40 changed files with 359 additions and 1411 deletions
--- a/.forgejo/workflows/build.yaml
+++ b/.forgejo/workflows/build.yaml
@ -1,17 +0,0 @@
 name: Build
 on:
  push:
    branches:
      - 'master'
 jobs:
  # deploy it upstream
  deploy:
    runs-on: docker
    steps:
      - name: "Deploy to Skynet"
        uses: https://forgejo.skynet.ie/Skynet/actions-deploy-to-skynet@v2
        with:
          input: 'simple-nixos-mailserver'
          token: ${{ secrets.API_TOKEN_FORGEJO }}
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -3,11 +3,11 @@ hydra-pr:
    - merge_requests
  image: nixos/nix
  script:
-    - nix-shell -I nixpkgs=channel:nixos-22.05 -p hydra-cli --run 'hydra-cli -H https://hydra.nix-community.org jobset-wait simple-nixos-mailserver ${CI_MERGE_REQUEST_IID}'
+    - nix run -f channel:nixos-unstable hydra-cli -c hydra-cli -H https://hydra.nix-community.org jobset-wait simple-nixos-mailserver ${CI_MERGE_REQUEST_IID}
 hydra-master:
  only:
    - master
  image: nixos/nix
  script:
-    - nix-shell -I nixpkgs=channel:nixos-22.05 -p hydra-cli --run 'hydra-cli -H https://hydra.nix-community.org jobset-wait simple-nixos-mailserver master'
+    - nix run -f channel:nixos-unstable hydra-cli -c hydra-cli -H https://hydra.nix-community.org jobset-wait simple-nixos-mailserver master
--- a/.hydra/declarative-jobsets.nix
+++ b/.hydra/declarative-jobsets.nix
@ -17,6 +17,35 @@ let
      flake = "gitlab:simple-nixos-mailserver/nixos-mailserver/merge-requests/${info.iid}/head";
    }
  ) prs;
  # This could be removed once branch 20.09 and 21.05 would have been
  # removed.
  mkJobset = branch: {
    description = "Build ${branch} branch of Simple NixOS MailServer";
    checkinterval = "60";
    enabled = "1";
    schedulingshares = 100;
    enableemail = false;
    emailoverride = "";
    nixexprinput = "snm";
    nixexprpath = ".hydra/default.nix";
    type = 0;
    inputs = {
      # This is only used to allow Niv to use pkgs.fetchzip which is
      # required because of Hydra restricted evaluation mode.
      nixpkgs = {
        value = "https://github.com/NixOS/nixpkgs b6eefa48d8e10491e43c0c6155ac12b463f6fed3";
        type = "git";
        emailresponsible = false;
      };
      snm = {
        value = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver ${branch}";
        type = "git";
        emailresponsible = false;
      };
    };
    keepnr = 3;
    hidden = false;
  };
  mkFlakeJobset = branch: {
    description = "Build ${branch} branch of Simple NixOS MailServer";
    checkinterval = "60";
@ -28,12 +57,12 @@ let
    hidden = false;
    type = 1;
    flake = "gitlab:simple-nixos-mailserver/nixos-mailserver/${branch}";
-  };
+  }; 
  desc = prJobsets // {
    "master" = mkFlakeJobset "master";
-    "nixos-23.11" = mkFlakeJobset "nixos-23.11";
+    "nixos-20.09" = mkJobset "nixos-20.09";
-    "nixos-24.05" = mkFlakeJobset "nixos-24.05";
+    "nixos-21.05" = mkJobset "nixos-21.05";
  };
  log = {
--- a/.readthedocs.yaml
+++ b/.readthedocs.yaml
@ -1,29 +0,0 @@
 # Read the Docs configuration file
 # See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
 # Required
 version: 2
 build:
  os: ubuntu-22.04
  tools:
    python: "3"
  apt_packages:
    - nix
    - proot
  jobs:
    pre_install:
      - mkdir -p ~/.nix ~/.config/nix
      - echo "experimental-features = nix-command flakes" > ~/.config/nix/nix.conf
      - proot -b ~/.nix:/nix /bin/sh -c "nix build -L .#optionsDoc && cp -v result docs/options.md"
 sphinx:
   configuration: docs/conf.py
 formats:
  - pdf
  - epub
 python:
   install:
   - requirements: docs/requirements.txt
--- a/README.md
+++ b/README.md
@ -8,21 +8,29 @@
 For each NixOS release, we publish a branch. You then have to use the
 SNM branch corresponding to your NixOS version.
-* For NixOS 24.05
+* For NixOS 21.05
-   - Use the [SNM branch `nixos-24.05`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-24.05)
+   - Use the [SNM branch `nixos-21.05`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-21.05)
-   - [Documentation](https://nixos-mailserver.readthedocs.io/en/nixos-24.05/)
+   - [Documentation](https://nixos-mailserver.readthedocs.io/en/nixos-21.05/)
-   - [Release notes](https://nixos-mailserver.readthedocs.io/en/nixos-24.05/release-notes.html#nixos-24-05)
+   - [Release notes](https://nixos-mailserver.readthedocs.io/en/nixos-21.05/release-notes.html#nixos-21-05)
-* For NixOS 23.11
+* For NixOS 20.09
-   - Use the [SNM branch `nixos-23.11`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-23.11)
+   - Use the [SNM branch `nixos-20.09`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-20.09)
-   - [Documentation](https://nixos-mailserver.readthedocs.io/en/nixos-23.11/)
+   - [Documentation](https://nixos-mailserver.readthedocs.io/en/nixos-20.09/)
-   - [Release notes](https://nixos-mailserver.readthedocs.io/en/nixos-23.11/release-notes.html#nixos-23-11)
+   - [Release notes](https://nixos-mailserver.readthedocs.io/en/nixos-20.09/release-notes.html#nixos-20-09)
 * For NixOS unstable
   - Use the [SNM branch `master`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/master)
   - [Documentation](https://nixos-mailserver.readthedocs.io/en/latest/)
   - This branch is currently supporting the NixOS release 21.05 but
     we could remove this support on any NixOS unstable breaking
     change.
 [Subscribe to SNM Announcement List](https://www.freelists.org/list/snm)
 This is a very low volume list where new releases of SNM are announced, so you
-can stay up to date with bug fixes and updates.
+can stay up to date with bug fixes and updates. All announcements are signed by
 the gpg key with fingerprint
 ```
 D9FE 4119 F082 6F15 93BD  BD36 6162 DBA5 635E A16A
 ```
 ## Features
@ -71,15 +79,71 @@ can stay up to date with bug fixes and updates.
 - Subscribe to the [mailing list](https://www.freelists.org/archive/snm/)
 - Join the Libera Chat IRC channel `#nixos-mailserver`
 ### Quick Start
 ```nix
   { config, pkgs, ... }:
   let release = "nixos-21.05";
   in {
     imports = [
       (builtins.fetchTarball {
         url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz";
         # This hash needs to be updated
         sha256 = "0000000000000000000000000000000000000000000000000000";
       })
     ];
     mailserver = {
       enable = true;
       fqdn = "mail.example.com";
       domains = [ "example.com" "example2.com" ];
       loginAccounts = {
           "user1@example.com" = {
               # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
               hashedPasswordFile = "/hashed/password/file/location";
               aliases = [
                   "info@example.com"
                   "postmaster@example.com"
                   "postmaster@example2.com"
               ];
           };
       };
     };
   }
 ```
 For a complete list of options, see `default.nix`.
 ## How to Set Up a 10/10 Mail Server Guide
 Check out the [Complete Setup Guide](https://nixos-mailserver.readthedocs.io/en/latest/setup-guide.html) in the project's documentation.
-Check out the [Setup Guide](https://nixos-mailserver.readthedocs.io/en/latest/setup-guide.html) in the project's documentation.
+## How to Backup
-For a complete list of options, [see in readthedocs](https://nixos-mailserver.readthedocs.io/en/latest/options.html).
+Checkout the [Complete Backup Guide](https://nixos-mailserver.readthedocs.io/en/latest/backup-guide.html). Backups are easy with `SNM`.
 ## Development
-See the [How to Develop SNM](https://nixos-mailserver.readthedocs.io/en/latest/howto-develop.html) documentation page.
+See the [How to Develop SNM](https://nixos-mailserver.readthedocs.io/en/latest/howto-develop.html) wiki page.
 ## Release notes
 ### nixos-20.03
 - Rspamd is upgraded to 2.0 which deprecates the SQLite Bayes
  backend. We then moved to the Redis backend (the default since
  Rspamd 2.0). If you don't want to relearn the Redis backend from the
  scratch, we could manually run
      rspamadm statconvert --spam-db /var/lib/rspamd/bayes.spam.sqlite --ham-db /var/lib/rspamd/bayes.ham.sqlite -h 127.0.0.1:6379 --symbol-ham BAYES_HAM --symbol-spam BAYES_SPAM
  See the [Rspamd migration
  notes](https://rspamd.com/doc/migration.html#migration-to-rspamd-20)
  and [this SNM Merge
  Request](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/164)
  for details.
 ## Contributors
 See the [contributor tab](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/graphs/master)
@ -94,4 +158,6 @@ See the [contributor tab](https://gitlab.com/simple-nixos-mailserver/nixos-mails
 * Logo made with [Logomakr.com](https://logomakr.com)
-[logo]: docs/logo.png
+
 [logo]: logo/logo.png
--- a/default.nix
+++ b/default.nix
@ -44,17 +44,6 @@ in
      description = "The domains that this mail server serves.";
    };
    certificateDomains = mkOption {
      type = types.listOf types.str;
      example = [ "imap.example.com" "pop3.example.com" ];
      default = [];
      description = ''
        ({option}`mailserver.certificateScheme` == `acme-nginx`)
        Secondary domains and subdomains for which it is necessary to generate a certificate.
      '';
    };
    messageSizeLimit = mkOption {
      type = types.int;
      example = 52428800;
@ -76,14 +65,14 @@ in
            default = null;
            example = "$6$evQJs5CFQyPAW09S$Cn99Y8.QjZ2IBnSu4qf1vBxDRWkaIZWOtmu1Ddsm3.H3CFpeVc0JU4llIq8HQXgeatvYhh5O33eWG3TSpjzu6/";
            description = ''
-              The user's hashed password. Use `mkpasswd` as follows
+              The user's hashed password. Use `htpasswd` as follows
              ```
-              nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+              nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
              ```
              Warning: this is stored in plaintext in the Nix store!
-              Use {option}`mailserver.loginAccounts.<name>.hashedPasswordFile` instead.
+              Use `hashedPasswordFile` instead.
            '';
          };
@ -92,10 +81,10 @@ in
            default = null;
            example = "/run/keys/user1-passwordhash";
            description = ''
-              A file containing the user's hashed password. Use `mkpasswd` as follows
+              A file containing the user's hashed password. Use `htpasswd` as follows
              ```
-              nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+              nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
              ```
            '';
          };
@ -111,15 +100,6 @@ in
            '';
          };
          aliasesRegexp = mkOption {
            type = with types; listOf types.str;
            example = [''/^tom\..*@domain\.com$/''];
            default = [];
            description = ''
              Same as {option}`mailserver.aliases` but using PCRE (Perl compatible regex).
            '';
          };
          catchAll = mkOption {
            type = with types; listOf (enum cfg.domains);
            example = ["example.com" "example2.com"];
@ -169,7 +149,7 @@ in
            description = ''
              Specifies if the account should be a send-only account.
              Emails sent to send-only accounts will be rejected from
-              unauthorized senders with the `sendOnlyRejectMessage`
+              unauthorized senders with the sendOnlyRejectMessage
              stating the reason.
            '';
          };
@ -197,174 +177,23 @@ in
      };
      description = ''
        The login account of the domain. Every account is mapped to a unix user,
-        e.g. `user1@example.com`. To generate the passwords use `mkpasswd` as
+        e.g. `user1@example.com`. To generate the passwords use `htpasswd` as
        follows
        ```
-        nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+        nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
        ```
      '';
      default = {};
    };
    ldap = {
      enable = mkEnableOption "LDAP support";
      uris  = mkOption {
        type = types.listOf types.str;
        example = literalExpression ''
          [
            "ldaps://ldap1.example.com"
            "ldaps://ldap2.example.com"
          ]
        '';
        description = ''
          URIs where your LDAP server can be reached
        '';
      };
      startTls = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to enable StartTLS upon connection to the server.
