Commit Graph

595 Commits

Author SHA1 Message Date
Christian Ulrich 93e2e9395c
fix Dovecot's home directory
Dovecot's home directory is a user-specific state
directory, see https://doc.dovecot.org/2.3/configuration_manual/home_directories_for_virtual_users/.

It is recommendated
1. to never configure a userdb to return the same
   home directory for multiple users
2. to store the mailbox under the home directory,
   e.g. home = /var/vmail/domain/user and
   mail = /var/vmail/domain/user/mail

This change implements these recommendations. The
mailboxes are now stored at
<mailDirectory>/<domain>/<user>/mail. Existing
mailboxes are moved automatically to the new
location as part of the ExecStartPre hook of
dovecot's systemd unit.
2024-11-10 23:42:16 +01:00
Christian Ulrich 85c7a13692
implement OAuth support 2024-10-31 16:58:53 +01:00
Sandro Jäckel af7d3bf5da
Wrap rspamc to avoid having to specific socket manually 2024-08-05 19:00:00 +02:00
Sandro Jäckel 059b50b2e7
Allow setting userAttrs to empty string
This allows overwriting the default values for user_attrs to be empty
which is required when using virtual mailboxes with ldap accounts
that have posixAccount attributes set. When user_attrs is empty string
those are ignored then.
2024-07-16 11:15:14 +02:00
Isabel 290a995de5
refactor: policyd-spf -> spf-engine 2024-06-18 09:03:27 +01:00
isabel 54cbacb6eb
chore: remove flake utils 2024-06-14 21:52:49 +01:00
Antoine Eiche 29916981e7 Release 24.05 2024-06-11 07:36:43 +02:00
RoastedCheese 0d51a32e47 acme: test acmeCertificateName if module is enabled 2024-06-04 15:31:28 +00:00
Martin Weinelt ed80b589d3
postfix: remove deprecated smtpd_tls_eecdh_grade
Causes a warning that suggests to just leave it at its default.
2024-06-03 12:34:43 +02:00
Matthew Leach 46a0829aa8 acme: Add new option acmeCertificateName
Allow the user to specify the name of the ACME configuration that the
mailserver should use. This allows users that request certificates that
aren't the FQDN of the mailserver, for example a wildcard certificate.
2024-05-31 09:53:32 +01:00
jopejoe1 41059fc548 docs: use settings instead of config in radicale 2024-05-03 09:14:16 +02:00
Sandro Jäckel ef4756bcfc Quote ldap password
Otherwise special characters like # do not work
2024-04-28 10:02:48 +00:00
Sandro 9f6635a035 Drop default acmeRoot 2024-04-13 12:42:45 +00:00
Antoine Eiche 79c8cfcd58 Remove the support of 23.05 and 23.11
This is because SNM now supports the new sieve nixpkgs interface,
which is not backward compatible with previous releases.
2024-03-14 21:51:05 +01:00
Gaetan Lepage 799fe34c12 Update nixpkgs 2024-03-14 21:51:05 +01:00
Gaetan Lepage d507bd9c95 dovecot: no longer need to copy sieve scripts 2024-03-14 21:50:46 +01:00
Raito Bezarius fe6d325397 dovecot: support new `sieve` API in nixpkgs
Since https://github.com/NixOS/nixpkgs/pull/275031 things have became more structured
when it comes to the sieve plugin.

Relies on https://github.com/NixOS/nixpkgs/pull/281001 for full
features.
2024-03-09 23:23:17 +01:00
Christian Theune 572c1b4d69 rspamd: fix duplicate and syntactically wrong header settings
Fixes #280
2024-03-08 14:52:52 +01:00
Sleepful 9e36323ae3 Update roundcube example configuration: smtp_server is deprecated
Related issue on GH: https://github.com/roundcube/roundcubemail/issues/8756
2024-01-31 17:08:06 -06:00
Antoine Eiche e47f3719f1 Release 23.11 2024-01-25 22:52:54 +01:00
Antoine Eiche b5023b36a1 postfix: exclude $mynetwork from smtpd_forbid_bare_newline 2023-12-27 09:46:26 +01:00
Alvar Penning 3f526c08e8
postfix: SMTP Smuggling Protection
Enable Postfix SMTP Smuggling protection, introduced in Postfix 3.8.4,
which is, currently, only available within the nixpkgs' master branch.

- https://github.com/NixOS/nixpkgs/pull/276104
- https://github.com/NixOS/nixpkgs/pull/276264

For information about SMTP Smuggling:

