Commit Graph

837 Commits

Author SHA1 Message Date
Martin Weinelt
faeb1b04d8 Switch nixpkgs to nixos-25.11-small 2025-11-25 13:59:14 +01:00
Martin Weinelt
8d35f004ee Release 25.11 2025-11-25 13:56:52 +01:00
Martin Weinelt
4987d275a9 Merge branch 'flake-update' into 'master'
flake.lock: Update

See merge request simple-nixos-mailserver/nixos-mailserver!468
2025-11-19 15:06:18 +00:00
Martin Weinelt
a35a181671 flake.lock: Update
Flake lock file updates:

• Updated input 'git-hooks':
    'github:cachix/git-hooks.nix/8e7576e79b88c16d7ee3bbd112c8d90070832885' (2025-11-06)
  → 'github:cachix/git-hooks.nix/7275fa67fbbb75891c16d9dee7d88e58aea2d761' (2025-11-16)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/e5d07586ec39f74b390308f2e00040c23bdef530' (2025-11-09)
  → 'github:NixOS/nixpkgs/094318ea16502a7a81ce90dd3638697020f030a2' (2025-11-19)
2025-11-19 15:52:23 +01:00
Martin Weinelt
cbdf90f639 rspamd: fix DKIM signing for subdomains
With the eSLD normalization feature in rspamd subdomains actually use the
DKIM key for their parent domain, which simplifies the setup if you serve
multiple subdomains.

We however currently create DKIM key pairs for every given domain
name, no matter if it is a second-level domain or subdomain for one, so
disabling eSLD normalization aligns with the current intent behind our
configuration.

In the future it would be nice if we could reuse the parent domain DKIM
key for all its subdomains, but that requires some thought on how to
achieve that normalization in nixos-mailserver first.

Reapplies 1a3a618a30 to the correct
configuration file.
2025-11-16 19:29:16 +01:00
Martin Weinelt
b88e6182f0 Revert "rspamd: fix DKIM signing for subdomains"
This reverts commit 1a3a618a30.

This went into the wrong configuration file, unfortunately.
2025-11-16 19:26:22 +01:00
Martin Weinelt
b946f74261 mail-server/common: fix eval
CI has a shitty failure mode where jobs that don't eval get removed and
hydra-cli will still exit cleanly.
2025-11-16 18:41:47 +01:00
Martin Weinelt
345cbc11df Merge branch 'remove-dovecot-service-name-workaround' into 'master'
Remove dovecot service name compat code

See merge request simple-nixos-mailserver/nixos-mailserver!467
2025-11-16 17:29:57 +00:00
Martin Weinelt
1cb4295b74 Remove dovecot service name compat code 2025-11-16 18:18:22 +01:00
Martin Weinelt
db66559815 Merge branch 'srs' into 'master'
Add support for sender rewriting for forwards using postsrsd

See merge request simple-nixos-mailserver/nixos-mailserver!431
2025-11-16 14:00:07 +00:00
Martin Weinelt
17c6816f67 Merge branch 'rspamd-dmarc-no-esld' into 'master'
rspamd: fix DKIM signing for subdomains

See merge request simple-nixos-mailserver/nixos-mailserver!465
2025-11-16 13:57:30 +00:00
Martin Weinelt
1a3a618a30 rspamd: fix DKIM signing for subdomains
With the eSLD normalization feature in rspamd subdomains actually use the
DKIM key for their parent domain, which simplifies the setup if you serve
multiple subdomains.

We however currently create DKIM key pairs for every given domain
name, no matter if it is a second-level domain or subdomain for one, so
disabling eSLD normalization aligns with the current intent behind our
configuration.

