Compare commits
1 commit
master
...
nixos-20.0
Author | SHA1 | Date | |
---|---|---|---|
|
c415bbb584 |
61 changed files with 905 additions and 3290 deletions
|
@ -1,17 +0,0 @@
|
|||
name: Build
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- 'master'
|
||||
|
||||
jobs:
|
||||
# deploy it upstream
|
||||
deploy:
|
||||
runs-on: docker
|
||||
steps:
|
||||
- name: "Deploy to Skynet"
|
||||
uses: https://forgejo.skynet.ie/Skynet/actions-deploy-to-skynet@v2
|
||||
with:
|
||||
input: 'simple-nixos-mailserver'
|
||||
token: ${{ secrets.API_TOKEN_FORGEJO }}
|
|
@ -3,11 +3,11 @@ hydra-pr:
|
|||
- merge_requests
|
||||
image: nixos/nix
|
||||
script:
|
||||
- nix-shell -I nixpkgs=channel:nixos-22.05 -p hydra-cli --run 'hydra-cli -H https://hydra.nix-community.org jobset-wait simple-nixos-mailserver ${CI_MERGE_REQUEST_IID}'
|
||||
- nix run -f channel:nixos-unstable hydra-cli -c hydra-cli -H https://hydra.nix-community.org jobset-wait simple-nixos-mailserver ${CI_MERGE_REQUEST_IID} || (echo Go to https://hydra.nix-community.org/jobset/simple-nixos-mailserver/${CI_MERGE_REQUEST_IID}/latest-eval for details; exit 1)
|
||||
|
||||
hydra-master:
|
||||
only:
|
||||
- master
|
||||
image: nixos/nix
|
||||
script:
|
||||
- nix-shell -I nixpkgs=channel:nixos-22.05 -p hydra-cli --run 'hydra-cli -H https://hydra.nix-community.org jobset-wait simple-nixos-mailserver master'
|
||||
- nix run -f channel:nixos-unstable hydra-cli -c hydra-cli -H https://hydra.nix-community.org jobset-wait simple-nixos-mailserver master || (echo Go to https://hydra.nix-community.org/jobset/simple-nixos-mailserver/master/latest-eval for details; exit 1)
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ nixpkgs, pulls, ... }:
|
||||
{ nixpkgs, declInput, pulls }:
|
||||
|
||||
let
|
||||
pkgs = import nixpkgs {};
|
||||
|
@ -8,37 +8,85 @@ let
|
|||
{ enabled = 1;
|
||||
hidden = false;
|
||||
description = "PR ${num}: ${info.title}";
|
||||
nixexprinput = "snm";
|
||||
nixexprpath = ".hydra/default.nix";
|
||||
checkinterval = 30;
|
||||
schedulingshares = 20;
|
||||
enableemail = false;
|
||||
emailoverride = "";
|
||||
keepnr = 1;
|
||||
type = 1;
|
||||
flake = "gitlab:simple-nixos-mailserver/nixos-mailserver/merge-requests/${info.iid}/head";
|
||||
type = 0;
|
||||
inputs = {
|
||||
snm = {
|
||||
type = "git";
|
||||
value = "${info.target_repo_url} merge-requests/${info.iid}/head";
|
||||
emailresponsible = false;
|
||||
};
|
||||
};
|
||||
}
|
||||
) prs;
|
||||
mkFlakeJobset = branch: {
|
||||
description = "Build ${branch} branch of Simple NixOS MailServer";
|
||||
checkinterval = "60";
|
||||
enabled = "1";
|
||||
schedulingshares = 100;
|
||||
enableemail = false;
|
||||
emailoverride = "";
|
||||
keepnr = 3;
|
||||
hidden = false;
|
||||
type = 1;
|
||||
flake = "gitlab:simple-nixos-mailserver/nixos-mailserver/${branch}";
|
||||
};
|
||||
|
||||
desc = prJobsets // {
|
||||
"master" = mkFlakeJobset "master";
|
||||
"nixos-23.11" = mkFlakeJobset "nixos-23.11";
|
||||
"nixos-24.05" = mkFlakeJobset "nixos-24.05";
|
||||
};
|
||||
|
||||
log = {
|
||||
pulls = prs;
|
||||
jobsets = desc;
|
||||
master = {
|
||||
description = "Build master branch of Simple NixOS MailServer";
|
||||
checkinterval = "60";
|
||||
enabled = "1";
|
||||
nixexprinput = "snm";
|
||||
nixexprpath = ".hydra/default.nix";
|
||||
schedulingshares = 100;
|
||||
enableemail = false;
|
||||
emailoverride = "";
|
||||
keepnr = 3;
|
||||
hidden = false;
|
||||
type = 0;
|
||||
inputs = {
|
||||
snm = {
|
||||
value = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver master";
|
||||
type = "git";
|
||||
emailresponsible = false;
|
||||
};
|
||||
};
|
||||
};
|
||||
"nixos-20.03" = {
|
||||
description = "Build the nixos-20.03 branch of Simple NixOS MailServer";
|
||||
checkinterval = "60";
|
||||
enabled = "1";
|
||||
nixexprinput = "snm";
|
||||
nixexprpath = ".hydra/default.nix";
|
||||
schedulingshares = 100;
|
||||
enableemail = false;
|
||||
emailoverride = "";
|
||||
keepnr = 3;
|
||||
hidden = false;
|
||||
type = 0;
|
||||
inputs = {
|
||||
snm = {
|
||||
value = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver nixos-20.03";
|
||||
type = "git";
|
||||
emailresponsible = false;
|
||||
};
|
||||
};
|
||||
};
|
||||
"nixos-19.09" = {
|
||||
description = "Build the nixos-19.09 branch of Simple NixOS MailServer";
|
||||
checkinterval = "60";
|
||||
enabled = "1";
|
||||
nixexprinput = "snm";
|
||||
nixexprpath = ".hydra/default.nix";
|
||||
schedulingshares = 100;
|
||||
enableemail = false;
|
||||
emailoverride = "";
|
||||
keepnr = 3;
|
||||
hidden = false;
|
||||
type = 0;
|
||||
inputs = {
|
||||
snm = {
|
||||
value = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver nixos-19.09";
|
||||
type = "git";
|
||||
emailresponsible = false;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
in {
|
||||
|
@ -46,10 +94,5 @@ in {
|
|||
cat >$out <<EOF
|
||||
${builtins.toJSON desc}
|
||||
EOF
|
||||
# This is to get nice .jobsets build logs on Hydra
|
||||
cat >tmp <<EOF
|
||||
${builtins.toJSON log}
|
||||
EOF
|
||||
${pkgs.jq}/bin/jq . tmp
|
||||
'';
|
||||
}
|
||||
|
|
|
@ -1,29 +0,0 @@
|
|||
# Read the Docs configuration file
|
||||
# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
|
||||
|
||||
# Required
|
||||
version: 2
|
||||
|
||||
build:
|
||||
os: ubuntu-22.04
|
||||
tools:
|
||||
python: "3"
|
||||
apt_packages:
|
||||
- nix
|
||||
- proot
|
||||
jobs:
|
||||
pre_install:
|
||||
- mkdir -p ~/.nix ~/.config/nix
|
||||
- echo "experimental-features = nix-command flakes" > ~/.config/nix/nix.conf
|
||||
- proot -b ~/.nix:/nix /bin/sh -c "nix build -L .#optionsDoc && cp -v result docs/options.md"
|
||||
|
||||
sphinx:
|
||||
configuration: docs/conf.py
|
||||
|
||||
formats:
|
||||
- pdf
|
||||
- epub
|
||||
|
||||
python:
|
||||
install:
|
||||
- requirements: docs/requirements.txt
|
105
README.md
105
README.md
|
@ -8,21 +8,25 @@
|
|||
For each NixOS release, we publish a branch. You then have to use the
|
||||
SNM branch corresponding to your NixOS version.
|
||||
|
||||
* For NixOS 24.05
|
||||
- Use the [SNM branch `nixos-24.05`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-24.05)
|
||||
- [Documentation](https://nixos-mailserver.readthedocs.io/en/nixos-24.05/)
|
||||
- [Release notes](https://nixos-mailserver.readthedocs.io/en/nixos-24.05/release-notes.html#nixos-24-05)
|
||||
* For NixOS 23.11
|
||||
- Use the [SNM branch `nixos-23.11`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-23.11)
|
||||
- [Documentation](https://nixos-mailserver.readthedocs.io/en/nixos-23.11/)
|
||||
- [Release notes](https://nixos-mailserver.readthedocs.io/en/nixos-23.11/release-notes.html#nixos-23-11)
|
||||
* For NixOS 20.03
|
||||
- Use the [SNM branch `nixos-20.03`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-20.03)
|
||||
- [Release notes](#nixos-2003)
|
||||
* For NixOS 19.09
|
||||
- Use the [SNM branch `nixos-19.09`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-19.09)
|
||||
* For NixOS unstable
|
||||
- Use the [SNM branch `master`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/master)
|
||||
- [Documentation](https://nixos-mailserver.readthedocs.io/en/latest/)
|
||||
- This branch is currently still supporting the NixOS release 20.03
|
||||
but we could remove this support on any NixOS unstable breaking
|
||||
change.
|
||||
|
||||
[Subscribe to SNM Announcement List](https://www.freelists.org/list/snm)
|
||||
This is a very low volume list where new releases of SNM are announced, so you
|
||||
can stay up to date with bug fixes and updates.
|
||||
can stay up to date with bug fixes and updates. All announcements are signed by
|
||||
the gpg key with fingerprint
|
||||
|
||||
```
|
||||
D9FE 4119 F082 6F15 93BD BD36 6162 DBA5 635E A16A
|
||||
```
|
||||
|
||||
|
||||
## Features
|
||||
|
@ -31,15 +35,12 @@ can stay up to date with bug fixes and updates.
|
|||
* [x] Multiple Domains
|
||||
* Postfix MTA
|
||||
- [x] smtp on port 25
|
||||
- [x] submission tls on port 465
|
||||
- [x] submission starttls on port 587
|
||||
- [x] submission port 587
|
||||
- [x] lmtp with dovecot
|
||||
* Dovecot
|
||||
- [x] maildir folders
|
||||
- [x] imap with tls on port 993
|
||||
- [x] pop3 with tls on port 995
|
||||
- [x] imap with starttls on port 143
|
||||
- [x] pop3 with starttls on port 110
|
||||
- [x] imap starttls on port 143
|
||||
- [x] pop3 starttls on port 110
|
||||
* Certificates
|
||||
- [x] manual certificates
|
||||
- [x] on the fly creation
|
||||
|
@ -66,23 +67,77 @@ can stay up to date with bug fixes and updates.
|
|||
* DKIM Signing
|
||||
- [ ] Allow a per domain selector
|
||||
|
||||
### Get in touch
|
||||
### Changelog and How to Stay Up-to-Date
|
||||
|
||||
See the [mailing list archive](https://www.freelists.org/archive/snm/)
|
||||
|
||||
### Quick Start
|
||||
|
||||
```nix
|
||||
{ config, pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
(builtins.fetchTarball {
|
||||
# Pick a commit from the branch you are interested in
|
||||
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/A-COMMIT-ID/nixos-mailserver-A-COMMIT-ID.tar.gz";
|
||||
# And set its hash
|
||||
sha256 = "0000000000000000000000000000000000000000000000000000";
|
||||
})
|
||||
];
|
||||
|
||||
mailserver = {
|
||||
enable = true;
|
||||
fqdn = "mail.example.com";
|
||||
domains = [ "example.com" "example2.com" ];
|
||||
loginAccounts = {
|
||||
"user1@example.com" = {
|
||||
hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/";
|
||||
|
||||
aliases = [
|
||||
"info@example.com"
|
||||
"postmaster@example.com"
|
||||
"postmaster@example2.com"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
```
|
||||
|
||||
For a complete list of options, see `default.nix`.
|
||||
|
||||
|
||||
- Subscribe to the [mailing list](https://www.freelists.org/archive/snm/)
|
||||
- Join the Libera Chat IRC channel `#nixos-mailserver`
|
||||
|
||||
## How to Set Up a 10/10 Mail Server Guide
|
||||
Check out the [Complete Setup Guide](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/wikis/A-Complete-Setup-Guide) in the project's wiki.
|
||||
|
||||
Check out the [Setup Guide](https://nixos-mailserver.readthedocs.io/en/latest/setup-guide.html) in the project's documentation.
|
||||
## How to Backup
|
||||
|
||||
For a complete list of options, [see in readthedocs](https://nixos-mailserver.readthedocs.io/en/latest/options.html).
|
||||
Checkout the [Complete Backup Guide](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/wikis/A-Complete-Backup-Guide). Backups are easy with `SNM`.
|
||||
|
||||
## Development
|
||||
|
||||
See the [How to Develop SNM](https://nixos-mailserver.readthedocs.io/en/latest/howto-develop.html) documentation page.
|
||||
See the [How to Develop SNM](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/wikis/How-to-Develop-SNM) wiki page.
|
||||
|
||||
## Release notes
|
||||
|
||||
### nixos-20.03
|
||||
|
||||
- Rspamd is upgraded to 2.0 which deprecates the SQLite Bayes
|
||||
backend. We then moved to the Redis backend (the default since
|
||||
Rspamd 2.0). If you don't want to relearn the Redis backend from the
|
||||
scratch, we could manually run
|
||||
|
||||
rspamadm statconvert --spam-db /var/lib/rspamd/bayes.spam.sqlite --ham-db /var/lib/rspamd/bayes.ham.sqlite -h 127.0.0.1:6379 --symbol-ham BAYES_HAM --symbol-spam BAYES_SPAM
|
||||
|
||||
See the [Rspamd migration
|
||||
notes](https://rspamd.com/doc/migration.html#migration-to-rspamd-20)
|
||||
and [this SNM Merge
|
||||
Request](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/164)
|
||||
for details.
|
||||
|
||||
## Contributors
|
||||
See the [contributor tab](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/graphs/master)
|
||||
See the [contributor tab](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/graphs/master)
|
||||
|
||||
### Alternative Implementations
|
||||
* [NixCloud Webservices](https://github.com/nixcloud/nixcloud-webservices)
|
||||
|
@ -94,4 +149,6 @@ See the [contributor tab](https://gitlab.com/simple-nixos-mailserver/nixos-mails
|
|||
* Logo made with [Logomakr.com](https://logomakr.com)
|
||||
|
||||
|
||||
[logo]: docs/logo.png
|
||||
|
||||
|
||||
[logo]: logo/logo.png
|
||||
|
|
633
default.nix
633
default.nix
|
@ -1,3 +1,4 @@
|
|||
|
||||
# nixos-mailserver: a simple mail server
|
||||
# Copyright (C) 2016-2018 Robin Raymond
|
||||
#
|
||||
|
@ -25,12 +26,6 @@ in
|
|||
options.mailserver = {
|
||||
enable = mkEnableOption "nixos-mailserver";
|
||||
|
||||
openFirewall = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = "Automatically open ports in the firewall.";
|
||||
};
|
||||
|
||||
fqdn = mkOption {
|
||||
type = types.str;
|
||||
example = "mx.example.com";
|
||||
|
@ -44,17 +39,6 @@ in
|
|||
description = "The domains that this mail server serves.";
|
||||
};
|
||||
|
||||
certificateDomains = mkOption {
|
||||
type = types.listOf types.str;
|
||||
example = [ "imap.example.com" "pop3.example.com" ];
|
||||
default = [];
|
||||
description = ''
|
||||
({option}`mailserver.certificateScheme` == `acme-nginx`)
|
||||
|
||||
Secondary domains and subdomains for which it is necessary to generate a certificate.
|
||||
'';
|
||||
};
|
||||
|
||||
messageSizeLimit = mkOption {
|
||||
type = types.int;
|
||||
example = 52428800;
|
||||
|
@ -63,7 +47,7 @@ in
|
|||
};
|
||||
|
||||
loginAccounts = mkOption {
|
||||
type = types.attrsOf (types.submodule ({ name, ... }: {
|
||||
type = types.loaOf (types.submodule ({ name, ... }: {
|
||||
options = {
|
||||
name = mkOption {
|
||||
type = types.str;
|
||||
|
@ -79,11 +63,11 @@ in
|
|||
The user's hashed password. Use `mkpasswd` as follows
|
||||
|
||||
```
|
||||
nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
|
||||
mkpasswd -m sha-512 "super secret password"
|
||||
```
|
||||
|
||||
Warning: this is stored in plaintext in the Nix store!
|
||||
Use {option}`mailserver.loginAccounts.<name>.hashedPasswordFile` instead.
|
||||
Use `hashedPasswordFile` instead.
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -95,7 +79,7 @@ in
|
|||
A file containing the user's hashed password. Use `mkpasswd` as follows
|
||||
|
||||
```
|
||||
nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
|
||||
mkpasswd -m sha-512 "super secret password"
|
||||
```
|
||||
'';
|
||||
};
|
||||
|
@ -111,15 +95,6 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
aliasesRegexp = mkOption {
|
||||
type = with types; listOf types.str;
|
||||
example = [''/^tom\..*@domain\.com$/''];
|
||||
default = [];
|
||||
description = ''
|
||||
Same as {option}`mailserver.aliases` but using PCRE (Perl compatible regex).
|
||||
'';
|
||||
};
|
||||
|
||||
catchAll = mkOption {
|
||||
type = with types; listOf (enum cfg.domains);
|
||||
example = ["example.com" "example2.com"];
|
||||
|
@ -169,7 +144,7 @@ in
|
|||
description = ''
|
||||
Specifies if the account should be a send-only account.
|
||||
Emails sent to send-only accounts will be rejected from
|
||||
unauthorized senders with the `sendOnlyRejectMessage`
|
||||
unauthorized senders with the sendOnlyRejectMessage
|
||||
stating the reason.
|
||||
'';
|
||||
};
|
||||
|
@ -201,255 +176,12 @@ in
|
|||
follows
|
||||
|
||||
```
|
||||
nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
|
||||
mkpasswd -m sha-512 "super secret password"
|
||||
```
|
||||
'';
|
||||
default = {};
|
||||
};
|
||||
|
||||
ldap = {
|
||||
enable = mkEnableOption "LDAP support";
|
||||
|
||||
uris = mkOption {
|
||||
type = types.listOf types.str;
|
||||
example = literalExpression ''
|
||||
[
|
||||
"ldaps://ldap1.example.com"
|
||||
"ldaps://ldap2.example.com"
|
||||
]
|
||||
'';
|
||||
description = ''
|
||||
URIs where your LDAP server can be reached
|
||||
'';
|
||||
};
|
||||
|
||||
startTls = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to enable StartTLS upon connection to the server.
|
||||
'';
|
||||
};
|
||||
|
||||
tlsCAFile = mkOption {
|
||||
type = types.path;
|
||||
default = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
|
||||
defaultText = lib.literalMD "see [source](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/blob/master/default.nix)";
|
||||
description = ''
|
||||
Certifificate trust anchors used to verify the LDAP server certificate.
|
||||
'';
|
||||
};
|
||||
|
||||
bind = {
|
||||
dn = mkOption {
|
||||
type = types.str;
|
||||
example = "cn=mail,ou=accounts,dc=example,dc=com";
|
||||
description = ''
|
||||
Distinguished name used by the mail server to do lookups
|
||||
against the LDAP servers.
|
||||
'';
|
||||
};
|
||||
|
||||
passwordFile = mkOption {
|
||||
type = types.str;
|
||||
example = "/run/my-secret";
|
||||
description = ''
|
||||
A file containing the password required to authenticate against the LDAP servers.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
searchBase = mkOption {
|
||||
type = types.str;
|
||||
example = "ou=people,ou=accounts,dc=example,dc=com";
|
||||
description = ''
|
||||
Base DN at below which to search for users accounts.
|
||||
'';
|
||||
};
|
||||
|
||||
searchScope = mkOption {
|
||||
type = types.enum [ "sub" "base" "one" ];
|
||||
default = "sub";
|
||||
description = ''
|
||||
Search scope below which users accounts are looked for.
|
||||
'';
|
||||
};
|
||||
|
||||
dovecot = {
|
||||
userAttrs = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = "";
|
||||
description = ''
|
||||
LDAP attributes to be retrieved during userdb lookups.
|
||||
|
||||
See the users_attrs reference at
|
||||
https://doc.dovecot.org/configuration_manual/authentication/ldap_settings_auth/#user-attrs
|
||||
in the Dovecot manual.
|
||||
'';
|
||||
};
|
||||
|
||||
userFilter = mkOption {
|
||||
type = types.str;
|
||||
default = "mail=%u";
|
||||
example = "(&(objectClass=inetOrgPerson)(mail=%u))";
|
||||
description = ''
|
||||
Filter for user lookups in Dovecot.
|
||||
|
||||
See the user_filter reference at
|
||||
https://doc.dovecot.org/configuration_manual/authentication/ldap_settings_auth/#user-filter
|
||||
in the Dovecot manual.
|
||||
'';
|
||||
};
|
||||
|
||||
passAttrs = mkOption {
|
||||
type = types.str;
|
||||
default = "userPassword=password";
|
||||
description = ''
|
||||
LDAP attributes to be retrieved during passdb lookups.
|
||||
|
||||
See the pass_attrs reference at
|
||||
https://doc.dovecot.org/configuration_manual/authentication/ldap_settings_auth/#pass-attrs
|
||||
in the Dovecot manual.
|
||||
'';
|
||||
};
|
||||
|
||||
passFilter = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = "mail=%u";
|
||||
example = "(&(objectClass=inetOrgPerson)(mail=%u))";
|
||||
description = ''
|
||||
Filter for password lookups in Dovecot.
|
||||
|
||||
See the pass_filter reference for
|
||||
https://doc.dovecot.org/configuration_manual/authentication/ldap_settings_auth/#pass-filter
|
||||
in the Dovecot manual.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
postfix = {
|
||||
filter = mkOption {
|
||||
type = types.str;
|
||||
default = "mail=%s";
|
||||
example = "(&(objectClass=inetOrgPerson)(mail=%s))";
|
||||
description = ''
|
||||
LDAP filter used to search for an account by mail, where
|
||||
`%s` is a substitute for the address in
|
||||
question.
|
||||
'';
|
||||
};
|
||||
|
||||
uidAttribute = mkOption {
|
||||
type = types.str;
|
||||
default = "mail";
|
||||
example = "uid";
|
||||
description = ''
|
||||
The LDAP attribute referencing the account name for a user.
|
||||
'';
|
||||
};
|
||||
|
||||
mailAttribute = mkOption {
|
||||
type = types.str;
|
||||
default = "mail";
|
||||
description = ''
|
||||
The LDAP attribute holding mail addresses for a user.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
indexDir = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
Folder to store search indices. If null, indices are stored
|
||||
along with email, which could not necessarily be desirable,
|
||||
especially when {option}`mailserver.fullTextSearch.enable` is `true` since
|
||||
indices it creates are voluminous and do not need to be backed
|
||||
up.
|
||||
|
||||
Be careful when changing this option value since all indices
|
||||
would be recreated at the new location (and clients would need
|
||||
to resynchronize).
|
||||
|
||||
Note the some variables can be used in the file path. See
|
||||
https://doc.dovecot.org/configuration_manual/mail_location/#variables
|
||||
for details.
|
||||
'';
|
||||
example = "/var/lib/dovecot/indices";
|
||||
};
|
||||
|
||||
fullTextSearch = {
|
||||
enable = mkEnableOption "Full text search indexing with xapian. This has significant performance and disk space cost.";
|
||||
autoIndex = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = "Enable automatic indexing of messages as they are received or modified.";
|
||||
};
|
||||
autoIndexExclude = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ ];
|
||||
example = [ "\\Trash" "SomeFolder" "Other/*" ];
|
||||
description = ''
|
||||
Mailboxes to exclude from automatic indexing.
|
||||
'';
|
||||
};
|
||||
|
||||
indexAttachments = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Also index text-only attachements. Binary attachements are never indexed.";
|
||||
};
|
||||
|
||||
enforced = mkOption {
|
||||
type = types.enum [ "yes" "no" "body" ];
|
||||
default = "no";
|
||||
description = ''
|
||||
Fail searches when no index is available. If set to
|
||||
`body`, then only body searches (as opposed to
|
||||
header) are affected. If set to `no`, searches may
|
||||
fall back to a very slow brute force search.
|
||||
'';
|
||||
};
|
||||
|
||||
minSize = mkOption {
|
||||
type = types.int;
|
||||
default = 2;
|
||||
description = "Size of the smallest n-gram to index.";
|
||||
};
|
||||
maxSize = mkOption {
|
||||
type = types.int;
|
||||
default = 20;
|
||||
description = "Size of the largest n-gram to index.";
|
||||
};
|
||||
memoryLimit = mkOption {
|
||||
type = types.nullOr types.int;
|
||||
default = null;
|
||||
example = 2000;
|
||||
description = "Memory limit for the indexer process, in MiB. If null, leaves the default (which is rather low), and if 0, no limit.";
|
||||
};
|
||||
|
||||
maintenance = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = "Regularly optmize indices, as recommended by upstream.";
|
||||
};
|
||||
|
||||
onCalendar = mkOption {
|
||||
type = types.str;
|
||||
default = "daily";
|
||||
description = "When to run the maintenance job. See systemd.time(7) for more information about the format.";
|
||||
};
|
||||
|
||||
randomizedDelaySec = mkOption {
|
||||
type = types.int;
|
||||
default = 1000;
|
||||
description = "Run the maintenance job not exactly at the time specified with `onCalendar`, but plus or minus this many seconds.";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
lmtpSaveToDetailMailbox = mkOption {
|
||||
type = types.enum ["yes" "no"];
|
||||
default = "yes";
|
||||
|
@ -461,11 +193,14 @@ in
|
|||
};
|
||||
|
||||
extraVirtualAliases = mkOption {
|
||||
type = let
|
||||
loginAccount = mkOptionType {
|
||||
name = "Login Account";
|
||||
};
|
||||
in with types; attrsOf (either loginAccount (nonEmptyListOf loginAccount));
|
||||
type = types.loaOf (mkOptionType {
|
||||
name = "Login Account";
|
||||
check = (ele:
|
||||
let accounts = builtins.attrNames cfg.loginAccounts;
|
||||
in if (builtins.isList ele)
|
||||
then (builtins.all (x: builtins.elem x accounts) ele) && (builtins.length ele > 0)
|
||||
else (builtins.elem ele accounts));
|
||||
});
|
||||
example = {
|
||||
"info@example.com" = "user1@example.com";
|
||||
"postmaster@example.com" = "user1@example.com";
|
||||
|
@ -486,23 +221,6 @@ in
|
|||
default = {};
|
||||
};
|
||||
|
||||
forwards = mkOption {
|
||||
type = with types; attrsOf (either (listOf str) str);
|
||||
example = {
|
||||
"user@example.com" = "user@elsewhere.com";
|
||||
};
|
||||
description = ''
|
||||
To forward mails to an external address. For instance,
|
||||
the value {`"user@example.com" = "user@elsewhere.com";}`
|
||||
means that mails to `user@example.com` are forwarded to
|
||||
`user@elsewhere.com`. The difference with the
|
||||
{option}`mailserver.extraVirtualAliases` option is that `user@elsewhere.com`
|
||||
can't send mail as `user@example.com`. Also, this option
|
||||
allows to forward mails to external addresses.
|
||||
'';
|
||||
default = {};
|
||||
};
|
||||
|
||||
rejectSender = mkOption {
|
||||
type = types.listOf types.str;
|
||||
example = [ "@example.com" "spammer@example.net" ];
|
||||
|
@ -530,7 +248,7 @@ in
|
|||
description = ''
|
||||
The unix UID of the virtual mail user. Be mindful that if this is
|
||||
changed, you will need to manually adjust the permissions of
|
||||
`mailDirectory`.
|
||||
mailDirectory.