        '';
      };
      tlsCAFile = mkOption {
        type = types.path;
        default = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
        defaultText = lib.literalMD "see [source](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/blob/master/default.nix)";
        description = ''
          Certifificate trust anchors used to verify the LDAP server certificate.
        '';
      };
      bind = {
        dn = mkOption {
          type = types.str;
          example = "cn=mail,ou=accounts,dc=example,dc=com";
          description = ''
            Distinguished name used by the mail server to do lookups
            against the LDAP servers.
          '';
        };
        passwordFile = mkOption {
          type = types.str;
          example = "/run/my-secret";
          description = ''
            A file containing the password required to authenticate against the LDAP servers.
          '';
        };
      };
      searchBase = mkOption {
        type = types.str;
        example = "ou=people,ou=accounts,dc=example,dc=com";
        description = ''
          Base DN at below which to search for users accounts.
        '';
      };
      searchScope = mkOption {
        type = types.enum [ "sub" "base" "one" ];
        default = "sub";
        description = ''
          Search scope below which users accounts are looked for.
        '';
      };
      dovecot = {
        userAttrs = mkOption {
          type = types.nullOr types.str;
          default = "";
          description = ''
            LDAP attributes to be retrieved during userdb lookups.
            See the users_attrs reference at
            https://doc.dovecot.org/configuration_manual/authentication/ldap_settings_auth/#user-attrs
            in the Dovecot manual.
          '';
        };
        userFilter = mkOption {
          type = types.str;
          default = "mail=%u";
          example = "(&(objectClass=inetOrgPerson)(mail=%u))";
          description = ''
            Filter for user lookups in Dovecot.
            See the user_filter reference at
            https://doc.dovecot.org/configuration_manual/authentication/ldap_settings_auth/#user-filter
            in the Dovecot manual.
          '';
        };
        passAttrs = mkOption {
          type = types.str;
          default = "userPassword=password";
          description = ''
            LDAP attributes to be retrieved during passdb lookups.
            See the pass_attrs reference at
            https://doc.dovecot.org/configuration_manual/authentication/ldap_settings_auth/#pass-attrs
            in the Dovecot manual.
          '';
        };
        passFilter = mkOption {
          type = types.nullOr types.str;
          default = "mail=%u";
          example = "(&(objectClass=inetOrgPerson)(mail=%u))";
          description = ''
            Filter for password lookups in Dovecot.
            See the pass_filter reference for
            https://doc.dovecot.org/configuration_manual/authentication/ldap_settings_auth/#pass-filter
            in the Dovecot manual.
          '';
        };
      };
      postfix = {
        filter = mkOption {
          type = types.str;
          default = "mail=%s";
          example = "(&(objectClass=inetOrgPerson)(mail=%s))";
          description = ''
            LDAP filter used to search for an account by mail, where
            `%s` is a substitute for the address in
            question.
          '';
        };
        uidAttribute = mkOption {
          type = types.str;
          default = "mail";
          example = "uid";
          description = ''
            The LDAP attribute referencing the account name for a user.
          '';
        };
        mailAttribute = mkOption {
          type = types.str;
          default = "mail";
          description = ''
            The LDAP attribute holding mail addresses for a user.
          '';
        };
      };
    };
    indexDir = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        Folder to store search indices. If null, indices are stored
        along with email, which could not necessarily be desirable,
-        especially when {option}`mailserver.fullTextSearch.enable` is `true` since
+        especially when the fullTextSearch option is enable since
        indices it creates are voluminous and do not need to be backed
        up.
@ -376,7 +205,7 @@ in
        https://doc.dovecot.org/configuration_manual/mail_location/#variables
        for details.
      '';
-      example = "/var/lib/dovecot/indices";
+      example = "/var/lib/docecot/indices/%d/%n";
    };
    fullTextSearch = {
@ -406,8 +235,8 @@ in
        default = "no";
        description = ''
          Fail searches when no index is available. If set to
-          `body`, then only body searches (as opposed to
+          <literal>body</literal>, then only body searches (as opposed to
-          header) are affected. If set to `no`, searches may
+          header) are affected. If set to <literal>no<literal>, searches may
          fall back to a very slow brute force search.
        '';
      };
@ -445,7 +274,7 @@ in
        randomizedDelaySec = mkOption {
          type = types.int;
          default = 1000;
-          description = "Run the maintenance job not exactly at the time specified with `onCalendar`, but plus or minus this many seconds.";
+          description = "Run the maintenance job not exactly at the time specified with <literal>onCalendar</literal>, but plus or minus this many seconds.";
        };
      };
    };
@ -464,6 +293,7 @@ in
      type = let
        loginAccount = mkOptionType {
          name = "Login Account";
          check = (account: builtins.elem account (builtins.attrNames cfg.loginAccounts));
        };
      in with types; attrsOf (either loginAccount (nonEmptyListOf loginAccount));
      example = {
@ -496,7 +326,7 @@ in
        the value {`"user@example.com" = "user@elsewhere.com";}`
        means that mails to `user@example.com` are forwarded to
        `user@elsewhere.com`. The difference with the
-        {option}`mailserver.extraVirtualAliases` option is that `user@elsewhere.com`
+        `extraVirtualAliases` option is that `user@elsewhere.com`
        can't send mail as `user@example.com`. Also, this option
        allows to forward mails to external addresses.
      '';
@ -530,7 +360,7 @@ in
      description = ''
        The unix UID of the virtual mail user.  Be mindful that if this is
        changed, you will need to manually adjust the permissions of
-        `mailDirectory`.
+        mailDirectory.
      '';
    };
@ -573,14 +403,6 @@ in
      '';
    };
    useUTF8FolderNames = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Store mailbox names on disk using UTF-8 instead of modified UTF-7 (mUTF-7).
      '';
    };
    hierarchySeparator = mkOption {
      type = types.str;
      default = ".";
@ -619,26 +441,19 @@ in
      };
    };
-    certificateScheme = let
+    certificateScheme = mkOption {
-      schemes = [ "manual" "selfsigned" "acme-nginx" "acme" ];
+      type = types.enum [ 1 2 3 ];
-      translate = i: warn "Setting mailserver.certificateScheme by number is deprecated, please use names instead: 'mailserver.certificateScheme = ${builtins.toString i}' can be replaced by 'mailserver.certificateScheme = \"${(builtins.elemAt schemes (i - 1))}\"'."
+      default = 2;
        (builtins.elemAt schemes (i - 1));
    in mkOption {
      type = with types; coercedTo (enum [ 1 2 3 ]) translate (enum schemes);
      default = "selfsigned";
      description = ''
-        The scheme to use for managing TLS certificates:
+        Certificate Files. There are three options for these.
-        1. `manual`: you specify locations via {option}`mailserver.certificateFile` and
+        1) You specify locations and manually copy certificates there.
-           {option}`mailserver.keyFile` and manually copy certificates there.
+        2) You let the server create new (self signed) certificates on the fly.
-        2. `selfsigned`: you let the server create new (self-signed) certificates on the fly.
+        3) You let the server create a certificate via `Let's Encrypt`. Note that
-        3. `acme-nginx`: you let the server request certificates from [Let's Encrypt](https://letsencrypt.org)
+           this implies that a stripped down webserver has to be started. This also
-           via NixOS' ACME module. By default, this will set up a stripped-down Nginx server for
+           implies that the FQDN must be set as an `A` record to point to the IP of
-           {option}`mailserver.fqdn` and open port 80. For this to work, the FQDN must be properly
+           the server. In particular port 80 on the server will be opened. For details
-           configured to point to your server (see the [setup guide](setup-guide.rst) for more information).
+           on how to set up the domain records, see the guide in the readme.
        4. `acme`: you already have an ACME certificate set up (for example, you're already running a TLS-enabled
           Nginx server on the FQDN). This is better than `manual` because the appropriate services will be reloaded
           when the certificate is renewed.
      '';
    };
@ -646,9 +461,8 @@ in
      type = types.path;
      example = "/root/mail-server.crt";
      description = ''
-        ({option}`mailserver.certificateScheme` == `manual`)
+        Scheme 1)
-
+        Location of the certificate
        Location of the certificate.
      '';
    };
@ -656,9 +470,8 @@ in
      type = types.path;
      example = "/root/mail-server.key";
      description = ''
-        ({option}`mailserver.certificateScheme` == `manual`)
+        Scheme 1)
-
+        Location of the key file
        Location of the key file.
      '';
    };
@ -666,27 +479,13 @@ in
      type = types.path;
      default = "/var/certs";
      description = ''
-        ({option}`mailserver.certificateScheme` == `selfsigned`)
+        Scheme 2)
-
+        This is the folder where the certificate will be created. The name is
-        This is the folder where the self-signed certificate will be created. The name is
+        hardcoded to "cert-<domain>.pem" and "key-<domain>.pem" and the
        hardcoded to "cert-DOMAIN.pem" and "key-DOMAIN.pem" and the
        certificate is valid for 10 years.
      '';
    };
    acmeCertificateName = mkOption {
      type = types.str;
      default = cfg.fqdn;
      example = "example.com";
      description = ''
          ({option}`mailserver.certificateScheme` == `acme`)
        When the `acme` `certificateScheme` is selected, you can use this option
        to override the default certificate name. This is useful if you've
        generated a wildcard certificate, for example.
      '';
    };
    enableImap = mkOption {
      type = types.bool;
      default = true;
@ -776,7 +575,7 @@ in
      type = types.str;
      default = "mail";
      description = ''
-        The DKIM selector.
+
      '';
    };
@ -784,7 +583,7 @@ in
      type = types.path;
      default = "/var/dkim";
      description = ''
-        The DKIM directory.
+
      '';
    };
@ -795,93 +594,12 @@ in
            How many bits in generated DKIM keys. RFC6376 advises minimum 1024-bit keys.
            If you have already deployed a key with a different number of bits than specified
-            here, then you should use a different selector ({option}`mailserver.dkimSelector`). In order to get
+            here, then you should use a different selector (dkimSelector). In order to get
            this package to generate a key with the new number of bits, you will either have to
            change the selector or delete the old key file.
        '';
    };
    dkimHeaderCanonicalization = mkOption {
        type = types.enum ["relaxed" "simple"];
        default = "relaxed";
        description = ''
          DKIM canonicalization algorithm for message headers.
          See https://datatracker.ietf.org/doc/html/rfc6376/#section-3.4 for details.
        '';
    };
    dkimBodyCanonicalization = mkOption {
        type = types.enum ["relaxed" "simple"];
        default = "relaxed";
        description = ''
          DKIM canonicalization algorithm for message bodies.
          See https://datatracker.ietf.org/doc/html/rfc6376/#section-3.4 for details.
        '';
    };
    dmarcReporting = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to send out aggregated, daily DMARC reports in response to incoming
          mail, when the sender domain defines a DMARC policy including the RUA tag.
          This is helpful for the mail ecosystem, because it allows third parties to
          get notified about SPF/DKIM violations originating from their sender domains.
          See https://rspamd.com/doc/modules/dmarc.html#reporting
        '';
      };
      localpart = mkOption {
        type = types.str;
        default = "dmarc-noreply";
        example = "dmarc-report";
        description = ''
          The local part of the email address used for outgoing DMARC reports.
        '';
      };
      domain = mkOption {
        type = types.enum (cfg.domains);
        example = "example.com";
        description = ''
          The domain from which outgoing DMARC reports are served.
        '';
      };
      email = mkOption {
        type = types.str;
        default = with cfg.dmarcReporting; "${localpart}@${domain}";
        defaultText = literalExpression ''"''${localpart}@''${domain}"'';
        readOnly = true;
        description = ''
          The email address used for outgoing DMARC reports. Read-only.
        '';
      };
      organizationName = mkOption {
        type = types.str;
        example = "ACME Corp.";
        description = ''
          The name of your organization used in the `org_name` attribute in
          DMARC reports.
