Martin Weinelt
eeda8ba39e
Add support for sender rewriting using postsrsd
With SRS we support forwarding of mails without (fully) breaking SPF
alignment.
2025-11-11 13:45:03 +01:00
Martin Weinelt
b633223a33
Merge branch 'postfix-warnings' into 'master'
postfix: resolve main/master option deprecation
See merge request simple-nixos-mailserver/nixos-mailserver!464
2025-11-10 02:03:19 +00:00
Martin Weinelt
edb7b661e4
postfix: resolve main/master option deprecation
2025-11-10 02:56:51 +01:00
Martin Weinelt
b99f353ab8
postfix: unquote tls_config_file value
This can now be a path type due to changes applied to nixos unstable.
2025-11-10 02:51:46 +01:00
Martin Weinelt
5965fae920
Merge branch 'pq-support' into 'master'
postfix: enable X25519MLKEM768 key exchange
See merge request simple-nixos-mailserver/nixos-mailserver!463
2025-11-10 00:01:28 +00:00
Martin Weinelt
a1532a552f
postfix: enable X25519MLKEM768 key exchange
This migrates the key exchange curve group configuration into the OpenSSL
configuration format, which is the only path forward to configure these.
We now prefer a hybrid key exchange for TLS handshake and as a client
we'll send key shares for that and pure X25519, while keeping backwards-
compat for P256 and P384.
The statistics for my personal mail server over the last month show a
clear trend for X25519 key exchanges:
156 secp384r1
225 secp256r1
19541 x25519
2025-11-10 00:31:43 +01:00
Martin Weinelt
e3ee0fcceb
flake.lock: Update
Flake lock file updates:
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/8ea611305a7db12c49446f9c40c609614419ec4b' (2025-11-08)
→ 'github:NixOS/nixpkgs/e5d07586ec39f74b390308f2e00040c23bdef530' (2025-11-09)
2025-11-10 00:31:42 +01:00
Martin Weinelt
44dd1778a0
Merge branch 'tlsrpt' into 'master'
MTA-STS lookups, SMTP TLS reports
See merge request simple-nixos-mailserver/nixos-mailserver!430
2025-11-08 22:39:42 +00:00
Martin Weinelt
3555a546ab
Add support for SMTP TLS reports
When enabled, the tlsrpt services will send out aggregated reports about
TLS connections the local Postfix made to interested parties, who set up
a `_smtp._tls` TXT record with a rua attribute.
Introduces mailserver.systemContact to specify an administrative contact
advertised in these automated reports.
2025-11-08 22:39:29 +01:00
Martin Weinelt
bd56d97299
Merge branch 'update-flake-lock' into 'master'
flake.lock: Update
See merge request simple-nixos-mailserver/nixos-mailserver!462
2025-11-08 17:04:04 +00:00
Martin Weinelt
6f17c29eb8
flake.lock: Update
Flake lock file updates:
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/ae814fd3904b621d8ab97418f1d0f2eb0d3716f4' (2025-11-05)
→ 'github:NixOS/nixpkgs/8ea611305a7db12c49446f9c40c609614419ec4b' (2025-11-08)
2025-11-08 17:57:18 +01:00
Martin Weinelt
1cedddf425
flake.lock: Update
Flake lock file updates:
• Updated input 'git-hooks':
'github:cachix/git-hooks.nix/ca5b894d3e3e151ffc1db040b6ce4dcc75d31c37' (2025-10-17)
→ 'github:cachix/git-hooks.nix/8e7576e79b88c16d7ee3bbd112c8d90070832885' (2025-11-06)
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/b3d51a0365f6695e7dd5cdf3e180604530ed33b4' (2025-11-02)
→ 'github:NixOS/nixpkgs/ae814fd3904b621d8ab97418f1d0f2eb0d3716f4' (2025-11-05)
2025-11-08 17:55:51 +01:00
Martin Weinelt
0812ca1e48
Use postfix-tlspol for DANE/MTA-STS policy lookups
Postfix with plain DANE only secures domains that configure DNSSEC and
publish TLSA records. With postfix-tlspol we support MTA-STS protected
connections and get caching for its policy results.