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -573,14 +291,6 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
useUTF8FolderNames = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Store mailbox names on disk using UTF-8 instead of modified UTF-7 (mUTF-7).
|
||||
'';
|
||||
};
|
||||
|
||||
hierarchySeparator = mkOption {
|
||||
type = types.str;
|
||||
default = ".";
|
||||
|
@ -599,46 +309,46 @@ in
|
|||
The mailboxes for dovecot.
|
||||
Depending on the mail client used it might be necessary to change some mailbox's name.
|
||||
'';
|
||||
default = {
|
||||
Trash = {
|
||||
default = [
|
||||
{
|
||||
name = "Trash";
|
||||
auto = "no";
|
||||
specialUse = "Trash";
|
||||
};
|
||||
Junk = {
|
||||
}
|
||||
|
||||
{
|
||||
name = "Junk";
|
||||
auto = "subscribe";
|
||||
specialUse = "Junk";
|
||||
};
|
||||
Drafts = {
|
||||
}
|
||||
|
||||
{
|
||||
name = "Drafts";
|
||||
auto = "subscribe";
|
||||
specialUse = "Drafts";
|
||||
};
|
||||
Sent = {
|
||||
}
|
||||
|
||||
{
|
||||
name = "Sent";
|
||||
auto = "subscribe";
|
||||
specialUse = "Sent";
|
||||
};
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
certificateScheme = let
|
||||
schemes = [ "manual" "selfsigned" "acme-nginx" "acme" ];
|
||||
translate = i: warn "Setting mailserver.certificateScheme by number is deprecated, please use names instead: 'mailserver.certificateScheme = ${builtins.toString i}' can be replaced by 'mailserver.certificateScheme = \"${(builtins.elemAt schemes (i - 1))}\"'."
|
||||
(builtins.elemAt schemes (i - 1));
|
||||
in mkOption {
|
||||
type = with types; coercedTo (enum [ 1 2 3 ]) translate (enum schemes);
|
||||
default = "selfsigned";
|
||||
certificateScheme = mkOption {
|
||||
type = types.enum [ 1 2 3 ];
|
||||
default = 2;
|
||||
description = ''
|
||||
The scheme to use for managing TLS certificates:
|
||||
Certificate Files. There are three options for these.
|
||||
|
||||
1. `manual`: you specify locations via {option}`mailserver.certificateFile` and
|
||||
{option}`mailserver.keyFile` and manually copy certificates there.
|
||||
2. `selfsigned`: you let the server create new (self-signed) certificates on the fly.
|
||||
3. `acme-nginx`: you let the server request certificates from [Let's Encrypt](https://letsencrypt.org)
|
||||
via NixOS' ACME module. By default, this will set up a stripped-down Nginx server for
|
||||
{option}`mailserver.fqdn` and open port 80. For this to work, the FQDN must be properly
|
||||
configured to point to your server (see the [setup guide](setup-guide.rst) for more information).
|
||||
4. `acme`: you already have an ACME certificate set up (for example, you're already running a TLS-enabled
|
||||
Nginx server on the FQDN). This is better than `manual` because the appropriate services will be reloaded
|
||||
when the certificate is renewed.
|
||||
1) You specify locations and manually copy certificates there.
|
||||
2) You let the server create new (self signed) certificates on the fly.
|
||||
3) You let the server create a certificate via `Let's Encrypt`. Note that
|
||||
this implies that a stripped down webserver has to be started. This also
|
||||
implies that the FQDN must be set as an `A` record to point to the IP of
|
||||
the server. In particular port 80 on the server will be opened. For details
|
||||
on how to set up the domain records, see the guide in the readme.
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -646,9 +356,8 @@ in
|
|||
type = types.path;
|
||||
example = "/root/mail-server.crt";
|
||||
description = ''
|
||||
({option}`mailserver.certificateScheme` == `manual`)
|
||||
|
||||
Location of the certificate.
|
||||
Scheme 1)
|
||||
Location of the certificate
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -656,9 +365,8 @@ in
|
|||
type = types.path;
|
||||
example = "/root/mail-server.key";
|
||||
description = ''
|
||||
({option}`mailserver.certificateScheme` == `manual`)
|
||||
|
||||
Location of the key file.
|
||||
Scheme 1)
|
||||
Location of the key file
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -666,56 +374,32 @@ in
|
|||
type = types.path;
|
||||
default = "/var/certs";
|
||||
description = ''
|
||||
({option}`mailserver.certificateScheme` == `selfsigned`)
|
||||
|
||||
This is the folder where the self-signed certificate will be created. The name is
|
||||
hardcoded to "cert-DOMAIN.pem" and "key-DOMAIN.pem" and the
|
||||
Sceme 2)
|
||||
This is the folder where the certificate will be created. The name is
|
||||
hardcoded to "cert-<domain>.pem" and "key-<domain>.pem" and the
|
||||
certificate is valid for 10 years.
|
||||
'';
|
||||
};
|
||||
|
||||
acmeCertificateName = mkOption {
|
||||
type = types.str;
|
||||
default = cfg.fqdn;
|
||||
example = "example.com";
|
||||
description = ''
|
||||
({option}`mailserver.certificateScheme` == `acme`)
|
||||
|
||||
When the `acme` `certificateScheme` is selected, you can use this option
|
||||
to override the default certificate name. This is useful if you've
|
||||
generated a wildcard certificate, for example.
|
||||
'';
|
||||
};
|
||||
|
||||
enableImap = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Whether to enable IMAP with STARTTLS on port 143.
|
||||
Whether to enable imap / pop3. Both variants are only supported in the
|
||||
(sane) startTLS configuration. The ports are
|
||||
|
||||
110 - Pop3
|
||||
143 - IMAP
|
||||
587 - SMTP with login
|
||||
'';
|
||||
};
|
||||
|
||||
enableImapSsl = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to enable IMAP with TLS in wrapper-mode on port 993.
|
||||
'';
|
||||
};
|
||||
|
||||
enableSubmission = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Whether to enable SMTP with STARTTLS on port 587.
|
||||
'';
|
||||
};
|
||||
|
||||
enableSubmissionSsl = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Whether to enable SMTP with TLS in wrapper-mode on port 465.
|
||||
Whether to enable IMAPS, setting this option to true will open port 993
|
||||
in the firewall.
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -723,7 +407,12 @@ in
|
|||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to enable POP3 with STARTTLS on port on port 110.
|
||||
Whether to enable POP3. Both variants are only supported in the (sane)
|
||||
startTLS configuration. The ports are
|
||||
|
||||
110 - Pop3
|
||||
143 - IMAP
|
||||
587 - SMTP with login
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -731,7 +420,8 @@ in
|
|||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to enable POP3 with TLS in wrapper-mode on port 995.
|
||||
Whether to enable POP3S, setting this option to true will open port 995
|
||||
in the firewall.
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -747,14 +437,6 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
sieveDirectory = mkOption {
|
||||
type = types.path;
|
||||
default = "/var/sieve";
|
||||
description = ''
|
||||
Where to store the sieve scripts.
|
||||
'';
|
||||
};
|
||||
|
||||
virusScanning = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
|
@ -776,7 +458,7 @@ in
|
|||
type = types.str;
|
||||
default = "mail";
|
||||
description = ''
|
||||
The DKIM selector.
|
||||
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -784,7 +466,7 @@ in
|
|||
type = types.path;
|
||||
default = "/var/dkim";
|
||||
description = ''
|
||||
The DKIM directory.
|
||||
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -795,93 +477,12 @@ in
|
|||
How many bits in generated DKIM keys. RFC6376 advises minimum 1024-bit keys.
|
||||
|
||||
If you have already deployed a key with a different number of bits than specified
|
||||
here, then you should use a different selector ({option}`mailserver.dkimSelector`). In order to get
|
||||
here, then you should use a different selector (dkimSelector). In order to get
|
||||
this package to generate a key with the new number of bits, you will either have to
|
||||
change the selector or delete the old key file.
|
||||
'';
|
||||
};
|
||||
|
||||
dkimHeaderCanonicalization = mkOption {
|
||||
type = types.enum ["relaxed" "simple"];
|
||||
default = "relaxed";
|
||||
description = ''
|
||||
DKIM canonicalization algorithm for message headers.
|
||||
|
||||
See https://datatracker.ietf.org/doc/html/rfc6376/#section-3.4 for details.
|
||||
'';
|
||||
};
|
||||
|
||||
dkimBodyCanonicalization = mkOption {
|
||||
type = types.enum ["relaxed" "simple"];
|
||||
default = "relaxed";
|
||||
description = ''
|
||||
DKIM canonicalization algorithm for message bodies.
|
||||
|
||||
See https://datatracker.ietf.org/doc/html/rfc6376/#section-3.4 for details.
|
||||
'';
|
||||
};
|
||||
|
||||
dmarcReporting = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to send out aggregated, daily DMARC reports in response to incoming
|
||||
mail, when the sender domain defines a DMARC policy including the RUA tag.
|
||||
|
||||
This is helpful for the mail ecosystem, because it allows third parties to
|
||||
get notified about SPF/DKIM violations originating from their sender domains.
|
||||
|
||||
See https://rspamd.com/doc/modules/dmarc.html#reporting
|
||||
'';
|
||||
};
|
||||
|
||||
localpart = mkOption {
|
||||
type = types.str;
|
||||
default = "dmarc-noreply";
|
||||
example = "dmarc-report";
|
||||
description = ''
|
||||
The local part of the email address used for outgoing DMARC reports.
|
||||
'';
|
||||
};
|
||||
|
||||
domain = mkOption {
|
||||
type = types.enum (cfg.domains);
|
||||
example = "example.com";
|
||||
description = ''
|
||||
The domain from which outgoing DMARC reports are served.
|
||||
'';
|
||||
};
|
||||
|
||||
email = mkOption {
|
||||
type = types.str;
|
||||
default = with cfg.dmarcReporting; "${localpart}@${domain}";
|
||||
defaultText = literalExpression ''"''${localpart}@''${domain}"'';
|
||||
readOnly = true;
|
||||
description = ''
|
||||
The email address used for outgoing DMARC reports. Read-only.
|
||||
'';
|
||||
};
|
||||
|
||||
organizationName = mkOption {
|
||||
type = types.str;
|
||||
example = "ACME Corp.";
|
||||
description = ''
|
||||
The name of your organization used in the `org_name` attribute in
|
||||
DMARC reports.
|
||||
'';
|
||||
};
|
||||
|
||||
fromName = mkOption {
|
||||
type = types.str;
|
||||
default = cfg.dmarcReporting.organizationName;
|
||||
defaultText = literalMD "{option}`mailserver.dmarcReporting.organizationName`";
|
||||
description = ''
|
||||
The sender name for DMARC reports. Defaults to the organization name.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
debug = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
|
@ -910,20 +511,12 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
recipientDelimiter = mkOption {
|
||||
type = types.str;
|
||||
default = "+";
|
||||
description = ''
|
||||
Configure the recipient delimiter.
|
||||
'';
|
||||
};
|
||||
|
||||
redis = {
|
||||
address = mkOption {
|
||||
type = types.str;
|
||||
# read the default from nixos' redis module
|
||||
default = let
|
||||
cf = config.services.redis.servers.rspamd.bind;
|
||||
cf = config.services.redis.bind;
|
||||
cfdefault = if cf == null then "127.0.0.1" else cf;
|
||||
ips = lib.strings.splitString " " cfdefault;
|
||||
ip = lib.lists.head (ips ++ [ "127.0.0.1" ]);
|
||||
|
@ -932,27 +525,28 @@ in
|
|||
if (ip == "0.0.0.0" || ip == "::")
|
||||
then "127.0.0.1"
|
||||
else if isIpv6 ip then "[${ip}]" else ip;
|
||||
defaultText = lib.literalMD "computed from `config.services.redis.servers.rspamd.bind`";
|
||||
description = ''
|
||||
Address that rspamd should use to contact redis.
|
||||
Address that rspamd should use to contact redis. The default value
|
||||
is read from <literal>config.services.redis.bind</literal>.
|
||||
'';
|
||||
};
|
||||
|
||||
port = mkOption {
|
||||
type = types.port;
|
||||
default = config.services.redis.servers.rspamd.port;
|
||||
defaultText = lib.literalExpression "config.services.redis.servers.rspamd.port";
|
||||
default = config.services.redis.port;
|
||||
description = ''
|
||||
Port that rspamd should use to contact redis.
|
||||
Port that rspamd should use to contact redis. The default value is
|
||||
read from <literal>config.services.redis.port<literal>.
|
||||
'';
|
||||
};
|
||||
|
||||
password = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = config.services.redis.servers.rspamd.requirePass;
|
||||
defaultText = lib.literalExpression "config.services.redis.servers.rspamd.requirePass";
|
||||
default = config.services.redis.requirePass;
|
||||
description = ''
|
||||
Password that rspamd should use to contact redis, or null if not required.
|
||||
Password that rspamd should use to contact redis, or null if not
|
||||
required. The default value is read from
|
||||
<literal>config.services.redis.requirePass<literal>.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
@ -967,48 +561,6 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
smtpdForbidBareNewline = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
With "smtpd_forbid_bare_newline = yes", the Postfix SMTP server
|
||||
disconnects a remote SMTP client that sends a line ending in a 'bare
|
||||
newline'.
|
||||
|
||||
This feature was added in Postfix 3.8.4 against SMTP Smuggling and will
|
||||
default to "yes" in Postfix 3.9.
|
||||
|
||||
https://www.postfix.org/smtp-smuggling.html
|
||||
'';
|
||||
};
|
||||
|
||||
sendingFqdn = mkOption {
|
||||
type = types.str;
|
||||
default = cfg.fqdn;
|
||||
defaultText = lib.literalMD "{option}`mailserver.fqdn`";
|
||||
example = "myserver.example.com";
|
||||
description = ''
|
||||
The fully qualified domain name of the mail server used to
|
||||
identify with remote servers.
|
||||
|
||||
If this server's IP serves purposes other than a mail server,
|
||||
it may be desirable for the server to have a name other than
|
||||
that to which the user will connect. For example, the user
|
||||
might connect to mx.example.com, but the server's IP has
|
||||
reverse DNS that resolves to myserver.example.com; in this
|
||||
scenario, some mail servers may reject or penalize the
|
||||
message.
|
||||
|
||||
This setting allows the server to identify as
|
||||
myserver.example.com when forwarding mail, independently of
|
||||
{option}`mailserver.fqdn` (which, for SSL reasons, should generally be the name
|
||||
to which the user connects).
|
||||
|
||||
Set this to the name to which the sending IP's reverse DNS
|
||||
resolves.
|
||||
'';
|
||||
};
|
||||
|
||||
policydSPFExtraConfig = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
|
@ -1069,11 +621,10 @@ in
|
|||
stop program = "${pkgs.systemd}/bin/systemctl stop dovecot2"
|
||||
if failed host ${cfg.fqdn} port 993 type tcpssl sslauto protocol imap for 5 cycles then restart
|
||||
|
||||
check process rspamd with matching "rspamd: main process"
|
||||
check process rspamd with pidfile /var/run/rspamd.pid
|
||||
start program = "${pkgs.systemd}/bin/systemctl start rspamd"
|
||||
stop program = "${pkgs.systemd}/bin/systemctl stop rspamd"
|
||||
'';
|
||||
defaultText = lib.literalMD "see [source](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/blob/master/default.nix)";
|
||||
description = ''
|
||||
The configuration used for monitoring via monit.
|
||||
Use a mail address that you actively check and set it via 'set alert ...'.
|
||||
|
@ -1090,8 +641,7 @@ in
|
|||
description = ''
|
||||
The location where borg saves the backups.
|
||||
This can be a local path or a remote location such as user@host:/path/to/repo.
|
||||
It is exported and thus available as an environment variable to
|
||||
{option}`mailserver.borgbackup.cmdPreexec` and {option}`mailserver.borgbackup.cmdPostexec`.
|
||||
It is exported and thus available as an environment variable to cmdPreexec and cmdPostexec.
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -1151,14 +701,13 @@ in
|
|||
default = "none";
|
||||
description = ''
|
||||
The backup can be encrypted by choosing any other value than 'none'.
|
||||
When using encryption the password/passphrase must be provided in `passphraseFile`.
|
||||
When using encryption the password / passphrase must be provided in passphraseFile.
|
||||
'';
|
||||
};
|
||||
|
||||
passphraseFile = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
description = "Path to a file containing the encryption password or passphrase.";
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -1174,7 +723,6 @@ in
|
|||
locations = mkOption {
|
||||
type = types.listOf types.path;
|
||||
default = [cfg.mailDirectory];
|
||||
defaultText = lib.literalExpression "[ config.mailserver.mailDirectory ]";
|
||||
description = "The locations that are to be backed up by borg.";
|
||||
};
|
||||
|
||||
|
@ -1195,10 +743,9 @@ in
|
|||
default = null;
|
||||
description = ''
|
||||
The command to be executed before each backup operation.
|
||||
This is called prior to borg init in the same script that runs borg init and create and `cmdPostexec`.
|
||||
'';
|
||||
example = ''
|
||||
export BORG_RSH="ssh -i /path/to/private/key"
|
||||
This is called prior to borg init in the same script that runs borg init and create and cmdPostexec.
|
||||
Example:
|
||||
export BORG_RSH="ssh -i /path/to/private/key"
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -1208,7 +755,7 @@ in
|
|||
description = ''
|
||||
The command to be executed after each backup operation.
|
||||
This is called after borg create completed successfully and in the same script that runs
|
||||
`cmdPreexec`, borg init and create.
|
||||
cmdPreexec, borg init and create.
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -1221,7 +768,7 @@ in
|
|||
example = true;
|
||||
description = ''
|
||||
Whether to enable automatic reboot after kernel upgrades.
|
||||
This is to be used in conjunction with `system.autoUpgrade.enable = true;`
|
||||
This is to be used in conjunction with system.autoUpgrade.enable = true"
|
||||
'';
|
||||
};
|
||||
method = mkOption {
|
||||
|
@ -1296,9 +843,7 @@ in
|
|||
};
|
||||
|
||||
imports = [
|
||||
./mail-server/assertions.nix
|
||||
./mail-server/borgbackup.nix
|
||||
./mail-server/debug.nix
|
||||
./mail-server/rsnapshot.nix
|
||||
./mail-server/clamav.nix
|
||||
./mail-server/monit.nix
|
||||
|
|
|
@ -1,20 +0,0 @@
|
|||
# Minimal makefile for Sphinx documentation
|
||||
#
|
||||
|
||||
# You can set these variables from the command line, and also
|
||||
# from the environment for the first two.
|
||||
SPHINXOPTS ?=
|
||||
SPHINXBUILD ?= sphinx-build
|
||||
SOURCEDIR = .
|
||||
BUILDDIR = _build
|
||||
|
||||
# Put it first so that "make" without argument is like "make help".
|
||||
help:
|
||||
@$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
|
||||
|
||||
.PHONY: help Makefile
|
||||
|
||||
# Catch-all target: route all unknown targets to Sphinx using the new
|
||||
# "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS).
|
||||
%: Makefile
|
||||
@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
|
|
@ -1,55 +0,0 @@
|
|||
Add Radicale
|
||||
============
|
||||
|
||||
Configuration by @dotlambda
|
||||
|
||||
Starting with Radicale 3 (first introduced in NixOS 20.09) the traditional
|
||||
crypt passwords are no longer supported. Instead bcrypt passwords
|
||||
have to be used. These can still be generated using `mkpasswd -m bcrypt`.
|
||||
|
||||
.. code:: nix
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
mailAccounts = config.mailserver.loginAccounts;
|
||||
htpasswd = pkgs.writeText "radicale.users" (concatStrings
|
||||
(flip mapAttrsToList mailAccounts (mail: user:
|
||||
mail + ":" + user.hashedPassword + "\n"
|
||||
))
|
||||
);
|
||||
|
||||
in {
|
||||
services.radicale = {
|
||||
enable = true;
|
||||
settings = {
|
||||
auth = {
|
||||
type = "htpasswd";
|
||||
htpasswd_filename = "${htpasswd}";
|
||||
htpasswd_encryption = "bcrypt";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts = {
|
||||
"cal.example.com" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://localhost:5232/";
|
||||
extraConfig = ''
|
||||
proxy_set_header X-Script-Name /;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_pass_header Authorization;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
}
|
|
@ -1,32 +0,0 @@
|
|||
Add Roundcube, a webmail
|
||||
========================
|
||||
|
||||
The NixOS module for roundcube nearly works out of the box with SNM. By
|
||||
default, it sets up a nginx virtual host to serve the webmail, other web
|
||||
servers may require more work.
|
||||
|
||||
.. code:: nix
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
{
|
||||
services.roundcube = {
|
||||
enable = true;
|
||||
# this is the url of the vhost, not necessarily the same as the fqdn of
|
||||
# the mailserver
|
||||
hostName = "webmail.example.com";
|
||||
extraConfig = ''
|
||||
# starttls needed for authentication, so the fqdn required to match
|
||||
# the certificate
|
||||
$config['smtp_host'] = "tls://${config.mailserver.fqdn}";
|
||||
$config['smtp_user'] = "%u";
|
||||
$config['smtp_pass'] = "%p";
|
||||
'';
|
||||
};
|
||||
|
||||
services.nginx.enable = true;
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
}
|
|
@ -1,18 +0,0 @@
|
|||
Autodiscovery
|
||||
=============
|
||||
|
||||
`RFC6186 <https://www.rfc-editor.org/rfc/rfc6186>`_ allows supporting email clients to automatically discover SMTP / IMAP addresses
|
||||
of the mailserver. For that, the following records are required:
|
||||
|
||||
================= ==== ==== ======== ====== ==== =================
|
||||
Record TTL Type Priority Weight Port Value
|
||||
================= ==== ==== ======== ====== ==== =================
|
||||
_submission._tcp 3600 SRV 5 0 587 mail.example.com.
|
||||
_submissions._tcp 3600 SRV 5 0 465 mail.example.com.
|
||||
_imap._tcp 3600 SRV 5 0 143 mail.example.com.
|
||||
_imaps._tcp 3600 SRV 5 0 993 mail.example.com.
|
||||
================= ==== ==== ======== ====== ==== =================
|
||||
|
||||
Please note that only a few MUAs currently implement this. For vendor-specific
|
||||
discovery mechanisms `automx <https://github.com/rseichter/automx2>`_ can be used instead.
|
||||
|
|
@ -1,20 +0,0 @@
|
|||
Backup Guide
|
||||
============
|
||||
|
||||
First off you should have a backup of your ``configuration.nix`` file
|
||||
where you have the server config (but that is already in a git
|
||||
repository right?)
|
||||
|
||||
Next you need to backup ``/var/vmail`` or whatever you have specified
|
||||
for the option ``mailDirectory``. This is where all the mails reside.
|
||||
Good options are a cron job with ``rsync`` or ``scp``. But really
|
||||
anything works, as it is simply a folder with plenty of files in it. If
|
||||
your backup solution does not preserve the owner of the files don’t
|
||||
forget to ``chown`` them to ``virtualMail:virtualMail`` if you copy them
|
||||
back (or whatever you specified as ``vmailUserName``, and
|
||||
``vmailGoupName``).
|
||||
|
||||
Finally you can (optionally) make a backup of ``/var/dkim`` (or whatever
|
||||
you specified as ``dkimKeyDirectory``). If you should lose those don’t
|
||||
worry, new ones will be created on the fly. But you will need to repeat
|
||||
step ``B)5`` and correct all the ``dkim`` keys.
|
61
docs/conf.py
61
docs/conf.py
|
@ -1,61 +0,0 @@
|
|||
# Configuration file for the Sphinx documentation builder.
|
||||
#
|
||||
# This file only contains a selection of the most common options. For a full
|
||||
# list see the documentation:
|
||||
# https://www.sphinx-doc.org/en/master/usage/configuration.html
|
||||
|
||||
# -- Path setup --------------------------------------------------------------
|
||||
|
||||
# If extensions (or modules to document with autodoc) are in another directory,
|
||||
# add these directories to sys.path here. If the directory is relative to the
|
||||
# documentation root, use os.path.abspath to make it absolute, like shown here.
|
||||
#
|
||||
# import os
|
||||
# import sys
|
||||
# sys.path.insert(0, os.path.abspath('.'))
|
||||
|
||||
|
||||
# -- Project information -----------------------------------------------------
|
||||
|
||||
project = 'NixOS Mailserver'
|
||||
copyright = '2022, NixOS Mailserver Contributors'
|
||||
author = 'NixOS Mailserver Contributors'
|
||||
|
||||
|
||||
# -- General configuration ---------------------------------------------------
|
||||
|
||||
# Add any Sphinx extension module names here, as strings. They can be
|
||||
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
|
||||
# ones.
|
||||
extensions = [
|
||||
'myst_parser'
|
||||
]
|
||||
|
||||
myst_enable_extensions = [
|
||||
'colon_fence',
|
||||
'linkify',
|
||||
]
|
||||
|
||||
smartquotes = False
|
||||
|
||||
# Add any paths that contain templates here, relative to this directory.
|
||||
templates_path = ['_templates']
|
||||
|
||||
# List of patterns, relative to source directory, that match files and
|
||||
# directories to ignore when looking for source files.
|
||||
# This pattern also affects html_static_path and html_extra_path.
|
||||
exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store']
|
||||
|
||||
master_doc = 'index'
|
||||
|
||||
# -- Options for HTML output -------------------------------------------------
|
||||
|
||||
# The theme to use for HTML and HTML Help pages. See the documentation for
|
||||
# a list of builtin themes.
|
||||
#
|
||||
html_theme = 'sphinx_rtd_theme'
|
||||
|
||||
# Add any paths that contain custom static files (such as style sheets) here,
|
||||
# relative to this directory. They are copied after the builtin static files,
|
||||
# so a file named "default.css" will overwrite the builtin "default.css".
|
||||
html_static_path = []
|
22
docs/faq.rst
22
docs/faq.rst
|
@ -1,22 +0,0 @@
|
|||
FAQ
|
||||
===
|
||||
|
||||
``catchAll`` users can't send email as user other than themself
|
||||
---------------------------------------------------------------
|
||||
|
||||
To allow a ``catchAll`` user to send mail with the address used as
|
||||
recipient, the option ``aliases`` has to be used instead of ``catchAll``.
