655 Commits

Author SHA1 Message Date
Martin Weinelt
1feca02008 Merge branch 'drop-nixops' into 'master'
treewide: drop nixops docs and examples

Closes #320

See merge request simple-nixos-mailserver/nixos-mailserver!393
2025-05-08 21:36:38 +00:00
Martin Weinelt
b92870c240 treewide: drop nixops docs and examples
This is not a deployment system we recommend using anymore in 2025.

Closes: #320
2025-05-08 23:22:29 +02:00
Martin Weinelt
a7d2b05a99 Merge branch 'quota-status-uds' into 'master'
dovecot: migrate queue-status to UNIX domain socket

See merge request simple-nixos-mailserver/nixos-mailserver!392
2025-05-07 17:05:15 +00:00
Martin Weinelt
4a09d6460a Merge branch 'tests-remove-broken-escape-sequences' into 'master'
tests: remove invalid escape sequences

See merge request simple-nixos-mailserver/nixos-mailserver!391
2025-05-07 16:38:00 +00:00
Martin Weinelt
a1ff289bf9 dovecot: migrate queue-status to UNIX domain socket 2025-05-07 18:00:53 +02:00
lewo
7bb0f43503 Merge branch 'dane-lookups' into 'master'
postfix: Support opportunistic DANE TLS

See merge request simple-nixos-mailserver/nixos-mailserver!389
2025-05-07 07:02:02 +00:00
Martin Weinelt
86b48f368f tests: remove invalid escape sequences
>>> "\@"
<stdin>:1: SyntaxWarning: invalid escape sequence '\@'
'\\@'
2025-05-07 03:56:41 +02:00
Martin Weinelt
e488e3639a Merge branch 'postfix-comments' into 'master'
postfix: adjust comments around smtpd_recipient_restrictions

See merge request simple-nixos-mailserver/nixos-mailserver!390
2025-05-07 00:59:11 +00:00
Martin Weinelt
2e254b4b5e postfix: adjust comments around smtpd_recipient_restrictions 2025-05-07 02:52:28 +02:00
Martin Weinelt
1471e54b92 Merge branch 'no-tls-1.1' into 'master'
postfix: disable TLSv1.1

See merge request simple-nixos-mailserver/nixos-mailserver!234
2025-05-07 00:48:13 +00:00
Martin Weinelt
fac7efe946 postfix: Support opportunistic DANE TLS
This migrates the security level for outgoing SMTP connections to
dane[1]. Either a server is configured for DANE or it now uses mandatory
unauthenticated TLS.

If DANE validation fails, the delivery will be tempfailed.

If DANE is invalid or unusable the connection will fall back to
unauthenticated mandatory TLS.

This has been the default in various mail distributions:
- Mailcow since December 2016[2]
- mailinabox since July 2014[3]

[1] https://www.postfix.org/TLS_README.html#client_tls_dane
[2] 47a5166383
[3] e713af5f5a
2025-05-07 02:23:32 +02:00
Martin Weinelt
155ba08be7 Merge branch 'readme' into 'master'
README updates (Matrix, Automatic client configuration)

See merge request simple-nixos-mailserver/nixos-mailserver!388
2025-05-06 15:25:37 +00:00
Robert Schütz
71c5fe04f1 postfix: disable TLSv1.1
In accordance with https://ssl-config.mozilla.org/#server=postfix.
2025-05-06 02:42:13 -07:00
Martin Weinelt
8b4990905c Merge branch 'feature/ldap_forwards' into 'master'
ldap: Allow mailserver.forwards

See merge request simple-nixos-mailserver/nixos-mailserver!313
2025-05-06 03:38:48 +00:00
Martin Weinelt
f6a64f713c docs/release-notes: advertise mailserver.forwards with ldap 2025-05-06 05:32:59 +02:00
Elian Doran
b343c5e8fa assertions: Allow mailserver.forwards with LDAP set up 2025-05-06 05:32:45 +02:00
Martin Weinelt
776162c162 Merge branch 'dev/check-quota-is-null' into 'master'
mail-server/dovecot: check if quota is non-null instead of string

See merge request simple-nixos-mailserver/nixos-mailserver!362
2025-05-06 02:27:36 +00:00
Leon Schuermann
6f3ece9181 mail-server/dovecot: check if quota is non-null instead of string 2025-05-06 02:27:36 +00:00
Martin Weinelt
2d0b3fdeb0 README: Add automatic client configuration support to the roadmap 2025-05-06 03:37:23 +02:00
Martin Weinelt
4320259e34 README: add matrix room, reference libera connection information 2025-05-06 03:29:35 +02:00
Martin Weinelt
7091fad860 Merge branch 'rspamd-dkim-signing' into 'master'
Use rspamd for DKIM signing, drop OpenDKIM