Finally, we use this as a stepping stone to build TLSRPT support on top.
2025-11-08 15:49:34 +01:00
Martin Weinelt
ed771e37f7
Merge branch 'release-check' into 'master'
Check release version compat, stop testing stable NixOS
See merge request simple-nixos-mailserver/nixos-mailserver!440
2025-11-08 12:57:49 +00:00
Martin Weinelt
619e35dce2
Stop testing stable nixos
We only test and support matching nixpkgs versions to simplify alignment
with breaking changes on nixos unstable.
2025-11-08 13:40:56 +01:00
Martin Weinelt
6dbbac29f9
Check release version compat
To move into a better position to align this project with nixpkgs
unstable breaking changes we now default to requiring a matching nixpkgs
release.
2025-11-08 13:39:33 +01:00
Martin Weinelt
cc54c4fa85
Merge branch 'disable-submission' into 'master'
Disable submission with explicit STARTTLS by default
See merge request simple-nixos-mailserver/nixos-mailserver!461
2025-11-08 11:56:16 +00:00
Martin Weinelt
1337e2eece
Disable submission with explicit STARTTLS by default
Deprecated, but not yet scheduled for removal pending user feedback.
2025-11-08 12:50:50 +01:00
Martin Weinelt
58659fbdfd
Merge branch 'hotfix-docs-build' into 'master'
docs: fix Read the Docs by using portable-nix
See merge request simple-nixos-mailserver/nixos-mailserver!460
2025-11-05 00:33:50 +00:00
emilylange
9f7291ce68
docs: fix Read the Docs by using portable-nix
As of recently, Nix 2.6 from Ubuntu 22.04 became too old to evaluate
nixpkgs. A new-enough version of Nix is available as part of Ubuntu
24.04, but those newer versions of Nix aren't happy with our rather
primitive proot workaround anymore.
Thankfully, someone already made a version of Nix that does all the
heavy lifting for running in unprivileged environments like the one
Read the Docs provides. So we used that instead.
2025-11-05 01:10:52 +01:00
Martin Weinelt
82c2225914
Merge branch 'flake-update' into 'master'
flake.lock: Update
See merge request simple-nixos-mailserver/nixos-mailserver!459
2025-11-04 00:21:16 +00:00
Martin Weinelt
85f0a94466
flake.nix: update sphinx-rtd-theme package attribute
'sphinx_rtd_theme' has been renamed to/replaced by 'sphinx-rtd-theme'
2025-11-04 00:51:49 +01:00
Martin Weinelt
70256c7d6e
flake.lock: Update
Flake lock file updates:
• Updated input 'flake-compat':
'github:edolstra/flake-compat/9100a0f413b0c601e0533d1d94ffd501ce2e7885' (2025-05-12)
→ 'github:edolstra/flake-compat/f387cd2afec9419c8ee37694406ca490c3f34ee5' (2025-10-27)
• Updated input 'git-hooks':
'github:cachix/git-hooks.nix/54df955a695a84cd47d4a43e08e1feaf90b1fd9b' (2025-09-17)
→ 'github:cachix/git-hooks.nix/ca5b894d3e3e151ffc1db040b6ce4dcc75d31c37' (2025-10-17)
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/e9f00bd893984bc8ce46c895c3bf7cac95331127' (2025-09-28)
→ 'github:NixOS/nixpkgs/b3d51a0365f6695e7dd5cdf3e180604530ed33b4' (2025-11-02)
• Updated input 'nixpkgs-25_05':
'github:NixOS/nixpkgs/5ed4e25ab58fd4c028b59d5611e14ea64de51d23' (2025-09-29)
→ 'github:NixOS/nixpkgs/3de8f8d73e35724bf9abef41f1bdbedda1e14a31' (2025-11-01)
2025-11-04 00:48:17 +01:00
Martin Weinelt
6005d88bed
Merge branch 'fix-acme-extraDomain' into 'master'
Only set acme.extraDomainNames when the certificate scheme is acme
See merge request simple-nixos-mailserver/nixos-mailserver!450
2025-10-03 11:08:18 +00:00
Antoine Eiche
9b57654b31
Only set acme.extraDomainNames when the certificate scheme is acme
Otherwise, certificate domains appear twice in the certificate, since
they are added by the acme module and the nginx module.
