From be5d8c09d8e14e9fab6553a121fa8f53b4dd884f Mon Sep 17 00:00:00 2001
From: Robin Raymond
Date: Sat, 12 Aug 2017 18:27:22 +0200
Subject: [PATCH] add rmilter and certificate files

---
 mail-config.nix          |  6 ++++-
 mail-server/dovecot.nix  | 18 ++++++++++---
 mail-server/postfix.nix  | 17 ++++++++++---
 mail-server/rmilter.nix  | 55 ++++++++++++++++++++++++++++++++++++++++
 mail-server/services.nix | 11 +++++---
 5 files changed, 97 insertions(+), 10 deletions(-)
 create mode 100644 mail-server/rmilter.nix

diff --git a/mail-config.nix b/mail-config.nix
index f25ca5c..e812519 100644
--- a/mail-config.nix
+++ b/mail-config.nix
@@ -89,6 +89,9 @@ let
   cert_file = "/root/mail-server.crt";
   key_file = "/root/mail-server.key";
 
+  # Sceme 2)
+  cert_folder = "/root/certs";
+
   #
   # Whether to enable imap / pop3. Both variants are only supported in the
   # (sane) startTLS configuration. (TODO: Allow SSL ports). The ports are
@@ -119,7 +122,8 @@ in {
 
   services = import ./mail-server/services.nix {
     inherit mail_dir vmail_user_name vmail_group_name valiases domain
-            enable_imap enable_pop3;
+            enable_imap enable_pop3 virus_scanning dkim_signing
+            certificate_scheme cert_file key_file;
   };
 
   environment = import ./mail-server/environment.nix {
diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix
index 8f9c6b2..4b83d55 100644
--- a/mail-server/dovecot.nix
+++ b/mail-server/dovecot.nix
@@ -15,10 +15,22 @@
 # along with this program. If not, see
 
 { vmail_group_name, vmail_user_name, mail_dir, enable_imap, enable_pop3,
-... }:
+certificate_scheme, cert_file, key_file }:
 let
   # maildir in format "/${domain}/${user}/"
   dovecot_maildir = "maildir:${mail_dir}/%d/%n/";
+
+  # cert :: PATH
+  cert = if certificate_scheme == 1
+         then cert_file
+         else "";
+
+  # key :: PATH
+  key = if certificate_scheme == 1
+        then key_file
+        else "";
+
+
 in
 {
   enable = true;
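Review bot: The new `cert_folder` option is defined but never consumed: the inherit list in the following hunk forwards `certificate_scheme cert_file key_file` only, so a user who selects scheme 2 has dovecot and postfix fall into their `else ""` branches and ends up with no certificate at all. Either forward `cert_folder` as well and handle it downstream, or say in the comment that scheme 2 is not implemented yet. The comment also has a typo: `# Sceme 2)` should read `# Scheme 2)`. `certificate_scheme` itself is not defined in this hunk; presumably it sits just above with the scheme 1 options.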
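Review bot: `cert` and `key` degrade to the empty string for any `certificate_scheme` other than 1, and that empty string is assigned to `sslServerCert`/`sslServerKey` in the next hunk; if the NixOS dovecot2 module keys those options on `!= null` rather than on a non-empty string (as I believe it does), the generated config contains an `ssl_cert = <` line with no path and dovecot refuses to start instead of running without TLS. Prefer `else null` here, and more generally fail loudly on an unsupported scheme, e.g. `else throw "certificate_scheme ${toString certificate_scheme} is not supported"`, so a misconfiguration cannot silently leave IMAP/POP3 without a certificate. The same `else ""` pattern appears in the postfix.nix hunk at -33,14; postfix's `sslCert`/`sslKey` options tolerate an empty string, I believe, but the silent fallback is still worth replacing there too.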
@@ -27,8 +39,8 @@ in
   mailGroup = vmail_group_name;
   mailUser = vmail_user_name;
   mailLocation = dovecot_maildir;
-  #sslServerCert = "/etc/nixos/cert/${cert_file}"; // TODO: Define
-  #sslServerKey = "/etc/nixos/cert/${key_file}"; // TODO: Define
+  sslServerCert = cert;
+  sslServerKey = key;
   enableLmtp = true;
   extraConfig = ''
     #Extra Config
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index 54ef710..d132b24 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -14,7 +14,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see
 
-{ mail_dir, domain, valiases }:
+{ mail_dir, domain, valiases, certificate_scheme, cert_file, key_file }:
 
 let
   # valiasToString :: { from = "..."; to = "..." } -> String
@@ -33,14 +33,25 @@ let
   # vhosts_file :: Path
   vhosts_file = builtins.toFile "vhosts" domain;
 
+
+  # cert :: PATH
+  cert = if certificate_scheme == 1
+         then cert_file
+         else "";
+
+  # key :: PATH
+  key = if certificate_scheme == 1
+        then key_file
+        else "";
+
 in
 {
   enable = true;
   networksStyle = "host";
   mapFiles."valias" = valiases_file;
   # mapFiles."vaccounts" = vaccounts_file;
-  # sslCert = "/etc/nixos/cert/${cert_file}";
-  # sslKey = "/etc/nixos/cert/${key_file}";
+  sslCert = cert;
+  sslKey = key;
 
 
   extraConfig = ''
diff --git a/mail-server/rmilter.nix b/mail-server/rmilter.nix
new file mode 100644
index 0000000..ab35248
--- /dev/null
+++ b/mail-server/rmilter.nix
@@ -0,0 +1,55 @@
+# nixos-mailserver: a simple mail server
+# Copyright (C) 2016-2017 Robin Raymond
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see
+
+{ domain, virus_scanning, dkim_signing }:
+
+let
+  clamav = if virus_scanning
+           then
+           ''
+             clamav {
+               servers = /var/run/clamav/clam.ctl;
+             };
+           ''
+           else "";
+  dkim = if dkim_signing
+         then
+         ''
+           dkim {
+             domain {
+               key = /etc/nixos/dkim/${domain}.pem;
+               domain = "${domain}";
+               selector = "dkim";
+             };
+             sign_alg = sha256;
+             auth_only = yes;
+           }
+         ''
+         else "";
+in
+{
+  enable = true;
+  # debug = true;
+  postfix.enable = true;
+  rspamd.enable = true;
+  extraConfig =
+  ''
+    ${clamav}
+
+    ${dkim}
+  '';
+}
+
diff --git a/mail-server/services.nix b/mail-server/services.nix
index 07d6d18..b872586 100644
--- a/mail-server/services.nix
+++ b/mail-server/services.nix
@@ -15,7 +15,8 @@
 # along with this program. If not, see
 
 { mail_dir, vmail_user_name, vmail_group_name, valiases, domain, enable_imap,
-enable_pop3 }:
+enable_pop3, virus_scanning, dkim_signing, certificate_scheme, cert_file,
+key_file }:
 
 {
   # rspamd
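Review bot: The DKIM signing key path `key = /etc/nixos/dkim/${domain}.pem;` is hard-coded while the TLS material in the same patch is configurable through `cert_file`/`key_file`; the private key location should be a parameter of this file, documented next to the other certificate options. Whatever the location, that key must be readable by the rmilter service user and by nothing else, and nothing in this patch sets that up or mentions it. Likewise `virus_scanning = true` points rmilter at `/var/run/clamav/clam.ctl`, but no hunk here enables the clamav daemon that provides that socket, so the option only works if the user enables `services.clamav.daemon` separately; a comment saying so, or enabling it from services.nix when `virus_scanning` is set, would close the gap.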
@@ -23,12 +24,16 @@ enable_pop3 }:
     enable = true;
   };
 
+  rmilter = import ./rmilter.nix {
+    inherit domain virus_scanning dkim_signing;
+  };
+
   postfix = import ./postfix.nix {
-    inherit mail_dir domain valiases;
+    inherit mail_dir domain valiases certificate_scheme cert_file key_file;
   };
 
   dovecot2 = import ./dovecot.nix {
     inherit vmail_group_name vmail_user_name mail_dir enable_imap
-            enable_pop3;
+            enable_pop3 certificate_scheme cert_file key_file;
   };
 }
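Review bot: The `certificate_scheme` to `cert`/`key` resolution is now implemented twice with identical logic, once in postfix.nix and once in dovecot.nix, and both imports here forward the three raw inputs, so the two copies have to be kept in sync by hand. Resolving the scheme once in this file and passing the resulting paths to both imports (`inherit ... cert key;`) would keep the services from drifting and give a single place to add scheme 2 later. The enclosing attribute set starts outside the hunk.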