        '';
      };
      fromName = mkOption {
        type = types.str;
        default = cfg.dmarcReporting.organizationName;
        defaultText = literalMD "{option}`mailserver.dmarcReporting.organizationName`";
        description = ''
          The sender name for DMARC reports. Defaults to the organization name.
        '';
      };
    };
    debug = mkOption {
      type = types.bool;
      default = false;
@ -923,7 +641,7 @@ in
        type = types.str;
        # read the default from nixos' redis module
        default = let
-          cf = config.services.redis.servers.rspamd.bind;
+          cf = config.services.redis.bind;
          cfdefault = if cf == null then "127.0.0.1" else cf;
          ips = lib.strings.splitString " " cfdefault;
          ip = lib.lists.head (ips ++ [ "127.0.0.1" ]);
@ -932,27 +650,28 @@ in
        if (ip == "0.0.0.0" || ip == "::")
        then "127.0.0.1"
        else if isIpv6 ip then "[${ip}]" else ip;
        defaultText = lib.literalMD "computed from `config.services.redis.servers.rspamd.bind`";
        description = ''
-          Address that rspamd should use to contact redis.
+          Address that rspamd should use to contact redis. The default value
          is read from <literal>config.services.redis.bind</literal>.
        '';
      };
      port = mkOption {
        type = types.port;
-        default = config.services.redis.servers.rspamd.port;
+        default = config.services.redis.port;
        defaultText = lib.literalExpression "config.services.redis.servers.rspamd.port";
        description = ''
-          Port that rspamd should use to contact redis.
+          Port that rspamd should use to contact redis. The default value is
          read from <literal>config.services.redis.port<literal>.
        '';
      };
      password = mkOption {
        type = types.nullOr types.str;
-        default = config.services.redis.servers.rspamd.requirePass;
+        default = config.services.redis.requirePass;
        defaultText = lib.literalExpression "config.services.redis.servers.rspamd.requirePass";
        description = ''
-          Password that rspamd should use to contact redis, or null if not required.
+          Password that rspamd should use to contact redis, or null if not
          required. The default value is read from
          <literal>config.services.redis.requirePass<literal>.
        '';
      };
    };
@ -967,25 +686,10 @@ in
      '';
    };
    smtpdForbidBareNewline = mkOption {
      type = types.bool;
      default = true;
      description = ''
        With "smtpd_forbid_bare_newline = yes", the Postfix SMTP server
        disconnects a remote SMTP client that sends a line ending in a 'bare
        newline'.
        This feature was added in Postfix 3.8.4 against SMTP Smuggling and will
        default to "yes" in Postfix 3.9.
        https://www.postfix.org/smtp-smuggling.html
      '';
    };
    sendingFqdn = mkOption {
      type = types.str;
      default = cfg.fqdn;
-      defaultText = lib.literalMD "{option}`mailserver.fqdn`";
+      defaultText = "config.mailserver.fqdn";
      example = "myserver.example.com";
      description = ''
        The fully qualified domain name of the mail server used to
@ -1001,7 +705,7 @@ in
        This setting allows the server to identify as
        myserver.example.com when forwarding mail, independently of
-        {option}`mailserver.fqdn` (which, for SSL reasons, should generally be the name
+        `fqdn` (which, for SSL reasons, should generally be the name
        to which the user connects).
        Set this to the name to which the sending IP's reverse DNS
@ -1069,11 +773,10 @@ in
                stop program = "${pkgs.systemd}/bin/systemctl stop dovecot2"
                if failed host ${cfg.fqdn} port 993 type tcpssl sslauto protocol imap for 5 cycles then restart
-          check process rspamd with matching "rspamd: main process"
+          check process rspamd with pidfile /var/run/rspamd.pid
                start program = "${pkgs.systemd}/bin/systemctl start rspamd"
                stop program = "${pkgs.systemd}/bin/systemctl stop rspamd"
        '';
        defaultText = lib.literalMD "see [source](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/blob/master/default.nix)";
        description = ''
          The configuration used for monitoring via monit.
          Use a mail address that you actively check and set it via 'set alert ...'.
@ -1090,8 +793,7 @@ in
        description = ''
          The location where borg saves the backups.
          This can be a local path or a remote location such as user@host:/path/to/repo.
-          It is exported and thus available as an environment variable to
+          It is exported and thus available as an environment variable to cmdPreexec and cmdPostexec.
          {option}`mailserver.borgbackup.cmdPreexec` and {option}`mailserver.borgbackup.cmdPostexec`.
        '';
      };
@ -1151,14 +853,13 @@ in
          default = "none";
          description = ''
            The backup can be encrypted by choosing any other value than 'none'.
-            When using encryption the password/passphrase must be provided in `passphraseFile`.
+            When using encryption the password / passphrase must be provided in passphraseFile.
          '';
        };
        passphraseFile = mkOption {
          type = types.nullOr types.path;
          default = null;
          description = "Path to a file containing the encryption password or passphrase.";
        };
      };
@ -1174,7 +875,6 @@ in
      locations = mkOption {
        type = types.listOf types.path;
        default = [cfg.mailDirectory];
        defaultText = lib.literalExpression "[ config.mailserver.mailDirectory ]";
        description = "The locations that are to be backed up by borg.";
      };
@ -1195,10 +895,9 @@ in
        default = null;
        description = ''
          The command to be executed before each backup operation.
-          This is called prior to borg init in the same script that runs borg init and create and `cmdPostexec`.
+          This is called prior to borg init in the same script that runs borg init and create and cmdPostexec.
-        '';
+          Example:
-        example = ''
+            export BORG_RSH="ssh -i /path/to/private/key"
          export BORG_RSH="ssh -i /path/to/private/key"
        '';
      };
@ -1208,7 +907,7 @@ in
        description = ''
          The command to be executed after each backup operation.
          This is called after borg create completed successfully and in the same script that runs
-          `cmdPreexec`, borg init and create.
+          cmdPreexec, borg init and create.
        '';
      };
@ -1221,7 +920,7 @@ in
        example = true;
        description = ''
          Whether to enable automatic reboot after kernel upgrades.
-          This is to be used in conjunction with `system.autoUpgrade.enable = true;`
+          This is to be used in conjunction with system.autoUpgrade.enable = true"
        '';
      };
      method = mkOption {
@ -1296,7 +995,6 @@ in
  };
  imports = [
    ./mail-server/assertions.nix
    ./mail-server/borgbackup.nix
    ./mail-server/debug.nix
    ./mail-server/rsnapshot.nix
--- a/docs/add-radicale.rst
+++ b/docs/add-radicale.rst
@ -4,8 +4,8 @@ Add Radicale
 Configuration by @dotlambda
 Starting with Radicale 3 (first introduced in NixOS 20.09) the traditional
-crypt passwords are no longer supported.  Instead bcrypt passwords
+crypt passwords, as generated by `mkpasswd`, are no longer supported.  Instead
-have to be used. These can still be generated using `mkpasswd -m bcrypt`.
+bcrypt passwords have to be used which can be generated using `htpasswd`.
 .. code:: nix
@ -24,13 +24,12 @@ have to be used. These can still be generated using `mkpasswd -m bcrypt`.
   in {
     services.radicale = {
       enable = true;
-       settings = {
+       config = ''
-         auth = {
+         [auth]
-           type = "htpasswd";
+         type = htpasswd
-           htpasswd_filename = "${htpasswd}";
+         htpasswd_filename = ${htpasswd}
-           htpasswd_encryption = "bcrypt";
+         htpasswd_encryption = bcrypt
-         };
+       '';
       };
     };
     services.nginx = {
--- a/docs/add-roundcube.rst
+++ b/docs/add-roundcube.rst
@ -1,32 +0,0 @@
 Add Roundcube, a webmail
 ========================
 The NixOS module for roundcube nearly works out of the box with SNM. By
 default, it sets up a nginx virtual host to serve the webmail, other web
 servers may require more work.
 .. code:: nix
   { config, pkgs, lib, ... }:
   with lib;
   {
     services.roundcube = {
        enable = true;
        # this is the url of the vhost, not necessarily the same as the fqdn of
        # the mailserver
        hostName = "webmail.example.com";
        extraConfig = ''
          # starttls needed for authentication, so the fqdn required to match
          # the certificate
          $config['smtp_host'] = "tls://${config.mailserver.fqdn}";
          $config['smtp_user'] = "%u";
          $config['smtp_pass'] = "%p";
        '';
     };
     services.nginx.enable = true;
     networking.firewall.allowedTCPPorts = [ 80 443 ];
   }
--- a/docs/autodiscovery.rst
+++ b/docs/autodiscovery.rst
@ -1,18 +0,0 @@
 Autodiscovery
 =============
 `RFC6186 <https://www.rfc-editor.org/rfc/rfc6186>`_ allows supporting email clients to automatically discover SMTP / IMAP addresses
 of the mailserver. For that, the following records are required:
 ================= ==== ==== ======== ====== ==== =================
 Record            TTL  Type Priority Weight Port Value
 ================= ==== ==== ======== ====== ==== =================
 _submission._tcp  3600 SRV  5        0      587  mail.example.com.
 _submissions._tcp 3600 SRV  5        0      465  mail.example.com.
 _imap._tcp        3600 SRV  5        0      143  mail.example.com.
 _imaps._tcp       3600 SRV  5        0      993  mail.example.com.
 ================= ==== ==== ======== ====== ==== =================
 Please note that only a few MUAs currently implement this. For vendor-specific
 discovery mechanisms `automx <https://github.com/rseichter/automx2>`_ can be used instead.
--- a/docs/conf.py
+++ b/docs/conf.py
@ -18,7 +18,7 @@
 # -- Project information -----------------------------------------------------
 project = 'NixOS Mailserver'
-copyright = '2022, NixOS Mailserver Contributors'
+copyright = '2020, NixOS Mailserver Contributors'
 author = 'NixOS Mailserver Contributors'
@ -28,16 +28,8 @@ author = 'NixOS Mailserver Contributors'
 # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
 # ones.
 extensions = [
    'myst_parser'
 ]
 myst_enable_extensions = [
    'colon_fence',
    'linkify',
 ]
 smartquotes = False
 # Add any paths that contain templates here, relative to this directory.
 templates_path = ['_templates']
@ -58,4 +50,4 @@ html_theme = 'sphinx_rtd_theme'
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
 # so a file named "default.css" will overwrite the builtin "default.css".
-html_static_path = []
+html_static_path = ['_static']
--- a/docs/fts.rst
+++ b/docs/fts.rst
@ -42,7 +42,7 @@ Indices created by the full text search feature can take more disk
 space than the emails themselves. By default, they are kept in the
 emails location. When enabling the full text search feature, it is
 recommended to move indices in a different location, such as
-(``/var/lib/dovecot/indices``) by using the option
+(``/var/lib/docecot/indices/%d/%n``) by using the option
 ``mailserver.indexDir``.
 .. warning::
--- a/docs/howto-develop.rst
+++ b/docs/howto-develop.rst
@ -10,7 +10,7 @@ Run NixOS tests
 ---------------
 To run the test suite, you need to enable `Nix Flakes
-<https://nixos.wiki/wiki/Flakes#Installing_flakes>`_.
+<https://nixos.wiki/wiki/Flakes#Installing_flakes>`.
 You can then run the testsuite via
@ -30,20 +30,21 @@ run tests manually. For instance:
 Contributing to the documentation
 ---------------------------------
-The documentation is written in RST (except option documentation which is in CommonMark),
+The documentation is written in RST, build with Sphinx and published
-built with Sphinx and published by `Read the Docs <https://readthedocs.org/>`_.
+by `Read the Docs <https://readthedocs.org/>`_.
-For the syntax, see the `RST/Sphinx primer
+For the syntax, see `RST/Sphinx Cheatsheet
-<https://www.sphinx-doc.org/en/master/usage/restructuredtext/basics.html>`_.
+<https://sphinx-tutorial.readthedocs.io/cheatsheet/>`_.
 To build the documentation, you need to enable `Nix Flakes
 <https://nixos.wiki/wiki/Flakes#Installing_flakes>`_.