2025-10-02 09:36:14 +02:00
lewo
4a05bb1911
Merge branch 'update-flake-lock' into 'master'
flake.lock: Update
See merge request simple-nixos-mailserver/nixos-mailserver!449
2025-10-01 17:55:49 +00:00
Martin Weinelt
1e80fb2594
flake.lock: Update
Flake lock file updates:
• Updated input 'git-hooks':
'github:cachix/git-hooks.nix/16ec914f6fb6f599ce988427d9d94efddf25fe6d' (2025-06-24)
→ 'github:cachix/git-hooks.nix/54df955a695a84cd47d4a43e08e1feaf90b1fd9b' (2025-09-17)
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/94def634a20494ee057c76998843c015909d6311' (2025-07-31)
→ 'github:NixOS/nixpkgs/e9f00bd893984bc8ce46c895c3bf7cac95331127' (2025-09-28)
• Updated input 'nixpkgs-25_05':
'github:NixOS/nixpkgs/1f08a4df998e21f4e8be8fb6fbf61d11a1a5076a' (2025-07-29)
→ 'github:NixOS/nixpkgs/5ed4e25ab58fd4c028b59d5611e14ea64de51d23' (2025-09-29)
2025-10-01 12:18:02 +02:00
lewo
0ab40d0575
Merge branch 'fix/acme-extra-domains' into 'master'
fix(acme): request certificates for the extra domains too
See merge request simple-nixos-mailserver/nixos-mailserver!448
2025-09-30 05:33:00 +00:00
Giel van Schijndel
bf2b313365
fix(acme): request certificates for the extra domains too
Instead of just making it _possible_ to perform the name validation...
2025-09-28 19:03:32 +02:00
Martin Weinelt
d2534fa431
Merge branch 'fix-jobset-generation' into 'master'
ci: disable command execution in jobset generation
See merge request simple-nixos-mailserver/nixos-mailserver!447
2025-09-22 13:27:17 +00:00
Martin Weinelt
39ead49eb4
ci: disable command execution in jobset generation
When GitLab PR descriptions contain markdown inline code blocks they get
interpreted as command substitutions in bash.
This is because the here-doc string previously allowed for this behavior.
2025-09-22 15:23:26 +02:00
Martin Weinelt
c709476ac5
Merge branch 'disable-plain-access' into 'master'
Disable plaintext access per RFC 8314
See merge request simple-nixos-mailserver/nixos-mailserver!446
2025-09-22 13:19:49 +00:00
Martin Weinelt
54f37811dd
Disable plaintext access per RFC 8314
This deprecates the `enableImap` and `enablePop` options and opens them
up for future removal.
2025-09-22 03:46:43 +02:00
Martin Weinelt
b49ae46f22
Merge branch 'rspamd-local-networks' into 'master'
rspamd: restrict addresses we disable checks for to localhost
Closes #326
See merge request simple-nixos-mailserver/nixos-mailserver!444
2025-08-25 13:55:52 +00:00
Martin Weinelt
1a2d7a4bf5
rspamd: restrict addresses we disable checks for to localhost
By default this includes private network subnets, but those should really
use authentication instead, if they want to skip checks.
Closes: #326
2025-08-25 04:12:30 +02:00
Martin Weinelt
cc5f180427
Merge branch 'test-enableSubmissionSsl' into 'master'
tests: also test client submission over `smtps://` instead of just `smtp://` with STARTTLS
See merge request simple-nixos-mailserver/nixos-mailserver!443
2025-08-24 00:41:08 +00:00
emilylange
63b8e1615f
tests: also test client submission over smtps://
instead of just smtp:// with STARTTLS.