|
||||
|
||||
For instance, to allow ``user@example.com`` to catch all mails to the
|
||||
domain ``example.com`` and send mails with any address of this domain:
|
||||
|
||||
|
||||
.. code:: nix
|
||||
|
||||
mailserver.loginAccounts = {
|
||||
"user@example.com" = {
|
||||
aliases = [ "@example.com" ];
|
||||
};
|
||||
};
|
||||
|
||||
See also `this discussion <https://github.com/r-raymond/nixos-mailserver/issues/49>`__ for details.
|
|
@ -1,30 +0,0 @@
|
|||
Nix Flakes
|
||||
==========
|
||||
|
||||
If you're using `flakes <https://nixos.wiki/wiki/Flakes>`__, you can use
|
||||
the following minimal ``flake.nix`` as an example:
|
||||
|
||||
.. code:: nix
|
||||
|
||||
{
|
||||
description = "NixOS configuration";
|
||||
|
||||
inputs.simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-20.09";
|
||||
|
||||
outputs = { self, nixpkgs, simple-nixos-mailserver }: {
|
||||
nixosConfigurations = {
|
||||
hostname = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
simple-nixos-mailserver.nixosModule
|
||||
{
|
||||
mailserver = {
|
||||
enable = true;
|
||||
# ...
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
69
docs/fts.rst
69
docs/fts.rst
|
@ -1,69 +0,0 @@
|
|||
Full text search
|
||||
==========================
|
||||
|
||||
By default, when your IMAP client searches for an email containing some
|
||||
text in its *body*, dovecot will read all your email sequentially. This
|
||||
is very slow and IO intensive. To speed body searches up, it is possible to
|
||||
*index* emails with a plugin to dovecot, ``fts_xapian``.
|
||||
|
||||
Enabling full text search
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
To enable indexing for full text search here is an example configuration.
|
||||
|
||||
.. code:: nix
|
||||
|
||||
{
|
||||
mailserver = {
|
||||
# ...
|
||||
fullTextSearch = {
|
||||
enable = true;
|
||||
# index new email as they arrive
|
||||
autoIndex = true;
|
||||
# this only applies to plain text attachments, binary attachments are never indexed
|
||||
indexAttachments = true;
|
||||
enforced = "body";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
|
||||
The ``enforced`` parameter tells dovecot to fail any body search query that cannot
|
||||
use an index. This prevents dovecot to fall back to the IO-intensive brute
|
||||
force search.
|
||||
|
||||
If you set ``autoIndex`` to ``false``, indices will be created when the IMAP client
|
||||
issues a search query, so latency will be high.
|
||||
|
||||
Resource requirements
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Indices created by the full text search feature can take more disk
|
||||
space than the emails themselves. By default, they are kept in the
|
||||
emails location. When enabling the full text search feature, it is
|
||||
recommended to move indices in a different location, such as
|
||||
(``/var/lib/dovecot/indices``) by using the option
|
||||
``mailserver.indexDir``.
|
||||
|
||||
.. warning::
|
||||
|
||||
When the value of the ``indexDir`` option is changed, all dovecot
|
||||
indices needs to be recreated: clients would need to resynchronize.
|
||||
|
||||
Indexation itself is rather resouces intensive, in CPU, and for emails with
|
||||
large headers, in memory as well. Initial indexation of existing emails can take
|
||||
hours. If the indexer worker is killed or segfaults during indexation, it can
|
||||
be that it tried to allocate more memory than allowed. You can increase the memory
|
||||
limit by eg ``mailserver.fullTextSearch.memoryLimit = 2000`` (in MiB).
|
||||
|
||||
Mitigating resources requirements
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
You can:
|
||||
|
||||
* disable indexation of attachements ``mailserver.fullTextSearch.indexAttachments = false``
|
||||
* reduce the size of ngrams to be indexed ``mailserver.fullTextSearch.minSize`` and ``maxSize``
|
||||
* disable automatic indexation for some folders with
|
||||
``mailserver.fullTextSearch.autoIndexExclude``. Folders can be specified by
|
||||
name (``"Trash"``), by special use (``"\\Junk"``) or with a wildcard.
|
||||
|
|
@ -1,72 +0,0 @@
|
|||
Contribute or troubleshoot
|
||||
==========================
|
||||
|
||||
To report an issue, please go to
|
||||
`<https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues>`_.
|
||||
|
||||
You can also chat with us on the Libera IRC channel ``#nixos-mailserver``.
|
||||
|
||||
Run NixOS tests
|
||||
---------------
|
||||
|
||||
To run the test suite, you need to enable `Nix Flakes
|
||||
<https://nixos.wiki/wiki/Flakes#Installing_flakes>`_.
|
||||
|
||||
You can then run the testsuite via
|
||||
|
||||
::
|
||||
|
||||
$ nix flake check -L
|
||||
|
||||
Since Nix doesn't garantee your machine have enough resources to run
|
||||
all test VMs in parallel, some tests can fail. You would then haev to
|
||||
run tests manually. For instance:
|
||||
|
||||
::
|
||||
|
||||
$ nix build .#hydraJobs.x86_64-linux.external-unstable -L
|
||||
|
||||
|
||||
Contributing to the documentation
|
||||
---------------------------------
|
||||
|
||||
The documentation is written in RST (except option documentation which is in CommonMark),
|
||||
built with Sphinx and published by `Read the Docs <https://readthedocs.org/>`_.
|
||||
|
||||
For the syntax, see the `RST/Sphinx primer
|
||||
<https://www.sphinx-doc.org/en/master/usage/restructuredtext/basics.html>`_.
|
||||
|
||||
To build the documentation, you need to enable `Nix Flakes
|
||||
<https://nixos.wiki/wiki/Flakes#Installing_flakes>`_.
|
||||
|
||||
|
||||
::
|
||||
|
||||
$ nix build .#documentation
|
||||
$ xdg-open result/index.html
|
||||
|
||||
Nixops
|
||||
------
|
||||
|
||||
You can test the setup via ``nixops``. After installation, do
|
||||
|
||||
::
|
||||
|
||||
$ nixops create nixops/single-server.nix nixops/vbox.nix -d mail
|
||||
$ nixops deploy -d mail
|
||||
$ nixops info -d mail
|
||||
|
||||
You can then test the server via e.g. \ ``telnet``. To log into it, use
|
||||
|
||||
::
|
||||
|
||||
$ nixops ssh -d mail mailserver
|
||||
|
||||
Imap
|
||||
----
|
||||
|
||||
To test imap manually use
|
||||
|
||||
::
|
||||
|
||||
$ openssl s_client -host mail.example.com -port 143 -starttls imap
|
|
@ -1,40 +0,0 @@
|
|||
.. NixOS Mailserver documentation master file, created by
|
||||
sphinx-quickstart on Thu Jul 2 20:50:36 2020.
|
||||
You can adapt this file completely to your liking, but it should at least
|
||||
contain the root `toctree` directive.
|
||||
|
||||
Welcome to NixOS Mailserver's documentation!
|
||||
============================================
|
||||
|
||||
.. image:: logo.png
|
||||
:width: 400
|
||||
:alt: SNM Logo
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 2
|
||||
|
||||
setup-guide
|
||||
howto-develop
|
||||
faq
|
||||
release-notes
|
||||
options
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
:caption: How-to
|
||||
|
||||
backup-guide
|
||||
add-radicale
|
||||
add-roundcube
|
||||
rspamd-tuning
|
||||
fts
|
||||
flakes
|
||||
autodiscovery
|
||||
ldap
|
||||
|
||||
Indices and tables
|
||||
==================
|
||||
|
||||
* :ref:`genindex`
|
||||
* :ref:`modindex`
|
||||
* :ref:`search`
|
|
@ -1,14 +0,0 @@
|
|||
LDAP Support
|
||||
============
|
||||
|
||||
It is possible to manage mail user accounts with LDAP rather than with
|
||||
the option `loginAccounts <options.html#mailserver-loginaccounts>`_.
|
||||
|
||||
All related LDAP options are described in the `LDAP options section
|
||||
<options.html#mailserver-ldap>`_ and the `LDAP test
|
||||
<https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/blob/master/tests/ldap.nix>`_
|
||||
provides a getting started example.
|
||||
|
||||
.. note::
|
||||
The LDAP support can not be enabled if some accounts are also defined with ``mailserver.loginAccounts``.
|
||||
|
|
@ -1,70 +0,0 @@
|
|||
Release Notes
|
||||
=============
|
||||
|
||||
NixOS 24.05
|
||||
-----------
|
||||
|
||||
- Add new option ``acmeCertificateName`` which can be used to support
|
||||
wildcard certificates
|
||||
|
||||
NixOS 23.11
|
||||
-----------
|
||||
|
||||
- Add basic support for LDAP users
|
||||
- Add support for regex (PCRE) aliases
|
||||
|
||||
NixOS 23.05
|
||||
-----------
|
||||
|
||||
- Existing ACME certificates can be reused without configuring NGINX
|
||||
- Certificate scheme is no longer a number, but a meaningful string instead
|
||||
|
||||
NixOS 22.11
|
||||
-----------
|
||||
|
||||
- Allow Rspamd to send DMARC reporting
|
||||
(`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/244>`__)
|
||||
|
||||
NixOS 22.05
|
||||
-----------
|
||||
|
||||
- Make NixOS Mailserver options discoverable from search.nixos.org
|
||||
- Add a roundcube setup guide in the documentation
|
||||
|
||||
NixOS 21.11
|
||||
-----------
|
||||
|
||||
- Switch default DKIM body policy from simple to relaxed
|
||||
(`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/247>`__)
|
||||
- Ensure locally-delivered mails have the X-Original-To header
|
||||
(`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/243>`__)
|
||||
- NixOS Mailserver options are detailed in the `documentation
|
||||
<https://nixos-mailserver.readthedocs.io/en/latest/options.html>`__
|
||||
- New options ``dkimBodyCanonicalization`` and
|
||||
``dkimHeaderCanonicalization``
|
||||
- New option ``certificateDomains`` to generate certificate for
|
||||
additional domains (such as ``imap.example.com``)
|
||||
|
||||
|
||||
NixOS 21.05
|
||||
-----------
|
||||
|
||||
- New `fullTextSearch` option to search in messages (based on Xapian)
|
||||
(`Merge Request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/212>`__)
|
||||
- Flake support
|
||||
(`Merge Request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/200>`__)
|
||||
- New `openFirewall` option defaulting to `true`
|
||||
- We moved from Freenode to Libera Chat
|
||||
|
||||
NixOS 20.09
|
||||
-----------
|
||||
|
||||
- IMAP and Submission with TLS wrapped-mode are now enabled by default
|
||||
on ports 993 and 465 respectively
|
||||
- OpenDKIM is now sandboxed with Systemd
|
||||
- New `forwards` option to forwards emails to external addresses
|
||||
(`Merge Request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/193>`__)
|
||||
- New `sendingFqdn` option to specify the fqdn of the machine sending
|
||||
email (`Merge Request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/187>`__)
|
||||
- Move the Gitlab wiki to `ReadTheDocs
|
||||
<https://nixos-mailserver.readthedocs.io/en/latest/>`_
|
|
@ -1,4 +0,0 @@
|
|||
sphinx ~= 5.3
|
||||
sphinx_rtd_theme ~= 1.1
|
||||
myst-parser ~= 0.18
|
||||
linkify-it-py ~= 2.0
|
|
@ -1,113 +0,0 @@
|
|||
Tune spam filtering
|
||||
===================
|
||||
|
||||
SNM comes with the `rspamd spam filtering system <https://rspamd.com/>`_
|
||||
enabled by default. Although its out-of-the-box performance is good, you
|
||||
can increase its efficiency by tuning its behaviour.
|
||||
|
||||
Auto-learning
|
||||
~~~~~~~~~~~~~
|
||||
|
||||
Moving spam email to the Junk folder (and false-positives out of it) will
|
||||
trigger an automatic training of the Bayesian filters, improving filtering
|
||||
of future emails.
|
||||
|
||||
Train from existing folders
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
If you kept previous spam, you can train the filter from it. Note that the
|
||||
`rspamd FAQ <https://rspamd.com/doc/faq.html#how-can-i-learn-messages>`_
|
||||
indicates that *you should always learn both classes with almost equal
|
||||
amount of messages to increase performance of the statistical engine.*
|
||||
|
||||
You can run the training in a root shell as follows:
|
||||
|
||||
.. code:: bash
|
||||
|
||||
# Path to the controller socket
|
||||
export RSOCK="/var/run/rspamd/worker-controller.sock"
|
||||
|
||||
# Learn the Junk folder as spam
|
||||
rspamc -h $RSOCK learn_spam /var/vmail/$DOMAIN/$USER/.Junk/cur/
|
||||
|
||||
# Learn the INBOX as ham
|
||||
rspamc -h $RSOCK learn_ham /var/vmail/$DOMAIN/$USER/cur/
|
||||
|
||||
# Check that training was successful
|
||||
rspamc -h $RSOCK stat | grep learned
|
||||
|
||||
Tune symbol weight
|
||||
~~~~~~~~~~~~~~~~~~
|
||||
|
||||
The ``X-Spamd-Result`` header is automatically added to your emails, detailing
|
||||
the scoring decisions. The `modules documentation <https://rspamd.com/doc/modules/>`_
|
||||
details the meaning of each symbol. You can tune the weight if a symbol if needed.
|
||||
|
||||
.. code:: nix
|
||||
|
||||
services.rspamd.locals = {
|
||||
"groups.conf".text = ''
|
||||
symbols {
|
||||
"FORGED_RECIPIENTS" { weight = 0; }
|
||||
}'';
|
||||
};
|
||||
|
||||
Tune action thresholds
|
||||
~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
After scoring the message, rspamd decides on an action based on configurable thresholds.
|
||||
By default, rspamd will tell postfix to reject any message with a score higher than 15.
|
||||
If you experience issues in scoring or want to stay on the safe side, you can disable
|
||||
this behaviour by tuning the configuration. For example:
|
||||
|
||||
.. code:: nix
|
||||
|
||||
services.rspamd.extraConfig = ''
|
||||
actions {
|
||||
reject = null; # Disable rejects, default is 15
|
||||
add_header = 6; # Add header when reaching this score
|
||||
greylist = 4; # Apply greylisting when reaching this score
|
||||
}
|
||||
'';
|
||||
|
||||
|
||||
Access the rspamd web UI
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Rspamd comes with `a web interface <https://rspamd.com/webui/>`_ that displays statistics
|
||||
and history of past scans. **We do NOT recommend using it to change the configuration**
|
||||
as doing so will override values from the configuration set in the previous sections.
|
||||
|
||||
The UI is served on the ``/var/run/rspamd/worker-controller.sock`` Unix socket. Here are
|
||||
two ways to access it from your browser.
|
||||
|
||||
With ssh forwarding
|
||||
^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
For occasional access, the simplest way is to forward the socket to localhost and open
|
||||
http://localhost:3333 in your browser.
|
||||
|
||||
.. code:: shell
|
||||
|
||||
ssh -L 3333:/run/rspamd/worker-controller.sock $HOSTNAME
|
||||
|
||||
With an nginx reverse-proxy
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
If you have a secured nginx reverse proxy set on the host, you can use it to expose the socket.
|
||||
**Keep in mind the UI is unsecured by default, you need to setup an authentication scheme**, for
|
||||
exemple with `basic auth <https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/>`_:
|
||||
|
||||
.. code:: nix
|
||||
|
||||
services.nginx.virtualHosts.rspamd = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
basicAuthFile = "/basic/auth/hashes/file";
|
||||
serverName = "rspamd.example.com";
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://unix:/run/rspamd/worker-controller.sock:/";
|
||||
};
|
||||
};
|
||||
};
|
|
@ -1,227 +0,0 @@
|
|||
Setup Guide
|
||||
===========
|
||||
|
||||
Mail servers can be a tricky thing to set up. This guide is supposed to
|
||||
run you through the most important steps to achieve a 10/10 score on
|
||||
`<https://mail-tester.com>`_.
|
||||
|
||||
What you need is:
|
||||
|
||||
- a server running NixOS with a public IP
|
||||
- a domain name.
|
||||
|
||||
.. note::
|
||||
|
||||
In the following, we consider a server with the public IP ``1.2.3.4``
|
||||
and the domain ``example.com``.
|
||||
|
||||
First, we will set the minimum DNS configuration to be able to deploy
|
||||
an up and running mail server. Once the server is deployed, we could
|
||||
then set all DNS entries required to send and receive mails on this
|
||||
server.
|
||||
|
||||
Setup DNS A record for server
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Add a DNS record to the domain ``example.com`` with the following
|
||||
entries
|
||||
|
||||
==================== ===== ==== =============
|
||||
Name (Subdomain) TTL Type Value
|
||||
==================== ===== ==== =============
|
||||
``mail.example.com`` 10800 A ``1.2.3.4``
|
||||
==================== ===== ==== =============
|
||||
|
||||
You can check this with
|
||||
|
||||
::
|
||||
|
||||
$ ping mail.example.com
|
||||
64 bytes from mail.example.com (1.2.3.4): icmp_seq=1 ttl=46 time=21.3 ms
|
||||
...
|
||||
|
||||
Note that it can take a while until a DNS entry is propagated. This
|
||||
DNS entry is required for the Let's Encrypt certificate generation
|
||||
(which is used in the below configuration example).
|
||||
|
||||
Setup the server
|
||||
~~~~~~~~~~~~~~~~
|
||||
|
||||
The following describes a server setup that is fairly complete. Even
|
||||
though there are more possible options (see the `NixOS Mailserver
|
||||
options documentation <options.html>`_), these should be the most
|
||||
common ones.
|
||||
|
||||
.. code:: nix
|
||||
|
||||
{ config, pkgs, ... }: {
|
||||
imports = [
|
||||
(builtins.fetchTarball {
|
||||
# Pick a release version you are interested in and set its hash, e.g.
|
||||
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-23.05/nixos-mailserver-nixos-23.05.tar.gz";
|
||||
# To get the sha256 of the nixos-mailserver tarball, we can use the nix-prefetch-url command:
|
||||
# release="nixos-23.05"; nix-prefetch-url "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz" --unpack
|
||||
sha256 = "0000000000000000000000000000000000000000000000000000";
|
||||
})
|
||||
];
|
||||
|
||||
mailserver = {
|
||||
enable = true;
|
||||
fqdn = "mail.example.com";
|
||||
domains = [ "example.com" ];
|
||||
|
||||
# A list of all login accounts. To create the password hashes, use
|
||||
# nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
|
||||
loginAccounts = {
|
||||
"user1@example.com" = {
|
||||
hashedPasswordFile = "/a/file/containing/a/hashed/password";
|
||||
aliases = ["postmaster@example.com"];
|
||||
};
|
||||
"user2@example.com" = { ... };
|
||||
};
|
||||
|
||||
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
|
||||
# down nginx and opens port 80.
|
||||
certificateScheme = "acme-nginx";
|
||||
};
|
||||
security.acme.acceptTerms = true;
|
||||
security.acme.defaults.email = "security@example.com";
|
||||
}
|
||||
|
||||
After a ``nixos-rebuild switch`` your server should be running all
|
||||
mail components.
|
||||
|
||||
Setup all other DNS requirements
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Set rDNS (reverse DNS) entry for server
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Wherever you have rented your server, you should be able to set reverse
|
||||
DNS entries for the IP’s you own. Add an entry resolving ``1.2.3.4``
|
||||
to ``mail.example.com``.
|
||||
|
||||
.. warning::
|
||||
|
||||
We don't recommend setting up a mail server if you are not able to
|
||||
set a reverse DNS on your public IP because sent emails would be
|
||||
mostly marked as spam. Note that many residential ISP providers
|
||||
don't allow you to set a reverse DNS entry.
|
||||
|
||||
You can check this with
|
||||
|
||||
::
|
||||
|
||||
$ nix-shell -p bind --command "host 1.2.3.4"
|
||||
4.3.2.1.in-addr.arpa domain name pointer mail.example.com.
|
||||
|
||||
Note that it can take a while until a DNS entry is propagated.
|
||||
|
||||
Set a ``MX`` record
|
||||
^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
|
||||
Add a ``MX`` record to the domain ``example.com``.
|
||||
|
||||
================ ==== ======== =================
|
||||
Name (Subdomain) Type Priority Value
|
||||
================ ==== ======== =================
|
||||
example.com MX 10 mail.example.com
|
||||
================ ==== ======== =================
|
||||
|
||||
You can check this with
|
||||
|
||||
::
|
||||
|
||||
$ nix-shell -p bind --command "host -t mx example.com"
|
||||
example.com mail is handled by 10 mail.example.com.
|
||||
|
||||
Note that it can take a while until a DNS entry is propagated.
|
||||
|
||||
Set a ``SPF`` record
|
||||
^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Add a `SPF <https://en.wikipedia.org/wiki/Sender_Policy_Framework>`_
|
||||
record to the domain ``example.com``.
|
||||
|
||||
================ ===== ==== ================================
|
||||
Name (Subdomain) TTL Type Value
|
||||
================ ===== ==== ================================
|
||||
example.com 10800 TXT `v=spf1 a:mail.example.com -all`
|
||||
================ ===== ==== ================================
|
||||
|
||||
You can check this with
|
||||
|
||||
::
|
||||
|
||||
$ nix-shell -p bind --command "host -t TXT example.com"
|
||||
example.com descriptive text "v=spf1 a:mail.example.com -all"
|
||||
|
||||
Note that it can take a while until a DNS entry is propagated.
|
||||
|
||||
Set ``DKIM`` signature
|
||||
^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
On your server, the ``opendkim`` systemd service generated a file
|
||||
containing your DKIM public key in the file
|
||||
``/var/dkim/example.com.mail.txt``. The content of this file looks
|
||||
like
|
||||
|
||||
::
|
||||
|
||||
mail._domainkey IN TXT "v=DKIM1; k=rsa; s=email; p=<really-long-key>" ; ----- DKIM mail for domain.tld
|
||||
|
||||
where ``really-long-key`` is your public key.
|
||||
|
||||
Based on the content of this file, we can add a ``DKIM`` record to the
|
||||
domain ``example.com``.
|
||||
|
||||
=========================== ===== ==== ==============================
|
||||
Name (Subdomain) TTL Type Value
|
||||
=========================== ===== ==== ==============================
|
||||
mail._domainkey.example.com 10800 TXT ``v=DKIM1; p=<really-long-key>``
|
||||
=========================== ===== ==== ==============================
|
||||
|
||||
You can check this with
|
||||
|
||||
::
|
||||
|
||||
$ nix-shell -p bind --command "host -t txt mail._domainkey.example.com"
|
||||
mail._domainkey.example.com descriptive text "v=DKIM1;p=<really-long-key>"
|
||||
|
||||
Note that it can take a while until a DNS entry is propagated.
|
||||
|
||||
Set a ``DMARC`` record
|
||||
^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Add a ``DMARC`` record to the domain ``example.com``.
|
||||
|
||||
======================== ===== ==== ====================
|
||||
Name (Subdomain) TTL Type Value
|
||||
======================== ===== ==== ====================
|
||||
_dmarc.example.com 10800 TXT ``v=DMARC1; p=none``
|
||||
======================== ===== ==== ====================
|
||||
|
||||
You can check this with
|
||||
|
||||
::
|
||||
|
||||
$ nix-shell -p bind --command "host -t TXT _dmarc.example.com"
|
||||
_dmarc.example.com descriptive text "v=DMARC1; p=none"
|
||||
|
||||
Note that it can take a while until a DNS entry is propagated.
|
||||
|
||||
|
||||
Test your Setup
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
Write an email to your aunt (who has been waiting for your reply far too
|
||||
long), and sign up for some of the finest newsletters the Internet has.
|
||||
Maybe you want to sign up for the `SNM Announcement
|
||||
List <https://www.freelists.org/list/snm>`__?
|
||||
|
||||
Besides that, you can send an email to
|
||||
`mail-tester.com <https://www.mail-tester.com/>`__ and see how you
|
||||
score, and let `mxtoolbox.com <http://mxtoolbox.com/>`__ take a look at
|
||||
your setup, but if you followed the steps closely then everything should
|
||||
be awesome!
