# ![Simple Nixos MailServer][logo]

![license](https://img.shields.io/badge/license-GPL3-brightgreen.svg)
![status](https://travis-ci.org/r-raymond/nixos-mailserver.svg?branch=master)

## Stable Releases

* [SNM v2.1.1](https://github.com/r-raymond/nixos-mailserver/releases/v2.1.1)

[Latest Release (Candidate)](https://github.com/r-raymond/nixos-mailserver/releases/latest)

[Subscribe to SNM Announcement List](https://www.freelists.org/list/snm)

This is a very low volume list where new releases of SNM are announced, so you
can stay up to date with bug fixes and updates. All announcements are signed by
the gpg key with fingerprint
```
D9FE 4119 F082 6F15 93BD BD36 6162 DBA5 635E A16A
```

## Features

### v2.0

* [x] Continuous Integration Testing
* [x] Multiple Domains
* Postfix MTA
    - [x] smtp on port 25
    - [x] submission port 587
    - [x] lmtp with dovecot
* Dovecot
    - [x] maildir folders
    - [x] imap starttls on port 143
    - [x] pop3 starttls on port 110
* Certificates
    - [x] manual certificates
    - [x] on the fly creation
    - [x] Let's Encrypt
* Spam Filtering
    - [x] via rspamd
* Virus Scanning
    - [x] via clamav
* DKIM Signing
    - [x] via opendkim
* User Management
    - [x] declarative user management
    - [x] declarative password management
* Sieves
    - [x] A simple standard script that moves spam
    - [x] Allow user defined sieve scripts
    - [x] ManageSieve support
* User Aliases
    - [x] Regular aliases
    - [x] Catch all aliases

### In the future

* DKIM Signing
    - [ ] Allow a per domain selector

### Changelog

#### v1.0 -> v1.1

* Changed structure to Nix Modules
* Adds Sieve support

#### v1.1 -> v2.0

* rename domain to fqdn, separate fqdn from domains
* multi domain support

### Quick Start

```nix
{ config, pkgs, ... }:
{
  imports = [
    (builtins.fetchTarball "https://github.com/r-raymond/nixos-mailserver/archive/v2.1.1.tar.gz")
  ];

  mailserver = {
    enable = true;
    fqdn = "mail.example.com";
    domains = [ "example.com" "example2.com" ];
    loginAccounts = {
      "user1@example.com" = {
        hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/";
        aliases = [
          "info@example.com"
          "postmaster@example.com"
          "postmaster@example2.com"
        ];
      };
    };
  };
}
```

For a complete list of options, see `default.nix`.

## How to Set Up a 10/10 Mail Server Guide

Mail servers can be a tricky thing to set up. This guide is supposed to run you
through the most important steps to achieve a 10/10 score on `mail-tester.com`.

What you need:

* A server with a public IP (referred to as `server-IP`)
* A Fully Qualified Domain Name (`FQDN`) where your server is reachable,
  so that other servers can find yours. Common FQDNs include `mx.example.com`
  (where `example.com` is a domain you own) or `mail.example.com`. The domain
  is referred to as `server-domain` (`example.com` in the above example) and
  the `FQDN` is referred to as `server-FQDN` (`mx.example.com` above).
* A list of domains you want your email server to serve. (Note that this
  does not have to include `server-domain`, but may of course.) These will be
  referred to as `domains`. As an example, `domains = [ example1.com,
  example2.com ]`.

### A) Setup server

The following describes a server setup that is fairly complete. Even though
there are more possible options (see `default.nix`), these should be the most
common ones.

```nix
{ config, pkgs, ... }:
{
  imports = [
    (builtins.fetchTarball "https://github.com/r-raymond/nixos-mailserver/archive/v2.1.1.tar.gz")
  ];

  mailserver = {
    enable = true;
    fqdn = <server-FQDN>;
    domains = [ <domains> ];

    # A list of all login accounts. To create the password hashes, use
    # mkpasswd -m sha-512 "super secret password"
    loginAccounts = {
      "user1@example.com" = {
        hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/";
        aliases = [
          "postmaster@example.com"
          "postmaster@example2.com"
        ];
        # Make this user the catchAll address for domains example.com and
        # example2.com
        catchAll = [
          "example.com"
          "example2.com"
        ];
      };
      "user2@example.com" = { ... };
    };

    # Extra virtual aliases. These are email addresses that are forwarded to
    # loginAccounts addresses.
    extraVirtualAliases = {
      # address = forward address;
      "abuse@example.com" = "user1@example.com";
    };

    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
    # down nginx and opens port 80.
    certificateScheme = 3;

    # Enable IMAP and POP3
    enableImap = true;
    enablePop3 = true;
    enableImapSsl = true;
    enablePop3Ssl = true;

    # Enable the ManageSieve protocol
    enableManageSieve = true;

    # whether to scan inbound emails for viruses (note that this requires at least
    # 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty)
    virusScanning = false;
  };
}
```

After a `nixos-rebuild switch --upgrade` your server should be good to go. If
you want to use `nixops` to deploy the server, look in the subfolder `nixops`
for some inspiration.

### B) Setup everything else

#### Step 1: Set DNS entry for server

Add a DNS record to the domain `server-domain` with the following entries

| Name (Subdomain) | TTL   | Type | Priority | Value       |
| ---------------- | ----- | ---- | -------- | ----------- |
| `server-FQDN`    | 10800 | A    |          | `server-IP` |

This resolves DNS queries for `server-FQDN` to `server-IP`. You can test if your
setting is correct by

```
ping <server-FQDN>
64 bytes from <server-FQDN> (<server-IP>): icmp_seq=1 ttl=46 time=21.3 ms
...
```

Note that it can take a while until a DNS entry is propagated.

#### Step 2: Set rDNS (reverse DNS) entry for server

Wherever you have rented your server, you should be able to set reverse DNS
entries for the IPs you own. Add an entry resolving `server-IP` to
`server-FQDN`.

You can test if your setting is correct by

```
host <server-IP>
<server-IP>.in-addr.arpa domain name pointer <server-FQDN>.
```

Note that it can take a while until a DNS entry is propagated.

#### Step 3: Set `MX` Records

For every `domain` in `domains` do:

* Add an `MX` record to the domain `domain`

| Name (Subdomain) | TTL   | Type | Priority | Value         |
| ---------------- | ----- | ---- | -------- | ------------- |
| `domain`         |       | MX   | 10       | `server-FQDN` |

You can test this via

```
dig -t MX <domain>
...
;; ANSWER SECTION:
<domain> 10800 IN MX 10 <server-FQDN>
...
```

Note that it can take a while until a DNS entry is propagated.

#### Step 4: Set `SPF` Records

For every `domain` in `domains` do:

* Add an `SPF` record to the domain `domain`

| Name (Subdomain) | TTL   | Type | Priority | Value                         |
| ---------------- | ----- | ---- | -------- | ----------------------------- |
| `domain`         | 10800 | TXT  |          | `v=spf1 ip4:<server-IP> -all` |

You can check this with `dig -t TXT <domain>` similar to the last section. Note
that `SPF` records are set as `TXT` records since RFC1035.

Note that it can take a while until a DNS entry is propagated. If you want to
use multiple servers for your email handling, don't forget to add all server
IPs to this list.

#### Step 5: Set `DKIM` signature

In this section we assume that your `dkimSelector` is set to `mail`. If you have
a different selector, replace all `mail`'s below accordingly.

For every `domain` in `domains` do:

* Go to your server and navigate to the dkim key directory (by default
  `/var/dkim`). There you will find the public key for each domain in the
  file `<domain>.txt`. It will look like

```
mail._domainkey IN TXT "v=DKIM1; r=postmaster; g=*; k=rsa; p=<really-long-key>" ; ----- DKIM mail for domain.tld
```

* Add a `DKIM` record to the domain `domain`

| Name (Subdomain)         | TTL   | Type | Priority | Value                          |
| ------------------------ | ----- | ---- | -------- | ------------------------------ |
| mail._domainkey.`domain` | 10800 | TXT  |          | `v=DKIM1; p=<really-long-key>` |

You can check this with `dig -t TXT mail._domainkey.<domain>` similar to the last section.

Note that it can take a while until a DNS entry is propagated.
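Steps 3 to 5 each end with a `dig` command you run by hand and read by eye. The following Python script is an added example (not part of SNM) that performs the same three checks per domain in one place: the `MX` target is `server-FQDN`, the SPF record lists `server-IP` (as a plain `ip4:` address or a CIDR block) and ends in `-all`, and the published `<selector>._domainkey` record carries the same `p=` value as the key file opendkim wrote under `dkimKeyDirectory`. It assumes a constructed `server-IP` of 203.0.113.10, a constructed `server-FQDN` of `mx.example.com`, placeholder key material, and a hand-written table standing in for live DNS answers so that it runs offline; the key-file parser also accepts the multi-line form `opendkim-genkey` emits for long keys, which the README's one-line excerpt does not show.

```python
"""Offline check of the records that steps B)3 to B)5 ask you to publish.

DNS answers are modelled as a dict of what `dig` would return so the script
runs without network access; swap in real lookups to use it on a live zone.
"""
import ipaddress
import re

SERVER_IP = "203.0.113.10"      # constructed `server-IP` (documentation range)
SERVER_FQDN = "mx.example.com"  # constructed `server-FQDN`

# Constructed stand-ins for <dkimKeyDirectory>/<domain>.txt as written by
# opendkim-genkey. A long p= tag may be split over several quoted strings.
# The key bytes are placeholders, not real RSA keys.
DKIM_KEY_FILES = {
    "example.com": (
        'mail._domainkey IN TXT ( "v=DKIM1; r=postmaster; g=*; k=rsa; "\n'
        '\t  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCPLACEHOLDERKEYPART1"\n'
        '\t  "PLACEHOLDERKEYPART2" )  ; ----- DKIM mail for example.com\n'
    ),
    "example2.com": (
        'mail._domainkey IN TXT "v=DKIM1; r=postmaster; g=*; k=rsa; '
        'p=PLACEHOLDERKEY2" ; ----- DKIM mail for example2.com\n'
    ),
}

# Constructed DNS answers: (owner name, record type) -> list of rdata strings.
DNS = {
    ("example.com", "MX"): ["10 mx.example.com."],
    ("example.com", "TXT"): ["v=spf1 ip4:203.0.113.10 -all"],
    ("mail._domainkey.example.com", "TXT"): [
        "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC"
        "PLACEHOLDERKEYPART1PLACEHOLDERKEYPART2"
    ],
    ("example2.com", "MX"): ["10 mx.example.com."],
    ("example2.com", "TXT"): ["v=spf1 ip4:203.0.113.10 ~all"],  # softfail
    ("mail._domainkey.example2.com", "TXT"): [],                 # never published
}


def parse_tags(record):
    """Split a 'k=v; k=v' TXT value (DKIM style) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def parse_dkim_key_file(text):
    """Return (selector, tags) from an opendkim-genkey .txt file."""
    selector = text.split("._domainkey", 1)[0].strip()
    # Join every quoted string: a long key is split across several of them.
    return selector, parse_tags("".join(re.findall(r'"([^"]*)"', text)))


def _ip4_term_covers(term, ip):
    """True if an SPF 'ip4:<addr or cidr>' mechanism includes ip."""
    try:
        return ip in ipaddress.ip_network(term[len("ip4:"):], strict=False)
    except ValueError:
        return False


def check_mx(domain, dns):
    targets = {rdata.split()[1].rstrip(".") for rdata in dns.get((domain, "MX"), [])}
    if SERVER_FQDN not in targets:
        return [f"{domain}: MX does not point at {SERVER_FQDN} (got {sorted(targets)})"]
    return []


def check_spf(domain, dns):
    spf = [r for r in dns.get((domain, "TXT"), []) if r.startswith("v=spf1")]
    if len(spf) != 1:
        return [f"{domain}: expected exactly one SPF record, found {len(spf)}"]
    terms = spf[0].split()[1:]
    ip = ipaddress.ip_address(SERVER_IP)
    problems = []
    if not any(t.startswith("ip4:") and _ip4_term_covers(t, ip) for t in terms):
        problems.append(f"{domain}: SPF does not authorise {SERVER_IP}")
    if not terms or terms[-1] != "-all":
        problems.append(f"{domain}: SPF ends with '{terms[-1] if terms else ''}', not '-all'")
    return problems


def check_dkim(domain, dns, key_file_text):
    selector, expected = parse_dkim_key_file(key_file_text)
    name = f"{selector}._domainkey.{domain}"
    published = [parse_tags(r) for r in dns.get((name, "TXT"), [])]
    published = [t for t in published if t.get("v", "DKIM1") == "DKIM1" and "p" in t]
    if not published:
        return [f"{domain}: no DKIM1 record at {name}"]
    if published[0]["p"] != expected.get("p"):
        return [f"{domain}: published DKIM key differs from {name} key file"]
    return []


def audit(domain, dns=DNS, key_files=DKIM_KEY_FILES):
    """All findings for one domain; an empty list means steps 3-5 look right."""
    return (check_mx(domain, dns) + check_spf(domain, dns)
            + check_dkim(domain, dns, key_files[domain]))


if __name__ == "__main__":
    for domain in DKIM_KEY_FILES:
        findings = audit(domain)
        print(domain, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

In the constructed data `example.com` passes and `example2.com` reports two findings: its SPF record ends in `~all` (softfail) rather than the `-all` the table above prescribes, and its DKIM record was never published. Only the `ip4:` mechanism is evaluated; an SPF record that relies on `include:` or `a` would need a resolver to expand.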

### C) Test your Setup

Write an email to your aunt (who has been waiting for your reply far too long),
and sign up for some of the finest newsletters the Internet has. Maybe you want
to sign up for the [SNM Announcement List](https://www.freelists.org/list/snm)?

Besides that, you can send an email to [mail-tester.com](https://www.mail-tester.com/) and see how you score,
and let [mxtoolbox.com](http://mxtoolbox.com/) take a look at your setup, but if you followed
the steps closely then everything should be awesome!

## How to Backup

This is really easy. First off you should have a backup of your
`configuration.nix` file where you have the server config (but that is already
in a git repository, right?).

Next you need to backup `/var/vmail` or whatever you have specified for the
option `mailDirectory`. This is where all the mails reside. Good options are a
cron job with `rsync` or `scp`. But really anything works, as it is simply a
folder with plenty of files in it. If your backup solution does not preserve the
owner of the files, don't forget to `chown` them to `virtualMail:virtualMail` if
you copy them back (or whatever you specified as `vmailUserName` and
`vmailGroupName`).

Finally you can (optionally) make a backup of `/var/dkim` (or whatever you
specified as `dkimKeyDirectory`). If you should lose those, don't worry, new ones
will be created on the fly. But you will need to repeat step `B)5` and correct
all the `dkim` keys.

## How to Test for Development
You can test the setup via `nixops`. After installation, do
```
nixops create nixops/single-server.nix nixops/vbox.nix -d mail
nixops deploy -d mail
nixops info -d mail
```
You can then test the server via e.g. `telnet`. To log into it, use
```
nixops ssh -d mail mailserver
```
To test imap manually use
```
openssl s_client -host mail.example.com -port 143 -starttls imap
```
## A Complete Mail Server Without Moving Parts

### Used Technologies

* Nixos
* Nixpkgs
* Dovecot
* Postfix
* Rmilter
* Rspamd
* Clamav
* Opendkim
* Pam

### Features

* unlimited domains
* unlimited mail accounts
* unlimited aliases for every mail account
* spam and virus checking
* dkim signing of outgoing emails
* imap (optionally pop3)
* startTLS

### Nonfeatures

* moving parts
* SQL databases
* configurations that need to be made after `nixos-rebuild switch`
* complicated storage schemes
* webclients / http-servers

## Contributors

* Special thanks to @Infinisil for the module rewrite
* Special thanks to @jbboehr for multidomain implementation
* @danbst
* @phdoerfler
* @eqyiel

### Alternative Implementations

* [NixCloud Webservices](https://github.com/nixcloud/nixcloud-webservices)

### Credits

* send mail graphic by [tnp_dreamingmao](https://thenounproject.com/dreamingmao)
  from [TheNounProject](https://thenounproject.com/) is licensed under
  [CC BY 3.0](http://creativecommons.org/~/3.0/)
* Logo made with [Logomakr.com](https://logomakr.com)

[logo]: logo/logo.png