Commit Graph

244 Commits

Author SHA1 Message Date
RoastedCheese 0d51a32e47 acme: test acmeCertificateName if module is enabled 2024-06-04 15:31:28 +00:00
Martin Weinelt ed80b589d3
postfix: remove deprecated smtpd_tls_eecdh_grade
Causes a warning that suggests to just leave it at its default.
2024-06-03 12:34:43 +02:00
Matthew Leach 46a0829aa8 acme: Add new option acmeCertificateName
Allow the user to specify the name of the ACME configuration that the
mailserver should use. This allows users that request certificates that
aren't the FQDN of the mailserver, for example a wildcard certificate.
2024-05-31 09:53:32 +01:00
Sandro Jäckel ef4756bcfc Quote ldap password
Otherwise special characters like # do not work
2024-04-28 10:02:48 +00:00
Sandro 9f6635a035 Drop default acmeRoot 2024-04-13 12:42:45 +00:00
Gaetan Lepage d507bd9c95 dovecot: no longer need to copy sieve scripts 2024-03-14 21:50:46 +01:00
Raito Bezarius fe6d325397 dovecot: support new `sieve` API in nixpkgs
Since https://github.com/NixOS/nixpkgs/pull/275031 things have became more structured
when it comes to the sieve plugin.

Relies on https://github.com/NixOS/nixpkgs/pull/281001 for full
features.
2024-03-09 23:23:17 +01:00
Christian Theune 572c1b4d69 rspamd: fix duplicate and syntactically wrong header settings
Fixes #280
2024-03-08 14:52:52 +01:00
Antoine Eiche b5023b36a1 postfix: exclude $mynetwork from smtpd_forbid_bare_newline 2023-12-27 09:46:26 +01:00
Alvar Penning 3f526c08e8
postfix: SMTP Smuggling Protection
Enable Postfix SMTP Smuggling protection, introduced in Postfix 3.8.4,
which is, currently, only available within the nixpkgs' master branch.

- https://github.com/NixOS/nixpkgs/pull/276104
- https://github.com/NixOS/nixpkgs/pull/276264

For information about SMTP Smuggling:

- https://www.postfix.org/smtp-smuggling.html
- https://www.postfix.org/postconf.5.html#smtpd_forbid_bare_newline
2023-12-23 20:15:16 +01:00
Lafiel 008d78cc21
dovecot: add support store mailbox names on disk using UTF-8 2023-11-16 01:02:33 +03:00
Jean-Baptiste Giraudeau 93221e4b25
Add support for regex (PCRE) aliases. 2023-09-05 14:58:10 +02:00
Bjørn Forsman a3b03d1b5a Use umask for race-free permission setting
Without using umask there's a small time window where paths are world
readable. That is a bad idea to do for secret files (e.g. the dovecot
code path).
2023-07-17 18:22:16 +02:00
Antoine Eiche 71b4c62d85 dovecot: fix a typo on userAttrs 2023-07-11 19:31:20 +00:00
Antoine Eiche 6775502be3 ldap: set assertions to forbid ldap and loginAccounts simultaneously 2023-07-11 19:31:20 +00:00
Antoine Eiche fb3210b932 ldap: do not write password to the Nix store 2023-07-11 19:31:20 +00:00
Antoine Eiche 33554e57ce Make the ldap test working
- The smtp/imap user name is now user@domain.tld
- Make the test_lookup function much more robust: it was now getting
  the correct file from the store.
2023-07-11 19:31:20 +00:00
Martin Weinelt 08f077c5ca Add support for LDAP users
Allow configuring lookups for users and their mail addresses from an
LDAP directory. The LDAP username will be used as an accountname as
opposed to the email address used as the `loginName` for declarative
accounts. Mailbox for LDAP users will be stored below
`/var/vmail/ldap/<account>`.

Configuring domains is out of scope, since domains require further
configuration within the NixOS mailserver construct to set up all
related services accordingly.

Aliases can already be configured using `mailserver.forwards` but could
be supported using LDAP at a later point.
2023-07-11 19:31:20 +00:00
Florian Klink 0c1801b489 dovecot: add dovecot_pigeonhole to system packages
`sieve-test` can be used to test sieve scripts.

It's annoying to nix-shell it in, because it reads the dovecot global
config and might stumble over incompatible .so files (as has happened
to me).

Simply providing it in $PATH is easier.
2023-06-29 20:54:57 +02:00
Naïm Favier a948c49ca7 Allow using existing ACME certificates
Add a certificate scheme for using an existing ACME certificate without
setting up Nginx.

Also use names instead of magic numbers for certificate schemes.
2023-05-24 21:10:02 +00:00
Lafiel d8131ffc61 dovecot: split passdb and userdb 2023-05-23 20:41:36 +00:00
Maximilian Bosch bd99079363 mail-server/dovecot: also learn spam/ham on APPEND
The current configuration doesn't work when moving spam from the INBOX
to Junk on a local maildir and then syncing the result to the IMAP
server with `mbsync(1)`. This is because `mbsync(1)` doesn't support a
mvoe-detection[1] (i.e. an IMAP MOVE which subsequently causes a Sieve
COPY according to RFC6851 which then triggers report{h,sp}am.sieve), but
instead sends `APPEND` (and removes the message in the src mailbox after
that).

Tested on my own mailserver that this fixes spam learning.

This doesn't work the other way round though because `APPEND` doesn't
have an origin. However, learning mails as spam happens more often than
learning spam as ham, so this is IMHO still useful.