In the future it would be nice if we could reuse the parent domain DKIM
key for all its subdomains, but that requires some thought on how to
achieve that normalization in nixos-mailserver first.
2025-11-16 14:55:41 +01:00
Martin Weinelt
61cff94a28 scripts/generate-options: prefer defaultText over default 2025-11-11 13:45:03 +01:00
Martin Weinelt
eeda8ba39e Add support for sender rewriting using postsrsd
With SRS we support forwarding of mails without (fully) breaking SPF
alignment.
2025-11-11 13:45:03 +01:00
Martin Weinelt
b633223a33 Merge branch 'postfix-warnings' into 'master'
postfix: resolve main/master option deprecation

See merge request simple-nixos-mailserver/nixos-mailserver!464
2025-11-10 02:03:19 +00:00
Martin Weinelt
edb7b661e4 postfix: resolve main/master option deprecation 2025-11-10 02:56:51 +01:00
Martin Weinelt
b99f353ab8 postfix: unquote tls_config_file value
This can now be a path type due to changes applied to nixos unstable.
2025-11-10 02:51:46 +01:00
Martin Weinelt
5965fae920 Merge branch 'pq-support' into 'master'
postfix: enable X25519MLKEM768 key exchange

See merge request simple-nixos-mailserver/nixos-mailserver!463
2025-11-10 00:01:28 +00:00
Martin Weinelt
a1532a552f postfix: enable X25519MLKEM768 key exchange
This migrates the key exchange curve group configuration into the OpenSSL
configuration format, which is the only path forward to configure these.

We now prefer a hybrid key exchange for TLS handshake and as a client
we'll send key shares for that and pure X25519, while keeping backwards-
compat for P256 and P384.

The statistics for my personal mail server over the last month show a
clear trend for X25519 key exchanges:

    156 secp384r1
    225 secp256r1
    19541 x25519
2025-11-10 00:31:43 +01:00
Martin Weinelt
e3ee0fcceb flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/8ea611305a7db12c49446f9c40c609614419ec4b' (2025-11-08)
  → 'github:NixOS/nixpkgs/e5d07586ec39f74b390308f2e00040c23bdef530' (2025-11-09)
2025-11-10 00:31:42 +01:00
Martin Weinelt
44dd1778a0 Merge branch 'tlsrpt' into 'master'
MTA-STS lookups, SMTP TLS reports

See merge request simple-nixos-mailserver/nixos-mailserver!430
2025-11-08 22:39:42 +00:00
Martin Weinelt
3555a546ab Add support for SMTP TLS reports
When enabled the tlsrpt services will send out aggregated reports about
TLS connections the local Postfix made to interested parties, who set up
a `_smtp._tls` TXT record with a rua attribute.

Introduces mailserver.systemContact to specify an administrative contact
advertised in these automated reports.
2025-11-08 22:39:29 +01:00
Martin Weinelt
bd56d97299 Merge branch 'update-flake-lock' into 'master'
flake.lock: Update

See merge request simple-nixos-mailserver/nixos-mailserver!462
2025-11-08 17:04:04 +00:00
Martin Weinelt
6f17c29eb8 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/ae814fd3904b621d8ab97418f1d0f2eb0d3716f4' (2025-11-05)
  → 'github:NixOS/nixpkgs/8ea611305a7db12c49446f9c40c609614419ec4b' (2025-11-08)
2025-11-08 17:57:18 +01:00
Martin Weinelt
1cedddf425 flake.lock: Update
Flake lock file updates:

• Updated input 'git-hooks':
    'github:cachix/git-hooks.nix/ca5b894d3e3e151ffc1db040b6ce4dcc75d31c37' (2025-10-17)
  → 'github:cachix/git-hooks.nix/8e7576e79b88c16d7ee3bbd112c8d90070832885' (2025-11-06)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/b3d51a0365f6695e7dd5cdf3e180604530ed33b4' (2025-11-02)
  → 'github:NixOS/nixpkgs/ae814fd3904b621d8ab97418f1d0f2eb0d3716f4' (2025-11-05)
2025-11-08 17:55:51 +01:00
Martin Weinelt
0812ca1e48 Use postfix-tlspol for DANE/MTA-STS policy lookups
Postfix with plain DANE only secures domains that configure DNSSEC and
publish TLSA records. With postfix-tlspol we support MTA-STS protected
connections and get caching for its policy results.