- https://www.postfix.org/smtp-smuggling.html
- https://www.postfix.org/postconf.5.html#smtpd_forbid_bare_newline
2023-12-23 20:15:16 +01:00
Lafiel 008d78cc21
dovecot: add support store mailbox names on disk using UTF-8 2023-11-16 01:02:33 +03:00
Jean-Baptiste Giraudeau 84783b661e
Add tests for regex (PCRE) aliases 2023-09-28 16:13:00 +02:00
Jean-Baptiste Giraudeau 93221e4b25
Add support for regex (PCRE) aliases. 2023-09-05 14:58:10 +02:00
Naïm Favier c63f6e7b05
docs: fix link 2023-07-21 23:55:54 +02:00
Bjørn Forsman a3b03d1b5a Use umask for race-free permission setting
Without using umask there's a small time window where paths are world
readable. That is a bad idea to do for secret files (e.g. the dovecot
code path).
2023-07-17 18:22:16 +02:00
Antoine Eiche 69a4b7ad67 ldap: add an entry in the doc 2023-07-11 19:31:20 +00:00
Antoine Eiche 71b4c62d85 dovecot: fix a typo on userAttrs 2023-07-11 19:31:20 +00:00
Antoine Eiche 6775502be3 ldap: set assertions to forbid ldap and loginAccounts simultaneously 2023-07-11 19:31:20 +00:00
Antoine Eiche 7695c856f1 ldap: improve the documentation 2023-07-11 19:31:20 +00:00
Antoine Eiche fb3210b932 ldap: do not write password to the Nix store 2023-07-11 19:31:20 +00:00
Antoine Eiche 33554e57ce Make the ldap test working
- The smtp/imap user name is now user@domain.tld
- Make the test_lookup function much more robust: it was now getting
  the correct file from the store.
2023-07-11 19:31:20 +00:00
Martin Weinelt 8b03ae5701 Create LDAP test
Sets up a declaratively configured OpenLDAP instance with users alice
and bob. They each own one email address,

First we test that postfix can communicate with LDAP and do the expected
lookups using the defined maps.

Then we use doveadm to make sure it can look up the two accounts.

Next we check the binding between account and mail address, by logging
in as alice and trying to send from bob@example.com, which alice is not
allowed to do. We expect postfix to reject the sender address here.

Finally we check mail delivery between alice and bob. Alice tries to
send a mail from alice@example.com to bob@example.com and bob then
checks whether it arrived in their mailbox.
2023-07-11 19:31:20 +00:00
Martin Weinelt 42e245b069 scripts/mail-check: allow passing the smtp username
Will be prefered over the from address when specified.
2023-07-11 19:31:20 +00:00
Martin Weinelt 08f077c5ca Add support for LDAP users
Allow configuring lookups for users and their mail addresses from an
LDAP directory. The LDAP username will be used as an accountname as
opposed to the email address used as the `loginName` for declarative
accounts. Mailbox for LDAP users will be stored below
`/var/vmail/ldap/<account>`.

Configuring domains is out of scope, since domains require further
configuration within the NixOS mailserver construct to set up all
related services accordingly.

Aliases can already be configured using `mailserver.forwards` but could
be supported using LDAP at a later point.
2023-07-11 19:31:20 +00:00
Nigel Bray d460e9ff62 Fix and improve the setup guide 2023-07-05 21:53:56 +02:00
Florian Klink 0c1801b489 dovecot: add dovecot_pigeonhole to system packages
`sieve-test` can be used to test sieve scripts.

It's annoying to nix-shell it in, because it reads the dovecot global
config and might stumble over incompatible .so files (as has happened
to me).

Simply providing it in $PATH is easier.
2023-06-29 20:54:57 +02:00
Antoine Eiche 24128c3052 Release 23.05 2023-06-22 21:31:07 +02:00
Antoine Eiche c4ec122aac readme: remove the announcement public key
Current maintainer no longer has it.
2023-06-11 17:10:19 +02:00
Antoine Eiche 131c48de9b Preserve the compatibility with nixos-22.11 2023-06-11 17:10:14 +02:00
Antoine Eiche 290d00f6db Improve the certificateScheme number deprecation warning message 2023-06-11 07:29:18 +00:00
Mynacol 7e09d8f537 docs: add submissions DNS record for autodiscovery
Add the submissions autodiscovery SRV DNS record for implicit TLS in
SMTP (submission) connections according to
[RFC 8314](https://www.rfc-editor.org/rfc/rfc8314#section-5.1).
2023-05-29 15:09:08 +02:00
Antoine Eiche 1bcfcf786b Remove the NixOS 22.11 support
Because the option `nodes.domain1.services.dnsmasq.settings' does not
exist.
2023-05-24 23:37:17 +02:00
Naïm Favier a948c49ca7 Allow using existing ACME certificates
Add a certificate scheme for using an existing ACME certificate without
setting up Nginx.

Also use names instead of magic numbers for certificate schemes.
2023-05-24 21:10:02 +00:00
Naïm Favier 42c5564791 tests: use `services.dnsmasq.settings`
Gets rid of the warning about `extraConfig` being deprecated.
2023-05-24 21:10:02 +00:00
Antoine Eiche fd605a419b Fix test names 2023-05-24 23:06:29 +02:00
Lafiel d8131ffc61 dovecot: split passdb and userdb 2023-05-23 20:41:36 +00:00
Maximilian Bosch bd99079363 mail-server/dovecot: also learn spam/ham on APPEND
The current configuration doesn't work when moving spam from the INBOX
to Junk on a local maildir and then syncing the result to the IMAP
server with `mbsync(1)`. This is because `mbsync(1)` doesn't support a
mvoe-detection[1] (i.e. an IMAP MOVE which subsequently causes a Sieve
COPY according to RFC6851 which then triggers report{h,sp}am.sieve), but
instead sends `APPEND` (and removes the message in the src mailbox after
that).

Tested on my own mailserver that this fixes spam learning.

This doesn't work the other way round though because `APPEND` doesn't
have an origin. However, learning mails as spam happens more often than
learning spam as ham, so this is IMHO still useful.

[1] https://sourceforge.net/p/isync/mailman/isync-devel/thread/87y2p1tihz.fsf%40ericabrahamsen.net/#msg37030483
2023-05-23 19:49:59 +00:00
Juergen Fitschen c04e4f22da opendkim: make public key world-readable 2023-05-14 07:11:48 +00:00