|
76
flake.lock
76
flake.lock
|
@ -1,76 +0,0 @@
|
|||
{
|
||||
"nodes": {
|
||||
"blobs": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1604995301,
|
||||
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "blobs",
|
||||
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "blobs",
|
||||
"type": "gitlab"
|
||||
}
|
||||
},
|
||||
"flake-compat": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1696426674,
|
||||
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1717602782,
|
||||
"narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "e8057b67ebf307f01bdcc8fba94d94f75039d1f6",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-unstable",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs-24_05": {
|
||||
"locked": {
|
||||
"lastModified": 1717144377,
|
||||
"narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "805a384895c696f802a9bf5bf4720f37385df547",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-24.05",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"blobs": "blobs",
|
||||
"flake-compat": "flake-compat",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixpkgs-24_05": "nixpkgs-24_05"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
"version": 7
|
||||
}
|
127
flake.nix
127
flake.nix
|
@ -1,127 +0,0 @@
|
|||
{
|
||||
description = "A complete and Simple Nixos Mailserver";
|
||||
|
||||
inputs = {
|
||||
flake-compat = {
|
||||
url = "github:edolstra/flake-compat";
|
||||
flake = false;
|
||||
};
|
||||
nixpkgs.url = "flake:nixpkgs/nixos-unstable";
|
||||
nixpkgs-24_05.url = "flake:nixpkgs/nixos-24.05";
|
||||
blobs = {
|
||||
url = "gitlab:simple-nixos-mailserver/blobs";
|
||||
flake = false;
|
||||
};
|
||||
};
|
||||
|
||||
outputs = { self, blobs, nixpkgs, nixpkgs-24_05, ... }: let
|
||||
lib = nixpkgs.lib;
|
||||
system = "x86_64-linux";
|
||||
pkgs = nixpkgs.legacyPackages.${system};
|
||||
releases = [
|
||||
{
|
||||
name = "unstable";
|
||||
pkgs = nixpkgs.legacyPackages.${system};
|
||||
}
|
||||
{
|
||||
name = "24.05";
|
||||
pkgs = nixpkgs-24_05.legacyPackages.${system};
|
||||
}
|
||||
];
|
||||
testNames = [
|
||||
"internal"
|
||||
"external"
|
||||
"clamav"
|
||||
"multiple"
|
||||
"ldap"
|
||||
];
|
||||
genTest = testName: release: {
|
||||
"name"= "${testName}-${builtins.replaceStrings ["."] ["_"] release.name}";
|
||||
"value"= import (./tests/. + "/${testName}.nix") {
|
||||
pkgs = release.pkgs;
|
||||
inherit blobs;
|
||||
};
|
||||
};
|
||||
# Generate an attribute set such as
|
||||
# {
|
||||
# external-unstable = <derivation>;
|
||||
# external-21_05 = <derivation>;
|
||||
# ...
|
||||
# }
|
||||
allTests = lib.listToAttrs (
|
||||
lib.flatten (map (t: map (r: genTest t r) releases) testNames));
|
||||
|
||||
mailserverModule = import ./.;
|
||||
|
||||
# Generate a MarkDown file describing the options of the NixOS mailserver module
|
||||
optionsDoc = let
|
||||
eval = lib.evalModules {
|
||||
modules = [
|
||||
mailserverModule
|
||||
{
|
||||
_module.check = false;
|
||||
mailserver = {
|
||||
fqdn = "mx.example.com";
|
||||
domains = [
|
||||
"example.com"
|
||||
];
|
||||
dmarcReporting = {
|
||||
organizationName = "Example Corp";
|
||||
domain = "example.com";
|
||||
};
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
options = builtins.toFile "options.json" (builtins.toJSON
|
||||
(lib.filter (opt: opt.visible && !opt.internal && lib.head opt.loc == "mailserver")
|
||||
(lib.optionAttrSetToDocList eval.options)));
|
||||
in pkgs.runCommand "options.md" { buildInputs = [pkgs.python3Minimal]; } ''
|
||||
echo "Generating options.md from ${options}"
|
||||
python ${./scripts/generate-options.py} ${options} > $out
|
||||
'';
|
||||
|
||||
documentation = pkgs.stdenv.mkDerivation {
|
||||
name = "documentation";
|
||||
src = lib.sourceByRegex ./docs ["logo\\.png" "conf\\.py" "Makefile" ".*\\.rst"];
|
||||
buildInputs = [(
|
||||
pkgs.python3.withPackages (p: with p; [
|
||||
sphinx
|
||||
sphinx_rtd_theme
|
||||
myst-parser
|
||||
linkify-it-py
|
||||
])
|
||||
)];
|
||||
buildPhase = ''
|
||||
cp ${optionsDoc} options.md
|
||||
# Workaround for https://github.com/sphinx-doc/sphinx/issues/3451
|
||||
unset SOURCE_DATE_EPOCH
|
||||
make html
|
||||
'';
|
||||
installPhase = ''
|
||||
cp -Tr _build/html $out
|
||||
'';
|
||||
};
|
||||
|
||||
in {
|
||||
nixosModules = rec {
|
||||
mailserver = mailserverModule;
|
||||
default = mailserver;
|
||||
};
|
||||
nixosModule = self.nixosModules.default; # compatibility
|
||||
hydraJobs.${system} = allTests // {
|
||||
inherit documentation;
|
||||
};
|
||||
checks.${system} = allTests;
|
||||
packages.${system} = {
|
||||
inherit optionsDoc documentation;
|
||||
};
|
||||
devShells.${system}.default = pkgs.mkShell {
|
||||
inputsFrom = [ documentation ];
|
||||
packages = with pkgs; [
|
||||
clamav
|
||||
];
|
||||
};
|
||||
devShell.${system} = self.devShells.${system}.default; # compatibility
|
||||
};
|
||||
}
|
Before Width: | Height: | Size: 12 KiB After Width: | Height: | Size: 12 KiB |
|
@ -1,18 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
assertions = lib.optionals config.mailserver.ldap.enable [
|
||||
{
|
||||
assertion = config.mailserver.loginAccounts == {};
|
||||
message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.loginAccounts";
|
||||
}
|
||||
{
|
||||
assertion = config.mailserver.forwards == {};
|
||||
message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.forwards";
|
||||
}
|
||||
] ++ lib.optionals (config.mailserver.enable && config.mailserver.certificateScheme != "acme") [
|
||||
{
|
||||
assertion = config.mailserver.acmeCertificateName == config.mailserver.fqdn;
|
||||
message = "When the certificate scheme is not 'acme' (mailserver.certificateScheme != \"acme\"), it is not possible to define mailserver.acmeCertificateName";
|
||||
}
|
||||
];
|
||||
}
|
|
@ -14,17 +14,19 @@
|
|||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||
|
||||
{ config, pkgs, lib, options, ... }:
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.mailserver;
|
||||
in
|
||||
{
|
||||
config = lib.mkIf (cfg.enable && cfg.virusScanning) {
|
||||
services.clamav.daemon = {
|
||||
enable = true;
|
||||
settings.PhishingScanURLs = "no";
|
||||
};
|
||||
services.clamav.daemon.enable = true;
|
||||
services.clamav.updater.enable = true;
|
||||
|
||||
services.clamav.daemon.extraConfig = ''
|
||||
PhishingScanURLs no
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
||||
|
|
|
@ -21,22 +21,22 @@ let
|
|||
in
|
||||
{
|
||||
# cert :: PATH
|
||||
certificatePath = if cfg.certificateScheme == "manual"
|
||||
certificatePath = if cfg.certificateScheme == 1
|
||||
then cfg.certificateFile
|
||||
else if cfg.certificateScheme == "selfsigned"
|
||||
else if cfg.certificateScheme == 2
|
||||
then "${cfg.certificateDirectory}/cert-${cfg.fqdn}.pem"
|
||||
else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
|
||||
then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/fullchain.pem"
|
||||
else throw "unknown certificate scheme";
|
||||
else if cfg.certificateScheme == 3
|
||||
then "/var/lib/acme/${cfg.fqdn}/fullchain.pem"
|
||||
else throw "Error: Certificate Scheme must be in { 1, 2, 3 }";
|
||||
|
||||
# key :: PATH
|
||||
keyPath = if cfg.certificateScheme == "manual"
|
||||
keyPath = if cfg.certificateScheme == 1
|
||||
then cfg.keyFile
|
||||
else if cfg.certificateScheme == "selfsigned"
|
||||
else if cfg.certificateScheme == 2
|
||||
then "${cfg.certificateDirectory}/key-${cfg.fqdn}.pem"
|
||||
else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
|
||||
then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/key.pem"
|
||||
else throw "unknown certificate scheme";
|
||||
else if cfg.certificateScheme == 3
|
||||
then "/var/lib/acme/${cfg.fqdn}/key.pem"
|
||||
else throw "Error: Certificate Scheme must be in { 1, 2, 3 }";
|
||||
|
||||
passwordFiles = let
|
||||
mkHashFile = name: hash: pkgs.writeText "${builtins.hashString "sha256" name}-password-hash" hash;
|
||||
|
@ -45,26 +45,4 @@ in
|
|||
if value.hashedPasswordFile == null then
|
||||
builtins.toString (mkHashFile name value.hashedPassword)
|
||||
else value.hashedPasswordFile) cfg.loginAccounts;
|
||||
|
||||
# Appends the LDAP bind password to files to avoid writing this
|
||||
# password into the Nix store.
|
||||
appendLdapBindPwd = {
|
||||
name, file, prefix, suffix ? "", passwordFile, destination
|
||||
}: pkgs.writeScript "append-ldap-bind-pwd-in-${name}" ''
|
||||
#!${pkgs.stdenv.shell}
|
||||
set -euo pipefail
|
||||
|
||||
baseDir=$(dirname ${destination})
|
||||
if (! test -d "$baseDir"); then
|
||||
mkdir -p $baseDir
|
||||
chmod 755 $baseDir
|
||||
fi
|
||||
|
||||
cat ${file} > ${destination}
|
||||
echo -n '${prefix}' >> ${destination}
|
||||
cat ${passwordFile} >> ${destination}
|
||||
echo -n '${suffix}' >> ${destination}
|
||||
chmod 600 ${destination}
|
||||
'';
|
||||
|
||||
}
|
||||
|
|
|
@ -1,4 +0,0 @@
|
|||
{ config, lib, ... }:
|
||||
{
|
||||
mailserver.policydSPFExtraConfig = lib.mkIf config.mailserver.debug "debugLevel = 4";
|
||||
}
|
|
@ -23,20 +23,11 @@ let
|
|||
|
||||
passwdDir = "/run/dovecot2";
|
||||
passwdFile = "${passwdDir}/passwd";
|
||||
userdbFile = "${passwdDir}/userdb";
|
||||
# This file contains the ldap bind password
|
||||
ldapConfFile = "${passwdDir}/dovecot-ldap.conf.ext";
|
||||
bool2int = x: if x then "1" else "0";
|
||||
|
||||
maildirLayoutAppendix = lib.optionalString cfg.useFsLayout ":LAYOUT=fs";
|
||||
maildirUTF8FolderNames = lib.optionalString cfg.useUTF8FolderNames ":UTF-8";
|
||||
|
||||
# maildir in format "/${domain}/${user}"
|
||||
dovecotMaildir =
|
||||
"maildir:${cfg.mailDirectory}/%d/%n${maildirLayoutAppendix}${maildirUTF8FolderNames}"
|
||||
+ (lib.optionalString (cfg.indexDir != null)
|
||||
":INDEX=${cfg.indexDir}/%d/%n"
|
||||
);
|
||||
dovecotMaildir = "maildir:${cfg.mailDirectory}/%d/%n${maildirLayoutAppendix}";
|
||||
|
||||
postfixCfg = config.services.postfix;
|
||||
dovecot2Cfg = config.services.dovecot2;
|
||||
|
@ -60,42 +51,6 @@ let
|
|||
'';
|
||||
};
|
||||
|
||||
|
||||
ldapConfig = pkgs.writeTextFile {
|
||||
name = "dovecot-ldap.conf.ext.template";
|
||||
text = ''
|
||||
ldap_version = 3
|
||||
uris = ${lib.concatStringsSep " " cfg.ldap.uris}
|
||||
${lib.optionalString cfg.ldap.startTls ''
|
||||
tls = yes
|
||||
''}
|
||||
tls_require_cert = hard
|
||||
tls_ca_cert_file = ${cfg.ldap.tlsCAFile}
|
||||
dn = ${cfg.ldap.bind.dn}
|
||||
sasl_bind = no
|
||||
auth_bind = yes
|
||||
base = ${cfg.ldap.searchBase}
|
||||
scope = ${mkLdapSearchScope cfg.ldap.searchScope}
|
||||
${lib.optionalString (cfg.ldap.dovecot.userAttrs != null) ''
|
||||
user_attrs = ${cfg.ldap.dovecot.userAttrs}
|
||||
''}
|
||||
user_filter = ${cfg.ldap.dovecot.userFilter}
|
||||
${lib.optionalString (cfg.ldap.dovecot.passAttrs != "") ''
|
||||
pass_attrs = ${cfg.ldap.dovecot.passAttrs}
|
||||
''}
|
||||
pass_filter = ${cfg.ldap.dovecot.passFilter}
|
||||
'';
|
||||
};
|
||||
|
||||
setPwdInLdapConfFile = appendLdapBindPwd {
|
||||
name = "ldap-conf-file";
|
||||
file = ldapConfig;
|
||||
prefix = ''dnpass = "'';
|
||||
suffix = ''"'';
|
||||
passwordFile = cfg.ldap.bind.passwordFile;
|
||||
destination = ldapConfFile;
|
||||
};
|
||||
|
||||
genPasswdScript = pkgs.writeScript "generate-password-file" ''
|
||||
#!${pkgs.stdenv.shell}
|
||||
|
||||
|
@ -106,9 +61,6 @@ let
|
|||
chmod 755 "${passwdDir}"
|
||||
fi
|
||||
|
||||
# Prevent world-readable password files, even temporarily.
|
||||
umask 077
|
||||
|
||||
for f in ${builtins.toString (lib.mapAttrsToList (name: value: passwordFiles."${name}") cfg.loginAccounts)}; do
|
||||
if [ ! -f "$f" ]; then
|
||||
echo "Expected password hash file $f does not exist!"
|
||||
|
@ -118,52 +70,22 @@ let
|
|||
|
||||
cat <<EOF > ${passwdFile}
|
||||
${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value:
|
||||
"${name}:${"$(head -n 1 ${passwordFiles."${name}"})"}::::::"
|
||||
) cfg.loginAccounts)}
|
||||
EOF
|
||||
|
||||
cat <<EOF > ${userdbFile}
|
||||
${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value:
|
||||
"${name}:::::::"
|
||||
"${name}:${"$(cat ${passwordFiles."${name}"})"}:${builtins.toString cfg.vmailUID}:${builtins.toString cfg.vmailUID}::${cfg.mailDirectory}:/run/current-system/sw/bin/nologin:"
|
||||
+ (if lib.isString value.quota
|
||||
then "userdb_quota_rule=*:storage=${value.quota}"
|
||||
else "")
|
||||
) cfg.loginAccounts)}
|
||||
EOF
|
||||
|
||||
chmod 600 ${passwdFile}
|
||||
'';
|
||||
|
||||
junkMailboxes = builtins.attrNames (lib.filterAttrs (n: v: v ? "specialUse" && v.specialUse == "Junk") cfg.mailboxes);
|
||||
junkMailboxNumber = builtins.length junkMailboxes;
|
||||
# The assertion garantees there is exactly one Junk mailbox.
|
||||
junkMailboxName = if junkMailboxNumber == 1 then builtins.elemAt junkMailboxes 0 else "";
|
||||
|
||||
mkLdapSearchScope = scope: (
|
||||
if scope == "sub" then "subtree"
|
||||
else if scope == "one" then "onelevel"
|
||||
else scope
|
||||
);
|
||||
|
||||
in
|
||||
{
|
||||
config = with cfg; lib.mkIf enable {
|
||||
assertions = [
|
||||
{
|
||||
assertion = junkMailboxNumber == 1;
|
||||
message = "nixos-mailserver requires exactly one dovecot mailbox with the 'special use' flag set to 'Junk' (${builtins.toString junkMailboxNumber} have been found)";
|
||||
}
|
||||
];
|
||||
|
||||
# for sieve-test. Shelling it in on demand usually doesnt' work, as it reads
|
||||
# the global config and tries to open shared libraries configured in there,
|
||||
# which are usually not compatible.
|
||||
environment.systemPackages = [
|
||||
pkgs.dovecot_pigeonhole
|
||||
];
|
||||
|
||||
services.dovecot2 = {
|
||||
enable = true;
|
||||
enableImap = enableImap || enableImapSsl;
|
||||
enablePop3 = enablePop3 || enablePop3Ssl;
|
||||
enableImap = enableImap;
|
||||
enablePop3 = enablePop3;
|
||||
enablePAM = false;
|
||||
enableQuota = true;
|
||||
mailGroup = vmailGroupName;
|
||||
|
@ -172,52 +94,20 @@ in
|
|||
sslServerCert = certificatePath;
|
||||
sslServerKey = keyPath;
|
||||
enableLmtp = true;
|
||||
modules = [ pkgs.dovecot_pigeonhole ] ++ (lib.optional cfg.fullTextSearch.enable pkgs.dovecot_fts_xapian );
|
||||
mailPlugins.globally.enable = lib.optionals cfg.fullTextSearch.enable [ "fts" "fts_xapian" ];
|
||||
protocols = lib.optional cfg.enableManageSieve "sieve";
|
||||
modules = [ pkgs.dovecot_pigeonhole ];
|
||||
protocols = [ "sieve" ];
|
||||
|
||||
pluginSettings = {
|
||||
sieve = "file:${cfg.sieveDirectory}/%u/scripts;active=${cfg.sieveDirectory}/%u/active.sieve";
|
||||
sieve_default = "file:${cfg.sieveDirectory}/%u/default.sieve";
|
||||
sieve_default_name = "default";
|
||||
};
|
||||
|
||||
sieve = {
|
||||
extensions = [
|
||||
"fileinto"
|
||||
];
|
||||
|
||||
scripts.after = builtins.toFile "spam.sieve" ''
|
||||
sieveScripts = {
|
||||
after = builtins.toFile "spam.sieve" ''
|
||||
require "fileinto";
|
||||
|
||||
if header :is "X-Spam" "Yes" {
|
||||
fileinto "${junkMailboxName}";
|
||||
fileinto "Junk";
|
||||
stop;
|
||||
}
|
||||
'';
|
||||
|
||||
pipeBins = map lib.getExe [
|
||||
(pkgs.writeShellScriptBin "sa-learn-ham.sh"
|
||||
"exec ${pkgs.rspamd}/bin/rspamc -h /run/rspamd/worker-controller.sock learn_ham")
|
||||
(pkgs.writeShellScriptBin "sa-learn-spam.sh"
|
||||
"exec ${pkgs.rspamd}/bin/rspamc -h /run/rspamd/worker-controller.sock learn_spam")
|
||||
];
|
||||
};
|
||||
|
||||
imapsieve.mailbox = [
|
||||
{
|
||||
name = junkMailboxName;
|
||||
causes = [ "COPY" "APPEND" ];
|
||||
before = ./dovecot/imap_sieve/report-spam.sieve;
|
||||
}
|
||||
{
|
||||
name = "*";
|
||||
from = junkMailboxName;
|
||||
causes = [ "COPY" ];
|
||||
before = ./dovecot/imap_sieve/report-ham.sieve;
|
||||
}
|
||||
];
|
||||
|
||||
mailboxes = cfg.mailboxes;
|
||||
|
||||
extraConfig = ''
|
||||
|
@ -228,49 +118,6 @@ in
|
|||
verbose_ssl = yes
|
||||
''}
|
||||
|
||||
${lib.optionalString (cfg.enableImap || cfg.enableImapSsl) ''
|
||||
service imap-login {
|
||||
inet_listener imap {
|
||||
${if cfg.enableImap then ''
|
||||
port = 143
|
||||
'' else ''
|
||||
# see https://dovecot.org/pipermail/dovecot/2010-March/047479.html
|
||||
port = 0
|
||||
''}
|
||||
}
|
||||
inet_listener imaps {
|
||||
${if cfg.enableImapSsl then ''
|
||||
port = 993
|
||||
ssl = yes
|
||||
'' else ''
|
||||
# see https://dovecot.org/pipermail/dovecot/2010-March/047479.html
|
||||
port = 0
|
||||
''}
|
||||
}
|
||||
}
|
||||
''}
|
||||
${lib.optionalString (cfg.enablePop3 || cfg.enablePop3Ssl) ''
|
||||
service pop3-login {
|
||||
inet_listener pop3 {
|
||||
${if cfg.enablePop3 then ''
|
||||
port = 110
|
||||
'' else ''
|
||||
# see https://dovecot.org/pipermail/dovecot/2010-March/047479.html
|
||||
port = 0
|
||||
''}
|
||||
}
|
||||
inet_listener pop3s {
|
||||
${if cfg.enablePop3Ssl then ''
|
||||
port = 995
|
||||
ssl = yes
|
||||
'' else ''
|
||||
# see https://dovecot.org/pipermail/dovecot/2010-March/047479.html
|
||||
port = 0
|
||||
''}
|
||||
}
|
||||
}
|
||||
''}
|
||||
|
||||
protocol imap {
|
||||
mail_max_userip_connections = ${toString cfg.maxConnectionsPerUser}
|
||||
mail_plugins = $mail_plugins imap_sieve
|
||||
|
@ -282,8 +129,6 @@ in
|
|||
|
||||
mail_access_groups = ${vmailGroupName}
|
||||
ssl = required
|
||||
ssl_min_protocol = TLSv1.2
|
||||
ssl_prefer_server_ciphers = yes
|
||||
|
||||
service lmtp {
|
||||
unix_listener dovecot-lmtp {
|
||||
|
@ -293,7 +138,7 @@ in
|
|||
}
|
||||
}
|
||||
|
||||
recipient_delimiter = ${cfg.recipientDelimiter}
|
||||
recipient_delimiter = +
|
||||
lmtp_save_to_detail_mailbox = ${cfg.lmtpSaveToDetailMailbox}
|
||||
|
||||
protocol lmtp {
|
||||
|
@ -307,23 +152,9 @@ in
|
|||
|
||||
userdb {
|
||||
driver = passwd-file
|
||||
args = ${userdbFile}
|
||||
default_fields = uid=${builtins.toString cfg.vmailUID} gid=${builtins.toString cfg.vmailUID} home=${cfg.mailDirectory}
|
||||
args = ${passwdFile}
|
||||
}
|
||||
|
||||
${lib.optionalString cfg.ldap.enable ''
|
||||
passdb {
|
||||
driver = ldap
|
||||
args = ${ldapConfFile}
|
||||
}
|
||||
|
||||
userdb {
|
||||
driver = ldap
|
||||
args = ${ldapConfFile}
|
||||
default_fields = home=/var/vmail/ldap/%u uid=${toString cfg.vmailUID} gid=${toString cfg.vmailUID}
|
||||
}
|
||||
''}
|
||||
|
||||
service auth {
|
||||
unix_listener auth {
|
||||
mode = 0660
|
||||
|
@ -339,61 +170,55 @@ in
|
|||
inbox = yes
|
||||
}
|
||||
|
||||
${lib.optionalString cfg.fullTextSearch.enable ''
|
||||
plugin {
|
||||
plugin = fts fts_xapian
|
||||
fts = xapian
|
||||
fts_xapian = partial=${toString cfg.fullTextSearch.minSize} full=${toString cfg.fullTextSearch.maxSize} attachments=${bool2int cfg.fullTextSearch.indexAttachments} verbose=${bool2int cfg.debug}
|
||||
sieve_plugins = sieve_imapsieve sieve_extprograms
|
||||
sieve = file:/var/sieve/%u/scripts;active=/var/sieve/%u/active.sieve
|
||||
sieve_default = file:/var/sieve/%u/default.sieve
|
||||
sieve_default_name = default
|
||||
|
||||
fts_autoindex = ${if cfg.fullTextSearch.autoIndex then "yes" else "no"}
|
||||
# From elsewhere to Spam folder
|
||||
imapsieve_mailbox1_name = Junk
|
||||
imapsieve_mailbox1_causes = COPY
|
||||
imapsieve_mailbox1_before = file:${stateDir}/imap_sieve/report-spam.sieve
|
||||
|
||||
${lib.strings.concatImapStringsSep "\n" (n: x: "fts_autoindex_exclude${if n==1 then "" else toString n} = ${x}") cfg.fullTextSearch.autoIndexExclude}
|
||||
# From Spam folder to elsewhere
|
||||
imapsieve_mailbox2_name = *
|
||||
imapsieve_mailbox2_from = Junk
|
||||
imapsieve_mailbox2_causes = COPY
|
||||
imapsieve_mailbox2_before = file:${stateDir}/imap_sieve/report-ham.sieve
|
||||
|
||||
fts_enforced = ${cfg.fullTextSearch.enforced}
|
||||
sieve_pipe_bin_dir = ${pipeBin}/pipe/bin
|
||||
|
||||
sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
|
||||
}
|
||||
|
||||
${lib.optionalString (cfg.fullTextSearch.memoryLimit != null) ''
|
||||
service indexer-worker {
|
||||
vsz_limit = ${toString (cfg.fullTextSearch.memoryLimit*1024*1024)}
|
||||
}
|
||||
''}
|
||||
''}
|
||||
|
||||
lda_mailbox_autosubscribe = yes
|
||||
lda_mailbox_autocreate = yes
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services.dovecot2 = {
|
||||
preStart = ''
|
||||
${genPasswdScript}
|
||||
'' + (lib.optionalString cfg.ldap.enable setPwdInLdapConfFile);
|
||||
};
|
||||
|
||||
systemd.services.postfix.restartTriggers = [ genPasswdScript ] ++ (lib.optional cfg.ldap.enable [setPwdInLdapConfFile]);
|
||||
|
||||