Finally, we use this as a stepping stone to build TLSRPT support on top.
2025-11-08 15:49:34 +01:00
Martin Weinelt
ed771e37f7 Merge branch 'release-check' into 'master'
Check release version compat, stop testing stable NixOS

See merge request simple-nixos-mailserver/nixos-mailserver!440
2025-11-08 12:57:49 +00:00
Martin Weinelt
619e35dce2 Stop testing stable nixos
We only test and support matching nixpkgs versions to simplify alignment
with breaking changes on nixos unstable.
2025-11-08 13:40:56 +01:00
Martin Weinelt
6dbbac29f9 Check release version compat
To move into a better position to align this project with nixpkgs
unstable breaking changes we now default to require a matching nixpkgs
release.
2025-11-08 13:39:33 +01:00
Martin Weinelt
cc54c4fa85 Merge branch 'disable-submission' into 'master'
Disable submission with explicit STARTTLS by default

See merge request simple-nixos-mailserver/nixos-mailserver!461
2025-11-08 11:56:16 +00:00
Martin Weinelt
1337e2eece Disable submission with explicit STARTTLS by default
Deprecated, but not yet scheduled for removal pending user feedback.
2025-11-08 12:50:50 +01:00
Martin Weinelt
58659fbdfd Merge branch 'hotfix-docs-build' into 'master'
docs: fix Read the Docs by using portable-nix

See merge request simple-nixos-mailserver/nixos-mailserver!460
2025-11-05 00:33:50 +00:00
emilylange
9f7291ce68 docs: fix Read the Docs by using portable-nix
As of recently, Nix 2.6 from Ubuntu 22.04 became too old to evaluate
nixpkgs. A new-enough version of Nix is available as part of Ubuntu
24.04, but those newer versions of Nix aren't happy with our rather
primitive proot workaround anymore.

Thankfully, someone already made a version of Nix that does all the
heavy lifting for running in unprivileged environments like the one
Read the Docs provides. So we used that instead.
2025-11-05 01:10:52 +01:00
Martin Weinelt
82c2225914 Merge branch 'flake-update' into 'master'
flake.lock: Update

See merge request simple-nixos-mailserver/nixos-mailserver!459
2025-11-04 00:21:16 +00:00
Martin Weinelt
85f0a94466 flake.nix: update sphinx-rtd-theme package attribute
'sphinx_rtd_theme' has been renamed to/replaced by 'sphinx-rtd-theme'
2025-11-04 00:51:49 +01:00
Martin Weinelt
70256c7d6e flake.lock: Update
Flake lock file updates:

• Updated input 'flake-compat':
    'github:edolstra/flake-compat/9100a0f413b0c601e0533d1d94ffd501ce2e7885' (2025-05-12)
  → 'github:edolstra/flake-compat/f387cd2afec9419c8ee37694406ca490c3f34ee5' (2025-10-27)
• Updated input 'git-hooks':
    'github:cachix/git-hooks.nix/54df955a695a84cd47d4a43e08e1feaf90b1fd9b' (2025-09-17)
  → 'github:cachix/git-hooks.nix/ca5b894d3e3e151ffc1db040b6ce4dcc75d31c37' (2025-10-17)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/e9f00bd893984bc8ce46c895c3bf7cac95331127' (2025-09-28)
  → 'github:NixOS/nixpkgs/b3d51a0365f6695e7dd5cdf3e180604530ed33b4' (2025-11-02)
• Updated input 'nixpkgs-25_05':
    'github:NixOS/nixpkgs/5ed4e25ab58fd4c028b59d5611e14ea64de51d23' (2025-09-29)
  → 'github:NixOS/nixpkgs/3de8f8d73e35724bf9abef41f1bdbedda1e14a31' (2025-11-01)
2025-11-04 00:48:17 +01:00
Martin Weinelt
6005d88bed Merge branch 'fix-acme-extraDomain' into 'master'
Only set acme.extraDomainNames when the certificate scheme is acme