 The ``shell.nix`` provides all the tooling required to build the
 documentation:
 ::
-   $ nix build .#documentation
+   $ nix-shell
-   $ xdg-open result/index.html
+   $ cd docs
   $ make html
   $ firefox ./_build/html/index.html
 Nixops
 ------
--- a/docs/index.rst
+++ b/docs/index.rst
@ -6,7 +6,7 @@
 Welcome to NixOS Mailserver's documentation!
 ============================================
-.. image:: logo.png
+.. image:: ../logo/logo.png
   :width: 400
   :alt: SNM Logo
@ -17,7 +17,6 @@ Welcome to NixOS Mailserver's documentation!
   howto-develop
   faq
   release-notes
   options
 .. toctree::
   :maxdepth: 1
@ -25,12 +24,9 @@ Welcome to NixOS Mailserver's documentation!
   backup-guide
   add-radicale
   add-roundcube
   rspamd-tuning
   fts
   flakes
   autodiscovery
   ldap
 Indices and tables
 ==================
--- a/docs/ldap.rst
+++ b/docs/ldap.rst
@ -1,14 +0,0 @@
 LDAP Support
 ============
 It is possible to manage mail user accounts with LDAP rather than with
 the option `loginAccounts <options.html#mailserver-loginaccounts>`_.
 All related LDAP options are described in the `LDAP options section
 <options.html#mailserver-ldap>`_ and the `LDAP test
 <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/blob/master/tests/ldap.nix>`_
 provides a getting started example.
 .. note::
   The LDAP support can not be enabled if some accounts are also defined with ``mailserver.loginAccounts``.
--- a/docs/release-notes.rst
+++ b/docs/release-notes.rst
@ -1,51 +1,6 @@
 Release Notes
 =============
 NixOS 24.05
 -----------
 - Add new option ``acmeCertificateName`` which can be used to support
  wildcard certificates
 NixOS 23.11
 -----------
 - Add basic support for LDAP users
 - Add support for regex (PCRE) aliases
 NixOS 23.05
 -----------
 - Existing ACME certificates can be reused without configuring NGINX
 - Certificate scheme is no longer a number, but a meaningful string instead
 NixOS 22.11
 -----------
 - Allow Rspamd to send DMARC reporting
  (`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/244>`__)
 NixOS 22.05
 -----------
 - Make NixOS Mailserver options discoverable from search.nixos.org
 - Add a roundcube setup guide in the documentation
 NixOS 21.11
 -----------
 - Switch default DKIM body policy from simple to relaxed
  (`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/247>`__)
 - Ensure locally-delivered mails have the X-Original-To header
  (`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/243>`__)
 - NixOS Mailserver options are detailed in the `documentation
  <https://nixos-mailserver.readthedocs.io/en/latest/options.html>`__
 - New options ``dkimBodyCanonicalization`` and
  ``dkimHeaderCanonicalization``
 - New option ``certificateDomains`` to generate certificate for
  additional domains (such as ``imap.example.com``)
 NixOS 21.05
 -----------
--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@ -1,4 +0,0 @@
 sphinx ~= 5.3
 sphinx_rtd_theme ~= 1.1
 myst-parser ~= 0.18
 linkify-it-py ~= 2.0
--- a/docs/setup-guide.rst
+++ b/docs/setup-guide.rst
@ -48,19 +48,18 @@ Setup the server
 ~~~~~~~~~~~~~~~~
 The following describes a server setup that is fairly complete. Even
-though there are more possible options (see the `NixOS Mailserver
+though there are more possible options (see the ``default.nix`` file),
-options documentation <options.html>`_), these should be the most
+these should be the most common ones.
 common ones.
 .. code:: nix
-   { config, pkgs, ... }: {
+   { config, pkgs, ... }:
   {
     imports = [
       (builtins.fetchTarball {
-         # Pick a release version you are interested in and set its hash, e.g.
+         # Pick a commit from the branch you are interested in
-         url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-23.05/nixos-mailserver-nixos-23.05.tar.gz";
+         url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/A-COMMIT-ID/nixos-mailserver-A-COMMIT-ID.tar.gz";
-         # To get the sha256 of the nixos-mailserver tarball, we can use the nix-prefetch-url command:
+         # And set its hash
         # release="nixos-23.05"; nix-prefetch-url "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz" --unpack
         sha256 = "0000000000000000000000000000000000000000000000000000";
       })
     ];
@ -71,21 +70,19 @@ common ones.
       domains = [ "example.com" ];
       # A list of all login accounts. To create the password hashes, use
-       # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+       # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
       loginAccounts = {
-         "user1@example.com" = {
+           "user1@example.com" = {
-           hashedPasswordFile = "/a/file/containing/a/hashed/password";
+               hashedPasswordFile = "/a/file/containing/a/hashed/password";
-           aliases = ["postmaster@example.com"];
+               aliases = ["postmaster@example.com"];
-         };
+           };
-         "user2@example.com" = { ... };
+           "user2@example.com" = { ... };
       };
       # Use Let's Encrypt certificates. Note that this needs to set up a stripped
       # down nginx and opens port 80.
-       certificateScheme = "acme-nginx";
+       certificateScheme = 3;
     };
     security.acme.acceptTerms = true;
     security.acme.defaults.email = "security@example.com";
   }
 After a ``nixos-rebuild switch`` your server should be running all
@ -99,14 +96,7 @@ Set rDNS (reverse DNS) entry for server
 Wherever you have rented your server, you should be able to set reverse
 DNS entries for the IP’s you own. Add an entry resolving ``1.2.3.4``
-to ``mail.example.com``.
+to ``mail.example.com``
 .. warning::
   We don't recommend setting up a mail server if you are not able to
   set a reverse DNS on your public IP because sent emails would be
   mostly marked as spam. Note that many residential ISP providers
   don't allow you to set a reverse DNS entry.
 You can check this with
--- a/flake.lock
+++ b/flake.lock
@ -16,29 +16,13 @@
        "type": "gitlab"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1717602782,
+        "lastModified": 1626852498,
-        "narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=",
+        "narHash": "sha256-lOXUJvi0FJUXHTVSiC5qsMRtEUgqM4mGZpMESLuGhmo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "e8057b67ebf307f01bdcc8fba94d94f75039d1f6",
+        "rev": "16105403bdd843540cbef9c63fc0f16c1c6eaa70",
        "type": "github"
      },
      "original": {
@ -47,27 +31,42 @@
        "type": "indirect"
      }
    },
-    "nixpkgs-24_05": {
+    "nixpkgs-21_05": {
      "locked": {
-        "lastModified": 1717144377,
+        "lastModified": 1625692408,
-        "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
+        "narHash": "sha256-e9L3TLLDVIJpMnHtiNHJE62oOh6emRtSZ244bgYJUZs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "805a384895c696f802a9bf5bf4720f37385df547",
+        "rev": "c06613c25df3fe1dd26243847a3c105cf6770627",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
-        "ref": "nixos-24.05",
+        "ref": "nixos-21.05",
        "type": "indirect"
      }
    },
    "root": {
      "inputs": {
        "blobs": "blobs",
        "flake-compat": "flake-compat",
        "nixpkgs": "nixpkgs",
-        "nixpkgs-24_05": "nixpkgs-24_05"
+        "nixpkgs-21_05": "nixpkgs-21_05",
        "utils": "utils"
      }
    },
    "utils": {
      "locked": {
        "lastModified": 1605370193,
        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "5021eac20303a61fafe17224c087f5519baed54d",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    }
  },
--- a/flake.nix
+++ b/flake.nix
@ -2,30 +2,27 @@
  description = "A complete and Simple Nixos Mailserver";
  inputs = {
-    flake-compat = {
+    utils.url = "github:numtide/flake-utils";
      url = "github:edolstra/flake-compat";
      flake = false;
    };
    nixpkgs.url = "flake:nixpkgs/nixos-unstable";
-    nixpkgs-24_05.url = "flake:nixpkgs/nixos-24.05";
+    nixpkgs-21_05.url = "flake:nixpkgs/nixos-21.05";
    blobs = {
      url = "gitlab:simple-nixos-mailserver/blobs";
      flake = false;
    };
  };
-  outputs = { self, blobs, nixpkgs, nixpkgs-24_05, ... }: let
+  outputs = { self, utils, blobs, nixpkgs, nixpkgs-21_05 }: let
    lib = nixpkgs.lib;
    system = "x86_64-linux";
    pkgs = nixpkgs.legacyPackages.${system};
    # We want to test nixos-mailserver on several nixos releases
    releases = [
      {
        name = "unstable";
        pkgs = nixpkgs.legacyPackages.${system};
      }
      {
-        name = "24.05";
+        name = "21_05";
-        pkgs = nixpkgs-24_05.legacyPackages.${system};
+        pkgs = nixpkgs-21_05.legacyPackages.${system};
      }
    ];
    testNames = [
@ -33,10 +30,9 @@
      "external"
      "clamav"
      "multiple"
      "ldap"
    ];
    genTest = testName: release: {
-      "name"= "${testName}-${builtins.replaceStrings ["."] ["_"] release.name}";
+      "name"= "${testName}-${release.name}";
      "value"= import (./tests/. + "/${testName}.nix") {
        pkgs = release.pkgs;
        inherit blobs;