Closes #203, #210, and #279

See merge request simple-nixos-mailserver/nixos-mailserver!374
2025-05-05 23:33:20 +00:00
Martin Weinelt
2520e662f7 tests/external: make DKIM signing test more explicit 2025-05-06 01:05:10 +02:00
Martin Weinelt
630b5c4fdd Use rspamd for DKIM signing, drop OpenDKIM
OpenDKIM has not been updated in the last 7 years and failed to adopt
RFC8463, which introduces Ed25519-SHA256 signatures.

It has thereby held back the DKIM ecosystem, which relies on the DNS
system to publish its public keys. The DNS system in turn does not handle
large record sizes well (see RFC8301), which is why Ed25519 public keys
would be preferable, but I'm not sure the ecosystem has caught up, so we
stay on the conservative side with RSA for now.

Fixes: #203 #210 #279
Obsoletes: !162 !338
Supersedes: !246
2025-05-06 01:05:10 +02:00
Martin Weinelt
2c37e563fd Merge branch 'cleanup' into 'master'
Various cleanups

See merge request simple-nixos-mailserver/nixos-mailserver!387
2025-05-05 20:58:25 +00:00
Martin Weinelt
8800bccab8 dovecot: fix config indent 2025-05-05 22:31:16 +02:00
Martin Weinelt
84bf0c0c07 README.md: remove mailing list information
Has been unused since 2019, so it is not a good recommendation to
subscribe there anymore.
2025-05-05 22:31:16 +02:00
Martin Weinelt
a071813b97 README: reword feature list
and remove the v2.0 release title.
2025-05-05 22:31:15 +02:00
Martin Weinelt
ca69f91f6b update.sh: drop
The section it updates was removed in d460e9ff62ea1238fb3348a87326b743ae177902.
2025-05-05 21:21:58 +02:00
lewo
35185c023e Merge branch 'fix-rtd' into 'master'
Fix the readthedoc build

See merge request simple-nixos-mailserver/nixos-mailserver!386
2025-05-05 18:28:40 +00:00
Antoine Eiche
75b1908f24 Fix the RTD build 2025-05-05 20:22:45 +02:00
Martin Weinelt
95e2de368f Merge branch 'dovecot-prefer-client-ciphers' into 'master'
dovecot: prefer client cipher list

See merge request simple-nixos-mailserver/nixos-mailserver!383
2025-05-02 21:13:37 +00:00
Marcel
b859c910ab dmarc-reports: report mail message id with domain 2025-04-24 20:32:33 +00:00
Martin Weinelt
46fe2c25c8 dovecot: prefer client cipher list
All ciphers in TLSv1.2/TLSv1.3 are considered secure, so we can allow the
client to choose the most performant cipher according to their hardware
and software configuration.

This is in line with general recommendations, e.g. by Mozilla[1].

[1] https://wiki.mozilla.org/Security/Server_Side_TLS
2025-04-23 19:35:32 +00:00
Martin Weinelt
ab52efd622 ci: update to nixos-24.11 2025-04-23 16:02:07 +02:00
Martin Weinelt
42651ce2d3 docs: update release notes 2025-04-20 18:00:39 +02:00
Sandro Jäckel
bba070a1fe Remove policy-spf
Rspamd can do the same as policy-spf, only better: it has more settings, is well integrated and is better maintained.
Other projects are going the same route [1].

[1]: https://docker-mailserver.github.io/docker-mailserver/latest/config/best-practices/dkim_dmarc_spf/
2025-04-17 20:26:00 +02:00
Martin Weinelt
745c6ee861 rspamd: Use redis over a unix socket by default
Both rspamd and redis run on the same host by default, so a UNIX domain
socket is the cheapest way to facilitate that communication.

It also allows us to get rid of overly complicated IP address parsing
logic, which we can shift onto the user if they need it.
2025-04-15 16:17:30 +02:00
Jeremy Fleischman
7bdf5003c7 docs/dns: update DKIM TXT instructions
I recently went through this, and the generated file looks a bit
different than was previously documented.

I opted to be explicit about `k=rsa` (even though [the default is
"rsa"](https://datatracker.ietf.org/doc/html/rfc6376#section-3.6.1)).

I also opted to be explicit about `s=email` ([the default is
"*"](https://datatracker.ietf.org/doc/html/rfc6376#section-3.6.1)).
Honestly not sure what the consequences of this are, I don't know if
DKIM is used for anything besides email.
2025-04-14 06:22:32 +00:00
Martin Weinelt
1873ed0908 README: Update existing and future features
As the ecosystems around us evolve so should the NixOS mailserver
project.

