} // (lib.optionalAttrs cfg.fullTextSearch.enable ftsPluginSettings);
|
||||
|
||||
if header :is "X-Spam" "Yes" {
|
||||
fileinto "${junkMailboxName}";
|
||||
stop;
|
||||
sieve = {
|
||||
extensions = [
|
||||
"fileinto"
|
||||
];
|
||||
|
||||
scripts.after = builtins.toFile "spam.sieve" ''
|
||||
require "fileinto";
|
||||
|
||||
if header :is "X-Spam" "Yes" {
|
||||
fileinto "${junkMailboxName}";
|
||||
stop;
|
||||
}
|
||||
'';
|
||||
|
||||
pipeBins = map lib.getExe [
|
||||
(pkgs.writeShellScriptBin "rspamd-learn-ham.sh" "exec ${pkgs.rspamd}/bin/rspamc -h /run/rspamd/worker-controller.sock learn_ham")
|
||||
(pkgs.writeShellScriptBin "rspamd-learn-spam.sh" "exec ${pkgs.rspamd}/bin/rspamc -h /run/rspamd/worker-controller.sock learn_spam")
|
||||
];
|
||||
};
|
||||
|
||||
imapsieve.mailbox = [
|
||||
{
|
||||
name = junkMailboxName;
|
||||
causes = [
|
||||
"COPY"
|
||||
"APPEND"
|
||||
];
|
||||
before = ./dovecot/imap_sieve/report-spam.sieve;
|
||||
}
|
||||
{
|
||||
name = "*";
|
||||
from = junkMailboxName;
|
||||
causes = [ "COPY" ];
|
||||
before = ./dovecot/imap_sieve/report-ham.sieve;
|
||||
}
|
||||
'';
|
||||
|
||||
pipeBins = map lib.getExe [
|
||||
(pkgs.writeShellScriptBin "rspamd-learn-ham.sh"
|
||||
"exec ${pkgs.rspamd}/bin/rspamc -h /run/rspamd/worker-controller.sock learn_ham")
|
||||
(pkgs.writeShellScriptBin "rspamd-learn-spam.sh"
|
||||
"exec ${pkgs.rspamd}/bin/rspamc -h /run/rspamd/worker-controller.sock learn_spam")
|
||||
];
|
||||
|
||||
mailboxes = cfg.mailboxes;
|
||||
|
||||
extraConfig = ''
|
||||
#Extra Config
|
||||
${lib.optionalString debug ''
|
||||
mail_debug = yes
|
||||
auth_debug = yes
|
||||
verbose_ssl = yes
|
||||
''}
|
||||
|
||||
${lib.optionalString (cfg.enableImap || cfg.enableImapSsl) ''
|
||||
service imap-login {
|
||||
inet_listener imap {
|
||||
${
|
||||
if cfg.enableImap then
|
||||
''
|
||||
port = 143
|
||||
''
|
||||
else
|
||||
''
|
||||
# see https://dovecot.org/pipermail/dovecot/2010-March/047479.html
|
||||
port = 0
|
||||
''
|
||||
}
|
||||
}
|
||||
inet_listener imaps {
|
||||
${
|
||||
if cfg.enableImapSsl then
|
||||
''
|
||||
port = 993
|
||||
ssl = yes
|
||||
''
|
||||
else
|
||||
''
|
||||
# see https://dovecot.org/pipermail/dovecot/2010-March/047479.html
|
||||
port = 0
|
||||
''
|
||||
}
|
||||
}
|
||||
}
|
||||
''}
|
||||
${lib.optionalString (cfg.enablePop3 || cfg.enablePop3Ssl) ''
|
||||
service pop3-login {
|
||||
inet_listener pop3 {
|
||||
${
|
||||
if cfg.enablePop3 then
|
||||
''
|
||||
port = 110
|
||||
''
|
||||
else
|
||||
''
|
||||
# see https://dovecot.org/pipermail/dovecot/2010-March/047479.html
|
||||
port = 0
|
||||
''
|
||||
}
|
||||
}
|
||||
inet_listener pop3s {
|
||||
${
|
||||
if cfg.enablePop3Ssl then
|
||||
''
|
||||
port = 995
|
||||
ssl = yes
|
||||
''
|
||||
else
|
||||
''
|
||||
# see https://dovecot.org/pipermail/dovecot/2010-March/047479.html
|
||||
port = 0
|
||||
''
|
||||
}
|
||||
}
|
||||
}
|
||||
''}
|
||||
|
||||
protocol imap {
|
||||
mail_max_userip_connections = ${toString cfg.maxConnectionsPerUser}
|
||||
mail_plugins = $mail_plugins imap_sieve
|
||||
}
|
||||
|
||||
service imap {
|
||||
vsz_limit = ${builtins.toString cfg.imapMemoryLimit} MB
|
||||
}
|
||||
|
||||
protocol pop3 {
|
||||
mail_max_userip_connections = ${toString cfg.maxConnectionsPerUser}
|
||||
}
|
||||
|
||||
mail_access_groups = ${vmailGroupName}
|
||||
|
||||
# https://ssl-config.mozilla.org/#server=dovecot&version=2.3.21&config=intermediate&openssl=3.4.1&guideline=5.7
|
||||
ssl = required
|
||||
ssl_min_protocol = TLSv1.2
|
||||
ssl_prefer_server_ciphers = no
|
||||
ssl_curve_list = X25519:prime256v1:secp384r1
|
||||
|
||||
service lmtp {
|
||||
unix_listener dovecot-lmtp {
|
||||
group = ${postfixCfg.group}
|
||||
mode = 0600
|
||||
user = ${postfixCfg.user}
|
||||
}
|
||||
vsz_limit = ${builtins.toString cfg.lmtpMemoryLimit} MB
|
||||
}
|
||||
|
||||
service quota-status {
|
||||
inet_listener {
|
||||
port = 0
|
||||
}
|
||||
unix_listener quota-status {
|
||||
user = postfix
|
||||
}
|
||||
vsz_limit = ${builtins.toString cfg.quotaStatusMemoryLimit} MB
|
||||
}
|
||||
|
||||
recipient_delimiter = ${cfg.recipientDelimiter}
|
||||
lmtp_save_to_detail_mailbox = ${cfg.lmtpSaveToDetailMailbox}
|
||||
|
||||
protocol lmtp {
|
||||
mail_plugins = $mail_plugins sieve
|
||||
}
|
||||
|
||||
passdb {
|
||||
driver = passwd-file
|
||||
args = ${passwdFile}
|
||||
}
|
||||
|
||||
userdb {
|
||||
driver = passwd-file
|
||||
args = ${userdbFile}
|
||||
default_fields = uid=${builtins.toString cfg.vmailUID} gid=${builtins.toString cfg.vmailUID} home=${cfg.mailDirectory}
|
||||
}
|
||||
|
||||
${lib.optionalString cfg.ldap.enable ''
|
||||
passdb {
|
||||
driver = ldap
|
||||
args = ${ldapConfFile}
|
||||
}
|
||||
|
||||
userdb {
|
||||
driver = ldap
|
||||
args = ${ldapConfFile}
|
||||
default_fields = home=${cfg.mailDirectory}/ldap/%{user} uid=${toString cfg.vmailUID} gid=${toString cfg.vmailUID}
|
||||
}
|
||||
''}
|
||||
|
||||
service auth {
|
||||
unix_listener auth {
|
||||
mode = 0660
|
||||
user = ${postfixCfg.user}
|
||||
group = ${postfixCfg.group}
|
||||
}
|
||||
}
|
||||
|
||||
auth_mechanisms = plain login
|
||||
|
||||
namespace inbox {
|
||||
separator = ${cfg.hierarchySeparator}
|
||||
inbox = yes
|
||||
}
|
||||
|
||||
service indexer-worker {
|
||||
${lib.optionalString (cfg.fullTextSearch.memoryLimit != null) ''
|
||||
vsz_limit = ${toString (cfg.fullTextSearch.memoryLimit * 1024 * 1024)}
|
||||
''}
|
||||
}
|
||||
|
||||
lda_mailbox_autosubscribe = yes
|
||||
lda_mailbox_autocreate = yes
|
||||
'';
|
||||
};
|
||||
|
||||
imapsieve.mailbox = [
|
||||
{
|
||||
name = junkMailboxName;
|
||||
causes = [ "COPY" "APPEND" ];
|
||||
before = ./dovecot/imap_sieve/report-spam.sieve;
|
||||
}
|
||||
{
|
||||
name = "*";
|
||||
from = junkMailboxName;
|
||||
causes = [ "COPY" ];
|
||||
before = ./dovecot/imap_sieve/report-ham.sieve;
|
||||
}
|
||||
];
|
||||
systemd.services.dovecot2 = {
|
||||
preStart =
|
||||
''
|
||||
${genPasswdScript}
|
||||
''
|
||||
+ (lib.optionalString cfg.ldap.enable setPwdInLdapConfFile);
|
||||
};
|
||||
|
||||
mailboxes = cfg.mailboxes;
|
||||
|
||||
extraConfig = ''
|
||||
#Extra Config
|
||||
${lib.optionalString debug ''
|
||||
mail_debug = yes
|
||||
auth_debug = yes
|
||||
verbose_ssl = yes
|
||||
''}
|
||||
|
||||
${lib.optionalString (cfg.enableImap || cfg.enableImapSsl) ''
|
||||
service imap-login {
|
||||
inet_listener imap {
|
||||
${if cfg.enableImap then ''
|
||||
port = 143
|
||||
'' else ''
|
||||
# see https://dovecot.org/pipermail/dovecot/2010-March/047479.html
|
||||
port = 0
|
||||
''}
|
||||
}
|
||||
inet_listener imaps {
|
||||
${if cfg.enableImapSsl then ''
|
||||
port = 993
|
||||
ssl = yes
|
||||
'' else ''
|
||||
# see https://dovecot.org/pipermail/dovecot/2010-March/047479.html
|
||||
port = 0
|
||||
''}
|
||||
}
|
||||
}
|
||||
''}
|
||||
${lib.optionalString (cfg.enablePop3 || cfg.enablePop3Ssl) ''
|
||||
service pop3-login {
|
||||
inet_listener pop3 {
|
||||
${if cfg.enablePop3 then ''
|
||||
port = 110
|
||||
'' else ''
|
||||
# see https://dovecot.org/pipermail/dovecot/2010-March/047479.html
|
||||
port = 0
|
||||
''}
|
||||
}
|
||||
inet_listener pop3s {
|
||||
${if cfg.enablePop3Ssl then ''
|
||||
port = 995
|
||||
ssl = yes
|
||||
'' else ''
|
||||
# see https://dovecot.org/pipermail/dovecot/2010-March/047479.html
|
||||
port = 0
|
||||
''}
|
||||
}
|
||||
}
|
||||
''}
|
||||
|
||||
protocol imap {
|
||||
mail_max_userip_connections = ${toString cfg.maxConnectionsPerUser}
|
||||
mail_plugins = $mail_plugins imap_sieve
|
||||
}
|
||||
|
||||
service imap {
|
||||
vsz_limit = ${builtins.toString cfg.imapMemoryLimit} MB
|
||||
}
|
||||
|
||||
protocol pop3 {
|
||||
mail_max_userip_connections = ${toString cfg.maxConnectionsPerUser}
|
||||
}
|
||||
|
||||
mail_access_groups = ${vmailGroupName}
|
||||
|
||||
# https://ssl-config.mozilla.org/#server=dovecot&version=2.3.21&config=intermediate&openssl=3.4.1&guideline=5.7
|
||||
ssl = required
|
||||
ssl_min_protocol = TLSv1.2
|
||||
ssl_prefer_server_ciphers = no
|
||||
ssl_curve_list = X25519:prime256v1:secp384r1
|
||||
|
||||
service lmtp {
|
||||
unix_listener dovecot-lmtp {
|
||||
group = ${postfixCfg.group}
|
||||
mode = 0600
|
||||
user = ${postfixCfg.user}
|
||||
}
|
||||
vsz_limit = ${builtins.toString cfg.lmtpMemoryLimit} MB
|
||||
}
|
||||
|
||||
service quota-status {
|
||||
inet_listener {
|
||||
port = 0
|
||||
}
|
||||
unix_listener quota-status {
|
||||
user = postfix
|
||||
}
|
||||
vsz_limit = ${builtins.toString cfg.quotaStatusMemoryLimit} MB
|
||||
}
|
||||
|
||||
recipient_delimiter = ${cfg.recipientDelimiter}
|
||||
lmtp_save_to_detail_mailbox = ${cfg.lmtpSaveToDetailMailbox}
|
||||
|
||||
protocol lmtp {
|
||||
mail_plugins = $mail_plugins sieve
|
||||
}
|
||||
|
||||
passdb {
|
||||
driver = passwd-file
|
||||
args = ${passwdFile}
|
||||
}
|
||||
|
||||
userdb {
|
||||
driver = passwd-file
|
||||
args = ${userdbFile}
|
||||
default_fields = uid=${builtins.toString cfg.vmailUID} gid=${builtins.toString cfg.vmailUID} home=${cfg.mailDirectory}
|
||||
}
|
||||
|
||||
${lib.optionalString cfg.ldap.enable ''
|
||||
passdb {
|
||||
driver = ldap
|
||||
args = ${ldapConfFile}
|
||||
}
|
||||
|
||||
userdb {
|
||||
driver = ldap
|
||||
args = ${ldapConfFile}
|
||||
default_fields = home=${cfg.mailDirectory}/ldap/%{user} uid=${toString cfg.vmailUID} gid=${toString cfg.vmailUID}
|
||||
}
|
||||
''}
|
||||
|
||||
service auth {
|
||||
unix_listener auth {
|
||||
mode = 0660
|
||||
user = ${postfixCfg.user}
|
||||
group = ${postfixCfg.group}
|
||||
}
|
||||
}
|
||||
|
||||
auth_mechanisms = plain login
|
||||
|
||||
namespace inbox {
|
||||
separator = ${cfg.hierarchySeparator}
|
||||
inbox = yes
|
||||
}
|
||||
|
||||
service indexer-worker {
|
||||
${lib.optionalString (cfg.fullTextSearch.memoryLimit != null) ''
|
||||
vsz_limit = ${toString (cfg.fullTextSearch.memoryLimit*1024*1024)}
|
||||
''}
|
||||
}
|
||||
|
||||
lda_mailbox_autosubscribe = yes
|
||||
lda_mailbox_autocreate = yes
|
||||
'';
|
||||
systemd.services.postfix.restartTriggers = [
|
||||
genPasswdScript
|
||||
] ++ (lib.optional cfg.ldap.enable [ setPwdInLdapConfFile ]);
|
||||
};
|
||||
|
||||
systemd.services.dovecot2 = {
|
||||
preStart = ''
|
||||
${genPasswdScript}
|
||||
'' + (lib.optionalString cfg.ldap.enable setPwdInLdapConfFile);
|
||||
};
|
||||
|
||||