@ -48,80 +44,23 @@
    #   external-21_05 = <derivation>;
    #   ...
    # }
-    allTests = lib.listToAttrs (
+    allTests = pkgs.lib.listToAttrs (
-      lib.flatten (map (t: map (r: genTest t r) releases) testNames));
+      pkgs.lib.flatten (map (t: map (r: genTest t r) releases) testNames));
    mailserverModule = import ./.;
    # Generate a MarkDown file describing the options of the NixOS mailserver module
    optionsDoc = let
      eval = lib.evalModules {
        modules = [
          mailserverModule
          {
            _module.check = false;
            mailserver = {
              fqdn = "mx.example.com";
              domains = [
                "example.com"
              ];
              dmarcReporting = {
                organizationName = "Example Corp";
                domain = "example.com";
              };
            };
          }
        ];
      };
      options = builtins.toFile "options.json" (builtins.toJSON
        (lib.filter (opt: opt.visible && !opt.internal && lib.head opt.loc == "mailserver")
          (lib.optionAttrSetToDocList eval.options)));
    in pkgs.runCommand "options.md" { buildInputs = [pkgs.python3Minimal]; } ''
      echo "Generating options.md from ${options}"
      python ${./scripts/generate-options.py} ${options} > $out
    '';
    documentation = pkgs.stdenv.mkDerivation {
      name = "documentation";
      src = lib.sourceByRegex ./docs ["logo\\.png" "conf\\.py" "Makefile" ".*\\.rst"];
      buildInputs = [(
        pkgs.python3.withPackages (p: with p; [
          sphinx
          sphinx_rtd_theme
          myst-parser
          linkify-it-py
        ])
      )];
      buildPhase = ''
        cp ${optionsDoc} options.md
        # Workaround for https://github.com/sphinx-doc/sphinx/issues/3451
        unset SOURCE_DATE_EPOCH
        make html
      '';
      installPhase = ''
        cp -Tr _build/html $out
      '';
    };
  in {
-    nixosModules = rec {
+    nixosModules.mailserver = import ./.;
-      mailserver = mailserverModule;
+    nixosModule = self.nixosModules.mailserver;
-      default = mailserver;
+    hydraJobs.${system} = allTests;
    };
    nixosModule = self.nixosModules.default; # compatibility
    hydraJobs.${system} = allTests // {
      inherit documentation;
    };
    checks.${system} = allTests;
-    packages.${system} = {
+    devShell.${system} = pkgs.mkShell {
-      inherit optionsDoc documentation;
+      buildInputs = with pkgs; [
-    };
+        (python3.withPackages (p: with p; [
-    devShells.${system}.default = pkgs.mkShell {
+          sphinx
-      inputsFrom = [ documentation ];
+          sphinx_rtd_theme
-      packages = with pkgs; [
+        ]))
        jq
        clamav
      ];
    };
    devShell.${system} = self.devShells.${system}.default; # compatibility
  };
 }
--- a/logo/logo.png
+++ b/logo/logo.png
--- a/mail-server/assertions.nix
+++ b/mail-server/assertions.nix
@ -1,18 +0,0 @@
 { config, lib, pkgs, ... }:
 {
  assertions = lib.optionals config.mailserver.ldap.enable [
    {
      assertion = config.mailserver.loginAccounts == {};
      message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.loginAccounts";
    }
    {
      assertion = config.mailserver.forwards == {};
      message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.forwards";
    }
  ] ++ lib.optionals (config.mailserver.enable && config.mailserver.certificateScheme != "acme") [
    {
      assertion = config.mailserver.acmeCertificateName == config.mailserver.fqdn;
      message = "When the certificate scheme is not 'acme' (mailserver.certificateScheme != \"acme\"), it is not possible to define mailserver.acmeCertificateName";
    }
  ];
 }
--- a/mail-server/common.nix
+++ b/mail-server/common.nix
@ -21,22 +21,22 @@ let
 in
 {
  # cert :: PATH
-  certificatePath = if cfg.certificateScheme == "manual"
+  certificatePath = if cfg.certificateScheme == 1
             then cfg.certificateFile
-             else if cfg.certificateScheme == "selfsigned"
+             else if cfg.certificateScheme == 2
                  then "${cfg.certificateDirectory}/cert-${cfg.fqdn}.pem"
-                  else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
+                  else if cfg.certificateScheme == 3
-                       then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/fullchain.pem"
+                       then "${config.security.acme.certs.${cfg.fqdn}.directory}/fullchain.pem"
-                       else throw "unknown certificate scheme";
+                       else throw "Error: Certificate Scheme must be in { 1, 2, 3 }";
  # key :: PATH
-  keyPath = if cfg.certificateScheme == "manual"
+  keyPath = if cfg.certificateScheme == 1
        then cfg.keyFile
-        else if cfg.certificateScheme == "selfsigned"
+        else if cfg.certificateScheme == 2
             then "${cfg.certificateDirectory}/key-${cfg.fqdn}.pem"
-              else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
+              else if cfg.certificateScheme == 3
-                   then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/key.pem"
+                   then "${config.security.acme.certs.${cfg.fqdn}.directory}/key.pem"
-                   else throw "unknown certificate scheme";
+                   else throw "Error: Certificate Scheme must be in { 1, 2, 3 }";
  passwordFiles = let
    mkHashFile = name: hash: pkgs.writeText "${builtins.hashString "sha256" name}-password-hash" hash;
@ -45,26 +45,4 @@ in
    if value.hashedPasswordFile == null then
      builtins.toString (mkHashFile name value.hashedPassword)
    else value.hashedPasswordFile) cfg.loginAccounts;
  # Appends the LDAP bind password to files to avoid writing this
  # password into the Nix store.
  appendLdapBindPwd = {
    name, file, prefix, suffix ? "", passwordFile, destination
  }: pkgs.writeScript "append-ldap-bind-pwd-in-${name}" ''
    #!${pkgs.stdenv.shell}
    set -euo pipefail
    baseDir=$(dirname ${destination})
    if (! test -d "$baseDir"); then
      mkdir -p $baseDir
      chmod 755 $baseDir
    fi
    cat ${file} > ${destination}
    echo -n '${prefix}' >> ${destination}
    cat ${passwordFile} >> ${destination}
    echo -n '${suffix}' >> ${destination}
    chmod 600 ${destination}
  '';
 }
--- a/mail-server/dovecot.nix
+++ b/mail-server/dovecot.nix
@ -23,17 +23,14 @@ let
  passwdDir = "/run/dovecot2";
  passwdFile = "${passwdDir}/passwd";
-  userdbFile = "${passwdDir}/userdb";
+
  # This file contains the ldap bind password
  ldapConfFile = "${passwdDir}/dovecot-ldap.conf.ext";
  bool2int = x: if x then "1" else "0";
  maildirLayoutAppendix = lib.optionalString cfg.useFsLayout ":LAYOUT=fs";
  maildirUTF8FolderNames = lib.optionalString cfg.useUTF8FolderNames ":UTF-8";
  # maildir in format "/${domain}/${user}"
  dovecotMaildir =
-    "maildir:${cfg.mailDirectory}/%d/%n${maildirLayoutAppendix}${maildirUTF8FolderNames}"
+    "maildir:${cfg.mailDirectory}/%d/%n${maildirLayoutAppendix}"
    + (lib.optionalString (cfg.indexDir != null)
       ":INDEX=${cfg.indexDir}/%d/%n"
      );
@ -60,42 +57,6 @@ let
    '';
  };
  ldapConfig = pkgs.writeTextFile {
    name = "dovecot-ldap.conf.ext.template";
    text = ''
      ldap_version = 3
      uris = ${lib.concatStringsSep " " cfg.ldap.uris}
      ${lib.optionalString cfg.ldap.startTls ''
      tls = yes
      ''}
      tls_require_cert = hard
      tls_ca_cert_file = ${cfg.ldap.tlsCAFile}
      dn = ${cfg.ldap.bind.dn}
      sasl_bind = no
      auth_bind = yes
      base = ${cfg.ldap.searchBase}
      scope = ${mkLdapSearchScope cfg.ldap.searchScope}
      ${lib.optionalString (cfg.ldap.dovecot.userAttrs != null) ''
      user_attrs = ${cfg.ldap.dovecot.userAttrs}
      ''}
      user_filter = ${cfg.ldap.dovecot.userFilter}
      ${lib.optionalString (cfg.ldap.dovecot.passAttrs != "") ''
      pass_attrs = ${cfg.ldap.dovecot.passAttrs}
      ''}
      pass_filter = ${cfg.ldap.dovecot.passFilter}
    '';
  };
  setPwdInLdapConfFile = appendLdapBindPwd {
    name = "ldap-conf-file";
    file = ldapConfig;
    prefix = ''dnpass = "'';
    suffix = ''"'';
    passwordFile = cfg.ldap.bind.passwordFile;
    destination = ldapConfFile;
  };
  genPasswdScript = pkgs.writeScript "generate-password-file" ''
    #!${pkgs.stdenv.shell}
@ -106,9 +67,6 @@ let
      chmod 755 "${passwdDir}"
    fi
    # Prevent world-readable password files, even temporarily.
    umask 077
    for f in ${builtins.toString (lib.mapAttrsToList (name: value: passwordFiles."${name}") cfg.loginAccounts)}; do
      if [ ! -f "$f" ]; then
        echo "Expected password hash file $f does not exist!"
@ -118,48 +76,18 @@ let
    cat <<EOF > ${passwdFile}
    ${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value:
-      "${name}:${"$(head -n 1 ${passwordFiles."${name}"})"}::::::"
+      "${name}:${"$(head -n 1 ${passwordFiles."${name}"})"}:${builtins.toString cfg.vmailUID}:${builtins.toString cfg.vmailUID}::${cfg.mailDirectory}:/run/current-system/sw/bin/nologin:"
    ) cfg.loginAccounts)}
    EOF
    cat <<EOF > ${userdbFile}
    ${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value:
      "${name}:::::::"
        + (if lib.isString value.quota
              then "userdb_quota_rule=*:storage=${value.quota}"
              else "")
    ) cfg.loginAccounts)}
    EOF
    chmod 600 ${passwdFile}
  '';
  junkMailboxes = builtins.attrNames (lib.filterAttrs (n: v: v ? "specialUse" && v.specialUse == "Junk") cfg.mailboxes);
  junkMailboxNumber = builtins.length junkMailboxes;
  # The assertion garantees there is exactly one Junk mailbox.
  junkMailboxName = if junkMailboxNumber == 1 then builtins.elemAt junkMailboxes 0 else "";
  mkLdapSearchScope = scope: (
    if scope == "sub" then "subtree"
    else if scope == "one" then "onelevel"
    else scope
  );
 in
 {
  config = with cfg; lib.mkIf enable {
    assertions = [
      {
        assertion = junkMailboxNumber == 1;
        message = "nixos-mailserver requires exactly one dovecot mailbox with the 'special use' flag set to 'Junk' (${builtins.toString junkMailboxNumber} have been found)";
      }
    ];
    # for sieve-test. Shelling it in on demand usually doesnt' work, as it reads
    # the global config and tries to open shared libraries configured in there,
    # which are usually not compatible.
    environment.systemPackages = [
      pkgs.dovecot_pigeonhole
    ];
    services.dovecot2 = {
      enable = true;
      enableImap = enableImap || enableImapSsl;
@ -176,48 +104,17 @@ in
      mailPlugins.globally.enable = lib.optionals cfg.fullTextSearch.enable [ "fts" "fts_xapian" ];
      protocols = lib.optional cfg.enableManageSieve "sieve";
-      pluginSettings = {
+      sieveScripts = {
-        sieve = "file:${cfg.sieveDirectory}/%u/scripts;active=${cfg.sieveDirectory}/%u/active.sieve";
+        after = builtins.toFile "spam.sieve" ''
        sieve_default = "file:${cfg.sieveDirectory}/%u/default.sieve";
        sieve_default_name = "default";
      };
      sieve = {
        extensions = [
          "fileinto"
        ];
        scripts.after = builtins.toFile "spam.sieve" ''
          require "fileinto";
          if header :is "X-Spam" "Yes" {
-              fileinto "${junkMailboxName}";
+              fileinto "Junk";
              stop;
          }
        '';
        pipeBins = map lib.getExe [
          (pkgs.writeShellScriptBin "sa-learn-ham.sh"
            "exec ${pkgs.rspamd}/bin/rspamc -h /run/rspamd/worker-controller.sock learn_ham")
          (pkgs.writeShellScriptBin "sa-learn-spam.sh"
            "exec ${pkgs.rspamd}/bin/rspamc -h /run/rspamd/worker-controller.sock learn_spam")
        ];
      };
      imapsieve.mailbox = [
        {
          name = junkMailboxName;
          causes = [ "COPY" "APPEND" ];
          before = ./dovecot/imap_sieve/report-spam.sieve;
        }
        {
          name = "*";
          from = junkMailboxName;
          causes = [ "COPY" ];
          before = ./dovecot/imap_sieve/report-ham.sieve;
        }
      ];
      mailboxes = cfg.mailboxes;
      extraConfig = ''
@ -307,23 +204,9 @@ in
        userdb {
          driver = passwd-file
-          args = ${userdbFile}
+          args = ${passwdFile}
          default_fields = uid=${builtins.toString cfg.vmailUID} gid=${builtins.toString cfg.vmailUID} home=${cfg.mailDirectory}
        }
        ${lib.optionalString cfg.ldap.enable ''
        passdb {
          driver = ldap
          args = ${ldapConfFile}
        }
        userdb {
          driver = ldap
          args = ${ldapConfFile}
          default_fields = home=/var/vmail/ldap/%u uid=${toString cfg.vmailUID} gid=${toString cfg.vmailUID}
        }
        ''}
        service auth {
          unix_listener auth {
            mode = 0660
@ -339,7 +222,29 @@ in
          inbox = yes
        }
-        ${lib.optionalString cfg.fullTextSearch.enable ''
+        plugin {
          sieve_plugins = sieve_imapsieve sieve_extprograms
          sieve = file:${cfg.sieveDirectory}/%u/scripts;active=${cfg.sieveDirectory}/%u/active.sieve
          sieve_default = file:${cfg.sieveDirectory}/%u/default.sieve
          sieve_default_name = default
          # From elsewhere to Spam folder
          imapsieve_mailbox1_name = Junk
          imapsieve_mailbox1_causes = COPY
          imapsieve_mailbox1_before = file:${stateDir}/imap_sieve/report-spam.sieve
          # From Spam folder to elsewhere
          imapsieve_mailbox2_name = *
          imapsieve_mailbox2_from = Junk
          imapsieve_mailbox2_causes = COPY
          imapsieve_mailbox2_before = file:${stateDir}/imap_sieve/report-ham.sieve
          sieve_pipe_bin_dir = ${pipeBin}/pipe/bin
          sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
        }
