From 1906b2cd26339ff9e3e5253073042777278322e9 Mon Sep 17 00:00:00 2001
From: Nguyễn Gia Phong
Date: Thu, 22 Jun 2023 04:49:24 +0900
Subject: Set up Maddy mail server

---
 configuration.nix | 1 +
 mail.nix | 103 ++++++++++++++++++++++++------------------------------
 2 files changed, 46 insertions(+), 58 deletions(-)

diff --git a/configuration.nix b/configuration.nix
index efd16f4..850024b 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -35,6 +35,7 @@
 ./dns.nix
 ./irc.nix
 ./git.nix
+ ./mail.nix
 ./matrix.nix
 ./push.nix
 ./static.nix
diff --git a/mail.nix b/mail.nix
index fc10aa6..a76cd40 100644
--- a/mail.nix
+++ b/mail.nix
@@ -1,5 +1,5 @@
 # Email server configuration
-# Copyright (C) 2022 Nguyễn Gia Phong
+# Copyright (C) 2023 Nguyễn Gia Phong
 #
 # This file is part of loang configuration.
 #
@@ -16,11 +16,11 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with loang configuration. If not, see .
 
-{ config, ... }:
+{ config, options, ... }:
 let
- certDir = config.security.acme.certs.${domain}.directory;
+ certDir = config.security.acme.certs.${hostname}.directory;
 domain = config.networking.domain;
- lmtp = "private/lmtp";
+ hostname = "tem.${domain}";
 in {
 networking.firewall.allowedTCPPorts = [
 25 # SMTP-MTA
@@ -28,63 +28,50 @@ in {
 993 # IMAPS
 ];
 
- services = {
- dovecot2 = {
- enable = true;
- extraConfig = let
- postfix = config.services.postfix;
- queue = postfix.config.queue_directory;
- in ''
- service auth {
- unix_listener ${queue}/${postfix.submissionsOptions.smtpd_sasl_path} {
- group = ${postfix.group}
- mode = 0660
- user = ${postfix.user}
+ security = {
+ acme.certs.${hostname} = {
+ group = config.services.maddy.group;
+ webroot = "/var/lib/acme/acme-challenge";
+ };
+ pam.services.maddy = { };
+ };
+
+ services.maddy = {
+ config = ''
+ auth_map email_localpart
+ '' + (builtins.replaceStrings [
+ ''
+ auth.pass_table local_authdb {
+ table sql_table {
+ driver sqlite3
+ dsn credentials.db
+ table_name passwords
 }
 }
- service lmtp {
- unix_listener ${queue}/${lmtp} {
- group = ${postfix.group}
- mode = 0600
- user = ${postfix.user}
- }
+ ''
+ "imap tcp://0.0.0.0:143"
+ "submission tcp://0.0.0.0:587"
+ ] [
+ ''
+ auth.shadow local_authdb {
+ debug yes
+ use_helper no
 }
- '';
- mailboxes = {
- Archive.specialUse = "Archive";
- Drafts.specialUse = "Drafts";
- Junk.specialUse = "Junk";
- Sent.specialUse = "Sent";
- Trash.specialUse = "Trash";
- };
- sslServerCert = "${certDir}/cert.pem";
- sslServerKey = "${certDir}/key.pem";
- sslCACert = "${certDir}/chain.pem";
- };
-
- postfix = {
- config = {
- virtual_transport = "lmtp:unix:${lmtp}";
- mailbox_transport = "lmtp:unix:${lmtp}";
- };
- enable = true;
- enableSubmissions = true;
- domain = domain;
- hostname = domain;
- submissionsOptions = {
- cleanup_service_name = "ascleanup";
- milter_macro_daemon_name = "ORIGINATING";
- smtpd_client_restrictions = "permit_sasl_authenticated,reject";
- smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
- smtpd_sasl_auth_enable = "yes";
- smtpd_sasl_local_domain = domain;
- smtpd_sasl_path = "private/auth";
- smtpd_sasl_security_options = "noanonymous";
- smtpd_sasl_type = "dovecot";
- smtpd_tls_security_level = "encrypt";
- };
- sslCert = "${certDir}/cert.pem";
- sslKey = "${certDir}/key.pem";
+ ''
+ "imap tls://0.0.0.0:993"
+ "submission tls://0.0.0.0:465"
+ ] options.services.maddy.config.default);
+ enable = true;
+ hostname = hostname;
+ primaryDomain = domain;
+ tls = {
+ loader = "file";
+ certificates = [{
+ certPath = "${certDir}/cert.pem";
+ keyPath = "${certDir}/key.pem";
+ }];
 };
 };
+
+ users.extraUsers.maddy.extraGroups = [ "shadow" ];
 }
-- 
cgit 1.4.1
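Review bot: The `builtins.replaceStrings` call under `config = ''` in `services.maddy` fails silently: if `options.services.maddy.config.default` ever stops containing the exact `auth.pass_table local_authdb { … }` block or the `imap tcp://0.0.0.0:143` / `submission tcp://0.0.0.0:587` strings, evaluation still succeeds and the server comes up with the plaintext listeners and the unused SQL password table, with nothing in the build to show it. Binding the rewritten text in the `let` block (which sits in the previous hunk) and adding `assert maddyConfig != options.services.maddy.config.default;` before `in {` turns at least a total no-op into an evaluation error; a per-string check would be stricter. Separately, `debug yes` is committed inside `auth.shadow local_authdb`, and `use_helper no` together with `users.extraUsers.maddy.extraGroups = [ "shadow" ]` gives the network-facing maddy process direct read access to every local account's password hash, whereas maddy's `use_helper yes` mode delegates the lookup to a separate helper and would avoid the group grant if the NixOS package provides it — a comment such as `# maddy reads /etc/shadow directly; see use_helper in auth.shadow` explaining the choice would help either way. `pam.services.maddy = { }` is declared but no `auth.pam` block references it in the maddy config, so it looks like a leftover worth confirming.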