systemd.services.postfix.restartTriggers = [ genPasswdScript ] ++ (lib.optional cfg.ldap.enable [setPwdInLdapConfFile]);
|
||||
};
|
||||
}
|
||||
|
|
|
@ -14,15 +14,28 @@
|
|||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
cfg = config.mailserver;
|
||||
in
|
||||
{
|
||||
config = with cfg; lib.mkIf enable {
|
||||
environment.systemPackages = with pkgs; [
|
||||
dovecot openssh postfix rspamd
|
||||
] ++ (if certificateScheme == "selfsigned" then [ openssl ] else []);
|
||||
};
|
||||
config =
|
||||
with cfg;
|
||||
lib.mkIf enable {
|
||||
environment.systemPackages =
|
||||
with pkgs;
|
||||
[
|
||||
dovecot
|
||||
openssh
|
||||
postfix
|
||||
rspamd
|
||||
]
|
||||
++ (if certificateScheme == "selfsigned" then [ openssl ] else [ ]);
|
||||
};
|
||||
}
|
||||
|
|
|
@ -24,4 +24,3 @@ in
|
|||
services.kresd.enable = true;
|
||||
};
|
||||
}
|
||||
|
||||
|
|
|
@ -20,18 +20,21 @@ let
|
|||
cfg = config.mailserver;
|
||||
in
|
||||
{
|
||||
config = with cfg; lib.mkIf (enable && openFirewall) {
|
||||
config =
|
||||
with cfg;
|
||||
lib.mkIf (enable && openFirewall) {
|
||||
|
||||
networking.firewall = {
|
||||
allowedTCPPorts = [ 25 ]
|
||||
++ lib.optional enableSubmission 587
|
||||
++ lib.optional enableSubmissionSsl 465
|
||||
++ lib.optional enableImap 143
|
||||
++ lib.optional enableImapSsl 993
|
||||
++ lib.optional enablePop3 110
|
||||
++ lib.optional enablePop3Ssl 995
|
||||
++ lib.optional enableManageSieve 4190
|
||||
++ lib.optional (certificateScheme == "acme-nginx") 80;
|
||||
networking.firewall = {
|
||||
allowedTCPPorts =
|
||||
[ 25 ]
|
||||
++ lib.optional enableSubmission 587
|
||||
++ lib.optional enableSubmissionSsl 465
|
||||
++ lib.optional enableImap 143
|
||||
++ lib.optional enableImapSsl 993
|
||||
++ lib.optional enablePop3 110
|
||||
++ lib.optional enablePop3Ssl 995
|
||||
++ lib.optional enableManageSieve 4190
|
||||
++ lib.optional (certificateScheme == "acme-nginx") 80;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -14,8 +14,12 @@
|
|||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
|
||||
with (import ./common.nix { inherit config lib pkgs; });
|
||||
|
||||
|
@ -23,20 +27,22 @@ let
|
|||
cfg = config.mailserver;
|
||||
in
|
||||
{
|
||||
config = lib.mkIf (cfg.enable && (cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx")) {
|
||||
services.nginx = lib.mkIf (cfg.certificateScheme == "acme-nginx") {
|
||||
enable = true;
|
||||
virtualHosts."${cfg.fqdn}" = {
|
||||
serverName = cfg.fqdn;
|
||||
serverAliases = cfg.certificateDomains;
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
};
|
||||
};
|
||||
config =
|
||||
lib.mkIf (cfg.enable && (cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"))
|
||||
{
|
||||
services.nginx = lib.mkIf (cfg.certificateScheme == "acme-nginx") {
|
||||
enable = true;
|
||||
virtualHosts."${cfg.fqdn}" = {
|
||||
serverName = cfg.fqdn;
|
||||
serverAliases = cfg.certificateDomains;
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
};
|
||||
};
|
||||
|
||||
security.acme.certs."${cfg.acmeCertificateName}".reloadServices = [
|
||||
"postfix.service"
|
||||
"dovecot2.service"
|
||||
];
|
||||
};
|
||||
security.acme.certs."${cfg.acmeCertificateName}".reloadServices = [
|
||||
"postfix.service"
|
||||
"dovecot2.service"
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -14,7 +14,12 @@
|
|||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
|
||||
with (import ./common.nix { inherit config pkgs lib; });
|
||||
|
||||
|
@ -28,31 +33,55 @@ let
|
|||
mergeLookupTables = tables: lib.zipAttrsWith (_: v: lib.flatten v) tables;
|
||||
|
||||
# valiases_postfix :: Map String [String]
|
||||
valiases_postfix = mergeLookupTables (lib.flatten (lib.mapAttrsToList
|
||||
(name: value:
|
||||
let to = name;
|
||||
in map (from: {"${from}" = to;}) (value.aliases ++ lib.singleton name))
|
||||
cfg.loginAccounts));
|
||||
regex_valiases_postfix = mergeLookupTables (lib.flatten (lib.mapAttrsToList
|
||||
(name: value:
|
||||
let to = name;
|
||||
in map (from: {"${from}" = to;}) value.aliasesRegexp)
|
||||
cfg.loginAccounts));
|
||||
valiases_postfix = mergeLookupTables (
|
||||
lib.flatten (
|
||||
lib.mapAttrsToList (
|
||||
name: value:
|
||||
let
|
||||
to = name;
|
||||
in
|
||||
map (from: { "${from}" = to; }) (value.aliases ++ lib.singleton name)
|
||||
) cfg.loginAccounts
|
||||
)
|
||||
);
|
||||
regex_valiases_postfix = mergeLookupTables (
|
||||
lib.flatten (
|
||||
lib.mapAttrsToList (
|
||||
name: value:
|
||||
let
|
||||
to = name;
|
||||
in
|
||||
map (from: { "${from}" = to; }) value.aliasesRegexp
|
||||
) cfg.loginAccounts
|
||||
)
|
||||
);
|
||||
|
||||
# catchAllPostfix :: Map String [String]
|
||||
catchAllPostfix = mergeLookupTables (lib.flatten (lib.mapAttrsToList
|
||||
(name: value:
|
||||
let to = name;
|
||||
in map (from: {"@${from}" = to;}) value.catchAll)
|
||||
cfg.loginAccounts));
|
||||
catchAllPostfix = mergeLookupTables (
|
||||
lib.flatten (
|
||||
lib.mapAttrsToList (
|
||||
name: value:
|
||||
let
|
||||
to = name;
|
||||
in
|
||||
map (from: { "@${from}" = to; }) value.catchAll
|
||||
) cfg.loginAccounts
|
||||
)
|
||||
);
|
||||
|
||||
# all_valiases_postfix :: Map String [String]
|
||||
all_valiases_postfix = mergeLookupTables [valiases_postfix extra_valiases_postfix];
|
||||
all_valiases_postfix = mergeLookupTables [
|
||||
valiases_postfix
|
||||
extra_valiases_postfix
|
||||
];
|
||||
|
||||
# attrsToLookupTable :: Map String (Either String [ String ]) -> Map String [String]
|
||||
attrsToLookupTable = aliases: let
|
||||
lookupTables = lib.mapAttrsToList (from: to: {"${from}" = to;}) aliases;
|
||||
in mergeLookupTables lookupTables;
|
||||
attrsToLookupTable =
|
||||
aliases:
|
||||
let
|
||||
lookupTables = lib.mapAttrsToList (from: to: { "${from}" = to; }) aliases;
|
||||
in
|
||||
mergeLookupTables lookupTables;
|
||||
|
||||
# extra_valiases_postfix :: Map String [String]
|
||||
extra_valiases_postfix = attrsToLookupTable cfg.extraVirtualAliases;
|
||||
|
@ -61,37 +90,49 @@ let
|
|||
forwards = attrsToLookupTable cfg.forwards;
|
||||
|
||||
# lookupTableToString :: Map String [String] -> String
|
||||
lookupTableToString = attrs: let
|
||||
valueToString = value: lib.concatStringsSep ", " value;
|
||||
in lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value: "${name} ${valueToString value}") attrs);
|
||||
lookupTableToString =
|
||||
attrs:
|
||||
let
|
||||
valueToString = value: lib.concatStringsSep ", " value;
|
||||
in
|
||||
lib.concatStringsSep "\n" (
|
||||
lib.mapAttrsToList (name: value: "${name} ${valueToString value}") attrs
|
||||
);
|
||||
|
||||
# valiases_file :: Path
|
||||
valiases_file = let
|
||||
content = lookupTableToString (mergeLookupTables [all_valiases_postfix catchAllPostfix]);
|
||||
in builtins.toFile "valias" content;
|
||||
valiases_file =
|
||||
let
|
||||
content = lookupTableToString (mergeLookupTables [
|
||||
all_valiases_postfix
|
||||
catchAllPostfix
|
||||
]);
|
||||
in
|
||||
builtins.toFile "valias" content;
|
||||
|
||||
regex_valiases_file = let
|
||||
content = lookupTableToString regex_valiases_postfix;
|
||||
in builtins.toFile "regex_valias" content;
|
||||
regex_valiases_file =
|
||||
let
|
||||
content = lookupTableToString regex_valiases_postfix;
|
||||
in
|
||||
builtins.toFile "regex_valias" content;
|
||||
|
||||
# denied_recipients_postfix :: [ String ]
|
||||
denied_recipients_postfix = (map
|
||||
(acct: "${acct.name} REJECT ${acct.sendOnlyRejectMessage}")
|
||||
(lib.filter (acct: acct.sendOnly) (lib.attrValues cfg.loginAccounts)));
|
||||
denied_recipients_file = builtins.toFile "denied_recipients" (lib.concatStringsSep "\n" denied_recipients_postfix);
|
||||
denied_recipients_postfix = map (acct: "${acct.name} REJECT ${acct.sendOnlyRejectMessage}") (
|
||||
lib.filter (acct: acct.sendOnly) (lib.attrValues cfg.loginAccounts)
|
||||
);
|
||||
denied_recipients_file = builtins.toFile "denied_recipients" (
|
||||
lib.concatStringsSep "\n" denied_recipients_postfix
|
||||
);
|
||||
|
||||
reject_senders_postfix = (map
|
||||
(sender:
|
||||
"${sender} REJECT")
|
||||
(cfg.rejectSender));
|
||||
reject_senders_file = builtins.toFile "reject_senders" (lib.concatStringsSep "\n" (reject_senders_postfix)) ;
|
||||
reject_senders_postfix = map (sender: "${sender} REJECT") cfg.rejectSender;
|
||||
reject_senders_file = builtins.toFile "reject_senders" (
|
||||
lib.concatStringsSep "\n" reject_senders_postfix
|
||||
);
|
||||
|
||||
reject_recipients_postfix = (map
|
||||
(recipient:
|
||||
"${recipient} REJECT")
|
||||
(cfg.rejectRecipients));
|
||||
reject_recipients_postfix = map (recipient: "${recipient} REJECT") cfg.rejectRecipients;
|
||||
# rejectRecipients :: [ Path ]
|
||||
reject_recipients_file = builtins.toFile "reject_recipients" (lib.concatStringsSep "\n" (reject_recipients_postfix)) ;
|
||||
reject_recipients_file = builtins.toFile "reject_recipients" (
|
||||
lib.concatStringsSep "\n" reject_recipients_postfix
|
||||
);
|
||||
|
||||
# vhosts_file :: Path
|
||||
vhosts_file = builtins.toFile "vhosts" (concatStringsSep "\n" cfg.domains);
|
||||
|
@ -103,45 +144,51 @@ let
|
|||
# every alias is owned (uniquely) by its user.
|
||||
# The user's own address is already in all_valiases_postfix.
|
||||
vaccounts_file = builtins.toFile "vaccounts" (lookupTableToString all_valiases_postfix);
|
||||
regex_vaccounts_file = builtins.toFile "regex_vaccounts" (lookupTableToString regex_valiases_postfix);
|
||||
regex_vaccounts_file = builtins.toFile "regex_vaccounts" (
|
||||
lookupTableToString regex_valiases_postfix
|
||||
);
|
||||
|
||||
submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" (''
|
||||
# Removes sensitive headers from mails handed in via the submission port.
|
||||
# See https://thomas-leister.de/mailserver-debian-stretch/
|
||||
# Uses "pcre" style regex.
|
||||
submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" (
|
||||
''
|
||||
# Removes sensitive headers from mails handed in via the submission port.
|
||||
# See https://thomas-leister.de/mailserver-debian-stretch/
|
||||
# Uses "pcre" style regex.
|
||||
|
||||
/^Received:/ IGNORE
|
||||
/^X-Originating-IP:/ IGNORE
|
||||
/^X-Mailer:/ IGNORE
|
||||
/^User-Agent:/ IGNORE
|
||||
/^X-Enigmail:/ IGNORE
|
||||
'' + lib.optionalString cfg.rewriteMessageId ''
|
||||
/^Received:/ IGNORE
|
||||
/^X-Originating-IP:/ IGNORE
|
||||
/^X-Mailer:/ IGNORE
|
||||
/^User-Agent:/ IGNORE
|
||||
/^X-Enigmail:/ IGNORE
|
||||
''
|
||||
+ lib.optionalString cfg.rewriteMessageId ''