        ${lib.optionalString (cfg.fullTextSearch.enable != null) ''
        plugin {
          plugin = fts fts_xapian
          fts = xapian
@ -367,10 +272,17 @@ in
    systemd.services.dovecot2 = {
      preStart = ''
        ${genPasswdScript}
-      '' + (lib.optionalString cfg.ldap.enable setPwdInLdapConfFile);
+        rm -rf '${stateDir}/imap_sieve'
        mkdir '${stateDir}/imap_sieve'
        cp -p "${./dovecot/imap_sieve}"/*.sieve '${stateDir}/imap_sieve/'
        for k in "${stateDir}/imap_sieve"/*.sieve ; do
          ${pkgs.dovecot_pigeonhole}/bin/sievec "$k"
        done
        chown -R '${dovecot2Cfg.mailUser}:${dovecot2Cfg.mailGroup}' '${stateDir}/imap_sieve'
      '';
    };
-    systemd.services.postfix.restartTriggers = [ genPasswdScript ] ++ (lib.optional cfg.ldap.enable [setPwdInLdapConfFile]);
+    systemd.services.postfix.restartTriggers = [ genPasswdScript ];
    systemd.services.dovecot-fts-xapian-optimize = lib.mkIf (cfg.fullTextSearch.enable && cfg.fullTextSearch.maintenance.enable) {
      description = "Optimize dovecot indices for fts_xapian";
--- a/mail-server/environment.nix
+++ b/mail-server/environment.nix
@ -23,6 +23,6 @@ in
  config = with cfg; lib.mkIf enable {
    environment.systemPackages = with pkgs; [
      dovecot opendkim openssh postfix rspamd
-    ] ++ (if certificateScheme == "selfsigned" then [ openssl ] else []);
+    ] ++ (if certificateScheme == 2 then [ openssl ] else []);
  };
 }
--- a/mail-server/networking.nix
+++ b/mail-server/networking.nix
@ -14,7 +14,7 @@
 #  You should have received a copy of the GNU General Public License
 #  along with this program. If not, see <http://www.gnu.org/licenses/>
-{ config, lib, ... }:
+{ config, pkgs, lib, ... }:
 let
  cfg = config.mailserver;
@ -31,7 +31,7 @@ in
        ++ lib.optional enablePop3 110
        ++ lib.optional enablePop3Ssl 995
        ++ lib.optional enableManageSieve 4190
-        ++ lib.optional (certificateScheme == "acme-nginx") 80;
+        ++ lib.optional (certificateScheme == 3) 80;
    };
  };
 }
--- a/mail-server/nginx.nix
+++ b/mail-server/nginx.nix
@ -17,26 +17,28 @@
 { config, pkgs, lib, ... }:
-with (import ./common.nix { inherit config lib pkgs; });
+with (import ./common.nix { inherit config; });
 let
  cfg = config.mailserver;
  acmeRoot = "/var/lib/acme/acme-challenge";
 in
 {
-  config = lib.mkIf (cfg.enable && (cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx")) {
+  config = lib.mkIf (cfg.enable && cfg.certificateScheme == 3) {
-    services.nginx = lib.mkIf (cfg.certificateScheme == "acme-nginx") {
+    services.nginx = {
      enable = true;
      virtualHosts."${cfg.fqdn}" = {
        serverName = cfg.fqdn;
        serverAliases = cfg.certificateDomains;
        forceSSL = true;
        enableACME = true;
        acmeRoot = acmeRoot;
      };
    };
-    security.acme.certs."${cfg.acmeCertificateName}".reloadServices = [
+    security.acme.certs."${cfg.fqdn}".postRun = ''
-      "postfix.service"
+      systemctl reload nginx
-      "dovecot2.service"
+      systemctl reload postfix
-    ];
+      systemctl reload dovecot2
    '';
  };
 }
--- a/mail-server/opendkim.nix
+++ b/mail-server/opendkim.nix
@ -29,7 +29,7 @@ let
      dkim_txt = "${cfg.dkimKeyDirectory}/${dom}.${cfg.dkimSelector}.txt";
    in
        ''
-          if [ ! -f "${dkim_key}" ]
+          if [ ! -f "${dkim_key}" ] || [ ! -f "${dkim_txt}" ]
          then
              ${pkgs.opendkim}/bin/opendkim-genkey -s "${cfg.dkimSelector}" \
                                                   -d "${dom}" \
@ -37,16 +37,15 @@ let
                                                   --directory="${cfg.dkimKeyDirectory}"
              mv "${cfg.dkimKeyDirectory}/${cfg.dkimSelector}.private" "${dkim_key}"
              mv "${cfg.dkimKeyDirectory}/${cfg.dkimSelector}.txt" "${dkim_txt}"
              chmod 644 "${dkim_txt}"
              echo "Generated key for domain ${dom} selector ${cfg.dkimSelector}"
          fi
        '';
  createAllCerts = lib.concatStringsSep "\n" (map createDomainDkimCert cfg.domains);
-  keyTable = pkgs.writeText "opendkim-KeyTable"
+  keyTable = pkgs.writeText "opendkim-KeyTable" 
-    (lib.concatStringsSep "\n" (lib.flip map cfg.domains
+    (lib.concatStringsSep "\n" (lib.flip map cfg.domains 
      (dom: "${dom} ${dom}:${cfg.dkimSelector}:${cfg.dkimKeyDirectory}/${dom}.${cfg.dkimSelector}.key")));
-  signingTable = pkgs.writeText "opendkim-SigningTable"
+  signingTable = pkgs.writeText "opendkim-SigningTable" 
    (lib.concatStringsSep "\n" (lib.flip map cfg.domains (dom: "${dom} ${dom}")));
  dkim = config.services.opendkim;
@ -60,7 +59,7 @@ in
        keyPath = cfg.dkimKeyDirectory;
        domains = "csl:${builtins.concatStringsSep "," cfg.domains}";
        configFile = pkgs.writeText "opendkim.conf" (''
-          Canonicalization ${cfg.dkimHeaderCanonicalization}/${cfg.dkimBodyCanonicalization}
+          Canonicalization relaxed/simple
          UMask 0002
          Socket ${dkim.socket}
          KeyTable file:${keyTable}
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@ -33,11 +33,6 @@ let
      let to = name;
      in map (from: {"${from}" = to;}) (value.aliases ++ lib.singleton name))
    cfg.loginAccounts));
  regex_valiases_postfix = mergeLookupTables (lib.flatten (lib.mapAttrsToList
    (name: value:
      let to = name;
      in map (from: {"${from}" = to;}) value.aliasesRegexp)
    cfg.loginAccounts));
  # catchAllPostfix :: Map String [String]
  catchAllPostfix =  mergeLookupTables (lib.flatten (lib.mapAttrsToList
@ -70,10 +65,6 @@ let
    content = lookupTableToString (mergeLookupTables [all_valiases_postfix catchAllPostfix]);
  in builtins.toFile "valias" content;
  regex_valiases_file = let
    content = lookupTableToString regex_valiases_postfix;
  in builtins.toFile "regex_valias" content;
  # denied_recipients_postfix :: [ String ]
  denied_recipients_postfix = (map
    (acct: "${acct.name} REJECT ${acct.sendOnlyRejectMessage}")
@ -103,7 +94,6 @@ let
  # every alias is owned (uniquely) by its user.
  # The user's own address is already in all_valiases_postfix.
  vaccounts_file = builtins.toFile "vaccounts" (lookupTableToString all_valiases_postfix);
  regex_vaccounts_file = builtins.toFile "regex_vaccounts" (lookupTableToString regex_valiases_postfix);
  submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" (''
     # Removes sensitive headers from mails handed in via the submission port.
@ -133,7 +123,6 @@ let
  policyd-spf = pkgs.writeText "policyd-spf.conf" cfg.policydSPFExtraConfig;
  mappedFile = name: "hash:/var/lib/postfix/conf/${name}";
  mappedRegexFile = name: "pcre:/var/lib/postfix/conf/${name}";
  submissionOptions =
    {
@ -144,73 +133,21 @@ let
      smtpd_sasl_security_options = "noanonymous";
      smtpd_sasl_local_domain = "$myhostname";
      smtpd_client_restrictions = "permit_sasl_authenticated,reject";
-      smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts${lib.optionalString cfg.ldap.enable ",ldap:${ldapSenderLoginMapFile}"}${lib.optionalString (regex_valiases_postfix != {}) ",pcre:/etc/postfix/regex_vaccounts"}";
+      smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts";
      smtpd_sender_restrictions = "reject_sender_login_mismatch";
      smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
      cleanup_service_name = "submission-header-cleanup";
    };
  commonLdapConfig = ''
    server_host = ${lib.concatStringsSep " " cfg.ldap.uris}
    start_tls = ${if cfg.ldap.startTls then "yes" else "no"}
    version = 3
    tls_ca_cert_file = ${cfg.ldap.tlsCAFile}
    tls_require_cert = yes
    search_base = ${cfg.ldap.searchBase}
    scope = ${cfg.ldap.searchScope}
    bind = yes
    bind_dn = ${cfg.ldap.bind.dn}
  '';
  ldapSenderLoginMap = pkgs.writeText "ldap-sender-login-map.cf" ''
    ${commonLdapConfig}
    query_filter = ${cfg.ldap.postfix.filter}
    result_attribute = ${cfg.ldap.postfix.mailAttribute}
  '';
  ldapSenderLoginMapFile = "/run/postfix/ldap-sender-login-map.cf";
  appendPwdInSenderLoginMap = appendLdapBindPwd {
    name = "ldap-sender-login-map";
    file = ldapSenderLoginMap;
    prefix = "bind_pw = ";
    passwordFile = cfg.ldap.bind.passwordFile;
    destination = ldapSenderLoginMapFile;
  };
  ldapVirtualMailboxMap = pkgs.writeText "ldap-virtual-mailbox-map.cf" ''
    ${commonLdapConfig}
    query_filter = ${cfg.ldap.postfix.filter}
    result_attribute = ${cfg.ldap.postfix.uidAttribute}
  '';
  ldapVirtualMailboxMapFile = "/run/postfix/ldap-virtual-mailbox-map.cf";
  appendPwdInVirtualMailboxMap = appendLdapBindPwd {
    name = "ldap-virtual-mailbox-map";
    file = ldapVirtualMailboxMap;
    prefix = "bind_pw = ";
    passwordFile = cfg.ldap.bind.passwordFile;
    destination = ldapVirtualMailboxMapFile;
  };
 in
 {
  config = with cfg; lib.mkIf enable {
    systemd.services.postfix-setup = lib.mkIf cfg.ldap.enable {
      preStart = ''
        ${appendPwdInVirtualMailboxMap}
        ${appendPwdInSenderLoginMap}
      '';
      restartTriggers = [ appendPwdInVirtualMailboxMap appendPwdInSenderLoginMap ];
    };
    services.postfix = {
      enable = true;
      hostname = "${sendingFqdn}";
      networksStyle = "host";
      mapFiles."valias" = valiases_file;
      mapFiles."regex_valias" = regex_valiases_file;
      mapFiles."vaccounts" = vaccounts_file;
      mapFiles."regex_vaccounts" = regex_vaccounts_file;
      mapFiles."denied_recipients" = denied_recipients_file;
      mapFiles."reject_senders" = reject_senders_file;
      mapFiles."reject_recipients" = reject_recipients_file;
@ -233,19 +170,8 @@ in
        virtual_gid_maps = "static:5000";
        virtual_mailbox_base = mailDirectory;
        virtual_mailbox_domains = vhosts_file;
-        virtual_mailbox_maps = [
+        virtual_mailbox_maps = mappedFile "valias";
          (mappedFile "valias")
        ] ++ lib.optionals (cfg.ldap.enable) [
          "ldap:${ldapVirtualMailboxMapFile}"
        ] ++ lib.optionals (regex_valiases_postfix != {}) [
          (mappedRegexFile "regex_valias")
        ];
        virtual_alias_maps = lib.mkAfter (lib.optionals (regex_valiases_postfix != {}) [
          (mappedRegexFile "regex_valias")
        ]);
        virtual_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
        # Avoid leakage of X-Original-To, X-Delivered-To headers between recipients
        lmtp_destination_recipient_limit = "1";
        # sasl with dovecot
        smtpd_sasl_type = "dovecot";
@ -274,6 +200,9 @@ in
        # Submission by mail clients is handled in submissionOptions
        smtpd_tls_security_level = "may";
        # strong might suffice and is computationally less expensive
        smtpd_tls_eecdh_grade = "ultra";
        # Disable obselete protocols
        smtpd_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
        smtp_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
@ -306,26 +235,18 @@ in
        milter_protocol = "6";
        milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}";
        # Fix for https://www.postfix.org/smtp-smuggling.html
        smtpd_forbid_bare_newline = cfg.smtpdForbidBareNewline;
        smtpd_forbid_bare_newline_exclusions = "$mynetworks";
      };
      submissionOptions = submissionOptions;
      submissionsOptions = submissionOptions;
      masterConfig = {
        "lmtp" = {
          # Add headers when delivering, see http://www.postfix.org/smtp.8.html
          # D => Delivered-To, O => X-Original-To, R => Return-Path
          args = [ "flags=O" ];
        };
        "policy-spf" = {
          type = "unix";
          privileged = true;
          chroot = false;
          command = "spawn";
-          args = [ "user=nobody" "argv=${pkgs.spf-engine}/bin/policyd-spf" "${policyd-spf}"];
+          args = [ "user=nobody" "argv=${pkgs.pypolicyd-spf}/bin/policyd-spf" "${policyd-spf}"];
        };
        "submission-header-cleanup" = {
          type = "unix";
--- a/mail-server/rspamd.nix
+++ b/mail-server/rspamd.nix
@ -30,7 +30,7 @@ in
      inherit debug;
      locals = {
          "milter_headers.conf" = { text = ''
-              extended_spam_headers = true;
+              extended_spam_headers = yes;
          ''; };
          "redis.conf" = { text = ''
              servers = "${cfg.redis.address}:${toString cfg.redis.port}";
@ -56,17 +56,14 @@ in
              # Disable outbound email signing, we use opendkim for this
              enabled = false;
          ''; };
-          "dmarc.conf" = { text = ''
+      };
-              ${lib.optionalString cfg.dmarcReporting.enable ''
+
-              reporting {
+      overrides = {
-                enabled = true;
+        "milter_headers.conf" = {
-                email = "${cfg.dmarcReporting.email}";
+          text = ''
-                domain = "${cfg.dmarcReporting.domain}";
+            extended_spam_headers = true;
-                org_name = "${cfg.dmarcReporting.organizationName}";
+          '';
-                from_name = "${cfg.dmarcReporting.fromName}";
+        };
                msgid_from = "dmarc-rua";
              }''}
          ''; };
      };
      workers.rspamd_proxy = {
@ -101,72 +98,11 @@ in
    };
-    services.redis.servers.rspamd = {
+    services.redis.enable = true;
      enable = lib.mkDefault true;
      port = lib.mkDefault 6380;
    };
    systemd.services.rspamd = {
-      requires = [ "redis-rspamd.service" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
+      requires = [ "redis.service" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
-      after = [ "redis-rspamd.service" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
+      after = [ "redis.service" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
    };
    systemd.services.rspamd-dmarc-reporter = lib.optionalAttrs (cfg.dmarcReporting.enable) {
