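# Email server configuration
# Copyright (C) 2022 Nguyễn Gia Phong
#
# This file is part of loang configuration.
#
# Loang configuration is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published
# by the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Loang configuration is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with loang configuration.  If not, see <https://www.gnu.org/licenses/>.

# NixOS module that enables Dovecot (mail access) and Postfix (SMTP) for the
# host's networking.domain, both using the ACME certificate issued for that
# domain, and opens the matching TCP ports in the firewall.
{ config, ... }:
let
  domain = config.networking.domain;
  certDir = config.security.acme.certs.${domain}.directory;

  # cert.pem holds only the leaf certificate.  Clients that verify the chain
  # need the intermediates as well, so both daemons present fullchain.pem.
  tlsCert = "${certDir}/fullchain.pem";
  # NOTE(review): key.pem must be readable by both Postfix and Dovecot, and
  # nothing in this file grants that access.  Confirm it is handled where the
  # ACME certificate is declared.
  tlsKey = "${certDir}/key.pem";
in {
  networking.firewall.allowedTCPPorts = [
    25 # SMTP-MTA
    # NOTE(review): 110 is the cleartext/STARTTLS POP3 port and no POP3
    # listener is enabled in this file.  If POP3 is not served, drop the port;
    # if it is, confirm plaintext authentication stays disabled on it.
    110 # POP3
    465 # SMTP-MSA
    993 # IMAPS
  ];

  services = {
    dovecot2 = {
      enable = true;
      sslServerCert = tlsCert;
      sslServerKey = tlsKey;
      # NOTE(review): presumably kept so the intermediate chain is available
      # to Dovecot; confirm it is still wanted now that the server
      # certificate file already carries the chain.
      sslCACert = "${certDir}/chain.pem";
    };

    postfix = {
      enable = true;
      # Implicit-TLS submission service (port 465) for authenticated clients.
      enableSubmissions = true;
      inherit domain;
      hostname = domain;

      submissionsOptions = {
        # NOTE(review): "ascleanup" must exist as a cleanup service in
        # master.cf; it is not defined in this file.
        cleanup_service_name = "ascleanup";
        # Daemon name reported to milters for mail accepted by this service.
        milter_macro_daemon_name = "ORIGINATING";
        # Only SASL-authenticated clients may submit; everyone else is
        # rejected, which keeps this port from acting as an open relay.
        smtpd_client_restrictions = "permit_sasl_authenticated,reject";
        smtpd_sasl_auth_enable = "yes";
        smtpd_sasl_local_domain = domain;
        # Socket path, relative to the Postfix queue directory.
        # NOTE(review): Dovecot has to expose its auth socket at this path
        # with permissions Postfix can use; that is not configured in this
        # file, so confirm it is done elsewhere or authentication will fail.
        smtpd_sasl_path = "private/auth";
        # Refuse anonymous SASL mechanisms.
        smtpd_sasl_security_options = "noanonymous";
        smtpd_sasl_type = "dovecot";
        # TLS is mandatory on this service, so credentials are never sent in
        # the clear.
        smtpd_tls_security_level = "encrypt";
      };

      sslCert = tlsCert;
      sslKey = tlsKey;
    };
  };
}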