|
||||
|
||||
# Replaces the user submitted hostname with the server's FQDN to hide the
|
||||
# user's host or network.
|
||||
# Replaces the user submitted hostname with the server's FQDN to hide the
|
||||
# user's host or network.
|
||||
|
||||
/^Message-ID:\s+<(.*?)@.*?>/ REPLACE Message-ID: <$1@${cfg.fqdn}>
|
||||
'');
|
||||
/^Message-ID:\s+<(.*?)@.*?>/ REPLACE Message-ID: <$1@${cfg.fqdn}>
|
||||
''
|
||||
);
|
||||
|
||||
smtpdMilters = [ "unix:/run/rspamd/rspamd-milter.sock" ];
|
||||
|
||||
mappedFile = name: "hash:/var/lib/postfix/conf/${name}";
|
||||
mappedRegexFile = name: "pcre:/var/lib/postfix/conf/${name}";
|
||||
|
||||
submissionOptions =
|
||||
{
|
||||
smtpd_tls_security_level = "encrypt";
|
||||
smtpd_sasl_auth_enable = "yes";
|
||||
smtpd_sasl_type = "dovecot";
|
||||
smtpd_sasl_path = "/run/dovecot2/auth";
|
||||
smtpd_sasl_security_options = "noanonymous";
|
||||
smtpd_sasl_local_domain = "$myhostname";
|
||||
smtpd_client_restrictions = "permit_sasl_authenticated,reject";
|
||||
smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts${lib.optionalString cfg.ldap.enable ",ldap:${ldapSenderLoginMapFile}"}${lib.optionalString (regex_valiases_postfix != {}) ",pcre:/etc/postfix/regex_vaccounts"}";
|
||||
smtpd_sender_restrictions = "reject_sender_login_mismatch";
|
||||
smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
|
||||
cleanup_service_name = "submission-header-cleanup";
|
||||
};
|
||||
submissionOptions = {
|
||||
smtpd_tls_security_level = "encrypt";
|
||||
smtpd_sasl_auth_enable = "yes";
|
||||
smtpd_sasl_type = "dovecot";
|
||||
smtpd_sasl_path = "/run/dovecot2/auth";
|
||||
smtpd_sasl_security_options = "noanonymous";
|
||||
smtpd_sasl_local_domain = "$myhostname";
|
||||
smtpd_client_restrictions = "permit_sasl_authenticated,reject";
|
||||
smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts${lib.optionalString cfg.ldap.enable ",ldap:${ldapSenderLoginMapFile}"}${
|
||||
lib.optionalString (regex_valiases_postfix != { }) ",pcre:/etc/postfix/regex_vaccounts"
|
||||
}";
|
||||
smtpd_sender_restrictions = "reject_sender_login_mismatch";
|
||||
smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
|
||||
cleanup_service_name = "submission-header-cleanup";
|
||||
};
|
||||
|
||||
commonLdapConfig = ''
|
||||
server_host = ${lib.concatStringsSep " " cfg.ldap.uris}
|
||||
|
@ -186,164 +233,183 @@ let
|
|||
};
|
||||
in
|
||||
{
|
||||
config = with cfg; lib.mkIf enable {
|
||||
config =
|
||||
with cfg;
|
||||
lib.mkIf enable {
|
||||
|
||||
systemd.services.postfix-setup = lib.mkIf cfg.ldap.enable {
|
||||
preStart = ''
|
||||
${appendPwdInVirtualMailboxMap}
|
||||
${appendPwdInSenderLoginMap}
|
||||
'';
|
||||
restartTriggers = [ appendPwdInVirtualMailboxMap appendPwdInSenderLoginMap ];
|
||||
};
|
||||
|
||||
services.postfix = {
|
||||
enable = true;
|
||||
hostname = "${sendingFqdn}";
|
||||
networksStyle = "host";
|
||||
mapFiles."valias" = valiases_file;
|
||||
mapFiles."regex_valias" = regex_valiases_file;
|
||||
mapFiles."vaccounts" = vaccounts_file;
|
||||
mapFiles."regex_vaccounts" = regex_vaccounts_file;
|
||||
mapFiles."denied_recipients" = denied_recipients_file;
|
||||
mapFiles."reject_senders" = reject_senders_file;
|
||||
mapFiles."reject_recipients" = reject_recipients_file;
|
||||
enableSubmission = cfg.enableSubmission;
|
||||
enableSubmissions = cfg.enableSubmissionSsl;
|
||||
virtual = lookupTableToString (mergeLookupTables [all_valiases_postfix catchAllPostfix forwards]);
|
||||
|
||||
config = {
|
||||
smtpd_tls_chain_files = [
|
||||
"${keyPath}"
|
||||
"${certificatePath}"
|
||||
systemd.services.postfix-setup = lib.mkIf cfg.ldap.enable {
|
||||
preStart = ''
|
||||
${appendPwdInVirtualMailboxMap}
|
||||
${appendPwdInSenderLoginMap}
|
||||
'';
|
||||
restartTriggers = [
|
||||
appendPwdInVirtualMailboxMap
|
||||
appendPwdInSenderLoginMap
|
||||
];
|
||||
};
|
||||
|
||||
# Extra Config
|
||||
mydestination = "";
|
||||
recipient_delimiter = cfg.recipientDelimiter;
|
||||
smtpd_banner = "${fqdn} ESMTP NO UCE";
|
||||
disable_vrfy_command = true;
|
||||
message_size_limit = toString cfg.messageSizeLimit;
|
||||
|
||||
# virtual mail system
|
||||
virtual_uid_maps = "static:5000";
|
||||
virtual_gid_maps = "static:5000";
|
||||
virtual_mailbox_base = mailDirectory;
|
||||
virtual_mailbox_domains = vhosts_file;
|
||||
virtual_mailbox_maps = [
|
||||
(mappedFile "valias")
|
||||
] ++ lib.optionals (cfg.ldap.enable) [
|
||||
"ldap:${ldapVirtualMailboxMapFile}"
|
||||
] ++ lib.optionals (regex_valiases_postfix != {}) [
|
||||
(mappedRegexFile "regex_valias")
|
||||
];
|
||||
virtual_alias_maps = lib.mkAfter (lib.optionals (regex_valiases_postfix != {}) [
|
||||
(mappedRegexFile "regex_valias")
|
||||
services.postfix = {
|
||||
enable = true;
|
||||
hostname = "${sendingFqdn}";
|
||||
networksStyle = "host";
|
||||
mapFiles."valias" = valiases_file;
|
||||
mapFiles."regex_valias" = regex_valiases_file;
|
||||
mapFiles."vaccounts" = vaccounts_file;
|
||||
mapFiles."regex_vaccounts" = regex_vaccounts_file;
|
||||
mapFiles."denied_recipients" = denied_recipients_file;
|
||||
mapFiles."reject_senders" = reject_senders_file;
|
||||
mapFiles."reject_recipients" = reject_recipients_file;
|
||||
enableSubmission = cfg.enableSubmission;
|
||||
enableSubmissions = cfg.enableSubmissionSsl;
|
||||
virtual = lookupTableToString (mergeLookupTables [
|
||||
all_valiases_postfix
|
||||
catchAllPostfix
|
||||
forwards
|
||||
]);
|
||||
virtual_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
|
||||
# Avoid leakage of X-Original-To, X-Delivered-To headers between recipients
|
||||
lmtp_destination_recipient_limit = "1";
|
||||
|
||||
# sasl with dovecot
|
||||
smtpd_sasl_type = "dovecot";
|
||||
smtpd_sasl_path = "/run/dovecot2/auth";
|
||||
smtpd_sasl_auth_enable = true;
|
||||
smtpd_relay_restrictions = [
|
||||
"permit_mynetworks" "permit_sasl_authenticated" "reject_unauth_destination"
|
||||
];
|
||||
config = {
|
||||
smtpd_tls_chain_files = [
|
||||
"${keyPath}"
|
||||
"${certificatePath}"
|
||||
];
|
||||
|
||||
# reject selected senders
|
||||
smtpd_sender_restrictions = [
|
||||
"check_sender_access ${mappedFile "reject_senders"}"
|
||||
];
|
||||
# Extra Config
|
||||
mydestination = "";
|
||||
recipient_delimiter = cfg.recipientDelimiter;
|
||||
smtpd_banner = "${fqdn} ESMTP NO UCE";
|
||||
disable_vrfy_command = true;
|
||||
message_size_limit = toString cfg.messageSizeLimit;
|
||||
|
||||
smtpd_recipient_restrictions = [
|
||||
# reject selected recipients
|
||||
"check_recipient_access ${mappedFile "denied_recipients"}"
|
||||
"check_recipient_access ${mappedFile "reject_recipients"}"
|
||||
# quota checking
|
||||
"check_policy_service unix:/run/dovecot2/quota-status"
|
||||
];
|
||||
# virtual mail system
|
||||
virtual_uid_maps = "static:5000";
|
||||
virtual_gid_maps = "static:5000";
|
||||
virtual_mailbox_base = mailDirectory;
|
||||
virtual_mailbox_domains = vhosts_file;
|
||||
virtual_mailbox_maps =
|
||||
[
|
||||
(mappedFile "valias")
|
||||
]
|
||||
++ lib.optionals cfg.ldap.enable [
|
||||
"ldap:${ldapVirtualMailboxMapFile}"
|
||||
]
|
||||
++ lib.optionals (regex_valiases_postfix != { }) [
|
||||
(mappedRegexFile "regex_valias")
|
||||
];
|
||||
virtual_alias_maps = lib.mkAfter (
|
||||
lib.optionals (regex_valiases_postfix != { }) [
|
||||
(mappedRegexFile "regex_valias")
|
||||
]
|
||||
);
|
||||
virtual_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
|
||||
# Avoid leakage of X-Original-To, X-Delivered-To headers between recipients
|
||||
lmtp_destination_recipient_limit = "1";
|
||||
|
||||
# TLS for incoming mail is optional
|
||||
smtpd_tls_security_level = "may";
|
||||
# sasl with dovecot
|
||||
smtpd_sasl_type = "dovecot";
|
||||
smtpd_sasl_path = "/run/dovecot2/auth";
|
||||
smtpd_sasl_auth_enable = true;
|
||||
smtpd_relay_restrictions = [
|
||||
"permit_mynetworks"
|
||||
"permit_sasl_authenticated"
|
||||
"reject_unauth_destination"
|
||||
];
|
||||
|
||||
# But required for authentication attempts
|
||||
smtpd_tls_auth_only = true;
|
||||
# reject selected senders
|
||||
smtpd_sender_restrictions = [
|
||||
"check_sender_access ${mappedFile "reject_senders"}"
|
||||
];
|
||||
|
||||
# TLS versions supported for the SMTP server
|
||||
smtpd_tls_protocols = ">=TLSv1.2";
|
||||
smtpd_tls_mandatory_protocols = ">=TLSv1.2";
|
||||
smtpd_recipient_restrictions = [
|
||||
# reject selected recipients
|
||||
"check_recipient_access ${mappedFile "denied_recipients"}"
|
||||
"check_recipient_access ${mappedFile "reject_recipients"}"
|
||||
# quota checking
|
||||
"check_policy_service unix:/run/dovecot2/quota-status"
|
||||
];
|
||||
|
||||
# Require ciphersuites that OpenSSL classifies as "High"
|
||||
smtpd_tls_ciphers = "high";
|
||||
smtpd_tls_mandatory_ciphers = "high";
|
||||
# TLS for incoming mail is optional
|
||||
smtpd_tls_security_level = "may";
|
||||
|
||||
# Exclude cipher suites with undesirable properties
|
||||
smtpd_tls_exclude_ciphers = "eNULL, aNULL";
|
||||
smtpd_tls_mandatory_exclude_ciphers = "eNULL, aNULL";
|
||||
# But required for authentication attempts
|
||||
smtpd_tls_auth_only = true;
|
||||
|
||||
# Opportunistic DANE support when delivering mail to other servers
|
||||
# https://www.postfix.org/postconf.5.html#smtp_tls_security_level
|
||||
smtp_dns_support_level = "dnssec";
|
||||
smtp_tls_security_level = "dane";
|
||||
# TLS versions supported for the SMTP server
|
||||
smtpd_tls_protocols = ">=TLSv1.2";
|
||||
smtpd_tls_mandatory_protocols = ">=TLSv1.2";
|
||||
|
||||
# TLS versions supported for the SMTP client
|
||||
smtp_tls_protocols = ">=TLSv1.2";
|
||||
smtp_tls_mandatory_protocols = ">=TLSv1.2";
|
||||
# Require ciphersuites that OpenSSL classifies as "High"
|
||||
smtpd_tls_ciphers = "high";
|
||||
smtpd_tls_mandatory_ciphers = "high";
|
||||
|
||||
# Require ciphersuites that OpenSSL classifies as "High"
|
||||
smtp_tls_ciphers = "high";
|
||||
smtp_tls_mandatory_ciphers = "high";
|
||||
# Exclude cipher suites with undesirable properties
|
||||
smtpd_tls_exclude_ciphers = "eNULL, aNULL";
|
||||
smtpd_tls_mandatory_exclude_ciphers = "eNULL, aNULL";
|
||||
|
||||
# Exclude ciphersuites with undesirable properties
|
||||
smtp_tls_exclude_ciphers = "eNULL, aNULL";
|
||||
smtp_tls_mandatory_exclude_ciphers = "eNULL, aNULL";
|
||||
# Opportunistic DANE support when delivering mail to other servers
|
||||
# https://www.postfix.org/postconf.5.html#smtp_tls_security_level
|
||||
smtp_dns_support_level = "dnssec";
|
||||
smtp_tls_security_level = "dane";
|
||||
|
||||
# Restrict and prioritize the following curves in the given order
|
||||
# Excludes curves that have no widespread support, so we don't bloat the handshake needlessly.
|
||||
# https://www.postfix.org/postconf.5.html#tls_eecdh_auto_curves
|
||||
# https://ssl-config.mozilla.org/#server=postfix&version=3.10&config=intermediate&openssl=3.4.1&guideline=5.7
|
||||
tls_eecdh_auto_curves = [
|
||||
"X25519"
|
||||
"prime256v1"
|
||||
"secp384r1"
|
||||
];
|
||||
# TLS versions supported for the SMTP client
|
||||
smtp_tls_protocols = ">=TLSv1.2";
|
||||
smtp_tls_mandatory_protocols = ">=TLSv1.2";
|
||||
|
||||
# Disable FFDHE on TLSv1.3 because it is slower than elliptic curves
|
||||
# https://www.postfix.org/postconf.5.html#tls_ffdhe_auto_groups
|
||||
tls_ffdhe_auto_groups = [ ];
|
||||
# Require ciphersuites that OpenSSL classifies as "High"
|
||||
smtp_tls_ciphers = "high";
|
||||
smtp_tls_mandatory_ciphers = "high";
|
||||
|
||||
# As long as all cipher suites are considered safe, let the client use its preferred cipher
|
||||
tls_preempt_cipherlist = false;
|
||||
# Exclude ciphersuites with undesirable properties
|
||||
smtp_tls_exclude_ciphers = "eNULL, aNULL";
|
||||
smtp_tls_mandatory_exclude_ciphers = "eNULL, aNULL";
|
||||
|
||||
# Log only a summary message on TLS handshake completion
|
||||
smtp_tls_loglevel = "1";
|
||||
smtpd_tls_loglevel = "1";