systemd.services.dovecot-fts-xapian-optimize = lib.mkIf (cfg.fullTextSearch.enable && cfg.fullTextSearch.maintenance.enable) {
|
||||
description = "Optimize dovecot indices for fts_xapian";
|
||||
requisite = [ "dovecot2.service" ];
|
||||
after = [ "dovecot2.service" ];
|
||||
startAt = cfg.fullTextSearch.maintenance.onCalendar;
|
||||
systemd.services.gen-passwd-file = {
|
||||
serviceConfig = {
|
||||
ExecStart = genPasswdScript;
|
||||
Type = "oneshot";
|
||||
ExecStart = "${pkgs.dovecot}/bin/doveadm fts optimize -A";
|
||||
PrivateDevices = true;
|
||||
PrivateNetwork = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectSystem = true;
|
||||
PrivateTmp = true;
|
||||
};
|
||||
};
|
||||
systemd.timers.dovecot-fts-xapian-optimize = lib.mkIf (cfg.fullTextSearch.enable && cfg.fullTextSearch.maintenance.enable && cfg.fullTextSearch.maintenance.randomizedDelaySec != 0) {
|
||||
timerConfig = {
|
||||
RandomizedDelaySec = cfg.fullTextSearch.maintenance.randomizedDelaySec;
|
||||
};
|
||||
|
||||
systemd.services.dovecot2 = {
|
||||
after = [ "gen-passwd-file.service" ];
|
||||
wants = [ "gen-passwd-file.service" ];
|
||||
requires = [ "gen-passwd-file.service" ];
|
||||
preStart = ''
|
||||
rm -rf '${stateDir}/imap_sieve'
|
||||
mkdir '${stateDir}/imap_sieve'
|
||||
cp -p "${./dovecot/imap_sieve}"/*.sieve '${stateDir}/imap_sieve/'
|
||||
for k in "${stateDir}/imap_sieve"/*.sieve ; do
|
||||
${pkgs.dovecot_pigeonhole}/bin/sievec "$k"
|
||||
done
|
||||
chown -R '${dovecot2Cfg.mailUser}:${dovecot2Cfg.mailGroup}' '${stateDir}/imap_sieve'
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services.postfix.restartTriggers = [ passwdFile ];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -23,6 +23,6 @@ in
|
|||
config = with cfg; lib.mkIf enable {
|
||||
environment.systemPackages = with pkgs; [
|
||||
dovecot opendkim openssh postfix rspamd
|
||||
] ++ (if certificateScheme == "selfsigned" then [ openssl ] else []);
|
||||
] ++ (if certificateScheme == 2 then [ openssl ] else []);
|
||||
};
|
||||
}
|
||||
|
|
|
@ -22,6 +22,7 @@ in
|
|||
{
|
||||
config = lib.mkIf (cfg.enable && cfg.localDnsResolver) {
|
||||
services.kresd.enable = true;
|
||||
networking.nameservers = [ "127.0.0.1" ];
|
||||
};
|
||||
}
|
||||
|
||||
|
|
|
@ -14,24 +14,22 @@
|
|||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||
|
||||
{ config, lib, ... }:
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.mailserver;
|
||||
in
|
||||
{
|
||||
config = with cfg; lib.mkIf (enable && openFirewall) {
|
||||
config = with cfg; lib.mkIf enable {
|
||||
|
||||
networking.firewall = {
|
||||
allowedTCPPorts = [ 25 ]
|
||||
++ lib.optional enableSubmission 587
|
||||
++ lib.optional enableSubmissionSsl 465
|
||||
allowedTCPPorts = [ 25 587 ]
|
||||
++ lib.optional enableImap 143
|
||||
++ lib.optional enableImapSsl 993
|
||||
++ lib.optional enablePop3 110
|
||||
++ lib.optional enablePop3Ssl 995
|
||||
++ lib.optional enableManageSieve 4190
|
||||
++ lib.optional (certificateScheme == "acme-nginx") 80;
|
||||
++ lib.optional (certificateScheme == 3) 80;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -17,26 +17,28 @@
|
|||
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
with (import ./common.nix { inherit config lib pkgs; });
|
||||
with (import ./common.nix { inherit config; });
|
||||
|
||||
let
|
||||
cfg = config.mailserver;
|
||||
acmeRoot = "/var/lib/acme/acme-challenge";
|
||||
in
|
||||
{
|
||||
config = lib.mkIf (cfg.enable && (cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx")) {
|
||||
services.nginx = lib.mkIf (cfg.certificateScheme == "acme-nginx") {
|
||||
config = lib.mkIf (cfg.enable && cfg.certificateScheme == 3) {
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."${cfg.fqdn}" = {
|
||||
serverName = cfg.fqdn;
|
||||
serverAliases = cfg.certificateDomains;
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
acmeRoot = acmeRoot;
|
||||
};
|
||||
};
|
||||
|
||||
security.acme.certs."${cfg.acmeCertificateName}".reloadServices = [
|
||||
"postfix.service"
|
||||
"dovecot2.service"
|
||||
];
|
||||
security.acme.certs."${cfg.fqdn}".postRun = ''
|
||||
systemctl reload nginx
|
||||
systemctl reload postfix
|
||||
systemctl reload dovecot2
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
|
@ -29,7 +29,7 @@ let
|
|||
dkim_txt = "${cfg.dkimKeyDirectory}/${dom}.${cfg.dkimSelector}.txt";
|
||||
in
|
||||
''
|
||||
if [ ! -f "${dkim_key}" ]
|
||||
if [ ! -f "${dkim_key}" ] || [ ! -f "${dkim_txt}" ]
|
||||
then
|
||||
${pkgs.opendkim}/bin/opendkim-genkey -s "${cfg.dkimSelector}" \
|
||||
-d "${dom}" \
|
||||
|
@ -37,16 +37,15 @@ let
|
|||
--directory="${cfg.dkimKeyDirectory}"
|
||||
mv "${cfg.dkimKeyDirectory}/${cfg.dkimSelector}.private" "${dkim_key}"
|
||||
mv "${cfg.dkimKeyDirectory}/${cfg.dkimSelector}.txt" "${dkim_txt}"
|
||||
chmod 644 "${dkim_txt}"
|
||||
echo "Generated key for domain ${dom} selector ${cfg.dkimSelector}"
|
||||
fi
|
||||
'';
|
||||
createAllCerts = lib.concatStringsSep "\n" (map createDomainDkimCert cfg.domains);
|
||||
|
||||
keyTable = pkgs.writeText "opendkim-KeyTable"
|
||||
(lib.concatStringsSep "\n" (lib.flip map cfg.domains
|
||||
keyTable = pkgs.writeText "opendkim-KeyTable"
|
||||
(lib.concatStringsSep "\n" (lib.flip map cfg.domains
|
||||
(dom: "${dom} ${dom}:${cfg.dkimSelector}:${cfg.dkimKeyDirectory}/${dom}.${cfg.dkimSelector}.key")));
|
||||
signingTable = pkgs.writeText "opendkim-SigningTable"
|
||||
signingTable = pkgs.writeText "opendkim-SigningTable"
|
||||
(lib.concatStringsSep "\n" (lib.flip map cfg.domains (dom: "${dom} ${dom}")));
|
||||
|
||||
dkim = config.services.opendkim;
|
||||
|
@ -57,10 +56,9 @@ in
|
|||
services.opendkim = {
|
||||
enable = true;
|
||||
selector = cfg.dkimSelector;
|
||||
keyPath = cfg.dkimKeyDirectory;
|
||||
domains = "csl:${builtins.concatStringsSep "," cfg.domains}";
|
||||
configFile = pkgs.writeText "opendkim.conf" (''
|
||||
Canonicalization ${cfg.dkimHeaderCanonicalization}/${cfg.dkimBodyCanonicalization}
|
||||
Canonicalization relaxed/simple
|
||||
UMask 0002
|
||||
Socket ${dkim.socket}
|
||||
KeyTable file:${keyTable}
|
||||
|
|
|
@ -22,57 +22,33 @@ let
|
|||
inherit (lib.strings) concatStringsSep;
|
||||
cfg = config.mailserver;
|
||||
|
||||
# Merge several lookup tables. A lookup table is a attribute set where
|
||||
# - the key is an address (user@example.com) or a domain (@example.com)
|
||||
# - the value is a list of addresses
|
||||
mergeLookupTables = tables: lib.zipAttrsWith (n: v: lib.flatten v) tables;
|
||||
|
||||
# valiases_postfix :: Map String [String]
|
||||
valiases_postfix = mergeLookupTables (lib.flatten (lib.mapAttrsToList
|
||||
# valiases_postfix :: [ String ]
|
||||
valiases_postfix = lib.flatten (lib.mapAttrsToList
|
||||
(name: value:
|
||||
let to = name;
|
||||
in map (from: {"${from}" = to;}) (value.aliases ++ lib.singleton name))
|
||||
cfg.loginAccounts));
|
||||
regex_valiases_postfix = mergeLookupTables (lib.flatten (lib.mapAttrsToList
|
||||
in map (from: "${from} ${to}") (value.aliases ++ lib.singleton name))
|
||||
cfg.loginAccounts);
|
||||
|
||||
# catchAllPostfix :: [ String ]
|
||||
catchAllPostfix = lib.flatten (lib.mapAttrsToList
|
||||
(name: value:
|
||||
let to = name;
|
||||
in map (from: {"${from}" = to;}) value.aliasesRegexp)
|
||||
cfg.loginAccounts));
|
||||
in map (from: "@${from} ${to}") value.catchAll)
|
||||
cfg.loginAccounts);
|
||||
|
||||
# catchAllPostfix :: Map String [String]
|
||||
catchAllPostfix = mergeLookupTables (lib.flatten (lib.mapAttrsToList
|
||||
(name: value:
|
||||
let to = name;
|
||||
in map (from: {"@${from}" = to;}) value.catchAll)
|
||||
cfg.loginAccounts));
|
||||
# extra_valiases_postfix :: [ String ]
|
||||
extra_valiases_postfix =
|
||||
(map
|
||||
(from:
|
||||
let to = cfg.extraVirtualAliases.${from};
|
||||
aliasList = (l: let aliasStr = builtins.foldl' (x: y: x + y + ", ") "" l;
|
||||
in builtins.substring 0 (builtins.stringLength aliasStr - 2) aliasStr);
|
||||
in if (builtins.isList to) then "${from} " + (aliasList to)
|
||||
else "${from} ${to}")
|
||||
(builtins.attrNames cfg.extraVirtualAliases));
|
||||
|
||||
# all_valiases_postfix :: Map String [String]
|
||||
all_valiases_postfix = mergeLookupTables [valiases_postfix extra_valiases_postfix];
|
||||
|
||||
# attrsToLookupTable :: Map String (Either String [ String ]) -> Map String [String]
|
||||
attrsToLookupTable = aliases: let
|
||||
lookupTables = lib.mapAttrsToList (from: to: {"${from}" = to;}) aliases;
|
||||
in mergeLookupTables lookupTables;
|
||||
|
||||
# extra_valiases_postfix :: Map String [String]
|
||||
extra_valiases_postfix = attrsToLookupTable cfg.extraVirtualAliases;
|
||||
|
||||
# forwards :: Map String [String]
|
||||
forwards = attrsToLookupTable cfg.forwards;
|
||||
|
||||
# lookupTableToString :: Map String [String] -> String
|
||||
lookupTableToString = attrs: let
|
||||
valueToString = value: lib.concatStringsSep ", " value;
|
||||
in lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value: "${name} ${valueToString value}") attrs);
|
||||
|
||||
# valiases_file :: Path
|
||||
valiases_file = let
|
||||
content = lookupTableToString (mergeLookupTables [all_valiases_postfix catchAllPostfix]);
|
||||
in builtins.toFile "valias" content;
|
||||
|
||||
regex_valiases_file = let
|
||||
content = lookupTableToString regex_valiases_postfix;
|
||||
in builtins.toFile "regex_valias" content;
|
||||
# all_valiases_postfix :: [ String ]
|
||||
all_valiases_postfix = valiases_postfix ++ extra_valiases_postfix;
|
||||
|
||||
# denied_recipients_postfix :: [ String ]
|
||||
denied_recipients_postfix = (map
|
||||
|
@ -80,12 +56,19 @@ let
|
|||
(lib.filter (acct: acct.sendOnly) (lib.attrValues cfg.loginAccounts)));
|
||||
denied_recipients_file = builtins.toFile "denied_recipients" (lib.concatStringsSep "\n" denied_recipients_postfix);
|
||||
|
||||
|
||||
# valiases_file :: Path
|
||||
valiases_file = builtins.toFile "valias"
|
||||
(lib.concatStringsSep "\n" (all_valiases_postfix ++
|
||||
catchAllPostfix));
|
||||
|
||||
reject_senders_postfix = (map
|
||||
(sender:
|
||||
"${sender} REJECT")
|
||||
(cfg.rejectSender));
|
||||
reject_senders_file = builtins.toFile "reject_senders" (lib.concatStringsSep "\n" (reject_senders_postfix)) ;
|
||||
|
||||
|
||||
reject_recipients_postfix = (map
|
||||
(recipient:
|
||||
"${recipient} REJECT")
|
||||
|
@ -102,8 +85,7 @@ let
|
|||
# for details on how this file looks. By using the same file as valiases,
|
||||
# every alias is owned (uniquely) by its user.
|
||||
# The user's own address is already in all_valiases_postfix.
|
||||
vaccounts_file = builtins.toFile "vaccounts" (lookupTableToString all_valiases_postfix);
|
||||
regex_vaccounts_file = builtins.toFile "regex_vaccounts" (lookupTableToString regex_valiases_postfix);
|
||||
vaccounts_file = builtins.toFile "vaccounts" (lib.concatStringsSep "\n" all_valiases_postfix);
|
||||
|
||||
submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" (''
|
||||
# Removes sensitive headers from mails handed in via the submission port.
|
||||
|
@ -130,100 +112,36 @@ let
|
|||
(lib.optional cfg.dkimSigning "unix:/run/opendkim/opendkim.sock")
|
||||
++ [ "unix:/run/rspamd/rspamd-milter.sock" ];
|
||||
|
||||
policyd-spf = pkgs.writeText "policyd-spf.conf" cfg.policydSPFExtraConfig;
|
||||
policyd-spf = pkgs.writeText "policyd-spf.conf" (
|
||||
cfg.policydSPFExtraConfig
|
||||
+ (lib.optionalString cfg.debug ''
|
||||
debugLevel = 4
|
||||
''));
|
||||
|
||||
mappedFile = name: "hash:/var/lib/postfix/conf/${name}";
|
||||
mappedRegexFile = name: "pcre:/var/lib/postfix/conf/${name}";
|
||||
|
||||
submissionOptions =
|
||||
{
|
||||
smtpd_tls_security_level = "encrypt";
|
||||
smtpd_sasl_auth_enable = "yes";
|
||||
smtpd_sasl_type = "dovecot";
|
||||
smtpd_sasl_path = "/run/dovecot2/auth";
|
||||
smtpd_sasl_security_options = "noanonymous";
|
||||
smtpd_sasl_local_domain = "$myhostname";
|
||||
smtpd_client_restrictions = "permit_sasl_authenticated,reject";
|
||||
smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts${lib.optionalString cfg.ldap.enable ",ldap:${ldapSenderLoginMapFile}"}${lib.optionalString (regex_valiases_postfix != {}) ",pcre:/etc/postfix/regex_vaccounts"}";
|
||||
smtpd_sender_restrictions = "reject_sender_login_mismatch";
|
||||
smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
|
||||
cleanup_service_name = "submission-header-cleanup";
|
||||
};
|
||||
|
||||
commonLdapConfig = ''
|
||||
server_host = ${lib.concatStringsSep " " cfg.ldap.uris}
|
||||
start_tls = ${if cfg.ldap.startTls then "yes" else "no"}
|
||||
version = 3
|
||||
tls_ca_cert_file = ${cfg.ldap.tlsCAFile}
|
||||
tls_require_cert = yes
|
||||
|
||||
search_base = ${cfg.ldap.searchBase}
|
||||
scope = ${cfg.ldap.searchScope}
|
||||
|
||||
bind = yes
|
||||
bind_dn = ${cfg.ldap.bind.dn}
|
||||
'';
|
||||
|
||||
ldapSenderLoginMap = pkgs.writeText "ldap-sender-login-map.cf" ''
|
||||
${commonLdapConfig}
|
||||
query_filter = ${cfg.ldap.postfix.filter}
|
||||
result_attribute = ${cfg.ldap.postfix.mailAttribute}
|
||||
'';
|
||||
ldapSenderLoginMapFile = "/run/postfix/ldap-sender-login-map.cf";
|
||||
appendPwdInSenderLoginMap = appendLdapBindPwd {
|
||||
name = "ldap-sender-login-map";
|
||||
file = ldapSenderLoginMap;
|
||||
prefix = "bind_pw = ";
|
||||
passwordFile = cfg.ldap.bind.passwordFile;
|
||||
destination = ldapSenderLoginMapFile;
|
||||
};
|
||||
|
||||
ldapVirtualMailboxMap = pkgs.writeText "ldap-virtual-mailbox-map.cf" ''
|
||||
${commonLdapConfig}
|
||||
query_filter = ${cfg.ldap.postfix.filter}
|
||||
result_attribute = ${cfg.ldap.postfix.uidAttribute}
|
||||
'';
|
||||
ldapVirtualMailboxMapFile = "/run/postfix/ldap-virtual-mailbox-map.cf";
|
||||
appendPwdInVirtualMailboxMap = appendLdapBindPwd {
|
||||
name = "ldap-virtual-mailbox-map";
|
||||
file = ldapVirtualMailboxMap;
|
||||
prefix = "bind_pw = ";
|
||||
passwordFile = cfg.ldap.bind.passwordFile;
|
||||
destination = ldapVirtualMailboxMapFile;
|
||||
};
|
||||
in
|
||||
{
|
||||
config = with cfg; lib.mkIf enable {
|
||||
|
||||
systemd.services.postfix-setup = lib.mkIf cfg.ldap.enable {
|
||||
preStart = ''
|
||||
${appendPwdInVirtualMailboxMap}
|
||||
${appendPwdInSenderLoginMap}
|
||||
'';
|
||||
restartTriggers = [ appendPwdInVirtualMailboxMap appendPwdInSenderLoginMap ];
|
||||
};
|
||||
|
||||
services.postfix = {
|
||||
enable = true;
|
||||
hostname = "${sendingFqdn}";
|
||||
hostname = "${fqdn}";
|
||||
networksStyle = "host";
|
||||
mapFiles."valias" = valiases_file;
|
||||
mapFiles."regex_valias" = regex_valiases_file;
|
||||
mapFiles."vaccounts" = vaccounts_file;
|
||||
mapFiles."regex_vaccounts" = regex_vaccounts_file;
|
||||
mapFiles."denied_recipients" = denied_recipients_file;
|
||||
mapFiles."reject_senders" = reject_senders_file;
|
||||
mapFiles."reject_recipients" = reject_recipients_file;
|
||||
sslCert = certificatePath;
|
||||
sslKey = keyPath;
|
||||
enableSubmission = cfg.enableSubmission;
|
||||
enableSubmissions = cfg.enableSubmissionSsl;
|
||||
virtual = lookupTableToString (mergeLookupTables [all_valiases_postfix catchAllPostfix forwards]);
|
||||
enableSubmission = true;
|
||||
virtual =
|
||||
(lib.concatStringsSep "\n" (all_valiases_postfix ++ catchAllPostfix));
|
||||
|
||||
config = {
|
||||
# Extra Config
|
||||
mydestination = "";
|
||||
recipient_delimiter = cfg.recipientDelimiter;
|
||||
recipient_delimiter = "+";
|
||||
smtpd_banner = "${fqdn} ESMTP NO UCE";
|
||||
disable_vrfy_command = true;
|
||||
message_size_limit = toString cfg.messageSizeLimit;
|
||||
|
@ -233,19 +151,8 @@ in
|
|||
virtual_gid_maps = "static:5000";
|
||||
virtual_mailbox_base = mailDirectory;
|
||||
virtual_mailbox_domains = vhosts_file;
|
||||
virtual_mailbox_maps = [
|
||||
(mappedFile "valias")
|
||||
] ++ lib.optionals (cfg.ldap.enable) [
|
||||
"ldap:${ldapVirtualMailboxMapFile}"
|
||||
] ++ lib.optionals (regex_valiases_postfix != {}) [
|
||||
(mappedRegexFile "regex_valias")
|
||||
];
|
||||
virtual_alias_maps = lib.mkAfter (lib.optionals (regex_valiases_postfix != {}) [
|
||||
(mappedRegexFile "regex_valias")
|
||||
]);
|
||||
virtual_mailbox_maps = mappedFile "valias";
|
||||
virtual_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
|
||||
# Avoid leakage of X-Original-To, X-Delivered-To headers between recipients
|
||||
lmtp_destination_recipient_limit = "1";
|
||||
|
||||
# sasl with dovecot
|
||||
smtpd_sasl_type = "dovecot";
|
||||
|
@ -274,6 +181,9 @@ in
|
|||
# Submission by mail clients is handled in submissionOptions
|
||||
smtpd_tls_security_level = "may";
|
||||
|
||||
# strong might suffice and is computationally less expensive
|
||||
smtpd_tls_eecdh_grade = "ultra";
|
||||
|
||||
# Disable obselete protocols
|
||||
smtpd_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
|
||||
smtp_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
|
||||
|
@ -306,26 +216,28 @@ in
|
|||
milter_protocol = "6";
|
||||
milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}";
|
||||
|
||||
# Fix for https://www.postfix.org/smtp-smuggling.html
|
||||
smtpd_forbid_bare_newline = cfg.smtpdForbidBareNewline;
|
||||
smtpd_forbid_bare_newline_exclusions = "$mynetworks";
|
||||
};
|
||||
|
||||
submissionOptions = submissionOptions;
|
||||
submissionsOptions = submissionOptions;
|
||||
|
||||
submissionOptions =
|
||||
{
|
||||
smtpd_tls_security_level = "encrypt";
|
||||
smtpd_sasl_auth_enable = "yes";
|
||||
smtpd_sasl_type = "dovecot";
|
||||
smtpd_sasl_path = "/run/dovecot2/auth";
|
||||
smtpd_sasl_security_options = "noanonymous";
|
||||
smtpd_sasl_local_domain = "$myhostname";
|
||||
smtpd_client_restrictions = "permit_sasl_authenticated,reject";
|
||||
smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts";
|
||||
smtpd_sender_restrictions = "reject_sender_login_mismatch";
|
||||
smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
|
||||
cleanup_service_name = "submission-header-cleanup";
|
||||
};
|
||||
masterConfig = {
|
||||
"lmtp" = {
|
||||
# Add headers when delivering, see http://www.postfix.org/smtp.8.html
|
||||
# D => Delivered-To, O => X-Original-To, R => Return-Path
|
||||
args = [ "flags=O" ];
|
||||
};
|
||||
"policy-spf" = {
|
||||
type = "unix";
|
||||
privileged = true;
|
||||
chroot = false;
|
||||
command = "spawn";
|
||||
args = [ "user=nobody" "argv=${pkgs.spf-engine}/bin/policyd-spf" "${policyd-spf}"];
|
||||
args = [ "user=nobody" "argv=${pkgs.pypolicyd-spf}/bin/policyd-spf" "${policyd-spf}"];
|
||||
};
|
||||
"submission-header-cleanup" = {
|
||||
type = "unix";
|
||||
|
|
|
@ -30,7 +30,7 @@ in
|
|||
inherit debug;
|
||||
locals = {
|
||||
"milter_headers.conf" = { text = ''
|
||||
extended_spam_headers = true;
|
||||
extended_spam_headers = yes;
|
||||
''; };
|
||||
"redis.conf" = { text = ''
|
||||
servers = "${cfg.redis.address}:${toString cfg.redis.port}";
|
||||
|
@ -52,21 +52,14 @@ in
|
|||
scan_mime_parts = false; # scan mail as a whole unit, not parts. seems to be needed to work at all
|
||||
}
|
||||
''; };
|
||||
"dkim_signing.conf" = { text = ''
|
||||
# Disable outbound email signing, we use opendkim for this
|
||||
enabled = false;
|
||||
''; };
|
||||
"dmarc.conf" = { text = ''
|
||||
${lib.optionalString cfg.dmarcReporting.enable ''
|
||||
reporting {
|
||||
enabled = true;
|
||||
email = "${cfg.dmarcReporting.email}";
|
||||
domain = "${cfg.dmarcReporting.domain}";
|
||||
org_name = "${cfg.dmarcReporting.organizationName}";
|
||||
from_name = "${cfg.dmarcReporting.fromName}";
|
||||
msgid_from = "dmarc-rua";
|
||||
}''}
|
||||
''; };
|
||||
};
|
||||
|
||||
overrides = {
|
||||
"milter_headers.conf" = {
|
||||
text = ''
|
||||
extended_spam_headers = true;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
workers.rspamd_proxy = {
|
||||
|
@ -94,79 +87,15 @@ in
|
|||
mode = "0666";
|
||||
}];
|
||||
includes = [];
|
||||
extraConfig = ''
|
||||
static_dir = "''${WWWDIR}"; # Serve the web UI static assets
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
services.redis.servers.rspamd = {
|
||||
enable = lib.mkDefault true;
|
||||
port = lib.mkDefault 6380;
|
||||
};
|
||||
services.redis.enable = true;
|
||||
|
||||
systemd.services.rspamd = {
|
||||
requires = [ "redis-rspamd.service" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
|
||||
after = [ "redis-rspamd.service" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
|
||||
};
|
||||
|
||||
systemd.services.rspamd-dmarc-reporter = lib.optionalAttrs (cfg.dmarcReporting.enable) {
