# nixos-mailserver: a simple mail server
# Copyright (C) 2016-2018 Robin Raymond
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>
{ config, pkgs, lib, ... }:

# Shared definitions from common.nix are brought into scope unqualified
# (e.g. passwordFiles, which genPasswdScript below relies on).
with (import ./common.nix { inherit config pkgs lib; });

let
# Options of this module (config.mailserver.*).
cfg = config.mailserver;

# Runtime location of Dovecot's passwd-file database.  It is written under
# /run at service start by genPasswdScript rather than placed in the Nix
# store, because it contains the account password hashes.
passwdDir = "/run/dovecot2";
passwdFile = "${passwdDir}/passwd";

# Renders a boolean in the 1/0 form used on the fts_xapian plugin line.
bool2int = x: if x then "1" else "0";

# Suffix appended to mail_location when the "fs" maildir layout is enabled.
maildirLayoutAppendix = lib.optionalString cfg.useFsLayout ":LAYOUT=fs";
# maildir in format "/${domain}/${user}"
# The optional :INDEX= part moves Dovecot's index files under cfg.indexDir,
# mirroring the same per-domain/per-user layout.
dovecotMaildir =
  let
    indexAppendix =
      if cfg.indexDir != null
      then ":INDEX=${cfg.indexDir}/%d/%n"
      else "";
  in
  "maildir:${cfg.mailDirectory}/%d/%n${maildirLayoutAppendix}${indexAppendix}";
# Settings of the other services this module ties Dovecot to: Postfix's
# user/group own the lmtp and auth sockets, and dovecot2's mailUser/mailGroup
# are used to chown the compiled sieve scripts.
postfixCfg = config.services.postfix;
dovecot2Cfg = config.services.dovecot2;

# Persistent Dovecot state.  ${stateDir}/imap_sieve is wiped and rebuilt
# from ./dovecot/imap_sieve in the dovecot2 preStart below.
stateDir = "/var/lib/dovecot";
# Helper programs that Sieve scripts may invoke through the
# vnd.dovecot.pipe extension (exposed as sieve_pipe_bin_dir in extraConfig).
# Every script is wrapped with a fixed PATH, so only coreutils and rspamd
# binaries are reachable from it regardless of the caller's environment.
pipeBin = pkgs.stdenv.mkDerivation {
  name = "pipe_bin";
  src = ./dovecot/pipe_bin;
  buildInputs = with pkgs; [ makeWrapper coreutils bash rspamd ];
  buildCommand = ''
    mkdir -p $out/pipe/bin
    cp $src/* $out/pipe/bin/
    chmod a+x $out/pipe/bin/*
    patchShebangs $out/pipe/bin

    for file in $out/pipe/bin/*; do
      wrapProgram $file \
        --set PATH "${pkgs.coreutils}/bin:${pkgs.rspamd}/bin"
    done
  '';
};
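# Script, run from dovecot2's preStart, that builds the passwd-file database
# Dovecot uses for both passdb and userdb.  Each account's hash is read from
# its hash file at run time (first line only), so hashes never enter the Nix
# store.  The resulting file is owner-only (0600) from the moment it exists.
genPasswdScript = pkgs.writeScript "generate-password-file" ''
  #!${pkgs.stdenv.shell}

  set -euo pipefail

  # Create the passwd file without group/other bits from the start instead of
  # relying only on the chmod 600 at the end; with the default umask the
  # freshly created file would briefly expose the hashes to other users.
  umask 077

  if (! test -d "${passwdDir}"); then
    mkdir "${passwdDir}"
    chmod 755 "${passwdDir}"
  fi

  # Refuse to start with an incomplete database: every configured account
  # must have its hash file present.
  for f in ${builtins.toString (lib.mapAttrsToList (name: value: passwordFiles."${name}") cfg.loginAccounts)}; do
    if [ ! -f "$f" ]; then
      echo "Expected password hash file $f does not exist!" >&2
      exit 1
    fi
  done

  # One passwd-file line per account:
  #   user:hash:uid:gid::home:shell:[userdb_quota_rule=...]
  cat <<EOF > ${passwdFile}
  ${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value:
    "${name}:${"$(head -n 1 ${passwordFiles."${name}"})"}:${builtins.toString cfg.vmailUID}:${builtins.toString cfg.vmailUID}::${cfg.mailDirectory}:/run/current-system/sw/bin/nologin:"
    + (if lib.isString value.quota
       then "userdb_quota_rule=*:storage=${value.quota}"
       else "")
  ) cfg.loginAccounts)}
  EOF

  # Kept for files created by earlier runs that did not set the umask.
  chmod 600 ${passwdFile}
'';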
in
{
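# Everything below is only applied when mailserver.enable is set.
config = with cfg; lib.mkIf enable {
  services.dovecot2 = {
    enable = true;
    # The NixOS module only knows "imap"/"pop3"; the plain vs. TLS listener
    # split is done by hand in extraConfig.
    enableImap = enableImap || enableImapSsl;
    enablePop3 = enablePop3 || enablePop3Ssl;
    # Accounts come exclusively from the generated passwd file, never PAM.
    enablePAM = false;
    enableQuota = true;
    mailGroup = vmailGroupName;
    mailUser = vmailUserName;
    mailLocation = dovecotMaildir;
    sslServerCert = certificatePath;
    sslServerKey = keyPath;
    enableLmtp = true;
    modules = [ pkgs.dovecot_pigeonhole ] ++ (lib.optional cfg.fullTextSearch.enable pkgs.dovecot_fts_xapian );
    mailPlugins.globally.enable = lib.optionals cfg.fullTextSearch.enable [ "fts" "fts_xapian" ];
    protocols = lib.optional cfg.enableManageSieve "sieve";

    # Global sieve script run after the user's own: anything already flagged
    # "X-Spam: Yes" (by rspamd upstream) is filed into Junk.
    sieveScripts = {
      after = builtins.toFile "spam.sieve" ''
        require "fileinto";

        if header :is "X-Spam" "Yes" {
          fileinto "Junk";
          stop;
        }
      '';
    };

    mailboxes = cfg.mailboxes;

    # Raw dovecot.conf fragment.  Points worth knowing:
    #  - "ssl = required" makes TLS mandatory for every client connection;
    #    that is what makes the plaintext "plain login" mechanisms in
    #    auth_mechanisms acceptable.
    #  - The lmtp and auth unix sockets are limited to Postfix's user/group.
    #  - The fts_xapian plugin block is emitted only when
    #    cfg.fullTextSearch.enable is true.  The option is a bool (it is
    #    passed to lib.optional above), so testing it against null would
    #    always be true and would configure fts even when disabled.
    extraConfig = ''
      #Extra Config
      ${lib.optionalString debug ''
        mail_debug = yes
        auth_debug = yes
        verbose_ssl = yes
      ''}

      ${lib.optionalString (cfg.enableImap || cfg.enableImapSsl) ''
        service imap-login {
          inet_listener imap {
            ${if cfg.enableImap then ''
              port = 143
            '' else ''
              # see https://dovecot.org/pipermail/dovecot/2010-March/047479.html
              port = 0
            ''}
          }
          inet_listener imaps {
            ${if cfg.enableImapSsl then ''
              port = 993
              ssl = yes
            '' else ''
              # see https://dovecot.org/pipermail/dovecot/2010-March/047479.html
              port = 0
            ''}
          }
        }
      ''}
      ${lib.optionalString (cfg.enablePop3 || cfg.enablePop3Ssl) ''
        service pop3-login {
          inet_listener pop3 {
            ${if cfg.enablePop3 then ''
              port = 110
            '' else ''
              # see https://dovecot.org/pipermail/dovecot/2010-March/047479.html
              port = 0
            ''}
          }
          inet_listener pop3s {
            ${if cfg.enablePop3Ssl then ''
              port = 995
              ssl = yes
            '' else ''
              # see https://dovecot.org/pipermail/dovecot/2010-March/047479.html
              port = 0
            ''}
          }
        }
      ''}

      protocol imap {
        mail_max_userip_connections = ${toString cfg.maxConnectionsPerUser}
        mail_plugins = $mail_plugins imap_sieve
      }

      protocol pop3 {
        mail_max_userip_connections = ${toString cfg.maxConnectionsPerUser}
      }

      mail_access_groups = ${vmailGroupName}
      ssl = required
      ssl_min_protocol = TLSv1.2
      ssl_prefer_server_ciphers = yes

      service lmtp {
        unix_listener dovecot-lmtp {
          group = ${postfixCfg.group}
          mode = 0600
          user = ${postfixCfg.user}
        }
      }

      recipient_delimiter = ${cfg.recipientDelimiter}
      lmtp_save_to_detail_mailbox = ${cfg.lmtpSaveToDetailMailbox}

      protocol lmtp {
        mail_plugins = $mail_plugins sieve
      }

      passdb {
        driver = passwd-file
        args = ${passwdFile}
      }

      userdb {
        driver = passwd-file
        args = ${passwdFile}
      }

      service auth {
        unix_listener auth {
          mode = 0660
          user = ${postfixCfg.user}
          group = ${postfixCfg.group}
        }
      }

      auth_mechanisms = plain login

      namespace inbox {
        separator = ${cfg.hierarchySeparator}
        inbox = yes
      }

      plugin {
        sieve_plugins = sieve_imapsieve sieve_extprograms
        sieve = file:${cfg.sieveDirectory}/%u/scripts;active=${cfg.sieveDirectory}/%u/active.sieve
        sieve_default = file:${cfg.sieveDirectory}/%u/default.sieve
        sieve_default_name = default

        # From elsewhere to Spam folder
        imapsieve_mailbox1_name = Junk
        imapsieve_mailbox1_causes = COPY
        imapsieve_mailbox1_before = file:${stateDir}/imap_sieve/report-spam.sieve

        # From Spam folder to elsewhere
        imapsieve_mailbox2_name = *
        imapsieve_mailbox2_from = Junk
        imapsieve_mailbox2_causes = COPY
        imapsieve_mailbox2_before = file:${stateDir}/imap_sieve/report-ham.sieve

        sieve_pipe_bin_dir = ${pipeBin}/pipe/bin

        sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
      }

      ${lib.optionalString cfg.fullTextSearch.enable ''
        plugin {
          plugin = fts fts_xapian
          fts = xapian
          fts_xapian = partial=${toString cfg.fullTextSearch.minSize} full=${toString cfg.fullTextSearch.maxSize} attachments=${bool2int cfg.fullTextSearch.indexAttachments} verbose=${bool2int cfg.debug}

          fts_autoindex = ${if cfg.fullTextSearch.autoIndex then "yes" else "no"}

          ${lib.strings.concatImapStringsSep "\n" (n: x: "fts_autoindex_exclude${if n==1 then "" else toString n} = ${x}") cfg.fullTextSearch.autoIndexExclude}

          fts_enforced = ${cfg.fullTextSearch.enforced}
        }

        ${lib.optionalString (cfg.fullTextSearch.memoryLimit != null) ''
          service indexer-worker {
            vsz_limit = ${toString (cfg.fullTextSearch.memoryLimit*1024*1024)}
          }
        ''}
      ''}

      lda_mailbox_autosubscribe = yes
      lda_mailbox_autocreate = yes
    '';
  };

  # Before Dovecot starts: regenerate the passwd file from the current hash
  # files, then rebuild and compile the imapsieve spam/ham reporting scripts
  # from scratch so stale copies never survive a configuration change.
  systemd.services.dovecot2 = {
    preStart = ''
      ${genPasswdScript}
      rm -rf '${stateDir}/imap_sieve'
      mkdir '${stateDir}/imap_sieve'
      cp -p "${./dovecot/imap_sieve}"/*.sieve '${stateDir}/imap_sieve/'
      for k in "${stateDir}/imap_sieve"/*.sieve ; do
        ${pkgs.dovecot_pigeonhole}/bin/sievec "$k"
      done
      chown -R '${dovecot2Cfg.mailUser}:${dovecot2Cfg.mailGroup}' '${stateDir}/imap_sieve'
    '';
  };

  # The generated script embeds the account list, so a change to it (new or
  # removed accounts) also restarts Postfix.
  systemd.services.postfix.restartTriggers = [ genPasswdScript ];

  # Periodic index optimisation for fts_xapian, sandboxed: no devices,
  # no network, read-only system paths and a private /tmp.
  systemd.services.dovecot-fts-xapian-optimize = lib.mkIf (cfg.fullTextSearch.enable && cfg.fullTextSearch.maintenance.enable) {
    description = "Optimize dovecot indices for fts_xapian";
    requisite = [ "dovecot2.service" ];
    after = [ "dovecot2.service" ];
    startAt = cfg.fullTextSearch.maintenance.onCalendar;
    serviceConfig = {
      Type = "oneshot";
      ExecStart = "${pkgs.dovecot}/bin/doveadm fts optimize -A";
      PrivateDevices = true;
      PrivateNetwork = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectSystem = true;
      PrivateTmp = true;
    };
  };

  # Spread the optimisation run by a random delay when one is configured.
  systemd.timers.dovecot-fts-xapian-optimize = lib.mkIf (cfg.fullTextSearch.enable && cfg.fullTextSearch.maintenance.enable && cfg.fullTextSearch.maintenance.randomizedDelaySec != 0) {
    timerConfig = {
      RandomizedDelaySec = cfg.fullTextSearch.maintenance.randomizedDelaySec;
    };
  };
};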
}