A complete and Simple Nixos Mailserver
| File        | Last commit                        | Date                       |
| ----------- | ---------------------------------- | -------------------------- |
| logo        | add logo                           | 2017-09-13 14:03:04 +02:00 |
| mail-server | jbboehr's fix for #21              | 2017-11-09 08:23:13 +01:00 |
| nixops      | flesh out nixops file a little     | 2017-09-13 10:16:47 +02:00 |
| tests       | add test for vmail gid             | 2017-11-05 11:14:39 +01:00 |
| .travis.yml | Switch to nixpkgs-unstable channel. | 2017-09-22 12:50:06 -05:00 |
| default.nix | fix vmail bug                      | 2017-10-18 09:20:44 +02:00 |
| LICENSE     | Initial commit                     | 2016-07-21 18:09:04 +02:00 |
| README.md   | give a rough overview of the steps | 2017-11-10 17:16:21 +01:00 |

Simple Nixos MailServer

Stable Releases

None so far.

Latest Release Candidate

Features

v1.1

  • Postfix MTA
    • smtp on port 25
    • submission port 587
    • lmtp with dovecot
  • Dovecot
    • maildir folders
    • imap starttls on port 143
    • pop3 starttls on port 110
  • Certificates
    • manual certificates
    • on the fly creation
  • Spam Filtering
    • via rspamd
    • hard coded sieve script to move spam into Junk folder
  • Virus Scanning
    • via clamav
  • DKIM Signing
    • via opendkim
  • User Management
    • declarative user management
    • declarative password management

v1.2

  • Certificates
    • Let's Encrypt
  • Sieves
    • Allow user defined sieve scripts
  • User Aliases
    • More complete alias support

v2.0

  • Multiple Domains

Changelog

v1.0 -> v1.1

  • Changed structure to Nix Modules
  • Adds Sieve support

How to Deploy

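{ config, pkgs, ... }:
{
  imports = [
    # Source tarball of the v1.1-rc3 release candidate.
    # This fetch is unpinned; pass { url = ...; sha256 = ...; } to pin its contents.
    (builtins.fetchTarball "https://github.com/r-raymond/nixos-mailserver/archive/v1.1-rc3.tar.gz")
  ];

  mailserver = {
    enable = true;
    domain = "example.com";
    login_accounts = {
      user1 = {
        name = "test";
        # SHA-512 crypt hash of the account password (e.g. from `mkpasswd -m sha-512`).
        hashedPassword = "$6$Mmmx1U68$Twd8acMxqHoqFyfz3SPz1pzjY/D36gayAdpUTFMvfrHQUwObF3acuLz2GYAGFzsjHLEK/dPIv3pCwj3kZ5T2u.";
      };
    };
    # Mail addressed to admin@example.com is delivered to user1.
    virtualAliases = {
      admin = "user1";
    };
  };
}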

For a complete list of options, see default.nix.

How to Test

You can test the setup via nixops. After installation, do

nixops create nixops/single-server.nix nixops/vbox.nix -d mail
nixops deploy -d mail
nixops info -d mail

You can then test the server via e.g. telnet. To log into it, use

nixops ssh -d mail mailserver

To test imap manually use

openssl s_client -host mail.example.com -port 143 -starttls imap

How to Set Up a 10/10 Mail Server

Mail servers can be tricky to set up. This guide walks you through the most important steps to achieve a 10/10 score on mail-tester.com.

Fully Qualified Domain Name

No matter how many domains you want to serve on your mail server, you need to settle on a Fully Qualified Domain Name (FQDN) where your server is reachable, so that other servers can find yours. Common FQDNs include mx.example.com (where example.com is a domain you own) or mail.example.com.

After you have settled on an FQDN (we will assume mx.example.com henceforth) you need to

  • Set a DNS entry on your domain to point to the IP of the server. For this add a DNS record such as

    | Name (Subdomain) | TTL   | Type | Priority | Value           |
    | ---------------- | ----- | ---- | -------- | --------------- |
    | mx.example.com   | 10800 | A    |          | xxx.xxx.xxx.xxx |

    to your domain, where xxx.xxx.xxx.xxx is the IP of your server.

  • Set an rDNS (reverse DNS) entry for your FQDN. You need to do so wherever you have rented your server. Make sure that xxx.xxx.xxx.xxx resolves to mx.example.com.

MX Record

| Name (Subdomain) | TTL   | Type | Priority | Value             |
| ---------------- | ----- | ---- | -------- | ----------------- |
| domain1.com      |       | MX   | 10       | mx.example.com    |

SPF Record

| Name (Subdomain) | TTL   | Type | Priority | Value                             |
| ---------------- | ----- | ---- | -------- | -----------------                 |
| domain1.com      | 10800 | TXT  |          | `v=spf1 ip4:xxx.xxx.xxx.xxx -all` |

DKIM Signature

| Name (Subdomain)            | TTL   | Type | Priority | Value                     |
| ----------------            | ----- | ---- | -------- | -----------------         |
| dkim._domainkey.domain1.com | 10800 | TXT  |          | `v=DKIM1; p=yyyyyyyyyyyy` |

where yyyyyyyyyyyy is the DKIM signature
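
The records from the steps above (A, rDNS, MX, SPF, DKIM) can be checked for consistency before mail is sent. The following is an added example, not code from this project: `check_mail_dns`, the record dictionary layout, the documentation IP 203.0.113.10 and the placeholder key value are assumptions made for illustration. In practice the dictionary would be filled from lookups such as `dig`.

```python
import ipaddress, re

def norm(name):
    return name.rstrip(".").lower()

def check_mail_dns(fqdn, ip, domain, selector, records):
    """Return the problems found in records, a {(name, type): [values]} dict."""
    get = lambda n, t: records.get((n, t), [])
    problems = []
    # Forward and reverse DNS must agree (A record and rDNS/PTR).
    addr = ipaddress.ip_address(ip)
    if ip not in get(fqdn, "A"):
        problems.append(f"A: {fqdn} does not resolve to {ip}")
    if norm(fqdn) not in map(norm, get(addr.reverse_pointer, "PTR")):
        problems.append(f"PTR: {ip} does not resolve back to {fqdn}")
    # Every MX value ("<priority> <host>") must point at the server's FQDN.
    targets = [norm(v.split()[-1]) for v in get(domain, "MX")]
    if not targets or any(t != norm(fqdn) for t in targets):
        problems.append(f"MX: {domain} -> {targets}, expected {fqdn}")
    # Exactly one SPF policy, authorizing the server IP and ending in -all.
    spf = [v for v in get(domain, "TXT") if v.lower().startswith("v=spf1")]
    if len(spf) != 1:
        problems.append(f"SPF: expected 1 record, found {len(spf)}")
    else:
        terms = spf[0].split()[1:]
        nets = [t[4:] for t in terms if t.lower().startswith("ip4:")]
        if not any(addr in ipaddress.ip_network(n, strict=False) for n in nets):
            problems.append(f"SPF: {ip} not covered by an ip4 term")
        if terms[-1:] != ["-all"]:
            problems.append("SPF: policy does not end in -all")
    # DKIM record: v=DKIM1 and a non-empty, well-formed base64 p= value.
    dkim = get(f"{selector}._domainkey.{domain}", "TXT")
    tags = dict(t.strip().split("=", 1) for t in dkim[0].split(";") if "=" in t) if dkim else {}
    p = tags.get("p", "")
    if tags.get("v") != "DKIM1" or len(p) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", p):
        problems.append("DKIM: missing record, wrong version, or bad p= value")
    return problems

# Constructed sample records (documentation IP range, placeholder key), not real data.
FQDN, IP, DOMAIN = "mx.example.com", "203.0.113.10", "domain1.com"
GOOD = {
    (FQDN, "A"): [IP],
    ("10.113.0.203.in-addr.arpa", "PTR"): ["mx.example.com."],
    (DOMAIN, "MX"): ["10 mx.example.com."],
    (DOMAIN, "TXT"): ["v=spf1 ip4:203.0.113.10 -all"],
    ("dkim._domainkey.domain1.com", "TXT"): ["v=DKIM1; p=Y29uc3RydWN0ZWQta2V5"],
}
# Constructed failure case: misspelled MX target and a soft-fail SPF policy.
BAD = {**GOOD, (DOMAIN, "MX"): ["10 mx.exmaple.com."], (DOMAIN, "TXT"): ["v=spf1 ip4:203.0.113.10 ~all"]}
```

Calling `check_mail_dns(FQDN, IP, DOMAIN, "dkim", BAD)` reports the MX and SPF problems; an empty list means the records agree with each other.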

A Complete Mail Server Without Moving Parts

Used Technologies

  • Nixos
  • Nixpkgs
  • Dovecot
  • Postfix
  • Rmilter
  • Rspamd
  • Clamav
  • Opendkim
  • Pam

Features

  • one domain
  • unlimited mail accounts
  • unlimited aliases for every mail account
  • spam and virus checking
  • dkim signing of outgoing emails
  • imap (optionally pop3)
  • startTLS

Nonfeatures

  • moving parts
  • SQL databases
  • configurations that need to be made after nixos-rebuild switch
  • complicated storage schemes
  • webclients / http-servers

Contributors

  • Special thanks to @Infinisil for the module rewrite
  • @danbst
  • @phdoerfler
  • @eqyiel

Credits