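# Email server configuration
# Copyright (C) 2022  Nguyễn Gia Phong
#
# This file is part of loang configuration.
#
# Loang configuration is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published
# by the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Loang configuration is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with loang configuration.  If not, see <https://www.gnu.org/licenses/>.

# NixOS module wiring Postfix (SMTP on 25, implicit-TLS submission on 465)
# to Dovecot (IMAPS on 993).  Dovecot provides SASL authentication and
# LMTP delivery to Postfix over UNIX sockets inside the Postfix queue
# directory; both daemons use the ACME certificate of the host's domain.
{ config, ... }:
let
  # Directory holding the ACME-issued files for ${domain}.  The certificate
  # itself must be declared elsewhere (security.acme.certs.<domain>).
  # NOTE(review): neither daemon rereads its certificate on its own; confirm
  # that the ACME declaration reloads postfix and dovecot2 after renewal.
  certDir = config.security.acme.certs.${domain}.directory;
  domain = config.networking.domain;
  # Socket path relative to the Postfix queue directory, shared by
  # Dovecot's LMTP listener and Postfix's transports below.
  lmtp = "private/lmtp";
in {
  # Only the TLS-capable mail ports are exposed; nothing here opens
  # plaintext IMAP (143) or STARTTLS submission (587).
  networking.firewall.allowedTCPPorts = [
    25 # SMTP-MTA
    465 # SMTP-MSA
    993 # IMAPS
  ];

  services = {
    dovecot2 = {
      enable = true;
      # Both listeners are created inside the Postfix queue directory and
      # owned by the Postfix account, so only Postfix can reach them:
      # the auth socket (0660) is used by smtpd for SASL, the LMTP socket
      # (0600) by the lmtp delivery agent.
      extraConfig = let
        postfix = config.services.postfix;
        queue = postfix.config.queue_directory;
      in ''
        service auth {
          unix_listener ${queue}/${postfix.submissionsOptions.smtpd_sasl_path} {
            group = ${postfix.group}
            mode = 0660
            user = ${postfix.user}
          }
        }
        service lmtp {
          unix_listener ${queue}/${lmtp} {
            group = ${postfix.group}
            mode = 0600
            user = ${postfix.user}
          }
        }
      '';
      mailboxes = {
        Archive.specialUse = "Archive";
        Drafts.specialUse = "Drafts";
        Junk.specialUse = "Junk";
        Sent.specialUse = "Sent";
        Trash.specialUse = "Trash";
      };
      # Serve the leaf certificate together with its intermediates, as
      # Dovecot expects for chained certificates.  sslCACert (ssl_ca) is
      # left unset on purpose: that setting names the CAs trusted for
      # *client* certificates, and pointing it at a public CA chain would
      # trust every certificate that CA issues if client-certificate
      # verification were ever switched on.
      sslServerCert = "${certDir}/fullchain.pem";
      sslServerKey = "${certDir}/key.pem";
    };

    postfix = {
      # Hand both local and virtual mailboxes to Dovecot over LMTP.
      config = {
        virtual_transport = "lmtp:unix:${lmtp}";
        mailbox_transport = "lmtp:unix:${lmtp}";
      };
      enable = true;
      enableSubmissions = true;
      inherit domain;
      hostname = domain;
      # Options of the implicit-TLS submission service: TLS is mandatory,
      # authentication goes through Dovecot's SASL socket, and anything
      # that is not SASL-authenticated is rejected.
      # NOTE(review): nothing here binds the envelope sender to the
      # authenticated login (e.g. reject_sender_login_mismatch together
      # with smtpd_sender_login_maps), so any account can submit mail as
      # any sender -- acceptable for a single-user host, worth confirming
      # otherwise.
      submissionsOptions = {
        # NOTE(review): the "ascleanup" service is not defined in this
        # file; confirm it exists in master.cf.
        cleanup_service_name = "ascleanup";
        milter_macro_daemon_name = "ORIGINATING";
        smtpd_client_restrictions =
          "permit_sasl_authenticated,reject";
        smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
        smtpd_sasl_auth_enable = "yes";
        smtpd_sasl_local_domain = domain;
        smtpd_sasl_path = "private/auth";
        smtpd_sasl_security_options = "noanonymous";
        smtpd_sasl_type = "dovecot";
        smtpd_tls_security_level = "encrypt";
      };
      # Postfix sends exactly what is in the certificate file, so it must
      # contain the intermediates as well: with the bare leaf (cert.pem)
      # clients that verify the chain cannot build a path to a trusted
      # root.
      sslCert = "${certDir}/fullchain.pem";
      sslKey = "${certDir}/key.pem";
    };
  };
}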