|
||||
# Explicitly select yesterday's date to work around broken
|
||||
# default behaviour when called without a date.
|
||||
# https://github.com/rspamd/rspamd/issues/4062
|
||||
script = ''
|
||||
${pkgs.rspamd}/bin/rspamadm dmarc_report $(date -d "yesterday" "+%Y%m%d")
|
||||
'';
|
||||
serviceConfig = {
|
||||
User = "${config.services.rspamd.user}";
|
||||
Group = "${config.services.rspamd.group}";
|
||||
|
||||
AmbientCapabilities = [];
|
||||
CapabilityBoundingSet = "";
|
||||
DevicePolicy = "closed";
|
||||
IPAddressAllow = "localhost";
|
||||
LockPersonality = true;
|
||||
NoNewPrivileges = true;
|
||||
PrivateDevices = true;
|
||||
PrivateMounts = true;
|
||||
PrivateTmp = true;
|
||||
PrivateUsers = true;
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectProc = "invisible";
|
||||
ProcSubset = "pid";
|
||||
ProtectSystem = "strict";
|
||||
RemoveIPC = true;
|
||||
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
"~@privileged"
|
||||
];
|
||||
UMask = "0077";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.timers.rspamd-dmarc-reporter = lib.optionalAttrs (cfg.dmarcReporting.enable) {
|
||||
description = "Daily delivery of aggregated DMARC reports";
|
||||
wantedBy = [
|
||||
"timers.target"
|
||||
];
|
||||
timerConfig = {
|
||||
OnCalendar = "daily";
|
||||
Persistent = true;
|
||||
RandomizedDelaySec = 86400;
|
||||
FixedRandomDelay = true;
|
||||
};
|
||||
requires = [ "redis.service" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
|
||||
after = [ "redis.service" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
|
||||
};
|
||||
|
||||
systemd.services.postfix = {
|
||||
|
|
|
@ -18,32 +18,40 @@
|
|||
|
||||
let
|
||||
cfg = config.mailserver;
|
||||
certificatesDeps =
|
||||
if cfg.certificateScheme == "manual" then
|
||||
[]
|
||||
else if cfg.certificateScheme == "selfsigned" then
|
||||
[ "mailserver-selfsigned-certificate.service" ]
|
||||
else
|
||||
[ "acme-finished-${cfg.fqdn}.target" ];
|
||||
preliminarySelfsigned = config.security.acme.preliminarySelfsigned;
|
||||
acmeWantsTarget = [ "acme-certificates.target" ]
|
||||
++ (lib.optional preliminarySelfsigned "acme-selfsigned-certificates.target");
|
||||
acmeAfterTarget = if preliminarySelfsigned
|
||||
then [ "acme-selfsigned-certificates.target" ]
|
||||
else [ "acme-certificates.target" ];
|
||||
in
|
||||
{
|
||||
config = with cfg; lib.mkIf enable {
|
||||
# Add target for when certificates are available
|
||||
systemd.targets."mailserver-certificates" = {
|
||||
wants = lib.mkIf (cfg.certificateScheme == 3) acmeWantsTarget;
|
||||
after = lib.mkIf (cfg.certificateScheme == 3) acmeAfterTarget;
|
||||
};
|
||||
|
||||
# Create self signed certificate
|
||||
systemd.services.mailserver-selfsigned-certificate = lib.mkIf (cfg.certificateScheme == "selfsigned") {
|
||||
after = [ "local-fs.target" ];
|
||||
systemd.services.mailserver-selfsigned-certificate = lib.mkIf (cfg.certificateScheme == 2) {
|
||||
wantedBy = [ "mailserver-certificates.target" ];
|
||||
after = [ "local-fs.target" ];
|
||||
before = [ "mailserver-certificates.target" ];
|
||||
script = ''
|
||||
# Create certificates if they do not exist yet
|
||||
dir="${cfg.certificateDirectory}"
|
||||
fqdn="${cfg.fqdn}"
|
||||
[[ $fqdn == /* ]] && fqdn=$(< "$fqdn")
|
||||
key="$dir/key-${cfg.fqdn}.pem";
|
||||
cert="$dir/cert-${cfg.fqdn}.pem";
|
||||
case $fqdn in /*) fqdn=$(cat "$fqdn");; esac
|
||||
key="''${dir}/key-${cfg.fqdn}.pem";
|
||||
cert="''${dir}/cert-${cfg.fqdn}.pem";
|
||||
|
||||
if [[ ! -f $key || ! -f $cert ]]; then
|
||||
if [ ! -f "''${key}" ] || [ ! -f "''${cert}" ]
|
||||
then
|
||||
mkdir -p "${cfg.certificateDirectory}"
|
||||
(umask 077; "${pkgs.openssl}/bin/openssl" genrsa -out "$key" 2048) &&
|
||||
"${pkgs.openssl}/bin/openssl" req -new -key "$key" -x509 -subj "/CN=$fqdn" \
|
||||
-days 3650 -out "$cert"
|
||||
(umask 077; "${pkgs.openssl}/bin/openssl" genrsa -out "''${key}" 2048) &&
|
||||
"${pkgs.openssl}/bin/openssl" req -new -key "''${key}" -x509 -subj "/CN=''${fqdn}" \
|
||||
-days 3650 -out "''${cert}"
|
||||
fi
|
||||
'';
|
||||
serviceConfig = {
|
||||
|
@ -54,32 +62,24 @@ in
|
|||
|
||||
# Create maildir folder before dovecot startup
|
||||
systemd.services.dovecot2 = {
|
||||
wants = certificatesDeps;
|
||||
after = certificatesDeps;
|
||||
preStart = let
|
||||
directories = lib.strings.escapeShellArgs (
|
||||
[ mailDirectory ]
|
||||
++ lib.optional (cfg.indexDir != null) cfg.indexDir
|
||||
);
|
||||
in ''
|
||||
after = [ "mailserver-certificates.target" ];
|
||||
wants = [ "mailserver-certificates.target" ];
|
||||
preStart = ''
|
||||
# Create mail directory and set permissions. See
|
||||
# <http://wiki2.dovecot.org/SharedMailboxes/Permissions>.
|
||||
# Prevent world-readable paths, even temporarily.
|
||||
umask 007
|
||||
mkdir -p ${directories}
|
||||
chgrp "${vmailGroupName}" ${directories}
|
||||
chmod 02770 ${directories}
|
||||
mkdir -p "${mailDirectory}"
|
||||
chgrp "${vmailGroupName}" "${mailDirectory}"
|
||||
chmod 02770 "${mailDirectory}"
|
||||
'';
|
||||
};
|
||||
|
||||
# Postfix requires dovecot lmtp socket, dovecot auth socket and certificate to work
|
||||
systemd.services.postfix = {
|
||||
wants = certificatesDeps;
|
||||
after = [ "dovecot2.service" ]
|
||||
++ lib.optional cfg.dkimSigning "opendkim.service"
|
||||
++ certificatesDeps;
|
||||
after = [ "dovecot2.service" "mailserver-certificates.target" ]
|
||||
++ (lib.optional cfg.dkimSigning "opendkim.service");
|
||||
wants = [ "mailserver-certificates.target" ];
|
||||
requires = [ "dovecot2.service" ]
|
||||
++ lib.optional cfg.dkimSigning "opendkim.service";
|
||||
++ (lib.optional cfg.dkimSigning "opendkim.service");
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -21,7 +21,7 @@ with config.mailserver;
|
|||
let
|
||||
vmail_user = {
|
||||
name = vmailUserName;
|
||||
isSystemUser = true;
|
||||
isNormalUser = false;
|
||||
uid = vmailUID;
|
||||
home = mailDirectory;
|
||||
createHome = true;
|
||||
|
@ -34,35 +34,32 @@ let
|
|||
|
||||
set -euo pipefail
|
||||
|
||||
# Prevent world-readable paths, even temporarily.
|
||||
umask 007
|
||||
|
||||
# Create directory to store user sieve scripts if it doesn't exist
|
||||
if (! test -d "${sieveDirectory}"); then
|
||||
mkdir "${sieveDirectory}"
|
||||
chown "${vmailUserName}:${vmailGroupName}" "${sieveDirectory}"
|
||||
chmod 770 "${sieveDirectory}"
|
||||
if (! test -d "/var/sieve"); then
|
||||
mkdir "/var/sieve"
|
||||
chown "${vmailUserName}:${vmailGroupName}" "/var/sieve"
|
||||
chmod 770 "/var/sieve"
|
||||
fi
|
||||
|
||||
# Copy user's sieve script to the correct location (if it exists). If it
|
||||
# is null, remove the file.
|
||||
${lib.concatMapStringsSep "\n" ({ name, sieveScript }:
|
||||
if lib.isString sieveScript then ''
|
||||
if (! test -d "${sieveDirectory}/${name}"); then
|
||||
mkdir -p "${sieveDirectory}/${name}"
|
||||
chown "${vmailUserName}:${vmailGroupName}" "${sieveDirectory}/${name}"
|
||||
chmod 770 "${sieveDirectory}/${name}"
|
||||
if (! test -d "/var/sieve/${name}"); then
|
||||
mkdir -p "/var/sieve/${name}"
|
||||
chown "${vmailUserName}:${vmailGroupName}" "/var/sieve/${name}"
|
||||
chmod 770 "/var/sieve/${name}"
|
||||
fi
|
||||
cat << 'EOF' > "${sieveDirectory}/${name}/default.sieve"
|
||||
cat << 'EOF' > "/var/sieve/${name}/default.sieve"
|
||||
${sieveScript}
|
||||
EOF
|
||||
chown "${vmailUserName}:${vmailGroupName}" "${sieveDirectory}/${name}/default.sieve"
|
||||
chown "${vmailUserName}:${vmailGroupName}" "/var/sieve/${name}/default.sieve"
|
||||
'' else ''
|
||||
if (test -f "${sieveDirectory}/${name}/default.sieve"); then
|
||||
rm "${sieveDirectory}/${name}/default.sieve"
|
||||
if (test -f "/var/sieve/${name}/default.sieve"); then
|
||||
rm "/var/sieve/${name}/default.sieve"
|
||||
fi
|
||||
if (test -f "${sieveDirectory}/${name}.svbin"); then
|
||||
rm "${sieveDirectory}/${name}/default.svbin"
|
||||
if (test -f "/var/sieve/${name}.svbin"); then
|
||||
rm "/var/sieve/${name}/default.svbin"
|
||||
fi
|
||||
'') (map (user: { inherit (user) name sieveScript; })
|
||||
(lib.attrValues loginAccounts))}
|
||||
|
|
14
nix/sources.json
Normal file
14
nix/sources.json
Normal file
|
@ -0,0 +1,14 @@
|
|||
{
|
||||
"nixpkgs-20.03": {
|
||||
"branch": "nixos-20.03",
|
||||
"description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to",
|
||||
"homepage": "https://github.com/NixOS/nixpkgs",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs-channels",
|
||||
"rev": "aaa66d8d887c73f643246ac1a684fcb1521543b8",
|
||||
"sha256": "0qvrhc7hv8h4yqa4jh64y6v5j3nza53ivkbq6j72g434c3yp2h50",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/NixOS/nixpkgs-channels/archive/aaa66d8d887c73f643246ac1a684fcb1521543b8.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
}
|
||||
}
|
134
nix/sources.nix
Normal file
134
nix/sources.nix
Normal file
|
@ -0,0 +1,134 @@
|
|||
# This file has been generated by Niv.
|
||||
|
||||
let
|
||||
|
||||
#
|
||||
# The fetchers. fetch_<type> fetches specs of type <type>.
|
||||
#
|
||||
|
||||
fetch_file = pkgs: spec:
|
||||
if spec.builtin or true then
|
||||
builtins_fetchurl { inherit (spec) url sha256; }
|
||||
else
|
||||
pkgs.fetchurl { inherit (spec) url sha256; };
|
||||
|
||||
fetch_tarball = pkgs: spec:
|
||||
if spec.builtin or true then
|
||||
builtins_fetchTarball { inherit (spec) url sha256; }
|
||||
else
|
||||
pkgs.fetchzip { inherit (spec) url sha256; };
|
||||
|
||||
fetch_git = spec:
|
||||
builtins.fetchGit { url = spec.repo; inherit (spec) rev ref; };
|
||||
|
||||
fetch_builtin-tarball = spec:
|
||||
builtins.trace
|
||||
''
|
||||
WARNING:
|
||||
The niv type "builtin-tarball" will soon be deprecated. You should
|
||||
instead use `builtin = true`.
|
||||
|
||||
$ niv modify <package> -a type=tarball -a builtin=true
|
||||
''
|
||||
builtins_fetchTarball { inherit (spec) url sha256; };
|
||||
|
||||
fetch_builtin-url = spec:
|
||||
builtins.trace
|
||||
''
|
||||
WARNING:
|
||||
The niv type "builtin-url" will soon be deprecated. You should
|
||||
instead use `builtin = true`.
|
||||
|
||||
$ niv modify <package> -a type=file -a builtin=true
|
||||
''
|
||||
(builtins_fetchurl { inherit (spec) url sha256; });
|
||||
|
||||
#
|
||||
# Various helpers
|
||||
#
|
||||
|
||||
# The set of packages used when specs are fetched using non-builtins.
|
||||
mkPkgs = sources:
|
||||
let
|
||||
sourcesNixpkgs =
|
||||
import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) {};
|
||||
hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath;
|
||||
hasThisAsNixpkgsPath = <nixpkgs> == ./.;
|
||||
in
|
||||
if builtins.hasAttr "nixpkgs" sources
|
||||
then sourcesNixpkgs
|
||||
else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then
|
||||
import <nixpkgs> {}
|
||||
else
|
||||
abort
|
||||
''
|
||||
Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
|
||||
add a package called "nixpkgs" to your sources.json.
|
||||
'';
|
||||
|
||||
# The actual fetching function.
|
||||
fetch = pkgs: name: spec:
|
||||
|
||||
if ! builtins.hasAttr "type" spec then
|
||||
abort "ERROR: niv spec ${name} does not have a 'type' attribute"
|
||||
else if spec.type == "file" then fetch_file pkgs spec
|
||||
else if spec.type == "tarball" then fetch_tarball pkgs spec
|
||||
else if spec.type == "git" then fetch_git spec
|
||||
else if spec.type == "builtin-tarball" then fetch_builtin-tarball spec
|
||||
else if spec.type == "builtin-url" then fetch_builtin-url spec
|
||||
else
|
||||
abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}";
|
||||
|
||||
# Ports of functions for older nix versions
|
||||
|
||||
# a Nix version of mapAttrs if the built-in doesn't exist
|
||||
mapAttrs = builtins.mapAttrs or (
|
||||
f: set: with builtins;
|
||||
listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set))
|
||||
);
|
||||
|
||||
# fetchTarball version that is compatible between all the versions of Nix
|
||||
builtins_fetchTarball = { url, sha256 }@attrs:
|
||||
let
|
||||
inherit (builtins) lessThan nixVersion fetchTarball;
|
||||
in
|
||||
if lessThan nixVersion "1.12" then
|
||||
fetchTarball { inherit url; }
|
||||
else
|
||||
fetchTarball attrs;
|
||||
|
||||
# fetchurl version that is compatible between all the versions of Nix
|
||||
builtins_fetchurl = { url, sha256 }@attrs:
|
||||
let
|
||||
inherit (builtins) lessThan nixVersion fetchurl;
|
||||
in
|
||||
if lessThan nixVersion "1.12" then
|
||||
fetchurl { inherit url; }
|
||||
else
|
||||
fetchurl attrs;
|
||||
|
||||
# Create the final "sources" from the config
|
||||
mkSources = config:
|
||||
mapAttrs (
|
||||
name: spec:
|
||||
if builtins.hasAttr "outPath" spec
|
||||
then abort
|
||||
"The values in sources.json should not have an 'outPath' attribute"
|
||||
else
|
||||
spec // { outPath = fetch config.pkgs name spec; }
|
||||
) config.sources;
|
||||
|
||||
# The "config" used by the fetchers
|
||||
mkConfig =
|
||||
{ sourcesFile ? ./sources.json
|
||||
, sources ? builtins.fromJSON (builtins.readFile sourcesFile)
|
||||
, pkgs ? mkPkgs sources
|
||||
}: rec {
|
||||
# The sources, i.e. the attribute set of spec name to spec
|
||||
inherit sources;
|
||||
|
||||
# The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers
|
||||
inherit pkgs;
|
||||
};
|
||||
in
|
||||
mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); }
|
|
@ -5,7 +5,7 @@
|
|||
{ config, pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
../default.nix
|
||||
./../default.nix
|
||||
];
|
||||
|
||||
mailserver = {
|
||||
|
|
|
@ -1,82 +0,0 @@
|
|||
import json
|
||||
import sys
|
||||
|
||||
header = """
|
||||
# Mailserver options
|
||||
|
||||
## `mailserver`
|
||||
|
||||
"""
|
||||
|
||||
template = """
|
||||
`````{{option}} {key}
|
||||
{description}
|
||||
|
||||
{type}
|
||||
{default}
|
||||
{example}
|
||||
`````
|
||||
"""
|
||||
|
||||
f = open(sys.argv[1])
|
||||
options = json.load(f)
|
||||
|
||||
groups = ["mailserver.loginAccounts",
|
||||
"mailserver.certificate",
|
||||
"mailserver.dkim",
|
||||
"mailserver.dmarcReporting",
|
||||
"mailserver.fullTextSearch",
|
||||
"mailserver.redis",
|
||||
"mailserver.ldap",
|
||||
"mailserver.monitoring",
|
||||
"mailserver.backup",
|
||||
"mailserver.borgbackup"]
|
||||
|
||||
def render_option_value(opt, attr):
|
||||
if attr in opt:
|
||||
if isinstance(opt[attr], dict) and '_type' in opt[attr]:
|
||||
if opt[attr]['_type'] == 'literalExpression':
|
||||
if '\n' in opt[attr]['text']:
|
||||
res = '\n```nix\n' + opt[attr]['text'].rstrip('\n') + '\n```'
|
||||
else:
|
||||
res = '```{}```'.format(opt[attr]['text'])
|
||||
elif opt[attr]['_type'] == 'literalMD':
|
||||
res = opt[attr]['text']
|
||||
else:
|
||||
s = str(opt[attr])
|
||||
if s == "":
|
||||
res = '`""`'
|
||||
elif '\n' in s:
|
||||
res = '\n```\n' + s.rstrip('\n') + '\n```'
|
||||
else:
|
||||
res = '```{}```'.format(s)
|
||||
res = '- ' + attr + ': ' + res
|
||||
else:
|
||||
res = ""
|
||||
return res
|
||||
|
||||
def print_option(opt):
|
||||
if isinstance(opt['description'], dict) and '_type' in opt['description']: # mdDoc
|
||||
description = opt['description']['text']
|
||||
else:
|
||||
description = opt['description']
|
||||
print(template.format(
|
||||
key=opt['name'],
|
||||
description=description or "",
|
||||
type="- type: ```{}```".format(opt['type']),
|
||||
default=render_option_value(opt, 'default'),
|
||||
example=render_option_value(opt, 'example')))
|
||||
|
||||
|
||||
print(header)
|
||||
for opt in options:
|
||||
if any([opt['name'].startswith(c) for c in groups]):
|
||||
continue
|
||||
print_option(opt)
|
||||
|
||||
for c in groups:
|
||||
print('## `{}`'.format(c))
|
||||
print()
|
||||
for opt in options:
|
||||
if opt['name'].startswith(c):
|
||||
print_option(opt)
|
|
@ -1,197 +0,0 @@
|
|||
import smtplib, sys
|
||||
import argparse
|
||||
import os
|
||||
import uuid
|
||||
import imaplib
|
||||
from datetime import datetime, timedelta
|
||||
import email
|
||||
import time
|
||||
|
||||
RETRY = 100
|
||||
|
||||
def _send_mail(smtp_host, smtp_port, smtp_username, from_addr, from_pwd, to_addr, subject, starttls):
|
||||
print("Sending mail with subject '{}'".format(subject))
|
||||
message = "\n".join([
|
||||
"From: {from_addr}",
|
||||
"To: {to_addr}",
|
||||
"Subject: {subject}",
|
||||
"",
|
||||
"This validates our mail server can send to Gmail :/"]).format(
|
||||
from_addr=from_addr,
|
||||
to_addr=to_addr,
|
||||
subject=subject)
|
||||
|
||||
|
||||
retry = RETRY
|
||||
while True:
|
||||
try:
|
||||
with smtplib.SMTP(smtp_host, port=smtp_port) as smtp:
|
||||
try:
|
||||
if starttls:
|
||||
smtp.starttls()
|
||||
if from_pwd is not None:
|
||||
smtp.login(smtp_username or from_addr, from_pwd)
|
||||
|
||||
smtp.sendmail(from_addr, [to_addr], message)
|
||||
return
|
||||
except smtplib.SMTPResponseException as e:
|
||||
if e.smtp_code == 451: # service unavailable error
|
||||
print(e)
|
||||
elif e.smtp_code == 454: # smtplib.SMTPResponseException: (454, b'4.3.0 Try again later')
|
||||
print(e)
|
||||
else:
|
||||
raise
|
||||
except OSError as e:
|
||||
if e.errno in [16, -2]:
|
||||
print("OSError exception message: ", e)
|
||||
else:
|
||||
raise
|
||||
|
||||
if retry > 0:
|
||||
retry = retry - 1
|
||||
time.sleep(1)
|
||||
print("Retrying")
|
||||
else:
|
||||
print("Retry attempts exhausted")
|
||||
exit(5)
|
||||
|
||||
def _read_mail(
|
||||
imap_host,
|
||||
imap_port,
|
||||
imap_username,
|
||||
to_pwd,
|
||||
subject,
|
||||
ignore_dkim_spf,
|
||||
show_body=False,
|
||||
delete=True):
|
||||
print("Reading mail from %s" % imap_username)
|
||||
|
||||
message = None
|
||||
|
||||
obj = imaplib.IMAP4_SSL(imap_host, imap_port)
|
||||
obj.login(imap_username, to_pwd)
|
||||
obj.select()
|
||||
|
||||
today = datetime.today()
|
||||
cutoff = today - timedelta(days=1)
|
||||
dt = cutoff.strftime('%d-%b-%Y')
|
||||
for _ in range(0, RETRY):
|
||||
print("Retrying")
|
||||
obj.select()
|
||||
typ, data = obj.search(None, '(SINCE %s) (SUBJECT "%s")'%(dt, subject))
|
||||
if data == [b'']:
|
||||
time.sleep(1)
|
||||
continue
|
||||
|
||||
uids = data[0].decode("utf-8").split(" ")
|
||||
if len(uids) != 1:
|
||||
print("Warning: %d messages have been found with subject containing %s " % (len(uids), subject))
|
||||
|
||||
# FIXME: we only consider the first matching message...
|
||||
uid = uids[0]
|
||||
_, raw = obj.fetch(uid, '(RFC822)')
|
||||
if delete:
|
||||
obj.store(uid, '+FLAGS', '\\Deleted')
|
||||
obj.expunge()
|
||||
message = email.message_from_bytes(raw[0][1])
|
||||
print("Message with subject '%s' has been found" % message['subject'])
|
||||
if show_body:
|
||||
for m in message.get_payload():
|
||||
if m.get_content_type() == 'text/plain':
|
||||
print("Body:\n%s" % m.get_payload(decode=True).decode('utf-8'))
|
||||
break
|
||||
|
||||
if message is None:
|
||||
print("Error: no message with subject '%s' has been found in INBOX of %s" % (subject, imap_username))
|
||||
exit(1)
|
||||
|
||||
if ignore_dkim_spf:
|
||||
return
|
||||
|
||||
# gmail set this standardized header
|
||||
if 'ARC-Authentication-Results' in message:
|
||||
if "dkim=pass" in message['ARC-Authentication-Results']:
|
||||
print("DKIM ok")
|
||||
else:
|
||||
print("Error: no DKIM validation found in message:")
|
||||
print(message.as_string())
|
||||
exit(2)
|
||||
if "spf=pass" in message['ARC-Authentication-Results']:
|
||||
print("SPF ok")
|
||||
else:
|
||||
print("Error: no SPF validation found in message:")
|
||||
print(message.as_string())
|
||||
exit(3)
|
||||
else:
|
||||
print("DKIM and SPF verification failed")
|
||||
exit(4)
|
||||
|
||||
def send_and_read(args):
|
||||
src_pwd = None
|
||||
if args.src_password_file is not None:
|
||||
src_pwd = args.src_password_file.readline().rstrip()
|
||||
dst_pwd = args.dst_password_file.readline().rstrip()
|
||||
|
||||
if args.imap_username != '':
|
||||
imap_username = args.imap_username
|
||||
else:
|
||||
imap_username = args.to_addr
|
||||
|
||||
subject = "{}".format(uuid.uuid4())
|
||||
|
||||
_send_mail(smtp_host=args.smtp_host,
|
||||
smtp_port=args.smtp_port,
|
||||
smtp_username=args.smtp_username,
|
||||
from_addr=args.from_addr,
|
||||
from_pwd=src_pwd,
|
||||
to_addr=args.to_addr,
|
||||
subject=subject,
|
||||
starttls=args.smtp_starttls)
|
||||
|
||||
_read_mail(imap_host=args.imap_host,
|
||||
imap_port=args.imap_port,
|
||||
imap_username=imap_username,
|
||||
to_pwd=dst_pwd,
|
||||
subject=subject,
|
||||
ignore_dkim_spf=args.ignore_dkim_spf)
|
||||
|
||||
def read(args):
|
||||
_read_mail(imap_host=args.imap_host,
|
||||
imap_port=args.imap_port,
|
||||
to_addr=args.imap_username,
|
||||
to_pwd=args.imap_password,
|
||||
subject=args.subject,
|
||||
ignore_dkim_spf=args.ignore_dkim_spf,
|
||||
show_body=args.show_body,
|
||||
delete=False)
|
||||
|
||||
parser = argparse.ArgumentParser()
|
||||
subparsers = parser.add_subparsers()
|
||||
|
||||
parser_send_and_read = subparsers.add_parser('send-and-read', description="Send a email with a subject containing a random UUID and then try to read this email from the recipient INBOX.")
|
||||
parser_send_and_read.add_argument('--smtp-host', type=str)
|
||||
parser_send_and_read.add_argument('--smtp-port', type=str, default=25)
|
||||
parser_send_and_read.add_argument('--smtp-starttls', action='store_true')
|
||||
parser_send_and_read.add_argument('--smtp-username', type=str, default='', help="username used for smtp login. If not specified, the from-addr value is used")
|
||||
parser_send_and_read.add_argument('--from-addr', type=str)
|
||||
parser_send_and_read.add_argument('--imap-host', required=True, type=str)
|
||||
parser_send_and_read.add_argument('--imap-port', type=str, default=993)
|
||||
parser_send_and_read.add_argument('--to-addr', type=str, required=True)
|
||||
parser_send_and_read.add_argument('--imap-username', type=str, default='', help="username used for imap login. If not specified, the to-addr value is used")
|
||||
parser_send_and_read.add_argument('--src-password-file', type=argparse.FileType('r'))
|
||||
parser_send_and_read.add_argument('--dst-password-file', required=True, type=argparse.FileType('r'))
|
||||
parser_send_and_read.add_argument('--ignore-dkim-spf', action='store_true', help="to ignore the dkim and spf verification on the read mail")
|
||||
parser_send_and_read.set_defaults(func=send_and_read)
|
||||
|
||||
parser_read = subparsers.add_parser('read', description="Search for an email with a subject containing 'subject' in the INBOX.")
