authorNguyễn Gia Phong <mcsinyx@disroot.org>2023-06-22 04:49:24 +0900
committerNguyễn Gia Phong <mcsinyx@disroot.org>2023-06-22 04:49:24 +0900
commit1906b2cd26339ff9e3e5253073042777278322e9 (patch)
tree8fb105d36aba5216b0b27ef88d742b0ede0e07e2 /mail.nix
parent630fa2292c6a82425ffb945928c725a732aa9453 (diff)
Set up Maddy mail server
Diffstat (limited to 'mail.nix')
-rw-r--r--mail.nix103
1 files changed, 45 insertions, 58 deletions
diff --git a/mail.nix b/mail.nix
index fc10aa6..a76cd40 100644
--- a/mail.nix
+++ b/mail.nix
@@ -1,5 +1,5 @@
 # Email server configuration
-# Copyright (C) 2022  Nguyễn Gia Phong
+# Copyright (C) 2023  Nguyễn Gia Phong
 #
 # This file is part of loang configuration.
 #
@@ -16,11 +16,11 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with loang configuration.  If not, see <https://www.gnu.org/licenses/>.
 
-{ config, ... }:
+{ config, options, ... }:
 let
-  certDir = config.security.acme.certs.${domain}.directory;
+  certDir = config.security.acme.certs.${hostname}.directory;
   domain = config.networking.domain;
-  lmtp = "private/lmtp";
+  hostname = "tem.${domain}";
 in {
   networking.firewall.allowedTCPPorts = [
     25 # SMTP-MTA
@@ -28,63 +28,50 @@ in {
     993 # IMAPS
   ];
 
-  services = {
-    dovecot2 = {
-      enable = true;
-      extraConfig = let
-        postfix = config.services.postfix;
-        queue = postfix.config.queue_directory;
-      in ''
-        service auth {
-          unix_listener ${queue}/${postfix.submissionsOptions.smtpd_sasl_path} {
-            group = ${postfix.group}
-            mode = 0660
-            user = ${postfix.user}
+  security = {
+    acme.certs.${hostname} = {
+      group = config.services.maddy.group;
+      webroot = "/var/lib/acme/acme-challenge";
+    };
+    pam.services.maddy = { };
+  };
+
+  services.maddy = {
+    config = ''
+      auth_map email_localpart
+    '' + (builtins.replaceStrings [
+      ''
+        auth.pass_table local_authdb {
+          table sql_table {
+            driver sqlite3
+            dsn credentials.db
+            table_name passwords
           }
         }
-        service lmtp {
-          unix_listener ${queue}/${lmtp} {
-            group = ${postfix.group}
-            mode = 0600
-            user = ${postfix.user}
-          }
+      ''
+      "imap tcp://0.0.0.0:143"
+      "submission tcp://0.0.0.0:587"
+    ] [
+      ''
+        auth.shadow local_authdb {
+          debug yes
+          use_helper no
         }
-      '';
-      mailboxes = {
-        Archive.specialUse = "Archive";
-        Drafts.specialUse = "Drafts";
-        Junk.specialUse = "Junk";
-        Sent.specialUse = "Sent";
-        Trash.specialUse = "Trash";
-      };
-      sslServerCert = "${certDir}/cert.pem";
-      sslServerKey = "${certDir}/key.pem";
-      sslCACert = "${certDir}/chain.pem";
-    };
-
-    postfix = {
-      config = {
-        virtual_transport = "lmtp:unix:${lmtp}";
-        mailbox_transport = "lmtp:unix:${lmtp}";
-      };
-      enable = true;
-      enableSubmissions = true;
-      domain = domain;
-      hostname = domain;
-      submissionsOptions = {
-        cleanup_service_name = "ascleanup";
-        milter_macro_daemon_name = "ORIGINATING";
-        smtpd_client_restrictions = "permit_sasl_authenticated,reject";
-        smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
-        smtpd_sasl_auth_enable = "yes";
-        smtpd_sasl_local_domain = domain;
-        smtpd_sasl_path = "private/auth";
-        smtpd_sasl_security_options = "noanonymous";
-        smtpd_sasl_type = "dovecot";
-        smtpd_tls_security_level = "encrypt";
-      };
-      sslCert = "${certDir}/cert.pem";
-      sslKey = "${certDir}/key.pem";
+      ''
+      "imap tls://0.0.0.0:993"
+      "submission tls://0.0.0.0:465"
+    ] options.services.maddy.config.default);
+    enable = true;
+    hostname = hostname;
+    primaryDomain = domain;
+    tls = {
+      loader = "file";
+      certificates = [{
+        certPath = "${certDir}/cert.pem";
+        keyPath = "${certDir}/key.pem";
+      }];
     };
   };
+
+  users.extraUsers.maddy.extraGroups = [ "shadow" ];
 }
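Review bot: `debug yes` inside the new `auth.shadow local_authdb` block enables verbose logging for the authentication backend, which may write usernames and per-attempt login details to the journal and is not something to leave in a deployed config; drop the line or set `debug no`. The new `users.extraUsers.maddy.extraGroups = [ "shadow" ]` together with `use_helper no` lets the network-facing mail daemon read every password hash in /etc/shadow, and with `auth_map email_localpart` every system account that has a password presumably becomes a valid IMAP/submission login — worth confirming that is intended, or using `use_helper yes` with the setuid helper if the package ships one, so that maddy itself never needs shadow access. `security.pam.services.maddy = { }` looks unused, since the backend selected is `auth.shadow` rather than `auth.pam`; either remove it or add a comment saying why it is registered. The `builtins.replaceStrings` over `options.services.maddy.config.default` silently does nothing if the upstream default text ever changes, which would quietly reinstate the plaintext `tcp://0.0.0.0:143`/`587` listeners and the sqlite `pass_table` without any evaluation error; binding the result and adding `assert replaced != options.services.maddy.config.default;` before using it would make that failure loud at build time.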