[1] https://sourceforge.net/p/isync/mailman/isync-devel/thread/87y2p1tihz.fsf%40ericabrahamsen.net/#msg37030483
2023-05-23 19:49:59 +00:00
Juergen Fitschen c04e4f22da opendkim: make public key world-readable 2023-05-14 07:11:48 +00:00
Martin Weinelt fe36e7ae0d rspamd: allow configuring dmarc reporting
Enabling collects DMARC results in Redis and sends out aggregated
reports (RUA) on a daily basis.
2022-11-27 20:34:38 +00:00
Niklas Hambüchen 6284a20f77 acme: Switch from `postRun` to `reloadServices` to fix hangs. Fixes #232 2022-05-24 20:11:52 +00:00
Naïm Favier 46ef908c91
rspamd: set default port for redis
Since we are now using services.redis.servers.rspamd, the port defaults
to 0 (i.e. do not bind a TCP socket). We still want rspamd to connect to
redis via TCP, so set a default port that is one above the default redis port.
2022-02-24 22:06:20 +01:00
Naïm Favier 4ed684481b Update nixos-unstable and drop 21.11 2022-02-24 20:51:40 +00:00
Izorkin f3d967f830
nginx: generate certificates for custom domains and subdomains 2021-12-05 20:53:21 +03:00
Kerstin Humm 7c7ed5ce06 Revert "rspamd: make sure redis is started over TCP socket"
This reverts commit 4f0f0128d8.

Redis does seem to run fine with both unixSocket and TCP enabled. This
broke people's setups.
2021-12-01 01:01:03 +01:00
Lionello Lunesu 822c5f22bd Fix fullTextSearch.enable=false 2021-11-26 04:57:43 +00:00
DwarfMaster 4f0f0128d8 rspamd: make sure redis is started over TCP socket 2021-11-17 17:59:32 +01:00
Lionello Lunesu 6e8142862f opendkim: don't recreate keys if private key is present 2021-11-07 19:57:12 +00:00
Guillaume Girol a13526a6e3 nginx.nix: don't reload nginx
Fixes #227

Reloading nginx manually is actually not needed (see
nginx-config-reload.service) and causes deadlocks.
2021-11-07 19:10:00 +00:00
Ero Sennin 0d9a880c0e Set DKIM policy to relaxed/relaxed
And make this policy configurable.
2021-10-14 18:45:21 +00:00
Steve Purcell fb85a3fe9e Ensure locally-delivered mails have the X-Original-To header
See #223
2021-08-11 12:20:16 +00:00
Antoine Eiche 72748d7b6d Use the Junk mailbox name defined in the mailboxes attrs
Previously, the static Junk mailbox was used in sieve script to move
spam messages. This patch gets the Junk mailbox defined in the dovecot
mailboxes attribute instead.

Fixes #224
2021-08-06 16:21:03 +00:00
Antoine Eiche 9578dbac69 Remove non longer supported configurations (<21.05) 2021-07-24 09:57:44 +02:00
Robert Schütz 49074b7835 kresd: no need to explicitly set nameserver
Since https://github.com/NixOS/nixpkgs/pull/124391, enabling kreasd also
sets `networking.resolvconf.useLocalResolver = true`.
2021-06-03 05:58:42 +00:00
Milan Pässler 9c80a66f57
Make vmail_user a system user
This is required since https://github.com/NixOS/nixpkgs/pull/115332
2021-04-18 15:41:05 +02:00
Antoine Eiche 93330c5453 Move indexDir option to the mailserver scope
This option has been initially in the mailserver.fullTextSearch
scope. However, this option modifies the location of all index files
of dovecot and not only those used by the full text search feature. It
is then more relevant to have this option in the mailserver top level
scope.

Moreover, the default option has been changed to null in order to keep
existing index files where they are: changing the index location means
recreating all index files. The fts documentation however recommend to
change this default location when enabling the fts feature.
2021-04-07 22:22:38 +02:00
Emmanouil Kampitakis d75614a653 Feature/configurable delimiter 2021-03-22 19:05:34 +00:00
Matt Votava d0a2e74574 Use services.clamav.daemon.settings if it is available 2021-03-21 14:32:54 +00:00
Andreas Rammhold 7627c29268
Store FTS index in directory per domain & user to avoid collisions
Previously all the xapian files and logs would be stored in the same
folder for all users. This couid probably lead to weird situations where
all users get the same search results.
2021-03-07 11:26:35 +01:00
Symphorien Gibol 06b989c1e7 add full text search support 2021-03-04 22:17:25 +01:00
Simon Žlender 0c4b9a8985 Make opening ports in the firewall optional 2021-02-09 21:09:36 +01:00
Antoine Eiche 5f431207b3 postfix: forwarding emails of login accounts with keeping local copy
When a local account address is forwarded, the mails were not locally
kept. This was due to the way lookup tables were internally managed.

Instead of using lists to represent Postfix lookup tables, we now use
attribute sets: they can then be easily merged.

A regression test for
https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/
has been added: it sets a forward on a local address and ensure an
email sent to this address is locally kept.

Fixes #205
2021-02-06 08:17:43 +00:00
Izorkin 17eec31cae rspamd: disable dkim signing 2021-01-31 19:36:07 +00:00
Antoine Eiche ee3d38a157 Set mailserver.policydSPFExtraConfig in a debug module
The line type of this option make its concatenation cleaner: the user
doesn't have to manually add `\n` to its policydSPFExtraConfig value
when debug in set.
2020-12-23 09:39:55 +01:00
Naïm Favier 7c06f610f1 Update systemd.nix 2020-12-04 08:20:25 +00:00
Naïm Favier de84ba1aeb Do not hardcode paths to acme certificates 2020-11-30 19:49:48 +00:00