Opted to call the flag --ssl and not --tls to keep it consistent with
the module option (mailserver.enableSubmissionSsl), dovecot internals
and smtplib in mail-check.py.
2025-08-24 02:29:30 +02:00
Martin Weinelt
958c112fba
Merge branch 'dkim-rsa2048' into 'master'
Increase default DKIM key bits to 2048
Closes #333
See merge request simple-nixos-mailserver/nixos-mailserver!442
2025-08-22 20:42:21 +00:00
Martin Weinelt
2204f55329
Increase default DKIM key bits to 2048
This is the current recommendation in RFC 8301 from early 2018.
Fixes: #333
2025-08-22 22:38:31 +02:00
Martin Weinelt
2be40a9653
Merge branch 'docs-fix-dovecot-links' into 'master'
docs/dovecot: fix dovecot URLs (again)
See merge request simple-nixos-mailserver/nixos-mailserver!441
2025-08-22 20:34:21 +00:00
emilylange
b7d2f287f3
docs/dovecot: fix dovecot URLs (again)
https://doc.dovecot.org/configuration_manual moved to
https://doc.dovecot.org/2.3/configuration_manual to make room for
https://doc.dovecot.org/:version/ where :version can be any one of 2.3,
2.4.0, 2.4.1 or main.
Unfortunately, there is no redirect for the 2.3 manual pages, rendering
a few of those dovecot links dead. I figured we want to keep the old
docs at /2.3/ for now until we eventually migrate to 2.4, as there are
some differences in the ldap interface between those versions.
Previously: 90539a1a99
2025-08-22 22:06:29 +02:00
Martin Weinelt
57d9624c71
Merge branch 'dmarc-reporter' into 'master'
Allow AF_UNIX sockets for dmarc reporter, tokenize commandline
Closes #331
See merge request simple-nixos-mailserver/nixos-mailserver!437
2025-08-07 22:31:50 +00:00
Martin Weinelt
fc955088e3
Respect configureLocally flag for redis
2025-08-08 00:01:45 +02:00
Martin Weinelt
43f87f5520
Tokenize dmarc reporter commandline
2025-08-08 00:01:45 +02:00
Martin Weinelt
aa06b2f489
Allow AF_UNIX sockets for dmarc reporter and allow group access
This is required to use redis over UNIX domain sockets.
2025-08-08 00:01:45 +02:00
Martin Weinelt
eb656cd361
Merge branch 'flake-bump' into 'master'
postfix: don't cast message_size_limit to string
See merge request simple-nixos-mailserver/nixos-mailserver!435
2025-08-02 00:27:02 +00:00
Martin Weinelt
b76a547bec
treewide: reformat with nixfmt 1.0.0
2025-08-02 02:19:15 +02:00
Martin Weinelt
cea6f25a40
flake.lock: Update
Flake lock file updates:
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/1fd8bada0b6117e6c7eb54aad5813023eed37ccb' (2025-07-06)
→ 'github:NixOS/nixpkgs/94def634a20494ee057c76998843c015909d6311' (2025-07-31)
• Updated input 'nixpkgs-25_05':
'github:NixOS/nixpkgs/29e290002bfff26af1db6f64d070698019460302' (2025-07-05)
→ 'github:NixOS/nixpkgs/1f08a4df998e21f4e8be8fb6fbf61d11a1a5076a' (2025-07-29)
2025-08-02 02:12:47 +02:00
Martin Weinelt
027e6bcd76
postfix: don't cast message_size_limit to string
On unstable this will become a signed integer and there was never a good
reason for this to be a string.
2025-08-02 02:11:11 +02:00
Martin Weinelt
ce87c8a977
Merge branch 'options' into 'master'
acmeCertificateName: Set defaultText as the default is dynamic
See merge request simple-nixos-mailserver/nixos-mailserver!432
2025-07-23 15:47:20 +00:00