      # Explicitly select yesterday's date to work around broken
      # default behaviour when called without a date.
      # https://github.com/rspamd/rspamd/issues/4062
      script = ''
        ${pkgs.rspamd}/bin/rspamadm dmarc_report $(date -d "yesterday" "+%Y%m%d")
      '';
      serviceConfig = {
        User = "${config.services.rspamd.user}";
        Group = "${config.services.rspamd.group}";
        AmbientCapabilities = [];
        CapabilityBoundingSet = "";
        DevicePolicy = "closed";
        IPAddressAllow = "localhost";
        LockPersonality = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateMounts = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProcSubset = "pid";
        ProtectSystem = "strict";
        RemoveIPC = true;
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
        ];
        UMask = "0077";
      };
    };
    systemd.timers.rspamd-dmarc-reporter = lib.optionalAttrs (cfg.dmarcReporting.enable) {
      description = "Daily delivery of aggregated DMARC reports";
      wantedBy = [
        "timers.target"
      ];
      timerConfig = {
        OnCalendar = "daily";
        Persistent = true;
        RandomizedDelaySec = 86400;
        FixedRandomDelay = true;
      };
    };
    systemd.services.postfix = {
--- a/mail-server/systemd.nix
+++ b/mail-server/systemd.nix
@ -19,9 +19,9 @@
 let
  cfg = config.mailserver;
  certificatesDeps =
-    if cfg.certificateScheme == "manual" then
+    if cfg.certificateScheme == 1 then
      []
-    else if cfg.certificateScheme == "selfsigned" then
+    else if cfg.certificateScheme == 2 then
      [ "mailserver-selfsigned-certificate.service" ]
    else
      [ "acme-finished-${cfg.fqdn}.target" ];
@ -29,7 +29,7 @@ in
 {
  config = with cfg; lib.mkIf enable {
    # Create self signed certificate
-    systemd.services.mailserver-selfsigned-certificate = lib.mkIf (cfg.certificateScheme == "selfsigned") {
+    systemd.services.mailserver-selfsigned-certificate = lib.mkIf (cfg.certificateScheme == 2) {
      after = [ "local-fs.target" ];
      script = ''
        # Create certificates if they do not exist yet
@ -64,8 +64,6 @@ in
      in ''
        # Create mail directory and set permissions. See
        # <http://wiki2.dovecot.org/SharedMailboxes/Permissions>.
        # Prevent world-readable paths, even temporarily.
        umask 007
        mkdir -p ${directories}
        chgrp "${vmailGroupName}" ${directories}
        chmod 02770 ${directories}
--- a/mail-server/users.nix
+++ b/mail-server/users.nix
@ -34,9 +34,6 @@ let
    set -euo pipefail
    # Prevent world-readable paths, even temporarily.
    umask 007
    # Create directory to store user sieve scripts if it doesn't exist
    if (! test -d "${sieveDirectory}"); then
      mkdir "${sieveDirectory}"
--- a/scripts/generate-options.py
+++ b/scripts/generate-options.py
@ -1,82 +0,0 @@
 import json
 import sys
 header = """
 # Mailserver options
 ## `mailserver`
 """
 template = """
 `````{{option}} {key}
 {description}
 {type}
 {default}
 {example}
 `````
 """
 f = open(sys.argv[1])
 options = json.load(f)
 groups = ["mailserver.loginAccounts",
          "mailserver.certificate",
          "mailserver.dkim",
          "mailserver.dmarcReporting",
          "mailserver.fullTextSearch",
          "mailserver.redis",
          "mailserver.ldap",
          "mailserver.monitoring",
          "mailserver.backup",
          "mailserver.borgbackup"]
 def render_option_value(opt, attr):
  if attr in opt:
      if isinstance(opt[attr], dict) and '_type' in opt[attr]:
          if opt[attr]['_type'] == 'literalExpression':
              if '\n' in opt[attr]['text']:
                  res = '\n```nix\n' + opt[attr]['text'].rstrip('\n') + '\n```'
              else:
                  res = '```{}```'.format(opt[attr]['text'])
          elif opt[attr]['_type'] == 'literalMD':
              res = opt[attr]['text']
      else:
          s = str(opt[attr])
          if s == "":
              res = '`""`'
          elif '\n' in s:
              res = '\n```\n' + s.rstrip('\n') + '\n```'
          else:
              res = '```{}```'.format(s)
      res = '- ' + attr + ': ' + res
  else:
      res = ""
  return res
 def print_option(opt):
    if isinstance(opt['description'], dict) and '_type' in opt['description']: # mdDoc
        description = opt['description']['text']
    else:
        description = opt['description']
    print(template.format(
        key=opt['name'],
        description=description or "",
        type="- type: ```{}```".format(opt['type']),
        default=render_option_value(opt, 'default'),
        example=render_option_value(opt, 'example')))
 print(header)
 for opt in options:
    if any([opt['name'].startswith(c) for c in groups]):
        continue
    print_option(opt)
 for c in groups:
    print('## `{}`'.format(c))
    print()
    for opt in options:
        if opt['name'].startswith(c):
            print_option(opt)
--- a/scripts/mail-check.py
+++ b/scripts/mail-check.py
@ -9,7 +9,7 @@ import time
 RETRY = 100
-def _send_mail(smtp_host, smtp_port, smtp_username, from_addr, from_pwd, to_addr, subject, starttls):
+def _send_mail(smtp_host, smtp_port, from_addr, from_pwd, to_addr, subject, starttls):
    print("Sending mail with subject '{}'".format(subject))
    message = "\n".join([
        "From: {from_addr}",
@ -30,7 +30,7 @@ def _send_mail(smtp_host, smtp_port, smtp_username, from_addr, from_pwd, to_addr
                    if starttls:
                        smtp.starttls()
                    if from_pwd is not None:
-                        smtp.login(smtp_username or from_addr, from_pwd)
+                        smtp.login(from_addr, from_pwd)
                    smtp.sendmail(from_addr, [to_addr], message)
                    return
@ -141,7 +141,6 @@ def send_and_read(args):
    _send_mail(smtp_host=args.smtp_host,
               smtp_port=args.smtp_port,
               smtp_username=args.smtp_username,
               from_addr=args.from_addr,
               from_pwd=src_pwd,
               to_addr=args.to_addr,
@ -172,7 +171,6 @@ parser_send_and_read = subparsers.add_parser('send-and-read', description="Send
 parser_send_and_read.add_argument('--smtp-host', type=str)
 parser_send_and_read.add_argument('--smtp-port', type=str, default=25)
 parser_send_and_read.add_argument('--smtp-starttls', action='store_true')
 parser_send_and_read.add_argument('--smtp-username', type=str, default='', help="username used for smtp login. If not specified, the from-addr value is used")
 parser_send_and_read.add_argument('--from-addr', type=str)
 parser_send_and_read.add_argument('--imap-host', required=True, type=str)
 parser_send_and_read.add_argument('--imap-port', type=str, default=993)
--- a/shell.nix
+++ b/shell.nix
@ -1,10 +1 @@
-(import
+(import (builtins.fetchGit "https://github.com/edolstra/flake-compat") { src = ./.; }).shellNix
  (
    let lock = builtins.fromJSON (builtins.readFile ./flake.lock); in
    fetchTarball {
      url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
      sha256 = lock.nodes.flake-compat.locked.narHash;
    }
  )
  { src = ./.; }
 ).shellNix
--- a/tests/clamav.nix
+++ b/tests/clamav.nix
@ -189,10 +189,10 @@ pkgs.nixosTest {
      # TODO put this blocking into the systemd units? I am not sure if rspamd already waits for the clamd socket.
      server.wait_until_succeeds(
-          "set +e; timeout 1 ${nodes.server.nixpkgs.pkgs.netcat}/bin/nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
+          "set +e; timeout 1 ${nodes.server.pkgs.netcat}/bin/nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
      )
      server.wait_until_succeeds(
-          "set +e; timeout 1 ${nodes.server.nixpkgs.pkgs.netcat}/bin/nc -U /run/clamav/clamd.ctl < /dev/null; [ $? -eq 124 ]"
+          "set +e; timeout 1 ${nodes.server.pkgs.netcat}/bin/nc -U /run/clamav/clamd.ctl < /dev/null; [ $? -eq 124 ]"
      )
      client.execute("cp -p /etc/root/.* ~/")
--- a/tests/external.nix
+++ b/tests/external.nix
@ -43,11 +43,6 @@ pkgs.nixosTest {
              domains = [ "example.com" "example2.com" ];
              rewriteMessageId = true;
              dkimKeyBits = 1535;
              dmarcReporting = {
                enable = true;
                domain = "example.com";
                organizationName = "ACME Corp";
              };