|
||||
# Restrict and prioritize the following curves in the given order
|
||||
# Excludes curves that have no widespread support, so we don't bloat the handshake needlessly.
|
||||
# https://www.postfix.org/postconf.5.html#tls_eecdh_auto_curves
|
||||
# https://ssl-config.mozilla.org/#server=postfix&version=3.10&config=intermediate&openssl=3.4.1&guideline=5.7
|
||||
tls_eecdh_auto_curves = [
|
||||
"X25519"
|
||||
"prime256v1"
|
||||
"secp384r1"
|
||||
];
|
||||
|
||||
smtpd_milters = smtpdMilters;
|
||||
non_smtpd_milters = lib.mkIf cfg.dkimSigning [ "unix:/run/rspamd/rspamd-milter.sock" ];
|
||||
milter_protocol = "6";
|
||||
milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_authen}";
|
||||
};
|
||||
# Disable FFDHE on TLSv1.3 because it is slower than elliptic curves
|
||||
# https://www.postfix.org/postconf.5.html#tls_ffdhe_auto_groups
|
||||
tls_ffdhe_auto_groups = [ ];
|
||||
|
||||
submissionOptions = submissionOptions;
|
||||
submissionsOptions = submissionOptions;
|
||||
# As long as all cipher suites are considered safe, let the client use its preferred cipher
|
||||
tls_preempt_cipherlist = false;
|
||||
|
||||
masterConfig = {
|
||||
"lmtp" = {
|
||||
# Add headers when delivering, see http://www.postfix.org/smtp.8.html
|
||||
# D => Delivered-To, O => X-Original-To, R => Return-Path
|
||||
args = [ "flags=O" ];
|
||||
# Log only a summary message on TLS handshake completion
|
||||
smtp_tls_loglevel = "1";
|
||||
smtpd_tls_loglevel = "1";
|
||||
|
||||
smtpd_milters = smtpdMilters;
|
||||
non_smtpd_milters = lib.mkIf cfg.dkimSigning [ "unix:/run/rspamd/rspamd-milter.sock" ];
|
||||
milter_protocol = "6";
|
||||
milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_authen}";
|
||||
};
|
||||
"submission-header-cleanup" = {
|
||||
type = "unix";
|
||||
private = false;
|
||||
chroot = false;
|
||||
maxproc = 0;
|
||||
command = "cleanup";
|
||||
args = ["-o" "header_checks=pcre:${submissionHeaderCleanupRules}"];
|
||||
|
||||
submissionOptions = submissionOptions;
|
||||
submissionsOptions = submissionOptions;
|
||||
|
||||
masterConfig = {
|
||||
"lmtp" = {
|
||||
# Add headers when delivering, see http://www.postfix.org/smtp.8.html
|
||||
# D => Delivered-To, O => X-Original-To, R => Return-Path
|
||||
args = [ "flags=O" ];
|
||||
};
|
||||
"submission-header-cleanup" = {
|
||||
type = "unix";
|
||||
private = false;
|
||||
chroot = false;
|
||||
maxproc = 0;
|
||||
command = "cleanup";
|
||||
args = [
|
||||
"-o"
|
||||
"header_checks=pcre:${submissionHeaderCleanupRules}"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -14,7 +14,12 @@
|
|||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
|
||||
with lib;
|
||||
|
||||
|
@ -38,7 +43,8 @@ let
|
|||
${cfg.backup.cmdPostexec}
|
||||
'';
|
||||
postexecString = optionalString postexecDefined "cmd_postexec ${postexecWrapped}";
|
||||
in {
|
||||
in
|
||||
{
|
||||
config = mkIf (cfg.enable && cfg.backup.enable) {
|
||||
services.rsnapshot = {
|
||||
enable = true;
|
||||
|
|
|
@ -14,7 +14,12 @@
|
|||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
cfg = config.mailserver;
|
||||
|
@ -26,56 +31,74 @@ let
|
|||
rspamdUser = config.services.rspamd.user;
|
||||
rspamdGroup = config.services.rspamd.group;
|
||||
|
||||
createDkimKeypair = domain: let
|
||||
privateKey = "${cfg.dkimKeyDirectory}/${domain}.${cfg.dkimSelector}.key";
|
||||
publicKey = "${cfg.dkimKeyDirectory}/${domain}.${cfg.dkimSelector}.txt";
|
||||
in pkgs.writeShellScript "dkim-keygen-${domain}" ''
|
||||
if [ ! -f "${privateKey}" ]
|
||||
then
|
||||
${lib.getExe' pkgs.rspamd "rspamadm"} dkim_keygen \
|
||||
--domain "${domain}" \
|
||||
--selector "${cfg.dkimSelector}" \
|
||||
--type "${cfg.dkimKeyType}" \
|
||||
--bits ${toString cfg.dkimKeyBits} \
|
||||
--privkey "${privateKey}" > "${publicKey}"
|
||||
chmod 0644 "${publicKey}"
|
||||
echo "Generated key for domain ${domain} and selector ${cfg.dkimSelector}"
|
||||
fi
|
||||
'';
|
||||
createDkimKeypair =
|
||||
domain:
|
||||
let
|
||||
privateKey = "${cfg.dkimKeyDirectory}/${domain}.${cfg.dkimSelector}.key";
|
||||
publicKey = "${cfg.dkimKeyDirectory}/${domain}.${cfg.dkimSelector}.txt";
|
||||
in
|
||||
pkgs.writeShellScript "dkim-keygen-${domain}" ''
|
||||
if [ ! -f "${privateKey}" ]
|
||||
then
|
||||
${lib.getExe' pkgs.rspamd "rspamadm"} dkim_keygen \
|
||||
--domain "${domain}" \
|
||||
--selector "${cfg.dkimSelector}" \
|
||||
--type "${cfg.dkimKeyType}" \
|
||||
--bits ${toString cfg.dkimKeyBits} \
|
||||
--privkey "${privateKey}" > "${publicKey}"
|
||||
chmod 0644 "${publicKey}"
|
||||
echo "Generated key for domain ${domain} and selector ${cfg.dkimSelector}"
|
||||
fi
|
||||
'';
|
||||
in
|
||||
{
|
||||
config = with cfg; lib.mkIf enable {
|
||||
environment.systemPackages = lib.mkBefore [
|
||||
(pkgs.runCommand "rspamc-wrapped" {
|
||||
nativeBuildInputs = with pkgs; [ makeWrapper ];
|
||||
}''
|
||||
makeWrapper ${pkgs.rspamd}/bin/rspamc $out/bin/rspamc \
|
||||
--add-flags "-h /run/rspamd/worker-controller.sock"
|
||||
'')
|
||||
];
|
||||
config =
|
||||
with cfg;
|
||||
lib.mkIf enable {
|
||||
environment.systemPackages = lib.mkBefore [
|
||||
(pkgs.runCommand "rspamc-wrapped"
|
||||
{
|
||||
nativeBuildInputs = with pkgs; [ makeWrapper ];
|
||||
}
|
||||
''
|
||||
makeWrapper ${pkgs.rspamd}/bin/rspamc $out/bin/rspamc \
|
||||
--add-flags "-h /run/rspamd/worker-controller.sock"
|
||||
''
|
||||
)
|
||||
];
|
||||
|
||||
services.rspamd = {
|
||||
enable = true;
|
||||
inherit debug;
|
||||
locals = {
|
||||
"milter_headers.conf" = { text = ''
|
||||
services.rspamd = {
|
||||
enable = true;
|
||||
inherit debug;
|
||||
locals = {
|
||||
"milter_headers.conf" = {
|
||||
text = ''
|
||||
extended_spam_headers = true;
|
||||
''; };
|
||||
"redis.conf" = { text = ''
|
||||
servers = "${if cfg.redis.port == null
|
||||
then
|
||||
cfg.redis.address
|
||||
else
|
||||
"${cfg.redis.address}:${toString cfg.redis.port}"}";
|
||||
'' + (lib.optionalString (cfg.redis.password != null) ''
|
||||
password = "${cfg.redis.password}";
|
||||
''); };
|
||||
"classifier-bayes.conf" = { text = ''
|
||||
'';
|
||||
};
|
||||
"redis.conf" = {
|
||||
text =
|
||||
''
|
||||
servers = "${
|
||||
if cfg.redis.port == null then
|
||||
cfg.redis.address
|
||||
else
|
||||
"${cfg.redis.address}:${toString cfg.redis.port}"
|
||||
}";
|
||||
''
|
||||
+ (lib.optionalString (cfg.redis.password != null) ''
|
||||
password = "${cfg.redis.password}";
|
||||
'');
|
||||
};
|
||||
"classifier-bayes.conf" = {
|
||||
text = ''
|
||||
cache {
|
||||
backend = "redis";
|
||||
}
|
||||
''; };
|
||||
"antivirus.conf" = lib.mkIf cfg.virusScanning { text = ''
|
||||
'';
|
||||
};
|
||||
"antivirus.conf" = lib.mkIf cfg.virusScanning {
|
||||
text = ''
|
||||
clamav {
|
||||
action = "reject";
|
||||
symbol = "CLAM_VIRUS";
|
||||
|
@ -84,157 +107,168 @@ in
|
|||
servers = "/run/clamav/clamd.ctl";
|
||||
scan_mime_parts = false; # scan mail as a whole unit, not parts. seems to be needed to work at all
|
||||
}
|
||||
''; };
|
||||
"dkim_signing.conf" = { text = ''
|
||||
enabled = ${lib.boolToString cfg.dkimSigning};
|
||||
path = "${cfg.dkimKeyDirectory}/$domain.$selector.key";
|
||||
selector = "${cfg.dkimSelector}";
|
||||
# Allow for usernames w/o domain part
|
||||
allow_username_mismatch = true
|
||||
''; };
|
||||
"dmarc.conf" = { text = ''
|
||||
'';
|
||||
};
|
||||
"dkim_signing.conf" = {
|
||||
text = ''
|
||||
enabled = ${lib.boolToString cfg.dkimSigning};
|
||||
path = "${cfg.dkimKeyDirectory}/$domain.$selector.key";
|
||||
selector = "${cfg.dkimSelector}";
|
||||
# Allow for usernames w/o domain part
|
||||
allow_username_mismatch = true
|
||||
'';
|
||||
};
|
||||
"dmarc.conf" = {
|
||||
text = ''
|
||||
${lib.optionalString cfg.dmarcReporting.enable ''
|
||||
reporting {
|
||||
enabled = true;
|
||||
email = "${cfg.dmarcReporting.email}";
|
||||
domain = "${cfg.dmarcReporting.domain}";
|
||||
org_name = "${cfg.dmarcReporting.organizationName}";
|
||||
from_name = "${cfg.dmarcReporting.fromName}";
|
||||
msgid_from = "${cfg.dmarcReporting.domain}";
|
||||
${lib.optionalString (cfg.dmarcReporting.excludeDomains != []) ''
|
||||
exclude_domains = ${builtins.toJSON cfg.dmarcReporting.excludeDomains};
|
||||
''}
|
||||
}''}
|
||||
''; };
|
||||
reporting {
|
||||
enabled = true;
|
||||
email = "${cfg.dmarcReporting.email}";
|
||||
domain = "${cfg.dmarcReporting.domain}";
|
||||
org_name = "${cfg.dmarcReporting.organizationName}";
|
||||
from_name = "${cfg.dmarcReporting.fromName}";
|
||||
msgid_from = "${cfg.dmarcReporting.domain}";
|
||||
${lib.optionalString (cfg.dmarcReporting.excludeDomains != [ ]) ''
|
||||
exclude_domains = ${builtins.toJSON cfg.dmarcReporting.excludeDomains};
|
||||
''}
|
||||
}''}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
workers.rspamd_proxy = {
|
||||
type = "rspamd_proxy";
|
||||
bindSockets = [
|
||||
{
|
||||
socket = "/run/rspamd/rspamd-milter.sock";
|
||||
mode = "0664";
|
||||
}
|
||||
];
|
||||
count = 1; # Do not spawn too many processes of this type
|
||||
extraConfig = ''
|
||||
milter = yes; # Enable milter mode
|
||||
timeout = 120s; # Needed for Milter usually
|
||||
|
||||
upstream "local" {
|
||||
default = yes; # Self-scan upstreams are always default
|
||||
self_scan = yes; # Enable self-scan
|
||||
}
|
||||
'';
|
||||
};
|
||||
workers.controller = {
|
||||
type = "controller";
|
||||
count = 1;
|
||||
bindSockets = [
|
||||
{
|
||||
socket = "/run/rspamd/worker-controller.sock";
|
||||
mode = "0666";
|
||||
}
|
||||
];
|
||||
includes = [ ];
|
||||
extraConfig = ''
|
||||
static_dir = "''${WWWDIR}"; # Serve the web UI static assets
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
workers.rspamd_proxy = {
|
||||
type = "rspamd_proxy";
|
||||
bindSockets = [{
|
||||
socket = "/run/rspamd/rspamd-milter.sock";
|
||||
mode = "0664";
|
||||
}];
|
||||
count = 1; # Do not spawn too many processes of this type
|
||||
extraConfig = ''
|
||||
milter = yes; # Enable milter mode
|
||||
timeout = 120s; # Needed for Milter usually
|
||||
services.redis.servers.rspamd.enable = lib.mkDefault true;
|
||||
|
||||
upstream "local" {
|
||||
default = yes; # Self-scan upstreams are always default
|
||||
self_scan = yes; # Enable self-scan
|
||||
systemd.tmpfiles.settings."10-rspamd.conf" = {
|
||||
"${cfg.dkimKeyDirectory}" = {
|
||||
d = {
|
||||
# Create /var/dkim owned by rspamd user/group
|
||||
user = rspamdUser;
|
||||
group = rspamdGroup;
|
||||
};
|
||||
Z = {
|
||||
# Recursively adjust permissions in /var/dkim
|
||||
user = rspamdUser;
|
||||
group = rspamdGroup;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.rspamd = {
|
||||
requires = [ "redis-rspamd.service" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
|
||||
after = [ "redis-rspamd.service" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
|
||||
serviceConfig = lib.mkMerge [
|
||||
{
|
||||
SupplementaryGroups = [ config.services.redis.servers.rspamd.group ];
|
||||
}
|
||||
'';
|
||||
};
|
||||
workers.controller = {
|
||||
type = "controller";
|
||||
count = 1;
|
||||
bindSockets = [{
|
||||
socket = "/run/rspamd/worker-controller.sock";
|
||||
mode = "0666";
|
||||
}];
|
||||
includes = [];
|
||||
extraConfig = ''
|
||||
static_dir = "''${WWWDIR}"; # Serve the web UI static assets
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
services.redis.servers.rspamd.enable = lib.mkDefault true;
|
||||
|
||||
systemd.tmpfiles.settings."10-rspamd.conf" = {
|
||||
"${cfg.dkimKeyDirectory}" = {
|
||||
d = {
|
||||
# Create /var/dkim owned by rspamd user/group
|
||||
user = rspamdUser;
|
||||
group = rspamdGroup;
|
||||
};
|
||||
Z = {
|
||||
# Recursively adjust permissions in /var/dkim
|
||||
user = rspamdUser;
|
||||
group = rspamdGroup;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.rspamd = {
|
||||
requires = [ "redis-rspamd.service" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
|
||||
after = [ "redis-rspamd.service" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
|
||||
serviceConfig = lib.mkMerge [
|
||||
{
|
||||
SupplementaryGroups = [ config.services.redis.servers.rspamd.group ];
|
||||
}
|
||||
(lib.optionalAttrs cfg.dkimSigning {
|
||||
ExecStartPre = map createDkimKeypair cfg.domains;
|
||||
ReadWritePaths = [ cfg.dkimKeyDirectory ];
|
||||
})
|
||||
];
|
||||
};
|
||||
|
||||
systemd.services.rspamd-dmarc-reporter = lib.optionalAttrs (cfg.dmarcReporting.enable) {
|
||||
# Explicitly select yesterday's date to work around broken
|
||||
# default behaviour when called without a date.
|
||||
# https://github.com/rspamd/rspamd/issues/4062
|
||||
script = ''
|
||||
${pkgs.rspamd}/bin/rspamadm dmarc_report $(date -d "yesterday" "+%Y%m%d")
|
||||
'';
|
||||
serviceConfig = {
|
||||
User = "${config.services.rspamd.user}";
|
||||
Group = "${config.services.rspamd.group}";
|
||||
|
||||
AmbientCapabilities = [];
|
||||
CapabilityBoundingSet = "";
|
||||
DevicePolicy = "closed";
|
||||
IPAddressAllow = "localhost";
|
||||
LockPersonality = true;
|
||||
NoNewPrivileges = true;
|
||||
PrivateDevices = true;
|
||||
PrivateMounts = true;
|
||||
PrivateTmp = true;
|
||||
PrivateUsers = true;
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectProc = "invisible";
|
||||
ProcSubset = "pid";
|
||||
ProtectSystem = "strict";
|
||||
RemoveIPC = true;
|
||||
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
"~@privileged"
|
||||
(lib.optionalAttrs cfg.dkimSigning {
|
||||
ExecStartPre = map createDkimKeypair cfg.domains;
|
||||
ReadWritePaths = [ cfg.dkimKeyDirectory ];
|
||||
})
|
||||
];
|
||||
UMask = "0077";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.timers.rspamd-dmarc-reporter = lib.optionalAttrs (cfg.dmarcReporting.enable) {
|
||||
description = "Daily delivery of aggregated DMARC reports";
|
||||
wantedBy = [
|
||||
"timers.target"
|
||||
];
|
||||
timerConfig = {
|
||||
OnCalendar = "daily";
|
||||
Persistent = true;
|
||||
RandomizedDelaySec = 86400;
|
||||
FixedRandomDelay = true;
|
||||
systemd.services.rspamd-dmarc-reporter = lib.optionalAttrs cfg.dmarcReporting.enable {