|
||||
parser_read.add_argument('--imap-host', type=str, default="localhost")
|
||||
parser_read.add_argument('--imap-port', type=str, default=993)
|
||||
parser_read.add_argument('--imap-username', required=True, type=str)
|
||||
parser_read.add_argument('--imap-password', required=True, type=str)
|
||||
parser_read.add_argument('--ignore-dkim-spf', action='store_true', help="to ignore the dkim and spf verification on the read mail")
|
||||
parser_read.add_argument('--show-body', action='store_true', help="print mail text/plain payload")
|
||||
parser_read.add_argument('subject', type=str)
|
||||
parser_read.set_defaults(func=read)
|
||||
|
||||
args = parser.parse_args()
|
||||
args.func(args)
|
19
shell.nix
19
shell.nix
|
@ -1,10 +1,9 @@
|
|||
(import
|
||||
(
|
||||
let lock = builtins.fromJSON (builtins.readFile ./flake.lock); in
|
||||
fetchTarball {
|
||||
url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
|
||||
sha256 = lock.nodes.flake-compat.locked.narHash;
|
||||
}
|
||||
)
|
||||
{ src = ./.; }
|
||||
).shellNix
|
||||
{ nixpkgs ? <nixpkgs>, system ? builtins.currentSystem }:
|
||||
|
||||
with (import nixpkgs { inherit system; }); stdenv.mkDerivation rec {
|
||||
name = "nixos-mailserver-env";
|
||||
env = buildEnv { name = name; paths = buildInputs; };
|
||||
buildInputs = with pkgs; [
|
||||
jq clamav
|
||||
];
|
||||
}
|
||||
|
|
|
@ -14,12 +14,23 @@
|
|||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||
|
||||
{ pkgs ? import <nixpkgs> {}, blobs}:
|
||||
{ pkgs ? import <nixpkgs> {}}:
|
||||
|
||||
import (pkgs.path + "/nixos/tests/make-test.nix") {
|
||||
|
||||
pkgs.nixosTest {
|
||||
name = "clamav";
|
||||
nodes = {
|
||||
server = { config, pkgs, lib, ... }:
|
||||
let
|
||||
clamav-db-files = pkgs.stdenv.mkDerivation rec {
|
||||
name = "clamav-db-files";
|
||||
src = lib.cleanSource ./clamav;
|
||||
dontUnpack = true;
|
||||
installPhase = ''
|
||||
mkdir $out
|
||||
cp -R $src/*.cvd $out/
|
||||
'';
|
||||
};
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
../default.nix
|
||||
|
@ -47,9 +58,9 @@ pkgs.nixosTest {
|
|||
'';
|
||||
|
||||
script = ''
|
||||
cp ${blobs}/clamav/main.cvd /var/lib/clamav/
|
||||
cp ${blobs}/clamav/daily.cvd /var/lib/clamav/
|
||||
cp ${blobs}/clamav/bytecode.cvd /var/lib/clamav/
|
||||
cp ${clamav-db-files}/main.cvd /var/lib/clamav/
|
||||
cp ${clamav-db-files}/daily.cvd /var/lib/clamav/
|
||||
cp ${clamav-db-files}/bytecode.cvd /var/lib/clamav/
|
||||
chown clamav:clamav /var/lib/clamav/*
|
||||
'';
|
||||
|
||||
|
@ -62,6 +73,7 @@ pkgs.nixosTest {
|
|||
|
||||
mailserver = {
|
||||
enable = true;
|
||||
debug = true;
|
||||
fqdn = "mail.example.com";
|
||||
domains = [ "example.com" "example2.com" ];
|
||||
virusScanning = true;
|
||||
|
@ -182,56 +194,52 @@ pkgs.nixosTest {
|
|||
|
||||
testScript = { nodes, ... }:
|
||||
''
|
||||
start_all()
|
||||
startAll;
|
||||
|
||||
server.wait_for_unit("multi-user.target")
|
||||
client.wait_for_unit("multi-user.target")
|
||||
$server->waitForUnit("multi-user.target");
|
||||
$client->waitForUnit("multi-user.target");
|
||||
|
||||
# TODO put this blocking into the systemd units? I am not sure if rspamd already waits for the clamd socket.
|
||||
server.wait_until_succeeds(
|
||||
"set +e; timeout 1 ${nodes.server.nixpkgs.pkgs.netcat}/bin/nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
|
||||
)
|
||||
server.wait_until_succeeds(
|
||||
"set +e; timeout 1 ${nodes.server.nixpkgs.pkgs.netcat}/bin/nc -U /run/clamav/clamd.ctl < /dev/null; [ $? -eq 124 ]"
|
||||
)
|
||||
$server->waitUntilSucceeds("timeout 1 ${nodes.server.pkgs.netcat}/bin/nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ \$? -eq 124 ]");
|
||||
$server->waitUntilSucceeds("timeout 1 ${nodes.server.pkgs.netcat}/bin/nc -U /run/clamav/clamd.ctl < /dev/null; [ \$? -eq 124 ]");
|
||||
|
||||
client.execute("cp -p /etc/root/.* ~/")
|
||||
client.succeed("mkdir -p ~/mail")
|
||||
client.succeed("ls -la ~/ >&2")
|
||||
client.succeed("cat ~/.fetchmailrc >&2")
|
||||
client.succeed("cat ~/.procmailrc >&2")
|
||||
client.succeed("cat ~/.msmtprc >&2")
|
||||
$client->execute("cp -p /etc/root/.* ~/");
|
||||
$client->succeed("mkdir -p ~/mail");
|
||||
$client->succeed("ls -la ~/ >&2");
|
||||
$client->succeed("cat ~/.fetchmailrc >&2");
|
||||
$client->succeed("cat ~/.procmailrc >&2");
|
||||
$client->succeed("cat ~/.msmtprc >&2");
|
||||
|
||||
# fetchmail returns EXIT_CODE 1 when no new mail
|
||||
client.succeed("fetchmail --nosslcertck -v || [ $? -eq 1 ] >&2")
|
||||
$client->succeed("fetchmail --nosslcertck -v || [ \$? -eq 1 ] >&2");
|
||||
|
||||
# Verify that mail can be sent and received before testing virus scanner
|
||||
client.execute("rm ~/mail/*")
|
||||
client.succeed("msmtp -a user2 user1@example.com < /etc/root/safe-email >&2")
|
||||
$client->execute("rm ~/mail/*");
|
||||
$client->succeed("msmtp -a user2 user1\@example.com < /etc/root/safe-email >&2");
|
||||
# give the mail server some time to process the mail
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
client.execute("rm ~/mail/*")
|
||||
$server->waitUntilFails('[ "$(postqueue -p)" != "Mail queue is empty" ]');
|
||||
$client->execute("rm ~/mail/*");
|
||||
# fetchmail returns EXIT_CODE 0 when it retrieves mail
|
||||
client.succeed("fetchmail --nosslcertck -v >&2")
|
||||
client.execute("rm ~/mail/*")
|
||||
$client->succeed("fetchmail --nosslcertck -v >&2");
|
||||
$client->execute("rm ~/mail/*");
|
||||
|
||||
with subtest("virus scan file"):
|
||||
server.succeed(
|
||||
'set +o pipefail; clamdscan $(readlink -f /etc/root/eicar.com.txt) | grep "Txt\\.Malware\\.Agent-1787597 FOUND" >&2'
|
||||
)
|
||||
subtest "virus scan file", sub {
|
||||
$server->succeed("clamdscan \$(readlink -f /etc/root/eicar.com.txt) | grep \"Txt\\.Malware\\.Agent-1787597 FOUND\" >&2");
|
||||
};
|
||||
|
||||
with subtest("virus scan email"):
|
||||
client.succeed(
|
||||
'set +o pipefail; msmtp -a user2 user1\@example.com < /etc/root/virus-email 2>&1 | tee /dev/stderr | grep "server message: 554 5\\.7\\.1" >&2'
|
||||
)
|
||||
server.succeed("journalctl -u rspamd | grep -i eicar")
|
||||
subtest "virus scan email", sub {
|
||||
$client->succeed("msmtp -a user2 user1\@example.com < /etc/root/virus-email 2>&1 | tee /dev/stderr | grep \"server message: 554 5\\.7\\.1\" >&2");
|
||||
$server->succeed("journalctl -u rspamd | grep -i eicar");
|
||||
# give the mail server some time to process the mail
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
$server->waitUntilFails('[ "$(postqueue -p)" != "Mail queue is empty" ]');
|
||||
};
|
||||
|
||||
subtest "no warnings or errors", sub {
|
||||
$server->fail("journalctl -u postfix | grep -i error >&2");
|
||||
$server->fail("journalctl -u postfix | grep -i warning >&2");
|
||||
$server->fail("journalctl -u dovecot2 | grep -i error >&2");
|
||||
$server->fail("journalctl -u dovecot2 | grep -i warning >&2");
|
||||
};
|
||||
|
||||
with subtest("no warnings or errors"):
|
||||
server.fail("journalctl -u postfix | grep -i error >&2")
|
||||
server.fail("journalctl -u postfix | grep -i warning >&2")
|
||||
server.fail("journalctl -u dovecot2 | grep -i error >&2")
|
||||
server.fail("journalctl -u dovecot2 | grep -i warning >&2")
|
||||
'';
|
||||
}
|
||||
|
|
1
tests/clamav/.gitattributes
vendored
Normal file
1
tests/clamav/.gitattributes
vendored
Normal file
|
@ -0,0 +1 @@
|
|||
*cvd filter=lfs diff=lfs merge=lfs -text
|
1
tests/clamav/.gitignore
vendored
Normal file
1
tests/clamav/.gitignore
vendored
Normal file
|
@ -0,0 +1 @@
|
|||
mirrors.dat
|
BIN
tests/clamav/bytecode.cvd
Normal file
BIN
tests/clamav/bytecode.cvd
Normal file
Binary file not shown.
BIN
tests/clamav/daily.cvd
Normal file
BIN
tests/clamav/daily.cvd
Normal file
Binary file not shown.
1
tests/clamav/freshclam.conf
Normal file
1
tests/clamav/freshclam.conf
Normal file
|
@ -0,0 +1 @@
|
|||
DatabaseMirror database.clamav.net
|
5
tests/clamav/hashes.json
Normal file
5
tests/clamav/hashes.json
Normal file
|
@ -0,0 +1,5 @@
|
|||
{
|
||||
"bytecode.cvd": "633d4f0a2054249e23df12db5a9e76bcaac23cadaef5ee8f644986f600d8d81e",
|
||||
"daily.cvd": "0b6798b54e490be168b873d39ebda41ff4a027720aed855f879779b88982838f",
|
||||
"main.cvd": "9694933f37148ec39c1f2ef7b97211ded9b03b140bb48a5eeb27270120844b24"
|
||||
}
|
BIN
tests/clamav/main.cvd
Normal file
BIN
tests/clamav/main.cvd
Normal file
Binary file not shown.
15
tests/clamav/update-clamav-database.sh
Executable file
15
tests/clamav/update-clamav-database.sh
Executable file
|
@ -0,0 +1,15 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -e
|
||||
|
||||
cd "$(dirname "${0}")"
|
||||
|
||||
rm ./*.cvd hashes.json || :
|
||||
|
||||
freshclam --datadir=. --config-file=freshclam.conf
|
||||
(for i in ./*.cvd;
|
||||
do echo '{}' |
|
||||
jq --arg path "$(basename "${i}")" \
|
||||
--arg sha256sum "$(sha256sum "${i}" | awk '{ print $1; }')" \
|
||||
'.[$path] = $sha256sum'; done) |
|
||||
jq -s add > hashes.json
|
45
tests/default.nix
Normal file
45
tests/default.nix
Normal file
|
@ -0,0 +1,45 @@
|
|||
# Generate an attribute sets containing all tests for all releaeses
|
||||
# It looks like:
|
||||
# - extern.nixpkgs_20.03
|
||||
# - extern.nixpkgs_unstable
|
||||
# - intern.nixpkgs_20.03
|
||||
# - intern.nixpkgs_unstable
|
||||
|
||||
with builtins;
|
||||
|
||||
let
|
||||
sources = import ../nix/sources.nix;
|
||||
|
||||
releases = listToAttrs (map genRelease releaseNames);
|
||||
|
||||
genRelease = name: {
|
||||
name = name;
|
||||
value = import sources."${name}" {};
|
||||
};
|
||||
|
||||
genTest = testName: release:
|
||||
let
|
||||
pkgs = releases."${release}";
|
||||
test = pkgs.callPackage (./. + "/${testName}.nix") { };
|
||||
in {
|
||||
"name"= builtins.replaceStrings ["." "-"] ["_" "_"] release;
|
||||
"value"= test { inherit pkgs; };
|
||||
};
|
||||
|
||||
releaseNames = [
|
||||
"nixpkgs-20.03"
|
||||
];
|
||||
|
||||
testNames = [
|
||||
"intern"
|
||||
"extern"
|
||||
"clamav"
|
||||
];
|
||||
|
||||
# Generate an attribute set containing one test per releases
|
||||
genTests = testName: {
|
||||
name = testName;
|
||||
value = listToAttrs (map (genTest testName) (builtins.attrNames releases));
|
||||
};
|
||||
|
||||
in listToAttrs (map genTests testNames)
|
|
@ -14,10 +14,10 @@
|
|||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||
|
||||
{ pkgs ? import <nixpkgs> {}, ...}:
|
||||
{ pkgs ? import <nixpkgs> {}}:
|
||||
|
||||
import (pkgs.path + "/nixos/tests/make-test.nix") {
|
||||
|
||||
pkgs.nixosTest {
|
||||
name = "external";
|
||||
nodes = {
|
||||
server = { config, pkgs, ... }:
|
||||
{
|
||||
|
@ -43,11 +43,6 @@ pkgs.nixosTest {
|
|||
domains = [ "example.com" "example2.com" ];
|
||||
rewriteMessageId = true;
|
||||
dkimKeyBits = 1535;
|
||||
dmarcReporting = {
|
||||
enable = true;
|
||||
domain = "example.com";
|
||||
organizationName = "ACME Corp";
|
||||
};
|
||||
|
||||
loginAccounts = {
|
||||
"user1@example.com" = {
|
||||
|
@ -75,15 +70,6 @@ pkgs.nixosTest {
|
|||
|
||||
enableImap = true;
|
||||
enableImapSsl = true;
|
||||
fullTextSearch = {
|
||||
enable = true;
|
||||
autoIndex = true;
|
||||
# special use depends on https://github.com/NixOS/nixpkgs/pull/93201
|
||||
autoIndexExclude = [ (if (pkgs.lib.versionAtLeast pkgs.lib.version "21") then "\\Junk" else "Junk") ];
|
||||
enforced = "yes";
|
||||
# fts-xapian warns when memory is low, which makes the test fail
|
||||
memoryLimit = 100000;
|
||||
};
|
||||
};
|
||||
};
|
||||
client = { nodes, config, pkgs, ... }: let
|
||||
|
@ -153,32 +139,12 @@ pkgs.nixosTest {
|
|||
|
||||
imap.close()
|
||||
'';
|
||||
search = pkgs.writeScriptBin "search" ''
|
||||
#!${pkgs.python3.interpreter}
|
||||
import imaplib
|
||||
import sys
|
||||
|
||||
[_, mailbox, needle] = sys.argv
|
||||
|
||||
with imaplib.IMAP4_SSL('${serverIP}') as imap:
|
||||
imap.login('user1@example.com', 'user1')
|
||||
imap.select(mailbox)
|
||||
status, [response] = imap.search(None, 'BODY', repr(needle))
|
||||
msg_ids = [ i for i in response.decode("utf-8").split(' ') if i ]
|
||||
print(msg_ids)
|
||||
assert status == 'OK'
|
||||
assert len(msg_ids) == 1
|
||||
status, response = imap.fetch(msg_ids[0], '(RFC822)')
|
||||
assert status == "OK"
|
||||
assert needle in repr(response)
|
||||
imap.close()
|
||||
'';
|
||||
in {
|
||||
imports = [
|
||||
./lib/config.nix
|
||||
];
|
||||
environment.systemPackages = with pkgs; [
|
||||
fetchmail msmtp procmail findutils grep-ip check-mail-id test-imap-spam test-imap-ham search
|
||||
fetchmail msmtp procmail findutils grep-ip check-mail-id test-imap-spam test-imap-ham
|
||||
];
|
||||
environment.etc = {
|
||||
"root/.fetchmailrc" = {
|
||||
|
@ -310,205 +276,143 @@ pkgs.nixosTest {
|
|||
|
||||
XOXO User1
|
||||
'';
|
||||
"root/email6".text = ''
|
||||
Message-ID: <123457qwerty@host.local.network>
|
||||
From: User2 <user2@example.com>
|
||||
To: User1 <user1@example.com>
|
||||
Cc:
|
||||
Bcc:
|
||||
Subject: This is a test Email from user2 to user1
|
||||
Reply-To:
|
||||
|
||||
Hello User1,
|
||||
|
||||
this email contains the needle:
|
||||
576a4565b70f5a4c1a0925cabdb587a6
|
||||
'';
|
||||
"root/email7".text = ''
|
||||
Message-ID: <1234578qwerty@host.local.network>
|
||||
From: User2 <user2@example.com>
|
||||
To: User1 <user1@example.com>
|
||||
Cc:
|
||||
Bcc:
|
||||
Subject: This is a test Email from user2 to user1
|
||||
Reply-To:
|
||||
|
||||
Hello User1,
|
||||
|
||||
this email does not contain the needle :(
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
testScript = { nodes, ... }:
|
||||
''
|
||||
start_all()
|
||||
startAll;
|
||||
|
||||
server.wait_for_unit("multi-user.target")
|
||||
client.wait_for_unit("multi-user.target")
|
||||
$server->waitForUnit("multi-user.target");
|
||||
$client->waitForUnit("multi-user.target");
|
||||
|
||||
# TODO put this blocking into the systemd units?
|
||||
server.wait_until_succeeds(
|
||||
"set +e; timeout 1 ${nodes.server.nixpkgs.pkgs.netcat}/bin/nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
|
||||
)
|
||||
$server->waitUntilSucceeds("timeout 1 ${nodes.server.pkgs.netcat}/bin/nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ \$? -eq 124 ]");
|
||||
|
||||
client.execute("cp -p /etc/root/.* ~/")
|
||||
client.succeed("mkdir -p ~/mail")
|
||||
client.succeed("ls -la ~/ >&2")
|
||||
client.succeed("cat ~/.fetchmailrc >&2")
|
||||
client.succeed("cat ~/.procmailrc >&2")
|
||||
client.succeed("cat ~/.msmtprc >&2")
|
||||
$client->execute("cp -p /etc/root/.* ~/");
|
||||
$client->succeed("mkdir -p ~/mail");
|
||||
$client->succeed("ls -la ~/ >&2");
|
||||
$client->succeed("cat ~/.fetchmailrc >&2");
|
||||
$client->succeed("cat ~/.procmailrc >&2");
|
||||
$client->succeed("cat ~/.msmtprc >&2");
|
||||
|
||||
with subtest("imap retrieving mail"):
|
||||
subtest "imap retrieving mail", sub {
|
||||
# fetchmail returns EXIT_CODE 1 when no new mail
|
||||
client.succeed("fetchmail --nosslcertck -v || [ $? -eq 1 ] >&2")
|
||||
$client->succeed("fetchmail --nosslcertck -v || [ \$? -eq 1 ] >&2");
|
||||
};
|
||||
|
||||
with subtest("submission port send mail"):
|
||||
subtest "submission port send mail", sub {
|
||||
# send email from user2 to user1
|
||||
client.succeed(
|
||||
"msmtp -a test --tls=on --tls-certcheck=off --auth=on user1\@example.com < /etc/root/email1 >&2"
|
||||
)
|
||||
$client->succeed("msmtp -a test --tls=on --tls-certcheck=off --auth=on user1\@example.com < /etc/root/email1 >&2");
|
||||
# give the mail server some time to process the mail
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
$server->waitUntilFails('[ "$(postqueue -p)" != "Mail queue is empty" ]');
|
||||
};
|
||||
|
||||
with subtest("imap retrieving mail 2"):
|
||||
client.execute("rm ~/mail/*")
|
||||
subtest "imap retrieving mail 2", sub {
|
||||
$client->execute("rm ~/mail/*");
|
||||
# fetchmail returns EXIT_CODE 0 when it retrieves mail
|
||||
client.succeed("fetchmail --nosslcertck -v >&2")
|
||||
$client->succeed("fetchmail --nosslcertck -v >&2");
|
||||
};
|
||||
|
||||
with subtest("remove sensitive information on submission port"):
|
||||
client.succeed("cat ~/mail/* >&2")
|
||||
## make sure our IP is _not_ in the email header
|
||||
client.fail("grep-ip ~/mail/*")
|
||||
client.succeed("check-mail-id ~/mail/*")
|
||||
subtest "remove sensitive information on submission port", sub {
|
||||
$client->succeed("cat ~/mail/* >&2");
|
||||
## make sure our IP is _not_ in the email header
|
||||
$client->fail("grep-ip ~/mail/*");
|
||||
$client->succeed("check-mail-id ~/mail/*");
|
||||
};
|
||||
|
||||
with subtest("have correct fqdn as sender"):
|
||||
client.succeed("grep 'Received: from mail.example.com' ~/mail/*")
|
||||
subtest "have correct fqdn as sender", sub {
|
||||
$client->succeed("grep 'Received: from mail.example.com' ~/mail/*");
|
||||
};
|
||||
|
||||
with subtest("dkim has user-specified size"):
|
||||
server.succeed(
|
||||
"openssl rsa -in /var/dkim/example.com.mail.key -text -noout | grep 'Private-Key: (1535 bit'"
|
||||
)
|
||||
subtest "dkim has user-specified size", sub {
|
||||
$server->succeed("openssl rsa -in /var/dkim/example.com.mail.key -text -noout | grep 'Private-Key: (1535 bit'");
|
||||
};
|
||||
|
||||
with subtest("dkim singing, multiple domains"):
|
||||
client.execute("rm ~/mail/*")
|
||||
subtest "dkim singing, multiple domains", sub {
|
||||
$client->execute("rm ~/mail/*");
|
||||
# send email from user2 to user1
|
||||
client.succeed(
|
||||
"msmtp -a test2 --tls=on --tls-certcheck=off --auth=on user1\@example.com < /etc/root/email2 >&2"
|
||||
)
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
$client->succeed("msmtp -a test2 --tls=on --tls-certcheck=off --auth=on user1\@example.com < /etc/root/email2 >&2");
|
||||
$server->waitUntilFails('[ "$(postqueue -p)" != "Mail queue is empty" ]');
|
||||
# fetchmail returns EXIT_CODE 0 when it retrieves mail
|
||||
client.succeed("fetchmail --nosslcertck -v")
|
||||
client.succeed("cat ~/mail/* >&2")
|
||||
$client->succeed("fetchmail --nosslcertck -v");
|
||||
$client->succeed("cat ~/mail/* >&2");
|
||||
# make sure it is dkim signed
|
||||
client.succeed("grep DKIM ~/mail/*")
|
||||
$client->succeed("grep DKIM ~/mail/*");
|
||||
};
|
||||
|
||||
with subtest("aliases"):
|
||||
client.execute("rm ~/mail/*")
|
||||
subtest "aliases", sub {
|
||||
$client->execute("rm ~/mail/*");
|
||||
# send email from chuck to postmaster
|
||||
client.succeed(
|
||||
"msmtp -a test3 --tls=on --tls-certcheck=off --auth=on postmaster\@example.com < /etc/root/email2 >&2"
|
||||
)
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
$client->succeed("msmtp -a test3 --tls=on --tls-certcheck=off --auth=on postmaster\@example.com < /etc/root/email2 >&2");
|
||||
$server->waitUntilFails('[ "$(postqueue -p)" != "Mail queue is empty" ]');
|
||||
# fetchmail returns EXIT_CODE 0 when it retrieves mail
|
||||
client.succeed("fetchmail --nosslcertck -v")
|
||||
$client->succeed("fetchmail --nosslcertck -v");
|
||||
};
|
||||
|
||||
with subtest("catchAlls"):
|
||||
client.execute("rm ~/mail/*")
|
||||
subtest "catchAlls", sub {
|
||||
$client->execute("rm ~/mail/*");
|
||||
# send email from chuck to non exsitent account
|
||||
client.succeed(
|
||||
"msmtp -a test3 --tls=on --tls-certcheck=off --auth=on lol\@example.com < /etc/root/email2 >&2"
|
||||
)
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
$client->succeed("msmtp -a test3 --tls=on --tls-certcheck=off --auth=on lol\@example.com < /etc/root/email2 >&2");
|
||||
$server->waitUntilFails('[ "$(postqueue -p)" != "Mail queue is empty" ]');
|
||||
# fetchmail returns EXIT_CODE 0 when it retrieves mail
|
||||
client.succeed("fetchmail --nosslcertck -v")
|
||||
$client->succeed("fetchmail --nosslcertck -v");
|
||||
|
||||
client.execute("rm ~/mail/*")
|
||||
$client->execute("rm ~/mail/*");
|
||||
# send email from user1 to chuck
|
||||
client.succeed(
|
||||
"msmtp -a test4 --tls=on --tls-certcheck=off --auth=on chuck\@example.com < /etc/root/email2 >&2"
|
||||
)
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
$client->succeed("msmtp -a test4 --tls=on --tls-certcheck=off --auth=on chuck\@example.com < /etc/root/email2 >&2");
|
||||
$server->waitUntilFails('[ "$(postqueue -p)" != "Mail queue is empty" ]');