DKIM signing could be improved by allowing users to treat DKIM keys like
a secret that they would commonly manage through agenix/sops/etc.

Forwarding mail these days requires SRS and possibly ARC. The latter has
already become a required feature for bulk messages to iCloud[1] and
Google Mail[2]. I propose that we stay ahead of the curve by adding
support for these features.

LDAP user management was added, but one pain point is that we currently
prevent it from coexisting with declarative users.

And finally OAuth (via RFC7628[3]) is the new kid on the block that everyone
wants to try out, but most notably client support[4] for hosting this
yourself is not quite there yet.

[1] https://support.apple.com/en-us/102322
[2] https://support.google.com/a/answer/81126?hl=en#zippy=%2Crequirements-for-all-senders%2Crequirements-for-sending-or-more-messages-per-day
[3] https://www.rfc-editor.org/rfc/rfc7628.html
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=1602166
2025-04-13 22:50:19 +02:00
Maximilian Bosch
efe77ce806 mail-server: add dmarcReporting.excludeDomains
The option `exclude_domains` for dmarc reporting in `rspamd`[1] allows one
to configure a list of domains and/or eSLDs (external effective second level
domains) to be excluded from dmarc reports.

Helpful because e.g. dmarc reports to hotmail.com always fail for me
with the following undeliverable notification:

    The recipient's mailbox is full and can't accept messages now.

[1] https://www.rspamd.com/doc/modules/dmarc.html
2025-04-13 07:08:44 +00:00
Yureka
b4fbffe79c services.dovecot2.modules option has been removed 2025-03-19 20:52:57 +01:00
Michael Lohmann
0c40a0b2c6 dovecot: use expanded variable names
Since Dovecot 2.4 does not accept short notations for variables any more
https://doc.dovecot.org/2.4.0/installation/upgrade/2.3-to-2.4.html#variable-expansion
the long form needs to be used:
%u => %{user}
%n => %{username}
%d => %{domain}

This is backwards compatible with dovecot 2.3 as well:
https://doc.dovecot.org/2.3/configuration_manual/config_file/config_variables/#user-variables
2025-03-19 19:26:10 +00:00
Philipp Bartsch
9b5df96132 postfix: enable smtp tls logging
Log a summary message on TLS handshake completion.
2025-03-19 19:12:49 +00:00
Michael Lohmann
90539a1a99 Fix URLs for dovecot
The old wiki was deleted and so the new one has to be used
2025-03-14 21:16:26 +00:00
Michael Lohmann
c8ec4d5e43 remove rebootAfterKernelUpgrade option
This is not a feature specific to the mailserver. Indeed, the feature
was added to `system.autoUpgrade.allowReboot` with NixOS 19.09 and it
has better detection if a reboot is necessary.

For the system.autoUpgrade there is no kexec option, but the use was
discouraged.
2025-02-24 23:44:13 +01:00
Michael Lohmann
f23faf97d6 rebootAfterKernelUpgrade: document that this can be done from nixos
Since NixOS 19.09 autoUpgrade also has the ability to do automatic
reboots. Its detection on whether a reboot is necessary is a bit more
sophisticated. Having this option in the mail-server implied to me that
it did something additionally, though it was just a feature which was
not included in NixOS at the time it was introduced for the mail-server.

Mentioning the fact in the documentation might help people not to get
confused about why they should turn `system.autoUpgrade.allowReboot` off
and instead use the mail-server's reboot flag.
2025-02-24 16:11:59 +01:00
Antoine Eiche
8c1c4640b8 Increase the evaluation periodicity from 30s to 5m
This has been asked by the Nix community for debugging and maintenance
purposes.
2025-02-09 18:14:30 +01:00
euxane
6b425d13f5 tests: fix renamed options warnings 2025-01-24 17:40:48 +01:00
Guillaume Girol
ade37b2765 fts xapian: adapt to newer versions
fts xapian does not publish configuration changes in a changelog. As a
result, some options that nixos mailserver was setting for it have been
ignored for several years. New options (process_limit) are now
recommended. This adapts the module to these changes.

The default value of partial= is 2, but fts_xapian 1.8.3 now requires it
to be at least 3, and fails loudly in case it is 2. As a result, this
change is required to support fts_xapian 1.8.3 and later.
2025-01-18 12:00:00 +00:00
Ryan Trinkle
dc0569066e Make imap memory limit configurable 2024-12-26 16:25:46 +00:00