|
||||
# Explicitly select yesterday's date to work around broken
|
||||
# default behaviour when called without a date.
|
||||
# https://github.com/rspamd/rspamd/issues/4062
|
||||
script = ''
|
||||
${pkgs.rspamd}/bin/rspamadm dmarc_report $(date -d "yesterday" "+%Y%m%d")
|
||||
'';
|
||||
serviceConfig = {
|
||||
User = "${config.services.rspamd.user}";
|
||||
Group = "${config.services.rspamd.group}";
|
||||
|
||||
AmbientCapabilities = [ ];
|
||||
CapabilityBoundingSet = "";
|
||||
DevicePolicy = "closed";
|
||||
IPAddressAllow = "localhost";
|
||||
LockPersonality = true;
|
||||
NoNewPrivileges = true;
|
||||
PrivateDevices = true;
|
||||
PrivateMounts = true;
|
||||
PrivateTmp = true;
|
||||
PrivateUsers = true;
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectProc = "invisible";
|
||||
ProcSubset = "pid";
|
||||
ProtectSystem = "strict";
|
||||
RemoveIPC = true;
|
||||
RestrictAddressFamilies = [
|
||||
"AF_INET"
|
||||
"AF_INET6"
|
||||
];
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
"~@privileged"
|
||||
];
|
||||
UMask = "0077";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.postfix = {
|
||||
after = [ rspamdSocket ];
|
||||
requires = [ rspamdSocket ];
|
||||
};
|
||||
systemd.timers.rspamd-dmarc-reporter = lib.optionalAttrs cfg.dmarcReporting.enable {
|
||||
description = "Daily delivery of aggregated DMARC reports";
|
||||
wantedBy = [
|
||||
"timers.target"
|
||||
];
|
||||
timerConfig = {
|
||||
OnCalendar = "daily";
|
||||
Persistent = true;
|
||||
RandomizedDelaySec = 86400;
|
||||
FixedRandomDelay = true;
|
||||
};
|
||||
};
|
||||
|
||||
users.extraUsers.${postfixCfg.user}.extraGroups = [ rspamdCfg.group ];
|
||||
};
|
||||
systemd.services.postfix = {
|
||||
after = [ rspamdSocket ];
|
||||
requires = [ rspamdSocket ];
|
||||
};
|
||||
|
||||
users.extraUsers.${postfixCfg.user}.extraGroups = [ rspamdCfg.group ];
|
||||
};
|
||||
}
|
||||
|
||||
|
|
|
@ -14,72 +14,79 @@
|
|||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
cfg = config.mailserver;
|
||||
certificatesDeps =
|
||||
if cfg.certificateScheme == "manual" then
|
||||
[]
|
||||
[ ]
|
||||
else if cfg.certificateScheme == "selfsigned" then
|
||||
[ "mailserver-selfsigned-certificate.service" ]
|
||||
else
|
||||
[ "acme-finished-${cfg.fqdn}.target" ];
|
||||
in
|
||||
{
|
||||
config = with cfg; lib.mkIf enable {
|
||||
# Create self signed certificate
|
||||
systemd.services.mailserver-selfsigned-certificate = lib.mkIf (cfg.certificateScheme == "selfsigned") {
|
||||
after = [ "local-fs.target" ];
|
||||
script = ''
|
||||
# Create certificates if they do not exist yet
|
||||
dir="${cfg.certificateDirectory}"
|
||||
fqdn="${cfg.fqdn}"
|
||||
[[ $fqdn == /* ]] && fqdn=$(< "$fqdn")
|
||||
key="$dir/key-${cfg.fqdn}.pem";
|
||||
cert="$dir/cert-${cfg.fqdn}.pem";
|
||||
config =
|
||||
with cfg;
|
||||
lib.mkIf enable {
|
||||
# Create self signed certificate
|
||||
systemd.services.mailserver-selfsigned-certificate =
|
||||
lib.mkIf (cfg.certificateScheme == "selfsigned")
|
||||
{
|
||||
after = [ "local-fs.target" ];
|
||||
script = ''
|
||||
# Create certificates if they do not exist yet
|
||||
dir="${cfg.certificateDirectory}"
|
||||
fqdn="${cfg.fqdn}"
|
||||
[[ $fqdn == /* ]] && fqdn=$(< "$fqdn")
|
||||
key="$dir/key-${cfg.fqdn}.pem";
|
||||
cert="$dir/cert-${cfg.fqdn}.pem";
|
||||
|
||||
if [[ ! -f $key || ! -f $cert ]]; then
|
||||
mkdir -p "${cfg.certificateDirectory}"
|
||||
(umask 077; "${pkgs.openssl}/bin/openssl" genrsa -out "$key" 2048) &&
|
||||
"${pkgs.openssl}/bin/openssl" req -new -key "$key" -x509 -subj "/CN=$fqdn" \
|
||||
-days 3650 -out "$cert"
|
||||
fi
|
||||
'';
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
PrivateTmp = true;
|
||||
if [[ ! -f $key || ! -f $cert ]]; then
|
||||
mkdir -p "${cfg.certificateDirectory}"
|
||||
(umask 077; "${pkgs.openssl}/bin/openssl" genrsa -out "$key" 2048) &&
|
||||
"${pkgs.openssl}/bin/openssl" req -new -key "$key" -x509 -subj "/CN=$fqdn" \
|
||||
-days 3650 -out "$cert"
|
||||
fi
|
||||
'';
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
PrivateTmp = true;
|
||||
};
|
||||
};
|
||||
|
||||
# Create maildir folder before dovecot startup
|
||||
systemd.services.dovecot2 = {
|
||||
wants = certificatesDeps;
|
||||
after = certificatesDeps;
|
||||
preStart =
|
||||
let
|
||||
directories = lib.strings.escapeShellArgs (
|
||||
[ mailDirectory ] ++ lib.optional (cfg.indexDir != null) cfg.indexDir
|
||||
);
|
||||
in
|
||||
''
|
||||
# Create mail directory and set permissions. See
|
||||
# <https://doc.dovecot.org/main/core/config/shared_mailboxes.html#filesystem-permissions-1>.
|
||||
# Prevent world-readable paths, even temporarily.
|
||||
umask 007
|
||||
mkdir -p ${directories}
|
||||
chgrp "${vmailGroupName}" ${directories}
|
||||
chmod 02770 ${directories}
|
||||
'';
|
||||
};
|
||||
|
||||
# Postfix requires dovecot lmtp socket, dovecot auth socket and certificate to work
|
||||
systemd.services.postfix = {
|
||||
wants = certificatesDeps;
|
||||
after = [ "dovecot2.service" ] ++ lib.optional cfg.dkimSigning "rspamd.service" ++ certificatesDeps;
|
||||
requires = [ "dovecot2.service" ] ++ lib.optional cfg.dkimSigning "rspamd.service";
|
||||
};
|
||||
};
|
||||
|
||||
# Create maildir folder before dovecot startup
|
||||
systemd.services.dovecot2 = {
|
||||
wants = certificatesDeps;
|
||||
after = certificatesDeps;
|
||||
preStart = let
|
||||
directories = lib.strings.escapeShellArgs (
|
||||
[ mailDirectory ]
|
||||
++ lib.optional (cfg.indexDir != null) cfg.indexDir
|
||||
);
|
||||
in ''
|
||||
# Create mail directory and set permissions. See
|
||||
# <https://doc.dovecot.org/main/core/config/shared_mailboxes.html#filesystem-permissions-1>.
|
||||
# Prevent world-readable paths, even temporarily.
|
||||
umask 007
|
||||
mkdir -p ${directories}
|
||||
chgrp "${vmailGroupName}" ${directories}
|
||||
chmod 02770 ${directories}
|
||||
'';
|
||||
};
|
||||
|
||||
# Postfix requires dovecot lmtp socket, dovecot auth socket and certificate to work
|
||||
systemd.services.postfix = {
|
||||
wants = certificatesDeps;
|
||||
after = [ "dovecot2.service" ]
|
||||
++ lib.optional cfg.dkimSigning "rspamd.service"
|
||||
++ certificatesDeps;
|
||||
requires = [ "dovecot2.service" ]
|
||||
++ lib.optional cfg.dkimSigning "rspamd.service";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -14,7 +14,12 @@
|
|||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
|
||||
with config.mailserver;
|
||||
|
||||
|
@ -28,7 +33,6 @@ let
|
|||
group = vmailGroupName;
|
||||
};
|
||||
|
||||
|
||||
virtualMailUsersActivationScript = pkgs.writeScript "activate-virtual-mail-users" ''
|
||||
#!${pkgs.stdenv.shell}
|
||||
|
||||
|
@ -46,45 +50,54 @@ let
|
|||
|
||||
# Copy user's sieve script to the correct location (if it exists). If it
|
||||
# is null, remove the file.
|
||||
${lib.concatMapStringsSep "\n" ({ name, sieveScript }:
|
||||
if lib.isString sieveScript then ''
|
||||
if (! test -d "${sieveDirectory}/${name}"); then
|
||||
mkdir -p "${sieveDirectory}/${name}"
|
||||
chown "${vmailUserName}:${vmailGroupName}" "${sieveDirectory}/${name}"
|
||||
chmod 770 "${sieveDirectory}/${name}"
|
||||
fi
|
||||
cat << 'EOF' > "${sieveDirectory}/${name}/default.sieve"
|
||||
${sieveScript}
|
||||
EOF
|
||||
chown "${vmailUserName}:${vmailGroupName}" "${sieveDirectory}/${name}/default.sieve"
|
||||
'' else ''
|
||||
if (test -f "${sieveDirectory}/${name}/default.sieve"); then
|
||||
rm "${sieveDirectory}/${name}/default.sieve"
|
||||
fi
|
||||
if (test -f "${sieveDirectory}/${name}.svbin"); then
|
||||
rm "${sieveDirectory}/${name}/default.svbin"
|
||||
fi
|
||||
'') (map (user: { inherit (user) name sieveScript; })
|
||||
(lib.attrValues loginAccounts))}
|
||||
${lib.concatMapStringsSep "\n" (
|
||||
{ name, sieveScript }:
|
||||
if lib.isString sieveScript then
|
||||
''
|
||||
if (! test -d "${sieveDirectory}/${name}"); then
|
||||
mkdir -p "${sieveDirectory}/${name}"
|
||||
chown "${vmailUserName}:${vmailGroupName}" "${sieveDirectory}/${name}"
|
||||
chmod 770 "${sieveDirectory}/${name}"
|
||||
fi
|
||||
cat << 'EOF' > "${sieveDirectory}/${name}/default.sieve"
|
||||
${sieveScript}
|
||||
EOF
|
||||
chown "${vmailUserName}:${vmailGroupName}" "${sieveDirectory}/${name}/default.sieve"
|
||||
''
|
||||
else
|
||||
''
|
||||
if (test -f "${sieveDirectory}/${name}/default.sieve"); then
|
||||
rm "${sieveDirectory}/${name}/default.sieve"
|
||||
fi
|
||||
if (test -f "${sieveDirectory}/${name}.svbin"); then
|
||||
rm "${sieveDirectory}/${name}/default.svbin"
|
||||
fi
|
||||
''
|
||||
) (map (user: { inherit (user) name sieveScript; }) (lib.attrValues loginAccounts))}
|
||||
'';
|
||||
in {
|
||||
in
|
||||
{
|
||||
config = lib.mkIf enable {
|
||||
# assert that all accounts provide a password
|
||||
assertions = (map (acct: {
|
||||
assertion = (acct.hashedPassword != null || acct.hashedPasswordFile != null);
|
||||
assertions = map (acct: {
|
||||
assertion = acct.hashedPassword != null || acct.hashedPasswordFile != null;
|
||||
message = "${acct.name} must provide either a hashed password or a password hash file";
|
||||
}) (lib.attrValues loginAccounts));
|
||||
}) (lib.attrValues loginAccounts);
|
||||
|
||||
# warn for accounts that specify both password and file
|
||||
warnings = (map
|
||||
(acct: "${acct.name} specifies both a password hash and hash file; hash file will be used")
|
||||
(lib.filter
|
||||
(acct: (acct.hashedPassword != null && acct.hashedPasswordFile != null))
|
||||
(lib.attrValues loginAccounts)));
|
||||
warnings =
|
||||
map (acct: "${acct.name} specifies both a password hash and hash file; hash file will be used")
|
||||
(
|
||||
lib.filter (acct: (acct.hashedPassword != null && acct.hashedPasswordFile != null)) (
|
||||
lib.attrValues loginAccounts
|
||||
)
|
||||
);
|
||||
|
||||
# set the vmail gid to a specific value
|
||||
users.groups = {
|
||||
"${vmailGroupName}" = { gid = vmailUID; };
|
||||
"${vmailGroupName}" = {
|
||||
gid = vmailUID;
|
||||
};
|
||||
};
|
||||
|
||||
# define all users
|
||||
|
|
19
shell.nix
19
shell.nix
|
@ -1,10 +1,9 @@
|
|||
(import
|
||||
(
|
||||
let lock = builtins.fromJSON (builtins.readFile ./flake.lock); in
|
||||
fetchTarball {
|
||||
url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
|
||||
sha256 = lock.nodes.flake-compat.locked.narHash;
|
||||
}
|
||||
)
|
||||
{ src = ./.; }
|
||||
).shellNix
|
||||
(import (
|
||||
let
|
||||
lock = builtins.fromJSON (builtins.readFile ./flake.lock);
|
||||
in
|
||||
fetchTarball {
|
||||
url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
|
||||
sha256 = lock.nodes.flake-compat.locked.narHash;
|
||||
}
|
||||
) { src = ./.; }).shellNix
|
||||
|
|
239
tests/clamav.nix
239
tests/clamav.nix
|
@ -24,73 +24,79 @@
|
|||
name = "clamav";
|
||||
|
||||
nodes = {
|
||||
server = { pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
../default.nix
|
||||
./lib/config.nix
|
||||
];
|
||||
server =
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
../default.nix
|
||||
./lib/config.nix
|
||||
];
|
||||
|
||||
virtualisation.memorySize = 1500;
|
||||
virtualisation.memorySize = 1500;
|
||||
|
||||
environment.systemPackages = with pkgs; [ netcat ];
|
||||
environment.systemPackages = with pkgs; [ netcat ];
|
||||
|
||||
services.rsyslogd = {
|
||||
enable = true;
|
||||
defaultConfig = ''
|
||||
*.* /dev/console
|
||||
'';
|
||||
};
|
||||
|
||||
services.clamav.updater.enable = lib.mkForce false;
|
||||
systemd.services.old-clam = {
|
||||
before = [ "clamav-daemon.service" ];
|
||||
requiredBy = [ "clamav-daemon.service" ];
|
||||
description = "ClamAV virus database";
|
||||
|
||||
preStart = ''
|
||||
mkdir -m 0755 -p /var/lib/clamav
|
||||
chown clamav:clamav /var/lib/clamav
|
||||
'';
|
||||
|
||||
script = ''
|
||||
cp ${blobs}/clamav/main.cvd /var/lib/clamav/
|
||||
cp ${blobs}/clamav/daily.cvd /var/lib/clamav/
|
||||
cp ${blobs}/clamav/bytecode.cvd /var/lib/clamav/
|
||||
chown clamav:clamav /var/lib/clamav/*
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
PrivateTmp = "yes";
|
||||
PrivateDevices = "yes";
|
||||
};
|
||||
};
|
||||
|
||||
mailserver = {
|
||||
enable = true;
|
||||
fqdn = "mail.example.com";
|
||||
domains = [ "example.com" "example2.com" ];
|
||||
virusScanning = true;
|
||||
|
||||
loginAccounts = {
|
||||
"user1@example.com" = {
|
||||
hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/";
|
||||
aliases = [ "postmaster@example.com" ];
|
||||
catchAll = [ "example.com" ];
|
||||
};
|
||||
"user@example2.com" = {
|
||||
hashedPassword = "$6$u61JrAtuI0a$nGEEfTP5.eefxoScUGVG/Tl0alqla2aGax4oTd85v3j3xSmhv/02gNfSemv/aaMinlv9j/ZABosVKBrRvN5Qv0";
|
||||
};
|
||||
};
|
||||
enableImap = true;
|
||||
};
|
||||
|
||||
environment.etc = {
|
||||
"root/eicar.com.txt".text = "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";
|
||||
};
|
||||
services.rsyslogd = {
|
||||
enable = true;
|
||||
defaultConfig = ''
|
||||
*.* /dev/console
|
||||
'';
|
||||
};
|
||||
client = { nodes, pkgs, ... }: let
|
||||
|
||||
services.clamav.updater.enable = lib.mkForce false;
|
||||
systemd.services.old-clam = {
|
||||
before = [ "clamav-daemon.service" ];
|
||||
requiredBy = [ "clamav-daemon.service" ];
|
||||
description = "ClamAV virus database";
|
||||
|
||||
preStart = ''
|
||||
mkdir -m 0755 -p /var/lib/clamav
|
||||
chown clamav:clamav /var/lib/clamav
|
||||
'';
|
||||
|
||||
script = ''
|
||||
cp ${blobs}/clamav/main.cvd /var/lib/clamav/
|
||||
cp ${blobs}/clamav/daily.cvd /var/lib/clamav/
|
||||
cp ${blobs}/clamav/bytecode.cvd /var/lib/clamav/
|
||||
chown clamav:clamav /var/lib/clamav/*
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
PrivateTmp = "yes";
|
||||
PrivateDevices = "yes";
|
||||
};
|
||||
};
|
||||
|
||||
mailserver = {
|
||||
enable = true;
|
||||
fqdn = "mail.example.com";
|
||||
domains = [
|
||||
"example.com"
|
||||
"example2.com"
|
||||
];
|
||||
virusScanning = true;
|
||||
|
||||
loginAccounts = {
|
||||
"user1@example.com" = {
|
||||
hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/";
|
||||
aliases = [ "postmaster@example.com" ];
|
||||
catchAll = [ "example.com" ];
|
||||
};
|
||||
"user@example2.com" = {
|
||||
hashedPassword = "$6$u61JrAtuI0a$nGEEfTP5.eefxoScUGVG/Tl0alqla2aGax4oTd85v3j3xSmhv/02gNfSemv/aaMinlv9j/ZABosVKBrRvN5Qv0";
|
||||
};
|
||||
};
|
||||
enableImap = true;
|
||||
};
|
||||
|
||||
environment.etc = {
|
||||
"root/eicar.com.txt".text = "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";
|
||||
};
|
||||
};
|
||||
client =
|
||||
{ nodes, pkgs, ... }:
|
||||
let
|
||||
serverIP = nodes.server.networking.primaryIPAddress;
|
||||
clientIP = nodes.client.networking.primaryIPAddress;
|
||||
grep-ip = pkgs.writeScriptBin "grep-ip" ''
|
||||
|
@ -98,20 +104,25 @@
|
|||
echo grep '${clientIP}' "$@" >&2
|
||||
exec grep '${clientIP}' "$@"
|
||||
'';
|
||||
in {
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./lib/config.nix
|
||||
./lib/config.nix
|
||||
];
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
fetchmail msmtp procmail findutils grep-ip
|
||||
fetchmail
|
||||
msmtp
|
||||
procmail
|
||||
findutils
|
||||
grep-ip
|
||||
];
|
||||
environment.etc = {
|
||||
"root/.fetchmailrc" = {
|
||||
text = ''
|
||||
poll ${serverIP} with proto IMAP
|
||||
user 'user1@example.com' there with password 'user1' is 'root' here
|
||||
mda procmail
|
||||
poll ${serverIP} with proto IMAP
|
||||
user 'user1@example.com' there with password 'user1' is 'root' here
|
||||
mda procmail
|
||||
'';
|
||||
mode = "0700";
|
||||
};
|
||||
|
@ -185,59 +196,59 @@
|
|||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
testScript = ''
|
||||
start_all()
|
||||
start_all()
|
||||
|
||||
server.wait_for_unit("multi-user.target")
|
||||
client.wait_for_unit("multi-user.target")
|
||||
server.wait_for_unit("multi-user.target")
|
||||
client.wait_for_unit("multi-user.target")