              loginAccounts = {
                  "user1@example.com" = {
@ -350,7 +345,7 @@ pkgs.nixosTest {
      # TODO put this blocking into the systemd units?
      server.wait_until_succeeds(
-          "set +e; timeout 1 ${nodes.server.nixpkgs.pkgs.netcat}/bin/nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
+          "set +e; timeout 1 ${nodes.server.pkgs.netcat}/bin/nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
      )
      client.execute("cp -p /etc/root/.* ~/")
@ -494,21 +489,18 @@ pkgs.nixosTest {
          client.fail("search Junk a >&2")
          # check that search really goes through the indexer
          server.succeed(
-              "journalctl -u dovecot2 | grep -E 'indexer-worker.* Done indexing .INBOX.' >&2"
+              "journalctl -u dovecot2 | grep -E 'indexer-worker.* Mailbox INBOX: Mailbox opened because: indexing' >&2"
          )
          # check that Junk is not indexed
          server.fail("journalctl -u dovecot2 | grep 'indexer-worker' | grep -i 'JUNK' >&2")
      with subtest("dmarc reporting"):
          server.systemctl("start rspamd-dmarc-reporter.service")
      with subtest("no warnings or errors"):
          server.fail("journalctl -u postfix | grep -i error >&2")
          server.fail("journalctl -u postfix | grep -i warning >&2")
          server.fail("journalctl -u dovecot2 | grep -i error >&2")
          # harmless ? https://dovecot.org/pipermail/dovecot/2020-August/119575.html
          server.fail(
-              "journalctl -u dovecot2 |grep -v 'Expunged message reappeared, giving a new UID'| grep -v 'FTS Xapian: Box is empty' | grep -i warning >&2"
+              "journalctl -u dovecot2 |grep -v 'Expunged message reappeared, giving a new UID'| grep -i warning >&2"
          )
    '';
 }
--- a/tests/internal.nix
+++ b/tests/internal.nix
@ -29,8 +29,8 @@ let
  hashPassword = password: pkgs.runCommand
    "password-${password}-hashed"
-    { buildInputs = [ pkgs.mkpasswd ]; inherit password; } ''
+    { buildInputs = [ pkgs.apacheHttpd ]; } ''
-      mkpasswd -sm bcrypt <<<"$password" > $out
+      htpasswd -nbB "" "${password}" | cut -d: -f2 > $out
    '';
  hashedPasswordFile = hashPassword "my-password";
@ -55,7 +55,7 @@ pkgs.nixosTest {
      mailserver = {
        enable = true;
        fqdn = "mail.example.com";
-        domains = [ "example.com" "domain.com" ];
+        domains = [ "example.com" ];
        localDnsResolver = false;
        loginAccounts = {
@ -64,7 +64,6 @@ pkgs.nixosTest {
          };
          "user2@example.com" = {
            hashedPasswordFile = hashedPasswordFile;
            aliasesRegexp = [''/^user2.*@domain\.com$/''];
          };
          "send-only@example.com" = {
            hashedPasswordFile = hashPassword "send-only";
@ -127,46 +126,6 @@ pkgs.nixosTest {
            )
        )
    with subtest("regex email alias are received"):
        # A mail sent to user2-regex-alias@domain.com is in the user2@example.com mailbox
        machine.succeed(
            " ".join(
                [
                    "mail-check send-and-read",
                    "--smtp-port 587",
                    "--smtp-starttls",
                    "--smtp-host localhost",
                    "--imap-host localhost",
                    "--imap-username user2@example.com",
                    "--from-addr user1@example.com",
                    "--to-addr user2-regex-alias@domain.com",
                    "--src-password-file ${passwordFile}",
                    "--dst-password-file ${passwordFile}",
                    "--ignore-dkim-spf",
                ]
            )
        )
    with subtest("user can send from regex email alias"):
        # A mail sent from user2-regex-alias@domain.com, using user2@example.com credentials is received
        machine.succeed(
            " ".join(
                [
                    "mail-check send-and-read",
                    "--smtp-port 587",
                    "--smtp-starttls",
                    "--smtp-host localhost",
                    "--imap-host localhost",
                    "--smtp-username user2@example.com",
                    "--from-addr user2-regex-alias@domain.com",
                    "--to-addr user1@example.com",
                    "--src-password-file ${passwordFile}",
                    "--dst-password-file ${passwordFile}",
                    "--ignore-dkim-spf",
                ]
            )
        )
    with subtest("vmail gid is set correctly"):
        machine.succeed("getent group vmail | grep 5000")
@ -177,7 +136,7 @@ pkgs.nixosTest {
            "set +e; timeout 1 ${pkgs.netcat}/bin/nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
        )
        machine.succeed(
-            "cat ${sendMail} | ${pkgs.netcat-gnu}/bin/nc localhost 25 | grep -q '554 5.5.0 Error'"
+            "cat ${sendMail} | ${pkgs.netcat-gnu}/bin/nc localhost 25 | grep -q 'This account cannot receive emails'"
        )
    with subtest("rspamd controller serves web ui"):
--- a/tests/ldap.nix
+++ b/tests/ldap.nix
@ -1,183 +0,0 @@
 { pkgs ? import <nixpkgs> {}
 , ...
 }:
 let
  bindPassword = "unsafegibberish";
  alicePassword = "testalice";
  bobPassword = "testbob";
 in
 pkgs.nixosTest {
  name = "ldap";
  nodes = {
    machine = { config, pkgs, ... }: {
      imports = [
        ./../default.nix
        ./lib/config.nix
      ];
      virtualisation.memorySize = 1024;
      services.openssh = {
        enable = true;
        permitRootLogin = "yes";
      };
      environment.systemPackages = [
        (pkgs.writeScriptBin "mail-check" ''
          ${pkgs.python3}/bin/python ${../scripts/mail-check.py} $@
        '')];
      environment.etc.bind-password.text = bindPassword;
      services.openldap = {
        enable = true;
        settings = {
          children = {
            "cn=schema".includes = [
              "${pkgs.openldap}/etc/schema/core.ldif"
              "${pkgs.openldap}/etc/schema/cosine.ldif"
              "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
              "${pkgs.openldap}/etc/schema/nis.ldif"
            ];
            "olcDatabase={1}mdb" = {
              attrs = {
                objectClass = [
                  "olcDatabaseConfig"
                  "olcMdbConfig"
                ];
                olcDatabase = "{1}mdb";
                olcDbDirectory = "/var/lib/openldap/example";
                olcSuffix = "dc=example";
              };
            };
          };
        };
        declarativeContents."dc=example" = ''
          dn: dc=example
          objectClass: domain
          dc: example
          dn: cn=mail,dc=example
          objectClass: organizationalRole
          objectClass: simpleSecurityObject
          objectClass: top
          cn: mail
          userPassword: ${bindPassword}
          dn: ou=users,dc=example
          objectClass: organizationalUnit
          ou: users
          dn: cn=alice,ou=users,dc=example
          objectClass: inetOrgPerson
          cn: alice
          sn: Foo
          mail: alice@example.com
          userPassword: ${alicePassword}
          dn: cn=bob,ou=users,dc=example
          objectClass: inetOrgPerson
          cn: bob
          sn: Bar
          mail: bob@example.com
          userPassword: ${bobPassword}
        '';
      };
      mailserver = {
        enable = true;
        fqdn = "mail.example.com";
        domains = [ "example.com" ];
        localDnsResolver = false;
        ldap = {
          enable = true;
          uris = [
            "ldap://"
          ];
          bind = {
            dn = "cn=mail,dc=example";
            passwordFile = "/etc/bind-password";
          };
          searchBase = "ou=users,dc=example";
          searchScope = "sub";
        };
        vmailGroupName = "vmail";
        vmailUID = 5000;
        enableImap = false;
      };
    };
  };
  testScript = ''
    import sys
    import re
    machine.start()
    machine.wait_for_unit("multi-user.target")
    # This function retrieves the ldap table file from a postconf
    # command.
    # A key lookup is achived and the returned value is compared
    # to the expected value.
    def test_lookup(postconf_cmdline, key, expected):
      conf = machine.succeed(postconf_cmdline).rstrip()
      ldap_table_path = re.match('.* =.*ldap:(.*)', conf).group(1)
      value = machine.succeed(f"postmap -q {key} ldap:{ldap_table_path}").rstrip()
      try:
        assert value == expected
      except AssertionError:
        print(f"Expected {conf} lookup for key '{key}' to return '{expected}, but got '{value}'", file=sys.stderr)
        raise
    with subtest("Test postmap lookups"):
      test_lookup("postconf virtual_mailbox_maps", "alice@example.com", "alice@example.com")
      test_lookup("postconf -P submission/inet/smtpd_sender_login_maps", "alice@example.com", "alice@example.com")
      test_lookup("postconf virtual_mailbox_maps", "bob@example.com", "bob@example.com")
      test_lookup("postconf -P submission/inet/smtpd_sender_login_maps", "bob@example.com", "bob@example.com")
    with subtest("Test doveadm lookups"):
      machine.succeed("doveadm user -u alice@example.com")
      machine.succeed("doveadm user -u bob@example.com")
    with subtest("Files containing secrets are only readable by root"):
      machine.succeed("ls -l /run/postfix/*.cf | grep -e '-rw------- 1 root root'")
      machine.succeed("ls -l /run/dovecot2/dovecot-ldap.conf.ext | grep -e '-rw------- 1 root root'")
    with subtest("Test account/mail address binding"):
      machine.fail(" ".join([
        "mail-check send-and-read",
        "--smtp-port 587",
        "--smtp-starttls",
        "--smtp-host localhost",
        "--smtp-username alice@example.com",
        "--imap-host localhost",
        "--imap-username bob@example.com",
        "--from-addr bob@example.com",
        "--to-addr aliceb@example.com",
        "--src-password-file <(echo '${alicePassword}')",
        "--dst-password-file <(echo '${bobPassword}')",
        "--ignore-dkim-spf"
      ]))
      machine.succeed("journalctl -u postfix | grep -q 'Sender address rejected: not owned by user alice@example.com'")
    with subtest("Test mail delivery"):
      machine.succeed(" ".join([
        "mail-check send-and-read",
        "--smtp-port 587",
        "--smtp-starttls",
        "--smtp-host localhost",
        "--smtp-username alice@example.com",
        "--imap-host localhost",
        "--imap-username bob@example.com",
        "--from-addr alice@example.com",
        "--to-addr bob@example.com",
        "--src-password-file <(echo '${alicePassword}')",
        "--dst-password-file <(echo '${bobPassword}')",
        "--ignore-dkim-spf"
      ]))
  '';
 }
--- a/tests/minimal.nix
+++ b/tests/minimal.nix
@ -14,9 +14,9 @@
 #  You should have received a copy of the GNU General Public License
 #  along with this program. If not, see <http://www.gnu.org/licenses/>
-import <nixpkgs/nixos/tests/make-test-python.nix> {
+import <nixpkgs/nixos/tests/make-test.nix> {
-  nodes.machine =
+  machine =
    { config, pkgs, ... }:
    {
        imports = [
@ -26,6 +26,6 @@ import <nixpkgs/nixos/tests/make-test-python.nix> {
  testScript =
    ''
-      machine.wait_for_unit("multi-user.target");
+      $machine->waitForUnit("multi-user.target");
    '';
 }
--- a/tests/multiple.nix
+++ b/tests/multiple.nix
@ -5,9 +5,9 @@
 let
    hashPassword = password: pkgs.runCommand
      "password-${password}-hashed"
-      { buildInputs = [ pkgs.mkpasswd ]; inherit password; }
+      { buildInputs = [ pkgs.apacheHttpd ]; }
      ''
-        mkpasswd -sm bcrypt <<<"$password" > $out
+        htpasswd -nbB "" "${password}" | cut -d: -f2 > $out
      '';
    password = pkgs.writeText "password" "password";
@ -30,8 +30,6 @@ let
      };
      services.dnsmasq = {
        enable = true;
        # Fixme: once nixos-22.11 has been removed, could be replaced by
        # settings.mx-host = [ "domain1.com,domain1,10" "domain2.com,domain2,10" ];
        extraConfig = ''
          mx-host=domain1.com,domain1,10
          mx-host=domain2.com,domain2,10