Dovecot's home directory is a user-specific state
directory, see https://doc.dovecot.org/2.3/configuration_manual/home_directories_for_virtual_users/.
It is recommendated
1. to never configure a userdb to return the same
home directory for multiple users
2. to store the mailbox under the home directory,
e.g. home = /var/vmail/domain/user and
mail = /var/vmail/domain/user/mail
This change implements these recommendations. The
mailboxes are now stored at
<mailDirectory>/<domain>/<user>/mail. Existing
mailboxes are moved automatically to the new
location as part of the ExecStartPre hook of
dovecot's systemd unit.
This allows overwriting the default values for user_attrs to be empty
which is required when using virtual mailboxes with ldap accounts
that have posixAccount attributes set. When user_attrs is empty string
those are ignored then.
Without using umask there's a small time window where paths are world
readable. That is a bad idea to do for secret files (e.g. the dovecot
code path).
Allow configuring lookups for users and their mail addresses from an
LDAP directory. The LDAP username will be used as an accountname as
opposed to the email address used as the `loginName` for declarative
accounts. Mailbox for LDAP users will be stored below
`/var/vmail/ldap/<account>`.
Configuring domains is out of scope, since domains require further
configuration within the NixOS mailserver construct to set up all
related services accordingly.
Aliases can already be configured using `mailserver.forwards` but could
be supported using LDAP at a later point.
`sieve-test` can be used to test sieve scripts.
It's annoying to nix-shell it in, because it reads the dovecot global
config and might stumble over incompatible .so files (as has happened
to me).
Simply providing it in $PATH is easier.
The current configuration doesn't work when moving spam from the INBOX
to Junk on a local maildir and then syncing the result to the IMAP
server with `mbsync(1)`. This is because `mbsync(1)` doesn't support a
mvoe-detection[1] (i.e. an IMAP MOVE which subsequently causes a Sieve
COPY according to RFC6851 which then triggers report{h,sp}am.sieve), but
instead sends `APPEND` (and removes the message in the src mailbox after
that).
Tested on my own mailserver that this fixes spam learning.
This doesn't work the other way round though because `APPEND` doesn't
have an origin. However, learning mails as spam happens more often than
learning spam as ham, so this is IMHO still useful.
[1] https://sourceforge.net/p/isync/mailman/isync-devel/thread/87y2p1tihz.fsf%40ericabrahamsen.net/#msg37030483
Previously, the static Junk mailbox was used in sieve script to move
spam messages. This patch gets the Junk mailbox defined in the dovecot
mailboxes attribute instead.
Fixes#224
This option has been initially in the mailserver.fullTextSearch
scope. However, this option modifies the location of all index files
of dovecot and not only those used by the full text search feature. It
is then more relevant to have this option in the mailserver top level
scope.
Moreover, the default option has been changed to null in order to keep
existing index files where they are: changing the index location means
recreating all index files. The fts documentation however recommend to
change this default location when enabling the fts feature.
Previously all the xapian files and logs would be stored in the same
folder for all users. This couid probably lead to weird situations where
all users get the same search results.
Currently oneshot services are not re-run on NixOS activate and that
meant that you needed to manually restart `gen-passwd-file` for new
users to be available.
This commit removes the `gen-passwd-file` service and instead simply
calls the same script in the dovecot2 preStart.
- Move the "create password hash file from hashed password" behavior to
a separate variable, since having it in the default field of config
would always cause the warning to trigger
- Change type of hashedPassword to `nullOr str`
It seemed weird to me that preStart on postfix was used to generate
files not needed directly by postfix and for the self-signed
certificate which is also needed by dovecot. nginx.service was also
used as a proxy for when ACME certificate generation was done.
So I have created mailserver-certificates.target for when certificates
are available for other services. For self-signed that means that a
new oneshot service called mailserver-selfsigned-certificate has been
run. And for ACME this means that the target
acme-selfsigned-certificates has been reached (which is when acme has
created the self-signed certificates used before the actual
certificates provided by LetsEncrypt are created). This setup has the
added bonus that if you want to run a service to provide your own
certificates you can set that to run before
mailserver-certificates.target.
DH Parameters are only needed by dovecot so generation of that file has
been moved to the dovecot2 preStart.
And lastly the only remaining reason to for dovecot to start before
postfix was that the auth and lmtp sockets where located in a directory
created by postfix. But since they could just as well be located in
/run/dovecot2 as long as postfix has access to them I have moved them
there.
Christian Ulrich
Sandro Jäckel