|
||||
|
||||
# TODO put this blocking into the systemd units? I am not sure if rspamd already waits for the clamd socket.
|
||||
server.wait_until_succeeds(
|
||||
"set +e; timeout 1 nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
|
||||
)
|
||||
server.wait_until_succeeds(
|
||||
"set +e; timeout 1 nc -U /run/clamav/clamd.ctl < /dev/null; [ $? -eq 124 ]"
|
||||
)
|
||||
# TODO put this blocking into the systemd units? I am not sure if rspamd already waits for the clamd socket.
|
||||
server.wait_until_succeeds(
|
||||
"set +e; timeout 1 nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
|
||||
)
|
||||
server.wait_until_succeeds(
|
||||
"set +e; timeout 1 nc -U /run/clamav/clamd.ctl < /dev/null; [ $? -eq 124 ]"
|
||||
)
|
||||
|
||||
client.execute("cp -p /etc/root/.* ~/")
|
||||
client.succeed("mkdir -p ~/mail")
|
||||
client.succeed("ls -la ~/ >&2")
|
||||
client.succeed("cat ~/.fetchmailrc >&2")
|
||||
client.succeed("cat ~/.procmailrc >&2")
|
||||
client.succeed("cat ~/.msmtprc >&2")
|
||||
client.execute("cp -p /etc/root/.* ~/")
|
||||
client.succeed("mkdir -p ~/mail")
|
||||
client.succeed("ls -la ~/ >&2")
|
||||
client.succeed("cat ~/.fetchmailrc >&2")
|
||||
client.succeed("cat ~/.procmailrc >&2")
|
||||
client.succeed("cat ~/.msmtprc >&2")
|
||||
|
||||
# fetchmail returns EXIT_CODE 1 when no new mail
|
||||
client.succeed("fetchmail --nosslcertck -v || [ $? -eq 1 ] >&2")
|
||||
# fetchmail returns EXIT_CODE 1 when no new mail
|
||||
client.succeed("fetchmail --nosslcertck -v || [ $? -eq 1 ] >&2")
|
||||
|
||||
# Verify that mail can be sent and received before testing virus scanner
|
||||
client.execute("rm ~/mail/*")
|
||||
client.succeed("msmtp -a user2 user1@example.com < /etc/root/safe-email >&2")
|
||||
# give the mail server some time to process the mail
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
client.execute("rm ~/mail/*")
|
||||
# fetchmail returns EXIT_CODE 0 when it retrieves mail
|
||||
client.succeed("fetchmail --nosslcertck -v >&2")
|
||||
client.execute("rm ~/mail/*")
|
||||
# Verify that mail can be sent and received before testing virus scanner
|
||||
client.execute("rm ~/mail/*")
|
||||
client.succeed("msmtp -a user2 user1@example.com < /etc/root/safe-email >&2")
|
||||
# give the mail server some time to process the mail
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
client.execute("rm ~/mail/*")
|
||||
# fetchmail returns EXIT_CODE 0 when it retrieves mail
|
||||
client.succeed("fetchmail --nosslcertck -v >&2")
|
||||
client.execute("rm ~/mail/*")
|
||||
|
||||
with subtest("virus scan file"):
|
||||
server.succeed(
|
||||
'set +o pipefail; clamdscan $(readlink -f /etc/root/eicar.com.txt) | grep "Txt\\.Malware\\.Agent-1787597 FOUND" >&2'
|
||||
)
|
||||
with subtest("virus scan file"):
|
||||
server.succeed(
|
||||
'set +o pipefail; clamdscan $(readlink -f /etc/root/eicar.com.txt) | grep "Txt\\.Malware\\.Agent-1787597 FOUND" >&2'
|
||||
)
|
||||
|
||||
with subtest("virus scan email"):
|
||||
client.succeed(
|
||||
'set +o pipefail; msmtp -a user2 user1@example.com < /etc/root/virus-email 2>&1 | tee /dev/stderr | grep "server message: 554 5\\.7\\.1" >&2'
|
||||
)
|
||||
server.succeed("journalctl -u rspamd | grep -i eicar")
|
||||
# give the mail server some time to process the mail
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
with subtest("virus scan email"):
|
||||
client.succeed(
|
||||
'set +o pipefail; msmtp -a user2 user1@example.com < /etc/root/virus-email 2>&1 | tee /dev/stderr | grep "server message: 554 5\\.7\\.1" >&2'
|
||||
)
|
||||
server.succeed("journalctl -u rspamd | grep -i eicar")
|
||||
# give the mail server some time to process the mail
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
|
||||
with subtest("no warnings or errors"):
|
||||
server.fail("journalctl -u postfix | grep -i error >&2")
|
||||
server.fail("journalctl -u postfix | grep -i warning >&2")
|
||||
server.fail("journalctl -u dovecot2 | grep -i error >&2")
|
||||
server.fail("journalctl -u dovecot2 | grep -i warning >&2")
|
||||
'';
|
||||
with subtest("no warnings or errors"):
|
||||
server.fail("journalctl -u postfix | grep -i error >&2")
|
||||
server.fail("journalctl -u postfix | grep -i warning >&2")
|
||||
server.fail("journalctl -u dovecot2 | grep -i error >&2")
|
||||
server.fail("journalctl -u dovecot2 | grep -i warning >&2")
|
||||
'';
|
||||
}
|
||||
|
|
|
@ -18,74 +18,84 @@
|
|||
name = "external";
|
||||
|
||||
nodes = {
|
||||
server = { pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
../default.nix
|
||||
./lib/config.nix
|
||||
];
|
||||
server =
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
../default.nix
|
||||
./lib/config.nix
|
||||
];
|
||||
|
||||
environment.systemPackages = with pkgs; [ netcat ];
|
||||
environment.systemPackages = with pkgs; [ netcat ];
|
||||
|
||||
virtualisation.memorySize = 1024;
|
||||
virtualisation.memorySize = 1024;
|
||||
|
||||
services.rsyslogd = {
|
||||
enable = true;
|
||||
defaultConfig = ''
|
||||
*.* /dev/console
|
||||
'';
|
||||
};
|
||||
|
||||
|
||||
mailserver = {
|
||||
enable = true;
|
||||
debug = true;
|
||||
fqdn = "mail.example.com";
|
||||
domains = [ "example.com" "example2.com" ];
|
||||
rewriteMessageId = true;
|
||||
dkimKeyBits = 1535;
|
||||
dmarcReporting = {
|
||||
enable = true;
|
||||
domain = "example.com";
|
||||
organizationName = "ACME Corp";
|
||||
};
|
||||
|
||||
loginAccounts = {
|
||||
"user1@example.com" = {
|
||||
hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/";
|
||||
aliases = [ "postmaster@example.com" ];
|
||||
catchAll = [ "example.com" ];
|
||||
};
|
||||
"user2@example.com" = {
|
||||
hashedPassword = "$6$u61JrAtuI0a$nGEEfTP5.eefxoScUGVG/Tl0alqla2aGax4oTd85v3j3xSmhv/02gNfSemv/aaMinlv9j/ZABosVKBrRvN5Qv0";
|
||||
aliases = [ "chuck@example.com" ];
|
||||
};
|
||||
"user@example2.com" = {
|
||||
hashedPassword = "$6$u61JrAtuI0a$nGEEfTP5.eefxoScUGVG/Tl0alqla2aGax4oTd85v3j3xSmhv/02gNfSemv/aaMinlv9j/ZABosVKBrRvN5Qv0";
|
||||
};
|
||||
"lowquota@example.com" = {
|
||||
hashedPassword = "$6$u61JrAtuI0a$nGEEfTP5.eefxoScUGVG/Tl0alqla2aGax4oTd85v3j3xSmhv/02gNfSemv/aaMinlv9j/ZABosVKBrRvN5Qv0";
|
||||
quota = "1B";
|
||||
};
|
||||
};
|
||||
|
||||
extraVirtualAliases = {
|
||||
"single-alias@example.com" = "user1@example.com";
|
||||
"multi-alias@example.com" = [ "user1@example.com" "user2@example.com" ];
|
||||
};
|
||||
|
||||
enableImap = true;
|
||||
enableImapSsl = true;
|
||||
fullTextSearch = {
|
||||
enable = true;
|
||||
autoIndex = true;
|
||||
# special use depends on https://github.com/NixOS/nixpkgs/pull/93201
|
||||
autoIndexExclude = [ (if (pkgs.lib.versionAtLeast pkgs.lib.version "21") then "\\Junk" else "Junk") ];
|
||||
enforced = "yes";
|
||||
};
|
||||
};
|
||||
services.rsyslogd = {
|
||||
enable = true;
|
||||
defaultConfig = ''
|
||||
*.* /dev/console
|
||||
'';
|
||||
};
|
||||
client = { nodes, pkgs, ... }: let
|
||||
|
||||
mailserver = {
|
||||
enable = true;
|
||||
debug = true;
|
||||
fqdn = "mail.example.com";
|
||||
domains = [
|
||||
"example.com"
|
||||
"example2.com"
|
||||
];
|
||||
rewriteMessageId = true;
|
||||
dkimKeyBits = 1535;
|
||||
dmarcReporting = {
|
||||
enable = true;
|
||||
domain = "example.com";
|
||||
organizationName = "ACME Corp";
|
||||
};
|
||||
|
||||
loginAccounts = {
|
||||
"user1@example.com" = {
|
||||
hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/";
|
||||
aliases = [ "postmaster@example.com" ];
|
||||
catchAll = [ "example.com" ];
|
||||
};
|
||||
"user2@example.com" = {
|
||||
hashedPassword = "$6$u61JrAtuI0a$nGEEfTP5.eefxoScUGVG/Tl0alqla2aGax4oTd85v3j3xSmhv/02gNfSemv/aaMinlv9j/ZABosVKBrRvN5Qv0";
|
||||
aliases = [ "chuck@example.com" ];
|
||||
};
|
||||
"user@example2.com" = {
|
||||
hashedPassword = "$6$u61JrAtuI0a$nGEEfTP5.eefxoScUGVG/Tl0alqla2aGax4oTd85v3j3xSmhv/02gNfSemv/aaMinlv9j/ZABosVKBrRvN5Qv0";
|
||||
};
|
||||
"lowquota@example.com" = {
|
||||
hashedPassword = "$6$u61JrAtuI0a$nGEEfTP5.eefxoScUGVG/Tl0alqla2aGax4oTd85v3j3xSmhv/02gNfSemv/aaMinlv9j/ZABosVKBrRvN5Qv0";
|
||||
quota = "1B";
|
||||
};
|
||||
};
|
||||
|
||||
extraVirtualAliases = {
|
||||
"single-alias@example.com" = "user1@example.com";
|
||||
"multi-alias@example.com" = [
|
||||
"user1@example.com"
|
||||
"user2@example.com"
|
||||
];
|
||||
};
|
||||
|
||||
enableImap = true;
|
||||
enableImapSsl = true;
|
||||
fullTextSearch = {
|
||||
enable = true;
|
||||
autoIndex = true;
|
||||
# special use depends on https://github.com/NixOS/nixpkgs/pull/93201
|
||||
autoIndexExclude = [
|
||||
(if (pkgs.lib.versionAtLeast pkgs.lib.version "21") then "\\Junk" else "Junk")
|
||||
];
|
||||
enforced = "yes";
|
||||
};
|
||||
};
|
||||
};
|
||||
client =
|
||||
{ nodes, pkgs, ... }:
|
||||
let
|
||||
serverIP = nodes.server.networking.primaryIPAddress;
|
||||
clientIP = nodes.client.networking.primaryIPAddress;
|
||||
grep-ip = pkgs.writeScriptBin "grep-ip" ''
|
||||
|
@ -172,27 +182,36 @@
|
|||
assert needle in repr(response)
|
||||
imap.close()
|
||||
'';
|
||||
in {
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./lib/config.nix
|
||||
./lib/config.nix
|
||||
];
|
||||
environment.systemPackages = with pkgs; [
|
||||
fetchmail msmtp procmail findutils grep-ip check-mail-id test-imap-spam test-imap-ham search
|
||||
fetchmail
|
||||
msmtp
|
||||
procmail
|
||||
findutils
|
||||
grep-ip
|
||||
check-mail-id
|
||||
test-imap-spam
|
||||
test-imap-ham
|
||||
search
|
||||
];
|
||||
environment.etc = {
|
||||
"root/.fetchmailrc" = {
|
||||
text = ''
|
||||
poll ${serverIP} with proto IMAP
|
||||
user 'user1@example.com' there with password 'user1' is 'root' here
|
||||
mda procmail
|
||||
poll ${serverIP} with proto IMAP
|
||||
user 'user1@example.com' there with password 'user1' is 'root' here
|
||||
mda procmail
|
||||
'';
|
||||
mode = "0700";
|
||||
};
|
||||
"root/.fetchmailRcLowQuota" = {
|
||||
text = ''
|
||||
poll ${serverIP} with proto IMAP
|
||||
user 'lowquota@example.com' there with password 'user2' is 'root' here
|
||||
mda procmail
|
||||
poll ${serverIP} with proto IMAP
|
||||
user 'lowquota@example.com' there with password 'user2' is 'root' here
|
||||
mda procmail
|
||||
'';
|
||||
mode = "0700";
|
||||
};
|
||||
|
@ -338,176 +357,176 @@
|
|||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
testScript = ''
|
||||
start_all()
|
||||
start_all()
|
||||
|
||||
server.wait_for_unit("multi-user.target")
|
||||
client.wait_for_unit("multi-user.target")
|
||||
server.wait_for_unit("multi-user.target")
|
||||
client.wait_for_unit("multi-user.target")