|
||||
# fetchmail returns EXIT_CODE 1 when no new mail
|
||||
# if this succeeds, it means that user1 recieved the mail that was intended for chuck.
|
||||
client.fail("fetchmail --nosslcertck -v")
|
||||
$client->fail("fetchmail --nosslcertck -v");
|
||||
};
|
||||
|
||||
with subtest("extraVirtualAliases"):
|
||||
client.execute("rm ~/mail/*")
|
||||
subtest "extraVirtualAliases", sub {
|
||||
$client->execute("rm ~/mail/*");
|
||||
# send email from single-alias to user1
|
||||
client.succeed(
|
||||
"msmtp -a test5 --tls=on --tls-certcheck=off --auth=on user1\@example.com < /etc/root/email4 >&2"
|
||||
)
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
$client->succeed("msmtp -a test5 --tls=on --tls-certcheck=off --auth=on user1\@example.com < /etc/root/email4 >&2");
|
||||
$server->waitUntilFails('[ "$(postqueue -p)" != "Mail queue is empty" ]');
|
||||
# fetchmail returns EXIT_CODE 0 when it retrieves mail
|
||||
client.succeed("fetchmail --nosslcertck -v")
|
||||
$client->succeed("fetchmail --nosslcertck -v");
|
||||
|
||||
client.execute("rm ~/mail/*")
|
||||
$client->execute("rm ~/mail/*");
|
||||
# send email from user1 to multi-alias (user{1,2}@example.com)
|
||||
client.succeed(
|
||||
"msmtp -a test --tls=on --tls-certcheck=off --auth=on multi-alias\@example.com < /etc/root/email5 >&2"
|
||||
)
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
$client->succeed("msmtp -a test --tls=on --tls-certcheck=off --auth=on multi-alias\@example.com < /etc/root/email5 >&2");
|
||||
$server->waitUntilFails('[ "$(postqueue -p)" != "Mail queue is empty" ]');
|
||||
# fetchmail returns EXIT_CODE 0 when it retrieves mail
|
||||
client.succeed("fetchmail --nosslcertck -v")
|
||||
$client->succeed("fetchmail --nosslcertck -v");
|
||||
};
|
||||
|
||||
with subtest("quota"):
|
||||
client.execute("rm ~/mail/*")
|
||||
client.execute("mv ~/.fetchmailRcLowQuota ~/.fetchmailrc")
|
||||
subtest "quota", sub {
|
||||
$client->execute("rm ~/mail/*");
|
||||
$client->execute("mv ~/.fetchmailRcLowQuota ~/.fetchmailrc");
|
||||
|
||||
client.succeed(
|
||||
"msmtp -a test3 --tls=on --tls-certcheck=off --auth=on lowquota\@example.com < /etc/root/email2 >&2"
|
||||
)
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
$client->succeed("msmtp -a test3 --tls=on --tls-certcheck=off --auth=on lowquota\@example.com < /etc/root/email2 >&2");
|
||||
$server->waitUntilFails('[ "$(postqueue -p)" != "Mail queue is empty" ]');
|
||||
# fetchmail returns EXIT_CODE 0 when it retrieves mail
|
||||
client.fail("fetchmail --nosslcertck -v")
|
||||
$client->fail("fetchmail --nosslcertck -v");
|
||||
|
||||
with subtest("imap sieve junk trainer"):
|
||||
};
|
||||
|
||||
subtest "imap sieve junk trainer", sub {
|
||||
# send email from user2 to user1
|
||||
client.succeed(
|
||||
"msmtp -a test --tls=on --tls-certcheck=off --auth=on user1\@example.com < /etc/root/email1 >&2"
|
||||
)
|
||||
$client->succeed("msmtp -a test --tls=on --tls-certcheck=off --auth=on user1\@example.com < /etc/root/email1 >&2");
|
||||
# give the mail server some time to process the mail
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
$server->waitUntilFails('[ "$(postqueue -p)" != "Mail queue is empty" ]');
|
||||
|
||||
client.succeed("imap-mark-spam >&2")
|
||||
server.wait_until_succeeds("journalctl -u dovecot2 | grep -i sa-learn-spam.sh >&2")
|
||||
client.succeed("imap-mark-ham >&2")
|
||||
server.wait_until_succeeds("journalctl -u dovecot2 | grep -i sa-learn-ham.sh >&2")
|
||||
$client->succeed("imap-mark-spam >&2");
|
||||
$server->waitUntilSucceeds("journalctl -u dovecot2 | grep -i sa-learn-spam.sh >&2");
|
||||
$client->succeed("imap-mark-ham >&2");
|
||||
$server->waitUntilSucceeds("journalctl -u dovecot2 | grep -i sa-learn-ham.sh >&2");
|
||||
};
|
||||
|
||||
with subtest("full text search and indexation"):
|
||||
# send 2 email from user2 to user1
|
||||
client.succeed(
|
||||
"msmtp -a test --tls=on --tls-certcheck=off --auth=on user1\@example.com < /etc/root/email6 >&2"
|
||||
)
|
||||
client.succeed(
|
||||
"msmtp -a test --tls=on --tls-certcheck=off --auth=on user1\@example.com < /etc/root/email7 >&2"
|
||||
)
|
||||
# give the mail server some time to process the mail
|
||||
server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
||||
subtest "no warnings or errors", sub {
|
||||
$server->fail("journalctl -u postfix | grep -i error >&2");
|
||||
$server->fail("journalctl -u postfix | grep -i warning >&2");
|
||||
$server->fail("journalctl -u dovecot2 | grep -i error >&2");
|
||||
$server->fail("journalctl -u dovecot2 | grep -i warning >&2");
|
||||
};
|
||||
|
||||
# should find exactly one email containing this
|
||||
client.succeed("search INBOX 576a4565b70f5a4c1a0925cabdb587a6 >&2")
|
||||
# should fail because this folder is not indexed
|
||||
client.fail("search Junk a >&2")
|
||||
# check that search really goes through the indexer
|
||||
server.succeed(
|
||||
"journalctl -u dovecot2 | grep -E 'indexer-worker.* Done indexing .INBOX.' >&2"
|
||||
)
|
||||
# check that Junk is not indexed
|
||||
server.fail("journalctl -u dovecot2 | grep 'indexer-worker' | grep -i 'JUNK' >&2")
|
||||
|
||||
with subtest("dmarc reporting"):
|
||||
server.systemctl("start rspamd-dmarc-reporter.service")
|
||||
|
||||
with subtest("no warnings or errors"):
|
||||
server.fail("journalctl -u postfix | grep -i error >&2")
|
||||
server.fail("journalctl -u postfix | grep -i warning >&2")
|
||||
server.fail("journalctl -u dovecot2 | grep -i error >&2")
|
||||
# harmless ? https://dovecot.org/pipermail/dovecot/2020-August/119575.html
|
||||
server.fail(
|
||||
"journalctl -u dovecot2 |grep -v 'Expunged message reappeared, giving a new UID'| grep -v 'FTS Xapian: Box is empty' | grep -i warning >&2"
|
||||
)
|
||||
'';
|
||||
}
|
85
tests/intern.nix
Normal file
85
tests/intern.nix
Normal file
|
@ -0,0 +1,85 @@
|
|||
# nixos-mailserver: a simple mail server
|
||||
# Copyright (C) 2016-2018 Robin Raymond
|
||||
#
|
||||
# This program is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||
|
||||
{ pkgs ? import <nixpkgs> {}}:
|
||||
|
||||
let
|
||||
sendMail = pkgs.writeTextFile {
|
||||
"name" = "send-mail-to-send-only-account";
|
||||
"text" = ''
|
||||
EHLO mail.example.com
|
||||
MAIL FROM: none@example.com
|
||||
RCPT TO: send-only@example.com
|
||||
QUIT
|
||||
'';
|
||||
};
|
||||
|
||||
hashPassword = password: pkgs.runCommand
|
||||
"password-${password}-hashed"
|
||||
{ buildInputs = [ pkgs.mkpasswd ]; } ''
|
||||
mkpasswd -m sha-512 ${password} > $out
|
||||
'';
|
||||
|
||||
in
|
||||
import (pkgs.path + "/nixos/tests/make-test.nix") {
|
||||
|
||||
machine =
|
||||
{ config, pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
./../default.nix
|
||||
./lib/config.nix
|
||||
];
|
||||
|
||||
virtualisation.memorySize = 1024;
|
||||
|
||||
mailserver = {
|
||||
enable = true;
|
||||
fqdn = "mail.example.com";
|
||||
domains = [ "example.com" ];
|
||||
|
||||
loginAccounts = {
|
||||
"user1@example.com" = {
|
||||
hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/";
|
||||
};
|
||||
"send-only@example.com" = {
|
||||
hashedPasswordFile = hashPassword "send-only";
|
||||
sendOnly = true;
|
||||
};
|
||||
};
|
||||
|
||||
vmailGroupName = "vmail";
|
||||
vmailUID = 5000;
|
||||
};
|
||||
};
|
||||
|
||||
testScript =
|
||||
''
|
||||
$machine->start;
|
||||
$machine->waitForUnit("multi-user.target");
|
||||
|
||||
subtest "vmail gid is set correctly", sub {
|
||||
$machine->succeed("getent group vmail | grep 5000");
|
||||
};
|
||||
|
||||
subtest "mail to send only accounts is rejected", sub {
|
||||
$machine->waitForOpenPort(25);
|
||||
# TODO put this blocking into the systemd units?
|
||||
$machine->waitUntilSucceeds("timeout 1 ${pkgs.netcat}/bin/nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ \$? -eq 124 ]");
|
||||
$machine->succeed("cat ${sendMail} | ${pkgs.netcat-gnu}/bin/nc localhost 25 | grep -q 'This account cannot receive emails'" );
|
||||
};
|
||||
'';
|
||||
}
|
|
@ -1,195 +0,0 @@
|
|||
# nixos-mailserver: a simple mail server
|
||||
# Copyright (C) 2016-2018 Robin Raymond
|
||||
#
|
||||
# This program is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||
|
||||
{ pkgs ? import <nixpkgs> {}, ...}:
|
||||
|
||||
let
|
||||
sendMail = pkgs.writeTextFile {
|
||||
"name" = "send-mail-to-send-only-account";
|
||||
"text" = ''
|
||||
EHLO mail.example.com
|
||||
MAIL FROM: none@example.com
|
||||
RCPT TO: send-only@example.com
|
||||
QUIT
|
||||
'';
|
||||
};
|
||||
|
||||
hashPassword = password: pkgs.runCommand
|
||||
"password-${password}-hashed"
|
||||
{ buildInputs = [ pkgs.mkpasswd ]; inherit password; } ''
|
||||
mkpasswd -sm bcrypt <<<"$password" > $out
|
||||
'';
|
||||
|
||||
hashedPasswordFile = hashPassword "my-password";
|
||||
passwordFile = pkgs.writeText "password" "my-password";
|
||||
in
|
||||
pkgs.nixosTest {
|
||||
name = "internal";
|
||||
nodes = {
|
||||
machine = { config, pkgs, ... }: {
|
||||
imports = [
|
||||
./../default.nix
|
||||
./lib/config.nix
|
||||
];
|
||||
|
||||
virtualisation.memorySize = 1024;
|
||||
|
||||
environment.systemPackages = [
|
||||
(pkgs.writeScriptBin "mail-check" ''
|
||||
${pkgs.python3}/bin/python ${../scripts/mail-check.py} $@
|
||||
'')];
|
||||
|
||||
mailserver = {
|
||||
enable = true;
|
||||
fqdn = "mail.example.com";
|
||||
domains = [ "example.com" "domain.com" ];
|
||||
localDnsResolver = false;
|
||||
|
||||
loginAccounts = {
|
||||
"user1@example.com" = {
|
||||
hashedPasswordFile = hashedPasswordFile;
|
||||
};
|
||||
"user2@example.com" = {
|
||||
hashedPasswordFile = hashedPasswordFile;
|
||||
aliasesRegexp = [''/^user2.*@domain\.com$/''];
|
||||
};
|
||||
"send-only@example.com" = {
|
||||
hashedPasswordFile = hashPassword "send-only";
|
||||
sendOnly = true;
|
||||
};
|
||||
};
|
||||
forwards = {
|
||||
# user2@example.com is a local account and its mails are
|
||||
# also forwarded to user1@example.com
|
||||
"user2@example.com" = "user1@example.com";
|
||||
};
|
||||
|
||||
vmailGroupName = "vmail";
|
||||
vmailUID = 5000;
|
||||
|
||||
enableImap = false;
|
||||
};
|
||||
};
|
||||
};
|
||||
testScript = ''
|
||||
machine.start()
|
||||
machine.wait_for_unit("multi-user.target")
|
||||
|
||||
# Regression test for https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/205
|
||||
with subtest("mail forwarded can are locally kept"):
|
||||
# A mail sent to user2@example.com is in the user1@example.com mailbox
|
||||
machine.succeed(
|
||||
" ".join(
|
||||
[
|
||||
"mail-check send-and-read",
|
||||
"--smtp-port 587",
|
||||
"--smtp-starttls",
|
||||
"--smtp-host localhost",
|
||||
"--imap-host localhost",
|
||||
"--imap-username user1@example.com",
|
||||
"--from-addr user1@example.com",
|
||||
"--to-addr user2@example.com",
|
||||
"--src-password-file ${passwordFile}",
|
||||
"--dst-password-file ${passwordFile}",
|
||||
"--ignore-dkim-spf",
|
||||
]
|
||||
)
|
||||
)
|
||||
# A mail sent to user2@example.com is in the user2@example.com mailbox
|
||||
machine.succeed(
|
||||
" ".join(
|
||||
[
|
||||
"mail-check send-and-read",
|
||||
"--smtp-port 587",
|
||||
"--smtp-starttls",
|
||||
"--smtp-host localhost",
|
||||
"--imap-host localhost",
|
||||
"--imap-username user2@example.com",
|
||||
"--from-addr user1@example.com",
|
||||
"--to-addr user2@example.com",
|
||||
"--src-password-file ${passwordFile}",
|
||||
"--dst-password-file ${passwordFile}",
|
||||
"--ignore-dkim-spf",
|
||||
]
|
||||
)
|
||||
)
|
||||
|
||||
with subtest("regex email alias are received"):
|
||||
# A mail sent to user2-regex-alias@domain.com is in the user2@example.com mailbox
|
||||
machine.succeed(
|
||||
" ".join(
|
||||
[
|
||||
"mail-check send-and-read",
|
||||
"--smtp-port 587",
|
||||
"--smtp-starttls",
|
||||
"--smtp-host localhost",
|
||||
"--imap-host localhost",
|
||||
"--imap-username user2@example.com",
|
||||
"--from-addr user1@example.com",
|
||||
"--to-addr user2-regex-alias@domain.com",
|
||||
"--src-password-file ${passwordFile}",
|
||||
"--dst-password-file ${passwordFile}",
|
||||
"--ignore-dkim-spf",
|
||||
]
|
||||
)
|
||||
)
|
||||
|
||||
with subtest("user can send from regex email alias"):
|
||||
# A mail sent from user2-regex-alias@domain.com, using user2@example.com credentials is received
|
||||
machine.succeed(
|
||||
" ".join(
|
||||
[
|
||||
"mail-check send-and-read",
|
||||
"--smtp-port 587",
|
||||
"--smtp-starttls",
|
||||
"--smtp-host localhost",
|
||||
"--imap-host localhost",
|
||||
"--smtp-username user2@example.com",
|
||||
"--from-addr user2-regex-alias@domain.com",
|
||||
"--to-addr user1@example.com",
|
||||
"--src-password-file ${passwordFile}",
|
||||
"--dst-password-file ${passwordFile}",
|
||||
"--ignore-dkim-spf",
|
||||
]
|
||||
)
|
||||
)
|
||||
|
||||
with subtest("vmail gid is set correctly"):
|
||||
machine.succeed("getent group vmail | grep 5000")
|
||||
|
||||
with subtest("mail to send only accounts is rejected"):
|
||||
machine.wait_for_open_port(25)
|
||||
# TODO put this blocking into the systemd units
|
||||
machine.wait_until_succeeds(
|
||||
"set +e; timeout 1 ${pkgs.netcat}/bin/nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
|
||||
)
|
||||
machine.succeed(
|
||||
"cat ${sendMail} | ${pkgs.netcat-gnu}/bin/nc localhost 25 | grep -q '554 5.5.0 Error'"
|
||||
)
|
||||
|
||||
with subtest("rspamd controller serves web ui"):
|
||||
machine.succeed(
|
||||
"set +o pipefail; ${pkgs.curl}/bin/curl --unix-socket /run/rspamd/worker-controller.sock http://localhost/ | grep -q '<body>'"
|
||||
)
|
||||
|
||||
with subtest("imap port 143 is closed and imaps is serving SSL"):
|
||||
machine.wait_for_closed_port(143)
|
||||
machine.wait_for_open_port(993)
|
||||
machine.succeed(
|
||||
"echo | ${pkgs.openssl}/bin/openssl s_client -connect localhost:993 | grep 'New, TLS'"
|
||||
)
|
||||
'';
|
||||
}
|
183
tests/ldap.nix
183
tests/ldap.nix
|
@ -1,183 +0,0 @@
|
|||
{ pkgs ? import <nixpkgs> {}
|
||||
, ...
|
||||
}:
|
||||
|
||||
let
|
||||
bindPassword = "unsafegibberish";
|
||||
alicePassword = "testalice";
|
||||
bobPassword = "testbob";
|
||||
in
|
||||
pkgs.nixosTest {
|
||||
name = "ldap";
|
||||
nodes = {
|
||||
machine = { config, pkgs, ... }: {
|
||||
imports = [
|
||||
./../default.nix
|
||||
./lib/config.nix
|
||||
];
|
||||
|
||||
virtualisation.memorySize = 1024;
|
||||
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
permitRootLogin = "yes";
|
||||
};
|
||||
|
||||
environment.systemPackages = [
|
||||
(pkgs.writeScriptBin "mail-check" ''
|
||||
${pkgs.python3}/bin/python ${../scripts/mail-check.py} $@
|
||||
'')];
|
||||
|
||||
environment.etc.bind-password.text = bindPassword;
|
||||
|
||||
services.openldap = {
|
||||
enable = true;
|
||||
settings = {
|
||||
children = {
|
||||
"cn=schema".includes = [
|
||||
"${pkgs.openldap}/etc/schema/core.ldif"
|
||||
"${pkgs.openldap}/etc/schema/cosine.ldif"
|
||||
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
|
||||
"${pkgs.openldap}/etc/schema/nis.ldif"
|
||||
];
|
||||
"olcDatabase={1}mdb" = {
|
||||
attrs = {
|
||||
objectClass = [
|
||||
"olcDatabaseConfig"
|
||||
"olcMdbConfig"
|
||||
];
|
||||
olcDatabase = "{1}mdb";
|
||||
olcDbDirectory = "/var/lib/openldap/example";
|
||||
olcSuffix = "dc=example";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
declarativeContents."dc=example" = ''
|
||||
dn: dc=example
|
||||
objectClass: domain
|
||||
dc: example
|
||||
|
||||
dn: cn=mail,dc=example
|
||||
objectClass: organizationalRole
|
||||
objectClass: simpleSecurityObject
|
||||
objectClass: top
|
||||
cn: mail
|
||||
userPassword: ${bindPassword}
|
||||
|
||||
dn: ou=users,dc=example
|
||||
objectClass: organizationalUnit
|
||||
ou: users
|
||||
|
||||
dn: cn=alice,ou=users,dc=example
|
||||
objectClass: inetOrgPerson
|
||||
cn: alice
|
||||
sn: Foo
|
||||
mail: alice@example.com
|
||||
userPassword: ${alicePassword}
|
||||
|
||||
dn: cn=bob,ou=users,dc=example
|
||||
objectClass: inetOrgPerson
|
||||
cn: bob
|
||||
sn: Bar
|
||||
mail: bob@example.com
|
||||
userPassword: ${bobPassword}
|
||||
'';
|
||||
};
|
||||
|
||||
mailserver = {
|
||||
enable = true;
|
||||
fqdn = "mail.example.com";
|
||||
domains = [ "example.com" ];
|
||||
localDnsResolver = false;
|
||||
|
||||
ldap = {
|
||||
enable = true;
|
||||
uris = [
|
||||
"ldap://"
|
||||
];
|
||||
bind = {
|
||||
dn = "cn=mail,dc=example";
|
||||
passwordFile = "/etc/bind-password";
|
||||
};
|
||||
searchBase = "ou=users,dc=example";
|
||||
searchScope = "sub";
|
||||
};
|
||||
|
||||
vmailGroupName = "vmail";
|
||||
vmailUID = 5000;
|
||||
|
||||
enableImap = false;
|
||||
};
|
||||
};
|
||||
};
|
||||
testScript = ''
|
||||
import sys
|
||||
import re
|
||||
|
||||
machine.start()
|
||||
machine.wait_for_unit("multi-user.target")
|
||||
|
||||
# This function retrieves the ldap table file from a postconf
|
||||
# command.
|
||||
# A key lookup is achived and the returned value is compared
|
||||
# to the expected value.
|
||||
def test_lookup(postconf_cmdline, key, expected):
|
||||
conf = machine.succeed(postconf_cmdline).rstrip()
|
||||
ldap_table_path = re.match('.* =.*ldap:(.*)', conf).group(1)
|
||||
value = machine.succeed(f"postmap -q {key} ldap:{ldap_table_path}").rstrip()
|
||||
try:
|
||||
assert value == expected
|
||||
except AssertionError:
|
||||
print(f"Expected {conf} lookup for key '{key}' to return '{expected}, but got '{value}'", file=sys.stderr)
|
||||
raise
|
||||
|
||||
with subtest("Test postmap lookups"):
|
||||
test_lookup("postconf virtual_mailbox_maps", "alice@example.com", "alice@example.com")
|
||||
test_lookup("postconf -P submission/inet/smtpd_sender_login_maps", "alice@example.com", "alice@example.com")
|
||||
|
||||
test_lookup("postconf virtual_mailbox_maps", "bob@example.com", "bob@example.com")
|
||||
test_lookup("postconf -P submission/inet/smtpd_sender_login_maps", "bob@example.com", "bob@example.com")
|
||||
|
||||
with subtest("Test doveadm lookups"):
|
||||
machine.succeed("doveadm user -u alice@example.com")
|
||||
machine.succeed("doveadm user -u bob@example.com")
|
||||
|
||||
with subtest("Files containing secrets are only readable by root"):
|
||||
machine.succeed("ls -l /run/postfix/*.cf | grep -e '-rw------- 1 root root'")
|
||||
machine.succeed("ls -l /run/dovecot2/dovecot-ldap.conf.ext | grep -e '-rw------- 1 root root'")
|
||||
|
||||
with subtest("Test account/mail address binding"):
|
||||
machine.fail(" ".join([
|
||||
"mail-check send-and-read",
|
||||
"--smtp-port 587",
|
||||
"--smtp-starttls",
|
||||
"--smtp-host localhost",
|
||||
"--smtp-username alice@example.com",
|
||||
"--imap-host localhost",
|
||||
"--imap-username bob@example.com",
|
||||
"--from-addr bob@example.com",
|
||||
"--to-addr aliceb@example.com",
|
||||
"--src-password-file <(echo '${alicePassword}')",
|
||||
"--dst-password-file <(echo '${bobPassword}')",
|
||||
"--ignore-dkim-spf"
|
||||
]))
|
||||
machine.succeed("journalctl -u postfix | grep -q 'Sender address rejected: not owned by user alice@example.com'")
|
||||
|
||||
with subtest("Test mail delivery"):
|
||||
machine.succeed(" ".join([
|
||||
"mail-check send-and-read",
|
||||
"--smtp-port 587",
|
||||
"--smtp-starttls",
|
||||
"--smtp-host localhost",
|
||||
"--smtp-username alice@example.com",
|
||||
"--imap-host localhost",
|
||||
"--imap-username bob@example.com",
|
||||
"--from-addr alice@example.com",
|
||||
"--to-addr bob@example.com",
|
||||
"--src-password-file <(echo '${alicePassword}')",
|
||||
"--dst-password-file <(echo '${bobPassword}')",
|
||||
"--ignore-dkim-spf"
|
||||
]))
|
||||
'';
|
||||
}
|
|
@ -14,9 +14,9 @@
|
|||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||
|
||||
import <nixpkgs/nixos/tests/make-test-python.nix> {
|
||||
import <nixpkgs/nixos/tests/make-test.nix> {
|
||||
|
||||
nodes.machine =
|
||||
machine =
|
||||
{ config, pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
|
@ -26,6 +26,6 @@ import <nixpkgs/nixos/tests/make-test-python.nix> {
|
|||
|
||||
testScript =
|
||||
''
|
||||
machine.wait_for_unit("multi-user.target");
|
||||
$machine->waitForUnit("multi-user.target");
|
||||
'';
|
||||
}
|
||||
|
|
|
@ -1,89 +0,0 @@
|
|||
# This tests is used to test features requiring several mail domains.
|
||||
|
||||
{ pkgs ? import <nixpkgs> {}, ...}:
|
||||
|
||||
let
|
||||
hashPassword = password: pkgs.runCommand
|
||||
"password-${password}-hashed"
|
||||
{ buildInputs = [ pkgs.mkpasswd ]; inherit password; }
|
||||
''
|
||||
mkpasswd -sm bcrypt <<<"$password" > $out
|
||||
'';
|
||||
|
||||
password = pkgs.writeText "password" "password";
|
||||
|
||||
domainGenerator = domain: { config, pkgs, ... }: {
|
||||
imports = [../default.nix];
|
||||
virtualisation.memorySize = 1024;
|
||||
mailserver = {
|
||||
enable = true;
|
||||
fqdn = "mail.${domain}";
|
||||
domains = [ domain ];
|
||||
localDnsResolver = false;
|
||||
loginAccounts = {
|
||||
"user@${domain}" = {
|
||||
hashedPasswordFile = hashPassword "password";
|
||||
};
|
||||
};
|
||||
enableImap = true;
|
||||
enableImapSsl = true;
|
||||
};
|
||||
services.dnsmasq = {
|
||||
enable = true;
|
||||
# Fixme: once nixos-22.11 has been removed, could be replaced by
|
||||
# settings.mx-host = [ "domain1.com,domain1,10" "domain2.com,domain2,10" ];
|
||||
extraConfig = ''
|
||||
mx-host=domain1.com,domain1,10
|
||||
mx-host=domain2.com,domain2,10
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
in
|
||||
|
||||
pkgs.nixosTest {
|
||||
name = "multiple";
|
||||
nodes = {
|
||||
domain1 = {...}: {
|
||||
imports = [
|
||||
../default.nix
|
||||
(domainGenerator "domain1.com")
|
||||
];
|
||||
mailserver.forwards = {
|
||||
"non-local@domain1.com" = ["user@domain2.com" "user@domain1.com"];
|
||||
"non@domain1.com" = ["user@domain2.com" "user@domain1.com"];
|
||||
};
|
||||
};
|
||||
domain2 = domainGenerator "domain2.com";
|
||||
client = { config, pkgs, ... }: {
|
||||
environment.systemPackages = [
|
||||
(pkgs.writeScriptBin "mail-check" ''
|
||||
${pkgs.python3}/bin/python ${../scripts/mail-check.py} $@
|
||||
'')];
|
||||
};
|
||||
};
|
||||
testScript = ''
|
||||
start_all()
|
||||
|
||||
domain1.wait_for_unit("multi-user.target")
|
||||
domain2.wait_for_unit("multi-user.target")
|
||||
|
||||
# TODO put this blocking into the systemd units?
|
||||
domain1.wait_until_succeeds(
|
||||
"set +e; timeout 1 ${pkgs.netcat}/bin/nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
|
||||
)
|
||||
domain2.wait_until_succeeds(
|
||||
"set +e; timeout 1 ${pkgs.netcat}/bin/nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
|
||||
)
|
||||
|
||||
# user@domain1.com sends a mail to user@domain2.com
|
||||
client.succeed(
|
||||
"mail-check send-and-read --smtp-port 587 --smtp-starttls --smtp-host domain1 --from-addr user@domain1.com --imap-host domain2 --to-addr user@domain2.com --src-password-file ${password} --dst-password-file ${password} --ignore-dkim-spf"
|
||||
)
|
||||
|
||||
# Send a mail to the address forwarded and check it is in the recipient mailbox
|
||||
client.succeed(
|
||||
"mail-check send-and-read --smtp-port 587 --smtp-starttls --smtp-host domain1 --from-addr user@domain1.com --imap-host domain2 --to-addr non-local@domain1.com --imap-username user@domain2.com --src-password-file ${password} --dst-password-file ${password} --ignore-dkim-spf"
|
||||
)
|
||||
'';
|
||||
}
|
Loading…
Reference in a new issue