See merge request simple-nixos-mailserver/nixos-mailserver!450
2025-10-03 11:08:18 +00:00
Antoine Eiche
9b57654b31 Only set acme.extraDomainNames when the certificate scheme is acme
Otherwise, certificate domains appear twice in the certificate, since
they are added by the acme module and the nginx module.
2025-10-02 09:36:14 +02:00
lewo
4a05bb1911 Merge branch 'update-flake-lock' into 'master'
flake.lock: Update

See merge request simple-nixos-mailserver/nixos-mailserver!449
2025-10-01 17:55:49 +00:00
Martin Weinelt
1e80fb2594 flake.lock: Update
Flake lock file updates:

• Updated input 'git-hooks':
    'github:cachix/git-hooks.nix/16ec914f6fb6f599ce988427d9d94efddf25fe6d' (2025-06-24)
  → 'github:cachix/git-hooks.nix/54df955a695a84cd47d4a43e08e1feaf90b1fd9b' (2025-09-17)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/94def634a20494ee057c76998843c015909d6311' (2025-07-31)
  → 'github:NixOS/nixpkgs/e9f00bd893984bc8ce46c895c3bf7cac95331127' (2025-09-28)
• Updated input 'nixpkgs-25_05':
    'github:NixOS/nixpkgs/1f08a4df998e21f4e8be8fb6fbf61d11a1a5076a' (2025-07-29)
  → 'github:NixOS/nixpkgs/5ed4e25ab58fd4c028b59d5611e14ea64de51d23' (2025-09-29)
2025-10-01 12:18:02 +02:00
lewo
0ab40d0575 Merge branch 'fix/acme-extra-domains' into 'master'
fix(acme): request certificates for the extra domains too

See merge request simple-nixos-mailserver/nixos-mailserver!448
2025-09-30 05:33:00 +00:00
Giel van Schijndel
bf2b313365 fix(acme): request certificates for the extra domains too
Instead of just making it _possible_ to perform the name validation...
2025-09-28 19:03:32 +02:00
Martin Weinelt
d2534fa431 Merge branch 'fix-jobset-generation' into 'master'
ci: disable command execution in jobset generation

See merge request simple-nixos-mailserver/nixos-mailserver!447
2025-09-22 13:27:17 +00:00
Martin Weinelt
39ead49eb4 ci: disable command execution in jobset generation
When GitLab PR descriptions contain markdown inline code blocks they get
interpreted as command substitutions in bash.

This is because the here-doc string previously allowed for this behavior.
2025-09-22 15:23:26 +02:00
Martin Weinelt
c709476ac5 Merge branch 'disable-plain-access' into 'master'
Disable plaintext access per RFC 8314

See merge request simple-nixos-mailserver/nixos-mailserver!446
2025-09-22 13:19:49 +00:00
Martin Weinelt
54f37811dd Disable plaintext access per RFC 8314
This deprecates the `enableImap` and `enablePop` options and opens them
up for future removal.
2025-09-22 03:46:43 +02:00
Martin Weinelt
b49ae46f22 Merge branch 'rspamd-local-networks' into 'master'
rspamd: restrict addresses we disable checks for to localhost

Closes #326

See merge request simple-nixos-mailserver/nixos-mailserver!444
2025-08-25 13:55:52 +00:00
Martin Weinelt
1a2d7a4bf5 rspamd: restrict addresses we disable checks for to localhost
By default this includes private network subnets, but those should really
use authentication instead, if they want to skip checks.

Closes: #326
2025-08-25 04:12:30 +02:00
Martin Weinelt
cc5f180427 Merge branch 'test-enableSubmissionSsl' into 'master'
tests: also test client submission over `smtps://` instead of just `smtp://` with STARTTLS

See merge request simple-nixos-mailserver/nixos-mailserver!443
2025-08-24 00:41:08 +00:00
emilylange
63b8e1615f tests: also test client submission over smtps://
instead of just smtp:// with STARTTLS.

Opted to call the flag --ssl and not --tls to keep it consistent with
the module option (mailserver.enableSubmissionSsl), dovecot internals
and smtplib in mail-check.py.
2025-08-24 02:29:30 +02:00