|
||||
|
||||
# TODO put this blocking into the systemd units?
|
||||
server.wait_until_succeeds(
|
||||
"set +e; timeout 1 nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
|
||||
)
|
||||
# TODO put this blocking into the systemd units?
|
||||
server.wait_until_succeeds(
|
||||
"set +e; timeout 1 nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
|
||||
)
|
||||
|
||||
client.execute("cp -p /etc/root/.* ~/")
|
||||
client.succeed("mkdir -p ~/mail")
|
||||
client.succeed("ls -la ~/ >&2")
|
||||
client.succeed("cat ~/.fetchmailrc >&2")
|
||||
client.succeed("cat ~/.procmailrc >&2")
|
||||
client.succeed("cat ~/.msmtprc >&2")
|
||||
client.execute("cp -p /etc/root/.* ~/")
|
||||
client.succeed("mkdir -p ~/mail")
|
||||
client.succeed("ls -la ~/ >&2")
|
||||
client.succeed("cat ~/.fetchmailrc >&2")
|
||||
client.succeed("cat ~/.procmailrc >&2")
|
||||
client.succeed("cat ~/.msmtprc >&2")
|
||||
|
||||
with subtest("imap retrieving mail"):
|
||||
# fetchmail returns EXIT_CODE 1 when no new mail
|
||||
client.succeed("fetchmail --nosslcertck -v || [ $? -eq 1 ] >&2")
|
||||
with subtest("imap retrieving mail"):
|
||||
# fetchmail returns EXIT_CODE 1 when no new mail
|
||||
client.succeed("fetchmail --nosslcertck -v || [ $? -eq 1 ] >&2")
|
||||
|
||||
with subtest("submission port send mail"):
|
||||
# send email from user2 to user1
|
||||
client.succeed(
|
||||
"msmtp -a test --tls=on --tls-certcheck=off --auth=on user1@example.com < /etc/root/email1 >&2"
|
||||
)
|
||||
# give the mail server some time to process the mail
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
with subtest("submission port send mail"):
|
||||
# send email from user2 to user1
|
||||
client.succeed(
|
||||
"msmtp -a test --tls=on --tls-certcheck=off --auth=on user1@example.com < /etc/root/email1 >&2"
|
||||
)
|
||||
# give the mail server some time to process the mail
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
|
||||
with subtest("imap retrieving mail 2"):
|
||||
client.execute("rm ~/mail/*")
|
||||
# fetchmail returns EXIT_CODE 0 when it retrieves mail
|
||||
client.succeed("fetchmail --nosslcertck -v >&2")
|
||||
with subtest("imap retrieving mail 2"):
|
||||
client.execute("rm ~/mail/*")
|
||||
# fetchmail returns EXIT_CODE 0 when it retrieves mail
|
||||
client.succeed("fetchmail --nosslcertck -v >&2")
|
||||
|
||||
with subtest("remove sensitive information on submission port"):
|
||||
client.succeed("cat ~/mail/* >&2")
|
||||
## make sure our IP is _not_ in the email header
|
||||
client.fail("grep-ip ~/mail/*")
|
||||
client.succeed("check-mail-id ~/mail/*")
|
||||
with subtest("remove sensitive information on submission port"):
|
||||
client.succeed("cat ~/mail/* >&2")
|
||||
## make sure our IP is _not_ in the email header
|
||||
client.fail("grep-ip ~/mail/*")
|
||||
client.succeed("check-mail-id ~/mail/*")
|
||||
|
||||
with subtest("have correct fqdn as sender"):
|
||||
client.succeed("grep 'Received: from mail.example.com' ~/mail/*")
|
||||
with subtest("have correct fqdn as sender"):
|
||||
client.succeed("grep 'Received: from mail.example.com' ~/mail/*")
|
||||
|
||||
with subtest("dkim has user-specified size"):
|
||||
server.succeed(
|
||||
"openssl rsa -in /var/dkim/example.com.mail.key -text -noout | grep 'Private-Key: (1535 bit'"
|
||||
)
|
||||
with subtest("dkim has user-specified size"):
|
||||
server.succeed(
|
||||
"openssl rsa -in /var/dkim/example.com.mail.key -text -noout | grep 'Private-Key: (1535 bit'"
|
||||
)
|
||||
|
||||
with subtest("dkim singing, multiple domains"):
|
||||
client.execute("rm ~/mail/*")
|
||||
# send email from user2 to user1
|
||||
client.succeed(
|
||||
"msmtp -a test2 --tls=on --tls-certcheck=off --auth=on user1@example.com < /etc/root/email2 >&2"
|
||||
)
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
# fetchmail returns EXIT_CODE 0 when it retrieves mail
|
||||
client.succeed("fetchmail --nosslcertck -v")
|
||||
client.succeed("cat ~/mail/* >&2")
|
||||
# make sure it is dkim signed
|
||||
client.succeed("grep DKIM-Signature: ~/mail/*")
|
||||
with subtest("dkim singing, multiple domains"):
|
||||
client.execute("rm ~/mail/*")
|
||||
# send email from user2 to user1
|
||||
client.succeed(
|
||||
"msmtp -a test2 --tls=on --tls-certcheck=off --auth=on user1@example.com < /etc/root/email2 >&2"
|
||||
)
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
# fetchmail returns EXIT_CODE 0 when it retrieves mail
|
||||
client.succeed("fetchmail --nosslcertck -v")
|
||||
client.succeed("cat ~/mail/* >&2")
|
||||
# make sure it is dkim signed
|
||||
client.succeed("grep DKIM-Signature: ~/mail/*")
|
||||
|
||||
with subtest("aliases"):
|
||||
client.execute("rm ~/mail/*")
|
||||
# send email from chuck to postmaster
|
||||
client.succeed(
|
||||
"msmtp -a test3 --tls=on --tls-certcheck=off --auth=on postmaster@example.com < /etc/root/email2 >&2"
|
||||
)
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
# fetchmail returns EXIT_CODE 0 when it retrieves mail
|
||||
client.succeed("fetchmail --nosslcertck -v")
|
||||
with subtest("aliases"):
|
||||
client.execute("rm ~/mail/*")
|
||||
# send email from chuck to postmaster
|
||||
client.succeed(
|
||||
"msmtp -a test3 --tls=on --tls-certcheck=off --auth=on postmaster@example.com < /etc/root/email2 >&2"
|
||||
)
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
# fetchmail returns EXIT_CODE 0 when it retrieves mail
|
||||
client.succeed("fetchmail --nosslcertck -v")
|
||||
|
||||
with subtest("catchAlls"):
|
||||
client.execute("rm ~/mail/*")
|
||||
# send email from chuck to non exsitent account
|
||||
client.succeed(
|
||||
"msmtp -a test3 --tls=on --tls-certcheck=off --auth=on lol@example.com < /etc/root/email2 >&2"
|
||||
)
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
# fetchmail returns EXIT_CODE 0 when it retrieves mail
|
||||
client.succeed("fetchmail --nosslcertck -v")
|
||||
with subtest("catchAlls"):
|
||||
client.execute("rm ~/mail/*")
|
||||
# send email from chuck to non exsitent account
|
||||
client.succeed(
|
||||
"msmtp -a test3 --tls=on --tls-certcheck=off --auth=on lol@example.com < /etc/root/email2 >&2"
|
||||
)
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
# fetchmail returns EXIT_CODE 0 when it retrieves mail
|
||||
client.succeed("fetchmail --nosslcertck -v")
|
||||
|
||||
client.execute("rm ~/mail/*")
|
||||
# send email from user1 to chuck
|
||||
client.succeed(
|
||||
"msmtp -a test4 --tls=on --tls-certcheck=off --auth=on chuck@example.com < /etc/root/email2 >&2"
|
||||
)
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
# fetchmail returns EXIT_CODE 1 when no new mail
|
||||
# if this succeeds, it means that user1 recieved the mail that was intended for chuck.
|
||||
client.fail("fetchmail --nosslcertck -v")
|
||||
client.execute("rm ~/mail/*")
|
||||
# send email from user1 to chuck
|
||||
client.succeed(
|
||||
"msmtp -a test4 --tls=on --tls-certcheck=off --auth=on chuck@example.com < /etc/root/email2 >&2"
|
||||
)
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
# fetchmail returns EXIT_CODE 1 when no new mail
|
||||
# if this succeeds, it means that user1 recieved the mail that was intended for chuck.
|
||||
client.fail("fetchmail --nosslcertck -v")
|
||||
|
||||
with subtest("extraVirtualAliases"):
|
||||
client.execute("rm ~/mail/*")
|
||||
# send email from single-alias to user1
|
||||
client.succeed(
|
||||
"msmtp -a test5 --tls=on --tls-certcheck=off --auth=on user1@example.com < /etc/root/email4 >&2"
|
||||
)
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
# fetchmail returns EXIT_CODE 0 when it retrieves mail
|
||||
client.succeed("fetchmail --nosslcertck -v")
|
||||
with subtest("extraVirtualAliases"):
|
||||
client.execute("rm ~/mail/*")
|
||||
# send email from single-alias to user1
|
||||
client.succeed(
|
||||
"msmtp -a test5 --tls=on --tls-certcheck=off --auth=on user1@example.com < /etc/root/email4 >&2"
|
||||
)
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
# fetchmail returns EXIT_CODE 0 when it retrieves mail
|
||||
client.succeed("fetchmail --nosslcertck -v")
|
||||
|
||||
client.execute("rm ~/mail/*")
|
||||
# send email from user1 to multi-alias (user{1,2}@example.com)
|
||||
client.succeed(
|
||||
"msmtp -a test --tls=on --tls-certcheck=off --auth=on multi-alias@example.com < /etc/root/email5 >&2"
|
||||
)
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
# fetchmail returns EXIT_CODE 0 when it retrieves mail
|
||||
client.succeed("fetchmail --nosslcertck -v")
|
||||
client.execute("rm ~/mail/*")
|
||||
# send email from user1 to multi-alias (user{1,2}@example.com)
|
||||
client.succeed(
|
||||
"msmtp -a test --tls=on --tls-certcheck=off --auth=on multi-alias@example.com < /etc/root/email5 >&2"
|
||||
)
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
# fetchmail returns EXIT_CODE 0 when it retrieves mail
|
||||
client.succeed("fetchmail --nosslcertck -v")
|
||||
|
||||
with subtest("quota"):
|
||||
client.execute("rm ~/mail/*")
|
||||
client.execute("mv ~/.fetchmailRcLowQuota ~/.fetchmailrc")
|
||||
with subtest("quota"):
|
||||
client.execute("rm ~/mail/*")
|
||||
client.execute("mv ~/.fetchmailRcLowQuota ~/.fetchmailrc")
|
||||
|
||||
client.succeed(
|
||||
"msmtp -a test3 --tls=on --tls-certcheck=off --auth=on lowquota@example.com < /etc/root/email2 >&2"
|
||||
)
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
# fetchmail returns EXIT_CODE 0 when it retrieves mail
|
||||
client.fail("fetchmail --nosslcertck -v")
|
||||
client.succeed(
|
||||
"msmtp -a test3 --tls=on --tls-certcheck=off --auth=on lowquota@example.com < /etc/root/email2 >&2"
|
||||
)
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
# fetchmail returns EXIT_CODE 0 when it retrieves mail
|
||||
client.fail("fetchmail --nosslcertck -v")
|
||||
|
||||
with subtest("imap sieve junk trainer"):
|
||||
# send email from user2 to user1
|
||||
client.succeed(
|
||||
"msmtp -a test --tls=on --tls-certcheck=off --auth=on user1@example.com < /etc/root/email1 >&2"
|
||||
)
|
||||
# give the mail server some time to process the mail
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
with subtest("imap sieve junk trainer"):
|
||||
# send email from user2 to user1
|
||||
client.succeed(
|
||||
"msmtp -a test --tls=on --tls-certcheck=off --auth=on user1@example.com < /etc/root/email1 >&2"
|
||||
)
|
||||
# give the mail server some time to process the mail
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
|
||||
client.succeed("imap-mark-spam >&2")
|
||||
server.wait_until_succeeds("journalctl -u dovecot2 | grep -i rspamd-learn-spam.sh >&2")
|
||||
client.succeed("imap-mark-ham >&2")
|
||||
server.wait_until_succeeds("journalctl -u dovecot2 | grep -i rspamd-learn-ham.sh >&2")
|
||||
client.succeed("imap-mark-spam >&2")
|
||||
server.wait_until_succeeds("journalctl -u dovecot2 | grep -i rspamd-learn-spam.sh >&2")
|
||||
client.succeed("imap-mark-ham >&2")
|
||||
server.wait_until_succeeds("journalctl -u dovecot2 | grep -i rspamd-learn-ham.sh >&2")
|
||||
|
||||
with subtest("full text search and indexation"):
|
||||
# send 2 email from user2 to user1
|
||||
client.succeed(
|
||||
"msmtp -a test --tls=on --tls-certcheck=off --auth=on user1@example.com < /etc/root/email6 >&2"
|
||||
)
|
||||
client.succeed(
|
||||
"msmtp -a test --tls=on --tls-certcheck=off --auth=on user1@example.com < /etc/root/email7 >&2"
|
||||
)
|
||||
# give the mail server some time to process the mail
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
with subtest("full text search and indexation"):
|
||||
# send 2 email from user2 to user1
|
||||
client.succeed(
|
||||
"msmtp -a test --tls=on --tls-certcheck=off --auth=on user1@example.com < /etc/root/email6 >&2"
|
||||
)
|
||||
client.succeed(
|
||||
"msmtp -a test --tls=on --tls-certcheck=off --auth=on user1@example.com < /etc/root/email7 >&2"
|
||||
)
|
||||
# give the mail server some time to process the mail
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
|
||||
# should find exactly one email containing this
|
||||
client.succeed("search INBOX 576a4565b70f5a4c1a0925cabdb587a6 >&2")
|
||||
# should fail because this folder is not indexed
|
||||
client.fail("search Junk a >&2")
|
||||
# check that search really goes through the indexer
|
||||
server.succeed("journalctl -u dovecot2 | grep 'fts-flatcurve(INBOX): Query ' >&2")
|
||||
# check that Junk is not indexed
|
||||
server.fail("journalctl -u dovecot2 | grep 'fts-flatcurve(JUNK): Indexing ' >&2")
|
||||
# should find exactly one email containing this
|
||||
client.succeed("search INBOX 576a4565b70f5a4c1a0925cabdb587a6 >&2")
|
||||
# should fail because this folder is not indexed
|
||||
client.fail("search Junk a >&2")
|
||||
# check that search really goes through the indexer
|
||||
server.succeed("journalctl -u dovecot2 | grep 'fts-flatcurve(INBOX): Query ' >&2")
|
||||
# check that Junk is not indexed
|
||||
server.fail("journalctl -u dovecot2 | grep 'fts-flatcurve(JUNK): Indexing ' >&2")
|
||||
|
||||
with subtest("dmarc reporting"):
|
||||
server.systemctl("start rspamd-dmarc-reporter.service")
|
||||
with subtest("dmarc reporting"):
|
||||
server.systemctl("start rspamd-dmarc-reporter.service")
|
||||
|
||||
with subtest("no warnings or errors"):
|
||||
server.fail("journalctl -u postfix | grep -i error >&2")
|
||||
server.fail("journalctl -u postfix | grep -i warning >&2")
|
||||
server.fail("journalctl -u dovecot2 | grep -v 'imap-login: Debug: SSL error: Connection closed' | grep -i error >&2")
|
||||
# harmless ? https://dovecot.org/pipermail/dovecot/2020-August/119575.html
|
||||
server.fail(
|
||||
"journalctl -u dovecot2 | \
|
||||
grep -v 'Expunged message reappeared, giving a new UID' | \
|
||||
grep -v 'Time moved forwards' | \
|
||||
grep -i warning >&2"
|
||||
)
|
||||
'';
|
||||
with subtest("no warnings or errors"):
|
||||
server.fail("journalctl -u postfix | grep -i error >&2")
|
||||
server.fail("journalctl -u postfix | grep -i warning >&2")
|
||||
server.fail("journalctl -u dovecot2 | grep -v 'imap-login: Debug: SSL error: Connection closed' | grep -i error >&2")
|
||||
# harmless ? https://dovecot.org/pipermail/dovecot/2020-August/119575.html
|
||||
server.fail(
|
||||
"journalctl -u dovecot2 | \
|
||||
grep -v 'Expunged message reappeared, giving a new UID' | \
|
||||
grep -v 'Time moved forwards' | \
|
||||
grep -i warning >&2"
|
||||
)
|
||||
'';
|
||||
}
|
||||
|
|
|
@ -30,11 +30,16 @@ let
|
|||
'';
|
||||
};
|
||||
|
||||
hashPassword = password: pkgs.runCommand
|
||||
"password-${password}-hashed"
|
||||
{ buildInputs = [ pkgs.mkpasswd ]; inherit password; } ''
|
||||
mkpasswd -sm bcrypt <<<"$password" > $out
|
||||
'';
|
||||
hashPassword =
|
||||
password:
|
||||
pkgs.runCommand "password-${password}-hashed"
|
||||
{
|
||||
buildInputs = [ pkgs.mkpasswd ];
|
||||
inherit password;
|
||||
}
|
||||
''
|
||||
mkpasswd -sm bcrypt <<<"$password" > $out
|
||||
'';
|
||||
|
||||
hashedPasswordFile = hashPassword "my-password";
|
||||
passwordFile = pkgs.writeText "password" "my-password";
|
||||
|
@ -43,55 +48,62 @@ in
|
|||
name = "internal";
|
||||
|
||||
nodes = {
|
||||
machine = { pkgs, ... }: {
|
||||
imports = [
|
||||
./../default.nix
|
||||
./lib/config.nix
|
||||
];
|
||||
machine =
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
./../default.nix
|
||||
./lib/config.nix
|
||||
];
|
||||
|
||||
virtualisation.memorySize = 1024;
|
||||
virtualisation.memorySize = 1024;
|
||||
|
||||
environment.systemPackages = [
|
||||
(pkgs.writeScriptBin "mail-check" ''
|
||||
${pkgs.python3}/bin/python ${../scripts/mail-check.py} $@
|
||||
'')
|
||||
] ++ (with pkgs; [
|
||||
curl
|
||||
openssl
|
||||
netcat
|
||||
]);
|
||||
environment.systemPackages =
|
||||
[
|
||||
(pkgs.writeScriptBin "mail-check" ''
|
||||
${pkgs.python3}/bin/python ${../scripts/mail-check.py} $@
|
||||
'')
|
||||
]
|
||||
++ (with pkgs; [
|
||||
curl
|
||||
openssl
|
||||
netcat
|
||||
]);
|
||||
|
||||
mailserver = {
|
||||
enable = true;
|
||||
fqdn = "mail.example.com";
|
||||
domains = [ "example.com" "domain.com" ];
|
||||
localDnsResolver = false;
|
||||
mailserver = {
|
||||
enable = true;
|
||||
fqdn = "mail.example.com";
|
||||
domains = [
|
||||
"example.com"
|
||||
"domain.com"
|
||||
];
|
||||
localDnsResolver = false;
|
||||
|
||||
loginAccounts = {
|
||||
"user1@example.com" = {
|
||||
hashedPasswordFile = hashedPasswordFile;
|
||||
loginAccounts = {
|
||||
"user1@example.com" = {
|
||||
hashedPasswordFile = hashedPasswordFile;
|
||||
};
|
||||
"user2@example.com" = {
|
||||
hashedPasswordFile = hashedPasswordFile;
|
||||
aliasesRegexp = [ ''/^user2.*@domain\.com$/'' ];
|
||||
};
|
||||
"send-only@example.com" = {
|
||||
hashedPasswordFile = hashPassword "send-only";
|
||||
sendOnly = true;
|
||||
};
|
||||
};
|
||||
"user2@example.com" = {
|
||||
hashedPasswordFile = hashedPasswordFile;
|
||||
aliasesRegexp = [''/^user2.*@domain\.com$/''];
|
||||
};
|
||||
"send-only@example.com" = {
|
||||
hashedPasswordFile = hashPassword "send-only";
|
||||
sendOnly = true;
|
||||
forwards = {
|
||||
# user2@example.com is a local account and its mails are
|
||||
# also forwarded to user1@example.com
|
||||
"user2@example.com" = "user1@example.com";
|
||||
};
|
||||
|
||||
vmailGroupName = "vmail";
|
||||
vmailUID = 5000;
|
||||
|
||||
enableImap = false;
|
||||
};
|
||||
forwards = {
|
||||
# user2@example.com is a local account and its mails are
|
||||
# also forwarded to user1@example.com
|
||||
"user2@example.com" = "user1@example.com";
|
||||
};
|
||||
|
||||
vmailGroupName = "vmail";
|
||||
vmailUID = 5000;
|
||||
|
||||
enableImap = false;
|
||||
};
|
||||
};
|
||||
};
|
||||
testScript = ''
|
||||
machine.start()
|
||||
|
|
183
tests/ldap.nix
183
tests/ldap.nix
|
@ -7,110 +7,113 @@ in
|
|||
name = "ldap";
|
||||
|
||||
nodes = {
|
||||
machine = { pkgs, ... }: {
|
||||
imports = [
|
||||
./../default.nix
|
||||
./lib/config.nix
|
||||
];
|
||||
machine =
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
./../default.nix
|
||||
./lib/config.nix
|
||||
];
|
||||
|
||||
virtualisation.memorySize = 1024;
|
||||
virtualisation.memorySize = 1024;
|
||||
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
settings.PermitRootLogin = "yes";
|
||||
};
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
settings.PermitRootLogin = "yes";
|
||||
};
|
||||
|
||||
environment.systemPackages = [
|
||||
(pkgs.writeScriptBin "mail-check" ''
|
||||
${pkgs.python3}/bin/python ${../scripts/mail-check.py} $@
|
||||
'')];
|
||||
environment.systemPackages = [
|
||||
(pkgs.writeScriptBin "mail-check" ''
|
||||
${pkgs.python3}/bin/python ${../scripts/mail-check.py} $@
|
||||
'')
|
||||
];
|
||||
|
||||
environment.etc.bind-password.text = bindPassword;
|
||||
environment.etc.bind-password.text = bindPassword;
|
||||
|
||||
services.openldap = {
|
||||
enable = true;
|
||||
settings = {
|
||||
children = {
|
||||
"cn=schema".includes = [
|
||||
"${pkgs.openldap}/etc/schema/core.ldif"
|
||||
"${pkgs.openldap}/etc/schema/cosine.ldif"
|
||||
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
|
||||
"${pkgs.openldap}/etc/schema/nis.ldif"
|
||||
];
|
||||
"olcDatabase={1}mdb" = {
|
||||
attrs = {
|
||||
objectClass = [
|
||||
"olcDatabaseConfig"
|
||||
"olcMdbConfig"
|
||||
];
|
||||
olcDatabase = "{1}mdb";
|
||||
olcDbDirectory = "/var/lib/openldap/example";
|
||||
olcSuffix = "dc=example";
|
||||
services.openldap = {
|
||||
enable = true;
|
||||
settings = {
|
||||
children = {
|
||||
"cn=schema".includes = [
|
||||
"${pkgs.openldap}/etc/schema/core.ldif"
|
||||
"${pkgs.openldap}/etc/schema/cosine.ldif"
|
||||
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
|
||||
"${pkgs.openldap}/etc/schema/nis.ldif"
|
||||
];
|
||||
"olcDatabase={1}mdb" = {
|
||||
attrs = {
|
||||
objectClass = [
|
||||
"olcDatabaseConfig"
|
||||
"olcMdbConfig"
|
||||
];
|
||||
olcDatabase = "{1}mdb";
|
||||
olcDbDirectory = "/var/lib/openldap/example";
|
||||
olcSuffix = "dc=example";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
declarativeContents."dc=example" = ''
|
||||
dn: dc=example
|
||||
objectClass: domain
|
||||
dc: example
|
||||
|
||||
dn: cn=mail,dc=example
|
||||
objectClass: organizationalRole
|
||||
objectClass: simpleSecurityObject
|
||||
objectClass: top
|
||||
cn: mail
|
||||
userPassword: ${bindPassword}
|
||||
|
||||
dn: ou=users,dc=example
|
||||
objectClass: organizationalUnit
|
||||
ou: users
|
||||
|
||||
dn: cn=alice,ou=users,dc=example
|
||||
objectClass: inetOrgPerson
|
||||
cn: alice
|
||||
sn: Foo
|
||||
mail: alice@example.com
|
||||
userPassword: ${alicePassword}
|
||||
|
||||
dn: cn=bob,ou=users,dc=example
|
||||
objectClass: inetOrgPerson
|
||||
cn: bob
|
||||
sn: Bar
|
||||
mail: bob@example.com
|
||||
userPassword: ${bobPassword}
|
||||
'';
|
||||
};
|
||||
declarativeContents."dc=example" = ''
|
||||
dn: dc=example
|
||||
objectClass: domain
|
||||
dc: example
|
||||
|
||||
dn: cn=mail,dc=example
|
||||
objectClass: organizationalRole
|
||||
objectClass: simpleSecurityObject
|
||||
objectClass: top
|
||||
cn: mail
|
||||
userPassword: ${bindPassword}
|
||||
|
||||
dn: ou=users,dc=example
|
||||
objectClass: organizationalUnit
|
||||
ou: users
|
||||
|
||||
dn: cn=alice,ou=users,dc=example
|
||||
objectClass: inetOrgPerson
|
||||
cn: alice
|
||||
sn: Foo
|
||||
mail: alice@example.com
|
||||
userPassword: ${alicePassword}
|
||||
|
||||
dn: cn=bob,ou=users,dc=example
|
||||
objectClass: inetOrgPerson
|
||||
cn: bob
|
||||
sn: Bar
|
||||
mail: bob@example.com
|
||||
userPassword: ${bobPassword}
|
||||
'';
|
||||
};
|
||||
|
||||
mailserver = {
|
||||
enable = true;
|
||||
fqdn = "mail.example.com";
|
||||
domains = [ "example.com" ];
|
||||
localDnsResolver = false;
|
||||
|
||||
ldap = {
|
||||
mailserver = {
|
||||
enable = true;
|
||||
uris = [
|
||||
"ldap://"
|
||||
];
|
||||
bind = {
|
||||
dn = "cn=mail,dc=example";
|
||||
passwordFile = "/etc/bind-password";
|
||||
fqdn = "mail.example.com";
|
||||
domains = [ "example.com" ];
|
||||
localDnsResolver = false;
|
||||
|
||||
ldap = {
|
||||
enable = true;
|
||||
uris = [
|
||||
"ldap://"
|
||||
];
|
||||
bind = {
|
||||
dn = "cn=mail,dc=example";
|
||||
passwordFile = "/etc/bind-password";
|
||||
};
|
||||
searchBase = "ou=users,dc=example";
|
||||
searchScope = "sub";
|
||||
};
|
||||
searchBase = "ou=users,dc=example";
|
||||
searchScope = "sub";
|
||||
|
||||
forwards = {
|
||||
"bob_fw@example.com" = "bob@example.com";
|
||||
};
|
||||
|
||||
vmailGroupName = "vmail";
|
||||
vmailUID = 5000;
|
||||
|
||||
enableImap = false;
|
||||
};
|
||||
|
||||
forwards = {
|
||||
"bob_fw@example.com" = "bob@example.com";
|
||||
};
|
||||
|
||||
vmailGroupName = "vmail";
|
||||
vmailUID = 5000;
|
||||
|
||||
enableImap = false;
|
||||
};
|
||||
};
|
||||
};
|
||||
testScript = ''
|
||||
import sys
|
||||
|
|
|
@ -6,16 +6,23 @@
|
|||
}:
|
||||
|
||||
let
|
||||
hashPassword = password: pkgs.runCommand
|
||||
"password-${password}-hashed"
|
||||
{ buildInputs = [ pkgs.mkpasswd ]; inherit password; }
|
||||
hashPassword =
|
||||
password:
|
||||
pkgs.runCommand "password-${password}-hashed"
|
||||
{
|
||||
buildInputs = [ pkgs.mkpasswd ];
|
||||
inherit password;
|
||||
}
|
||||
''
|
||||
mkpasswd -sm bcrypt <<<"$password" > $out
|
||||
'';
|
||||
|
||||
password = pkgs.writeText "password" "password";
|
||||
password = pkgs.writeText "password" "password";
|
||||
|
||||
domainGenerator = domain: { pkgs, ... }: {
|
||||
domainGenerator =
|
||||
domain:
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
../default.nix
|
||||
./lib/config.nix
|
||||
|
@ -37,7 +44,10 @@ let
|
|||
};
|
||||
services.dnsmasq = {
|
||||
enable = true;
|
||||
settings.mx-host = [ "domain1.com,domain1,10" "domain2.com,domain2,10" ];
|
||||
settings.mx-host = [
|
||||
"domain1.com,domain1,10"
|
||||
"domain2.com,domain2,10"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -47,23 +57,34 @@ in
|
|||
name = "multiple";
|
||||
|
||||
nodes = {
|
||||
domain1 = {...}: {
|
||||
imports = [
|
||||
../default.nix
|
||||
(domainGenerator "domain1.com")
|
||||
];
|
||||
mailserver.forwards = {
|
||||
"non-local@domain1.com" = ["user@domain2.com" "user@domain1.com"];
|
||||
"non@domain1.com" = ["user@domain2.com" "user@domain1.com"];
|
||||
domain1 =
|
||||
{ ... }:
|
||||
{
|
||||
imports = [
|
||||
../default.nix
|
||||
(domainGenerator "domain1.com")
|
||||
];
|
||||
mailserver.forwards = {
|
||||
"non-local@domain1.com" = [
|
||||
"user@domain2.com"
|
||||
"user@domain1.com"
|
||||
];
|
||||
"non@domain1.com" = [
|
||||
"user@domain2.com"
|
||||
"user@domain1.com"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
domain2 = domainGenerator "domain2.com";
|
||||
client = { pkgs, ... }: {
|
||||
environment.systemPackages = [
|
||||
(pkgs.writeScriptBin "mail-check" ''
|
||||
${pkgs.python3}/bin/python ${../scripts/mail-check.py} $@
|
||||
'')];
|
||||
};
|
||||
client =
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
environment.systemPackages = [
|
||||
(pkgs.writeScriptBin "mail-check" ''
|
||||
${pkgs.python3}/bin/python ${../scripts/mail-check.py} $@
|
||||
'')
|
||||
];
|
||||
};
|
||||
};
|
||||
testScript = ''
|
||||
start_all()
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue