aither/simple-nixos-mailserver
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

merge into: aither:havefun-22.05
Branches Tags
aither:havefun-22.05
aither:havefun-24.11
aither:havefun-24.05
aither:havefun-23.11
aither:havefun-23.05
aither:havefun-22.11
...
pull from: aither:havefun-23.05
Branches Tags
aither:havefun-24.11
aither:havefun-24.05
aither:havefun-23.11
aither:havefun-23.05
aither:havefun-22.11
aither:havefun-22.05

25 Commits
havefun-22 ... havefun-23

Author SHA1 Message Date
Jakub Skokan
478da2c67b Allow TLSv1 for compatibility with older devices 2023-06-01 16:53:35 +02:00
Antoine Eiche
acc7791ee9 readme: remove the announcement public key 
Current maintainer no longer has it.
 2023-05-30 23:37:31 +02:00
Antoine Eiche
758fa8f9bc Release 23.05 2023-05-30 23:37:31 +02:00
Antoine Eiche
811389e31b Preserve the compatibility with nixos-23.05 2023-05-30 23:37:31 +02:00
Antoine Eiche
1bcfcf786b Remove the NixOS 22.11 support 
Because the option `nodes.domain1.services.dnsmasq.settings' does not
exist.
 2023-05-24 23:37:17 +02:00
Naïm Favier
a948c49ca7 Allow using existing ACME certificates 
Add a certificate scheme for using an existing ACME certificate without
setting up Nginx.

Also use names instead of magic numbers for certificate schemes.
 2023-05-24 21:10:02 +00:00
Naïm Favier
42c5564791 tests: use services.dnsmasq.settings 
Gets rid of the warning about `extraConfig` being deprecated.
 2023-05-24 21:10:02 +00:00
Antoine Eiche
fd605a419b Fix test names 2023-05-24 23:06:29 +02:00
Lafiel
d8131ffc61 dovecot: split passdb and userdb 2023-05-23 20:41:36 +00:00
Maximilian Bosch
bd99079363 mail-server/dovecot: also learn spam/ham on APPEND 
The current configuration doesn't work when moving spam from the INBOX
to Junk on a local maildir and then syncing the result to the IMAP
server with `mbsync(1)`. This is because `mbsync(1)` doesn't support a
mvoe-detection[1] (i.e. an IMAP MOVE which subsequently causes a Sieve
COPY according to RFC6851 which then triggers report{h,sp}am.sieve), but
instead sends `APPEND` (and removes the message in the src mailbox after
that).

Tested on my own mailserver that this fixes spam learning.

This doesn't work the other way round though because `APPEND` doesn't
have an origin. However, learning mails as spam happens more often than
learning spam as ham, so this is IMHO still useful.

[1] https://sourceforge.net/p/isync/mailman/isync-devel/thread/87y2p1tihz.fsf%40ericabrahamsen.net/#msg37030483
 2023-05-23 19:49:59 +00:00
Juergen Fitschen
c04e4f22da opendkim: make public key world-readable 2023-05-14 07:11:48 +00:00
Maximilian Bosch
e2ca6e45f3 docs: add instructions for rfc6186-compliant setup 2023-05-14 07:08:27 +00:00
Naïm Favier
6d0d9fb966
Update nixpkgs 
Option values are now rendered correctly as Nix thanks to
https://github.com/NixOS/nixpkgs/pull/199363
 2022-12-22 20:45:03 +01:00
Naïm Favier
0bbb2ac74e
docs: drop options.md from the repository 
Generate the file on the readthedocs builder using Nix. Since there is
no root access or user namespaces, we have to use proot (see
https://nixos.wiki/wiki/Nix_Installation_Guide#PRoot).
 2022-12-22 20:45:03 +01:00
Naïm Favier
4fcab839d7
docs: use MarkDown for option docs 2022-12-22 20:45:01 +01:00
Antoine Eiche
bc667fb6af Release 22.11 2022-12-21 22:46:04 +01:00
Antoine Eiche
31eadb6388 doc: regenerate it 2022-11-30 21:03:13 +01:00
Antoine Eiche
033b3d2a45 Removing 22.05 release 
Because of some incompabilities with the 22.11 release.
 2022-11-30 20:59:39 +01:00
Naïm Favier
694e7d34f6
docs: option docs improvements 
- add missing description and defaultText fields
- add dmarcReporting option group
- render examples
 2022-11-30 12:30:29 +01:00
Martin Weinelt
fe36e7ae0d rspamd: allow configuring dmarc reporting 
Enabling collects DMARC results in Redis and sends out aggregated
reports (RUA) on a daily basis.
 2022-11-27 20:34:38 +00:00
Antoine Eiche
3f0b7a1b5c ci: pin nixpkgs to 22.05 
Because hydra-cli build is currently broken on unstable.
 2022-11-27 20:43:25 +01:00
Antoine Eiche
737eb4f398 docs: explicitly mention a reverse DNS entry is required 
Fixes https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/234
 2022-11-27 19:14:52 +00:00
Linus Heckemann
a40e9c3abb htpasswd -> mkpasswd 2022-11-27 19:14:22 +00:00
Martin Weinelt
004c229ca4
Convert minimal test to python test driver 2022-07-19 23:54:04 +02:00
Antoine Eiche
f535d8123c Release 22.05 2022-06-22 22:39:06 +02:00
34 changed files with 543 additions and 1415 deletions
Show Stats Expand all files Collapse all files

4
.gitlab-ci.yml
View File

@ -3,11 +3,11 @@ hydra-pr:
- merge_requests
image: nixos/nix
script:
- nix --extra-experimental-features nix-command run -f channel:nixos-unstable hydra-cli -- -H https://hydra.nix-community.org jobset-wait simple-nixos-mailserver ${CI_MERGE_REQUEST_IID}
- nix-shell -I nixpkgs=channel:nixos-22.05 -p hydra-cli --run 'hydra-cli -H https://hydra.nix-community.org jobset-wait simple-nixos-mailserver ${CI_MERGE_REQUEST_IID}'
hydra-master:
only:
- master
image: nixos/nix
script:
- nix --extra-experimental-features nix-command run -f channel:nixos-unstable hydra-cli -- -H https://hydra.nix-community.org jobset-wait simple-nixos-mailserver master
- nix-shell -I nixpkgs=channel:nixos-22.05 -p hydra-cli --run 'hydra-cli -H https://hydra.nix-community.org jobset-wait simple-nixos-mailserver master'

2
.hydra/declarative-jobsets.nix
View File

@ -32,6 +32,8 @@ let
desc = prJobsets // {
"master" = mkFlakeJobset "master";
"nixos-22.11" = mkFlakeJobset "nixos-22.11";
"nixos-23.05" = mkFlakeJobset "nixos-23.05";
};
log = {

12
.readthedocs.yaml
View File

@ -5,9 +5,17 @@
version: 2
build:
os: ubuntu-20.04
os: ubuntu-22.04
tools:
python: "3.9"
python: "3"
apt_packages:
- nix
- proot
jobs:
pre_install:
- mkdir -p ~/.nix ~/.config/nix
- echo "experimental-features = nix-command flakes" > ~/.config/nix/nix.conf
- proot -b ~/.nix:/nix /bin/sh -c "nix build -L .#optionsDoc && cp -v result docs/options.md"
sphinx:
configuration: docs/conf.py

50
README.md
View File

@ -8,26 +8,21 @@
For each NixOS release, we publish a branch. You then have to use the
SNM branch corresponding to your NixOS version.
* For NixOS 21.11
- Use the [SNM branch `nixos-21.11`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-21.11)
- [Documentation](https://nixos-mailserver.readthedocs.io/en/nixos-21.11/)
- [Release notes](https://nixos-mailserver.readthedocs.io/en/nixos-21.11/release-notes.html#nixos-21-11)
* For NixOS 21.05
- Use the [SNM branch `nixos-21.05`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-21.05)
- [Documentation](https://nixos-mailserver.readthedocs.io/en/nixos-21.05/)
- [Release notes](https://nixos-mailserver.readthedocs.io/en/nixos-21.05/release-notes.html#nixos-21-05)
* For NixOS 23.05
- Use the [SNM branch `nixos-23.05`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-23.05)
- [Documentation](https://nixos-mailserver.readthedocs.io/en/nixos-23.05/)
- [Release notes](https://nixos-mailserver.readthedocs.io/en/nixos-23.05/release-notes.html#nixos-23-05)
* For NixOS 22.11
- Use the [SNM branch `nixos-22.11`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-22.11)
- [Documentation](https://nixos-mailserver.readthedocs.io/en/nixos-22.11/)
- [Release notes](https://nixos-mailserver.readthedocs.io/en/nixos-22.11/release-notes.html#nixos-22-11)
* For NixOS unstable
- Use the [SNM branch `master`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/master)
- [Documentation](https://nixos-mailserver.readthedocs.io/en/latest/)
[Subscribe to SNM Announcement List](https://www.freelists.org/list/snm)
This is a very low volume list where new releases of SNM are announced, so you
can stay up to date with bug fixes and updates. All announcements are signed by
the gpg key with fingerprint
```
D9FE 4119 F082 6F15 93BD BD36 6162 DBA5 635E A16A
```
can stay up to date with bug fixes and updates.
## Features
@ -96,7 +91,7 @@ D9FE 4119 F082 6F15 93BD BD36 6162 DBA5 635E A16A
domains = [ "example.com" "example2.com" ];
loginAccounts = {
"user1@example.com" = {
# nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
# nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' > /hashed/password/file/location
hashedPasswordFile = "/hashed/password/file/location";
aliases = [
@ -117,30 +112,9 @@ For a complete list of options, see `default.nix`.
## How to Set Up a 10/10 Mail Server Guide
Check out the [Complete Setup Guide](https://nixos-mailserver.readthedocs.io/en/latest/setup-guide.html) in the project's documentation.
## How to Backup
Checkout the [Complete Backup Guide](https://nixos-mailserver.readthedocs.io/en/latest/backup-guide.html). Backups are easy with `SNM`.
## Development
See the [How to Develop SNM](https://nixos-mailserver.readthedocs.io/en/latest/howto-develop.html) wiki page.
## Release notes
### nixos-20.03
- Rspamd is upgraded to 2.0 which deprecates the SQLite Bayes
backend. We then moved to the Redis backend (the default since
Rspamd 2.0). If you don't want to relearn the Redis backend from the
scratch, we could manually run
rspamadm statconvert --spam-db /var/lib/rspamd/bayes.spam.sqlite --ham-db /var/lib/rspamd/bayes.ham.sqlite -h 127.0.0.1:6379 --symbol-ham BAYES_HAM --symbol-spam BAYES_SPAM
See the [Rspamd migration
notes](https://rspamd.com/doc/migration.html#migration-to-rspamd-20)
and [this SNM Merge
Request](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/164)
for details.
See the [How to Develop SNM](https://nixos-mailserver.readthedocs.io/en/latest/howto-develop.html) documentation page.
## Contributors
See the [contributor tab](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/graphs/master)
@ -155,6 +129,4 @@ See the [contributor tab](https://gitlab.com/simple-nixos-mailserver/nixos-mails
* Logo made with [Logomakr.com](https://logomakr.com)
[logo]: docs/logo.png

170
default.nix
View File

@ -48,7 +48,11 @@ in
type = types.listOf types.str;
example = [ "imap.example.com" "pop3.example.com" ];
default = [];
description = "Secondary domains and subdomains for which it is necessary to generate a certificate.";
description = ''
({option}`mailserver.certificateScheme` == `acme-nginx`)
Secondary domains and subdomains for which it is necessary to generate a certificate.
'';
};
messageSizeLimit = mkOption {
@ -72,14 +76,14 @@ in
default = null;
example = "$6$evQJs5CFQyPAW09S$Cn99Y8.QjZ2IBnSu4qf1vBxDRWkaIZWOtmu1Ddsm3.H3CFpeVc0JU4llIq8HQXgeatvYhh5O33eWG3TSpjzu6/";
description = ''
The user's hashed password. Use `htpasswd` as follows
The user's hashed password. Use `mkpasswd` as follows
```
nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
```
Warning: this is stored in plaintext in the Nix store!
Use `hashedPasswordFile` instead.
Use {option}`mailserver.loginAccounts.<name>.hashedPasswordFile` instead.
'';
};
@ -88,10 +92,10 @@ in
default = null;
example = "/run/keys/user1-passwordhash";
description = ''
A file containing the user's hashed password. Use `htpasswd` as follows
A file containing the user's hashed password. Use `mkpasswd` as follows
```
nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
```
'';
};
@ -156,7 +160,7 @@ in
description = ''
Specifies if the account should be a send-only account.
Emails sent to send-only accounts will be rejected from
unauthorized senders with the sendOnlyRejectMessage
unauthorized senders with the `sendOnlyRejectMessage`
stating the reason.
'';
};
@ -184,11 +188,11 @@ in
};
description = ''
The login account of the domain. Every account is mapped to a unix user,
e.g. `user1@example.com`. To generate the passwords use `htpasswd` as
e.g. `user1@example.com`. To generate the passwords use `mkpasswd` as
follows
```
nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
```
'';
default = {};
@ -200,7 +204,7 @@ in
description = ''
Folder to store search indices. If null, indices are stored
along with email, which could not necessarily be desirable,
especially when the fullTextSearch option is enable since
especially when {option}`mailserver.fullTextSearch.enable` is `true` since
indices it creates are voluminous and do not need to be backed
up.
@ -242,8 +246,8 @@ in
default = "no";
description = ''
Fail searches when no index is available. If set to
<literal>body</literal>, then only body searches (as opposed to
header) are affected. If set to <literal>no</literal>, searches may
`body`, then only body searches (as opposed to
header) are affected. If set to `no`, searches may
fall back to a very slow brute force search.
'';
};
@ -281,7 +285,7 @@ in
randomizedDelaySec = mkOption {
type = types.int;
default = 1000;
description = "Run the maintenance job not exactly at the time specified with <literal>onCalendar</literal>, but plus or minus this many seconds.";
description = "Run the maintenance job not exactly at the time specified with `onCalendar`, but plus or minus this many seconds.";
};
};
};
@ -333,7 +337,7 @@ in
the value {`"user@example.com" = "user@elsewhere.com";}`
means that mails to `user@example.com` are forwarded to
`user@elsewhere.com`. The difference with the
`extraVirtualAliases` option is that `user@elsewhere.com`
{option}`mailserver.extraVirtualAliases` option is that `user@elsewhere.com`
can't send mail as `user@example.com`. Also, this option
allows to forward mails to external addresses.
'';
@ -367,7 +371,7 @@ in
description = ''
The unix UID of the virtual mail user. Be mindful that if this is
changed, you will need to manually adjust the permissions of
mailDirectory.
`mailDirectory`.
'';
};
@ -448,19 +452,26 @@ in
};
};
certificateScheme = mkOption {
type = types.enum [ 1 2 3 ];
default = 2;
certificateScheme = let
schemes = [ "manual" "selfsigned" "acme-nginx" "acme" ];
translate = i: warn "setting mailserver.certificateScheme by number is deprecated, please use names instead"
(builtins.elemAt schemes (i - 1));
in mkOption {
type = with types; coercedTo (enum [ 1 2 3 ]) translate (enum schemes);
default = "selfsigned";
description = ''
Certificate Files. There are three options for these.
The scheme to use for managing TLS certificates:
1) You specify locations and manually copy certificates there.
2) You let the server create new (self signed) certificates on the fly.
3) You let the server create a certificate via `Let's Encrypt`. Note that
this implies that a stripped down webserver has to be started. This also
implies that the FQDN must be set as an `A` record to point to the IP of
the server. In particular port 80 on the server will be opened. For details
on how to set up the domain records, see the guide in the readme.
1. `manual`: you specify locations via {option}`mailserver.certificateFile` and
{option}`mailserver.keyFile` and manually copy certificates there.
2. `selfsigned`: you let the server create new (self-signed) certificates on the fly.
3. `acme-nginx`: you let the server request certificates from [Let's Encrypt](https://letsencrypt.org)
via NixOS' ACME module. By default, this will set up a stripped-down Nginx server for
{option}`mailserver.fqdn` and open port 80. For this to work, the FQDN must be properly
configured to point to your server (see the [setup guide](setup-guide.rst) for more information).
4. `acme`: you already have an ACME certificate set up (for example, you're already running a TLS-enabled
Nginx server on the FQDN). This is better than `manual` because the appropriate services will be reloaded
when the certificate is renewed.
'';
};
@ -468,8 +479,9 @@ in
type = types.path;
example = "/root/mail-server.crt";
description = ''
Scheme 1)
Location of the certificate
({option}`mailserver.certificateScheme` == `manual`)
Location of the certificate.
'';
};
@ -477,8 +489,9 @@ in
type = types.path;
example = "/root/mail-server.key";
description = ''
Scheme 1)
Location of the key file
({option}`mailserver.certificateScheme` == `manual`)
Location of the key file.
'';
};
@ -486,8 +499,9 @@ in
type = types.path;
default = "/var/certs";
description = ''
Scheme 2)
This is the folder where the certificate will be created. The name is
({option}`mailserver.certificateScheme` == `selfsigned`)
This is the folder where the self-signed certificate will be created. The name is
hardcoded to "cert-DOMAIN.pem" and "key-DOMAIN.pem" and the
certificate is valid for 10 years.
'';
@ -582,7 +596,7 @@ in
type = types.str;
default = "mail";
description = ''
The DKIM selector.
'';
};
@ -590,7 +604,7 @@ in
type = types.path;
default = "/var/dkim";
description = ''
The DKIM directory.
'';
};
@ -601,7 +615,7 @@ in
How many bits in generated DKIM keys. RFC6376 advises minimum 1024-bit keys.
If you have already deployed a key with a different number of bits than specified
here, then you should use a different selector (dkimSelector). In order to get
here, then you should use a different selector ({option}`mailserver.dkimSelector`). In order to get
this package to generate a key with the new number of bits, you will either have to
change the selector or delete the old key file.
'';
@ -627,6 +641,67 @@ in
'';
};
dmarcReporting = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to send out aggregated, daily DMARC reports in response to incoming
mail, when the sender domain defines a DMARC policy including the RUA tag.
This is helpful for the mail ecosystem, because it allows third parties to
get notified about SPF/DKIM violations originating from their sender domains.
See https://rspamd.com/doc/modules/dmarc.html#reporting
'';
};
localpart = mkOption {
type = types.str;
default = "dmarc-noreply";
example = "dmarc-report";
description = ''
The local part of the email address used for outgoing DMARC reports.
'';
};
domain = mkOption {
type = types.enum (cfg.domains);
example = "example.com";
description = ''
The domain from which outgoing DMARC reports are served.
'';
};
email = mkOption {
type = types.str;
default = with cfg.dmarcReporting; "${localpart}@${domain}";
defaultText = literalExpression ''"''${localpart}@''${domain}"'';
readOnly = true;
description = ''
The email address used for outgoing DMARC reports. Read-only.
'';
};
organizationName = mkOption {
type = types.str;
example = "ACME Corp.";
description = ''
The name of your organization used in the `org_name` attribute in
DMARC reports.
'';
};
fromName = mkOption {
type = types.str;
default = cfg.dmarcReporting.organizationName;
defaultText = literalMD "{option}`mailserver.dmarcReporting.organizationName`";
description = ''
The sender name for DMARC reports. Defaults to the organization name.
'';
};
};
debug = mkOption {
type = types.bool;
default = false;
@ -677,7 +752,7 @@ in
if (ip == "0.0.0.0" || ip == "::")
then "127.0.0.1"
else if isIpv6 ip then "[${ip}]" else ip;
defaultText = lib.literalDocBook "computed from <option>config.services.redis.servers.rspamd.bind</option>";
defaultText = lib.literalMD "computed from `config.services.redis.servers.rspamd.bind`";
description = ''
Address that rspamd should use to contact redis.
'';
@ -715,7 +790,7 @@ in
sendingFqdn = mkOption {
type = types.str;
default = cfg.fqdn;
defaultText = "config.mailserver.fqdn";
defaultText = lib.literalMD "{option}`mailserver.fqdn`";
example = "myserver.example.com";
description = ''
The fully qualified domain name of the mail server used to
@ -731,7 +806,7 @@ in
This setting allows the server to identify as
myserver.example.com when forwarding mail, independently of
`fqdn` (which, for SSL reasons, should generally be the name
{option}`mailserver.fqdn` (which, for SSL reasons, should generally be the name
to which the user connects).
Set this to the name to which the sending IP's reverse DNS
@ -803,7 +878,7 @@ in
start program = "${pkgs.systemd}/bin/systemctl start rspamd"
stop program = "${pkgs.systemd}/bin/systemctl stop rspamd"
'';
defaultText = lib.literalDocBook "see source";
defaultText = lib.literalMD "see [source](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/blob/master/default.nix)";
description = ''
The configuration used for monitoring via monit.
Use a mail address that you actively check and set it via 'set alert ...'.
@ -820,7 +895,8 @@ in
description = ''
The location where borg saves the backups.
This can be a local path or a remote location such as user@host:/path/to/repo.
It is exported and thus available as an environment variable to cmdPreexec and cmdPostexec.
It is exported and thus available as an environment variable to
{option}`mailserver.borgbackup.cmdPreexec` and {option}`mailserver.borgbackup.cmdPostexec`.
'';
};
@ -880,7 +956,7 @@ in
default = "none";
description = ''
The backup can be encrypted by choosing any other value than 'none'.
When using encryption the password / passphrase must be provided in passphraseFile.
When using encryption the password/passphrase must be provided in `passphraseFile`.
'';
};
@ -903,6 +979,7 @@ in
locations = mkOption {
type = types.listOf types.path;
default = [cfg.mailDirectory];
defaultText = lib.literalExpression "[ config.mailserver.mailDirectory ]";
description = "The locations that are to be backed up by borg.";
};
@ -923,9 +1000,10 @@ in
default = null;
description = ''
The command to be executed before each backup operation.
This is called prior to borg init in the same script that runs borg init and create and cmdPostexec.
Example:
export BORG_RSH="ssh -i /path/to/private/key"
This is called prior to borg init in the same script that runs borg init and create and `cmdPostexec`.
'';
example = ''
export BORG_RSH="ssh -i /path/to/private/key"
'';
};
@ -935,7 +1013,7 @@ in
description = ''
The command to be executed after each backup operation.
This is called after borg create completed successfully and in the same script that runs
cmdPreexec, borg init and create.
`cmdPreexec`, borg init and create.
'';
};
@ -948,7 +1026,7 @@ in
example = true;
description = ''
Whether to enable automatic reboot after kernel upgrades.
This is to be used in conjunction with system.autoUpgrade.enable = true"
This is to be used in conjunction with `system.autoUpgrade.enable = true;`
'';
};
method = mkOption {

4
docs/add-radicale.rst
View File

@ -4,8 +4,8 @@ Add Radicale
Configuration by @dotlambda
Starting with Radicale 3 (first introduced in NixOS 20.09) the traditional
crypt passwords, as generated by `mkpasswd`, are no longer supported. Instead
bcrypt passwords have to be used which can be generated using `htpasswd`.
crypt passwords are no longer supported. Instead bcrypt passwords
have to be used. These can still be generated using `mkpasswd -m bcrypt`.
.. code:: nix

2
docs/add-roundcube.rst
View File

@ -1,5 +1,5 @@
Add Roundcube, a webmail
=======================
========================
The NixOS module for roundcube nearly works out of the box with SNM. By
default, it sets up a nginx virtual host to serve the webmail, other web

17
docs/autodiscovery.rst Normal file
View File

@ -0,0 +1,17 @@
Autodiscovery
=============
`RFC6186 <https://www.rfc-editor.org/rfc/rfc6186>`_ allows supporting email clients to automatically discover SMTP / IMAP addresses
of the mailserver. For that, the following records are required:
================ ==== ==== ======== ====== ==== =================
Record TTL Type Priority Weight Port Value
================ ==== ==== ======== ====== ==== =================
_submission._tcp 3600 SRV 5 0 587 mail.example.com.
_imap._tcp 3600 SRV 5 0 143 mail.example.com.
_imaps._tcp 3600 SRV 5 0 993 mail.example.com.
================ ==== ==== ======== ====== ==== =================
Please note that only a few MUAs currently implement this. For vendor-specific
discovery mechanisms `automx <https://github.com/rseichter/automx2>`_ can be used instead.

12
docs/conf.py
View File

@ -18,7 +18,7 @@
# -- Project information -----------------------------------------------------
project = 'NixOS Mailserver'
copyright = '2020, NixOS Mailserver Contributors'
copyright = '2022, NixOS Mailserver Contributors'
author = 'NixOS Mailserver Contributors'
@ -28,8 +28,16 @@ author = 'NixOS Mailserver Contributors'
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
# ones.
extensions = [
'myst_parser'
]
myst_enable_extensions = [
'colon_fence',
'linkify',
]
smartquotes = False
# Add any paths that contain templates here, relative to this directory.
templates_path = ['_templates']
@ -50,4 +58,4 @@ html_theme = 'sphinx_rtd_theme'
# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
# so a file named "default.css" will overwrite the builtin "default.css".
html_static_path = ['_static']
html_static_path = []

28
docs/howto-develop.rst
View File

@ -10,7 +10,7 @@ Run NixOS tests
---------------
To run the test suite, you need to enable `Nix Flakes
<https://nixos.wiki/wiki/Flakes#Installing_flakes>`.
<https://nixos.wiki/wiki/Flakes#Installing_flakes>`_.
You can then run the testsuite via
@ -30,28 +30,20 @@ run tests manually. For instance:
Contributing to the documentation
---------------------------------
The documentation is written in RST, build with Sphinx and published
by `Read the Docs <https://readthedocs.org/>`_.
The documentation is written in RST (except option documentation which is in CommonMark),
built with Sphinx and published by `Read the Docs <https://readthedocs.org/>`_.
For the syntax, see `RST/Sphinx Cheatsheet
<https://sphinx-tutorial.readthedocs.io/cheatsheet/>`_.
For the syntax, see the `RST/Sphinx primer
<https://www.sphinx-doc.org/en/master/usage/restructuredtext/basics.html>`_.
To build the documentation, you need to enable `Nix Flakes
<https://nixos.wiki/wiki/Flakes#Installing_flakes>`_.
The ``shell.nix`` provides all the tooling required to build the
documentation:
::
$ nix-shell
$ cd docs
$ make html
$ firefox ./_build/html/index.html
Note if you modify some NixOS mailserver options, you would also need
to regenerate the ``options.rst`` file:
::
$ nix-shell --run generate-rst-options
$ nix build .#documentation
$ xdg-open result/index.html
Nixops
------

1
docs/index.rst
View File

@ -29,6 +29,7 @@ Welcome to NixOS Mailserver's documentation!
rspamd-tuning
fts
flakes
autodiscovery
Indices and tables
==================

1123
docs/options.rst
View File

File diff suppressed because it is too large Load Diff

12
docs/release-notes.rst
View File

@ -1,6 +1,18 @@
Release Notes
=============
NixOS 22.11
-----------
- Allow Rspamd to send dmarc reporting
(`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/244>`__)
NixOS 22.05
-----------
- Make NixOS Mailserver options discoverable from search.nixos.org
- Add a roundcube setup guide in the documentation
NixOS 21.11
-----------

6
docs/requirements.txt
View File

@ -1,2 +1,4 @@
sphinx==4.0.2
sphinx_rtd_theme==0.5.2
sphinx ~= 5.3
sphinx_rtd_theme ~= 1.1
myst-parser ~= 0.18
linkify-it-py ~= 2.0

13
docs/setup-guide.rst
View File

@ -70,7 +70,7 @@ these should be the most common ones.
domains = [ "example.com" ];
# A list of all login accounts. To create the password hashes, use
# nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
# nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
loginAccounts = {
"user1@example.com" = {
hashedPasswordFile = "/a/file/containing/a/hashed/password";
@ -81,7 +81,7 @@ these should be the most common ones.
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
# down nginx and opens port 80.
certificateScheme = 3;
certificateScheme = "acme-nginx";
};
}
@ -96,7 +96,14 @@ Set rDNS (reverse DNS) entry for server
Wherever you have rented your server, you should be able to set reverse
DNS entries for the IPs you own. Add an entry resolving ``1.2.3.4``
to ``mail.example.com``
to ``mail.example.com``.
.. warning::
We don't recommend setting up a mail server if you are not able to
set a reverse DNS on your public IP because sent emails would be
mostly marked as spam. Note that many residential ISP providers
don't allow you to set a reverse DNS entry.
You can check this with

55
flake.lock generated
View File

@ -16,13 +16,29 @@
"type": "gitlab"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1642635915,
"narHash": "sha256-vabPA32j81xBO5m3+qXndWp5aqepe+vu96Wkd9UnngM=",
"lastModified": 1670751203,
"narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6d8215281b2f87a5af9ed7425a26ac575da0438f",
"rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60",
"type": "github"
},
"original": {
@ -31,10 +47,43 @@
"type": "indirect"
}
},
"nixpkgs-22_11": {
"locked": {
"lastModified": 1669558522,
"narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-22.11",
"type": "indirect"
}
},
"nixpkgs-23_05": {
"locked": {
"lastModified": 1684782344,
"narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.05",
"type": "indirect"
}
},
"root": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs",
"nixpkgs-22_11": "nixpkgs-22_11",
"nixpkgs-23_05": "nixpkgs-23_05",
"utils": "utils"
}
},

112
flake.nix
View File

@ -2,15 +2,22 @@
description = "A complete and Simple Nixos Mailserver";
inputs = {
flake-compat = {
url = "github:edolstra/flake-compat";
flake = false;
};
utils.url = "github:numtide/flake-utils";
nixpkgs.url = "flake:nixpkgs/nixos-unstable";
nixpkgs-22_11.url = "flake:nixpkgs/nixos-22.11";
nixpkgs-23_05.url = "flake:nixpkgs/nixos-23.05";
blobs = {
url = "gitlab:simple-nixos-mailserver/blobs";
flake = false;
};
};
outputs = { self, utils, blobs, nixpkgs }: let
outputs = { self, utils, blobs, nixpkgs, nixpkgs-22_11, nixpkgs-23_05, ... }: let
lib = nixpkgs.lib;
system = "x86_64-linux";
pkgs = nixpkgs.legacyPackages.${system};
releases = [
@ -18,6 +25,10 @@
name = "unstable";
pkgs = nixpkgs.legacyPackages.${system};
}
{
name = "23.05";
pkgs = nixpkgs-22_11.legacyPackages.${system};
}
];
testNames = [
"internal"
@ -26,7 +37,7 @@
"multiple"
];
genTest = testName: release: {
"name"= "${testName}-${release.name}";
"name"= "${testName}-${builtins.replaceStrings ["."] ["_"] release.name}";
"value"= import (./tests/. + "/${testName}.nix") {
pkgs = release.pkgs;
inherit blobs;
@ -38,90 +49,79 @@
# external-21_05 = <derivation>;
# ...
# }
allTests = pkgs.lib.listToAttrs (
pkgs.lib.flatten (map (t: map (r: genTest t r) releases) testNames));
allTests = lib.listToAttrs (
lib.flatten (map (t: map (r: genTest t r) releases) testNames));
mailserverModule = import ./.;
# Generate a rst file describing options of the NixOS mailserver module
generateRstOptions = let
eval = import (pkgs.path + "/nixos/lib/eval-config.nix") {
inherit system;
# Generate a MarkDown file describing the options of the NixOS mailserver module
optionsDoc = let
eval = lib.evalModules {
modules = [
mailserverModule
{
# Because the blockbook package is currently broken (we
# don't care about this package but it is part of the
# NixOS module evaluation)
nixpkgs.config.allowBroken = true;
mailserver.fqdn = "mx.example.com";
_module.check = false;
mailserver = {
fqdn = "mx.example.com";
domains = [
"example.com"
];
dmarcReporting = {
organizationName = "Example Corp";
domain = "example.com";
};
};
}
];
};
options = pkgs.nixosOptionsDoc {
options = eval.options;
};
in pkgs.runCommand "options.rst" { buildInputs = [pkgs.python3]; } ''
echo Generating options.rst from ${options.optionsJSON}/share/doc/nixos/options.json
python ${./scripts/generate-rst-options.py} ${options.optionsJSON}/share/doc/nixos/options.json > $out
'';
# This is a script helping users to generate this file in the docs directory
generateRstOptionsScript = pkgs.writeScriptBin "generate-rst-options" ''
cp -v ${generateRstOptions} ./docs/options.rst
'';
# This is to ensure we don't forget to update the options.rst file
testRstOptions = pkgs.runCommand "test-rst-options" {} ''
if ! diff -q ${./docs/options.rst} ${generateRstOptions}
then
echo "The file ./docs/options.rst is not up-to-date and needs to be regenerated!"
echo " hint: run 'nix-shell --run generate-rst-options' to generate this file"
exit 1
fi
echo "test: ok" > $out
options = builtins.toFile "options.json" (builtins.toJSON
(lib.filter (opt: opt.visible && !opt.internal && lib.head opt.loc == "mailserver")
(lib.optionAttrSetToDocList eval.options)));
in pkgs.runCommand "options.md" { buildInputs = [pkgs.python3Minimal]; } ''
echo "Generating options.md from ${options}"
python ${./scripts/generate-options.py} ${options} > $out
'';
documentation = pkgs.stdenv.mkDerivation {
name = "documentation";
src = pkgs.lib.sourceByRegex ./docs ["logo.png" "conf.py" "Makefile" ".*rst$"];
src = lib.sourceByRegex ./docs ["logo\\.png" "conf\\.py" "Makefile" ".*\\.rst"];
buildInputs = [(
pkgs.python3.withPackages(p: [
p.sphinx
p.sphinx_rtd_theme
pkgs.python3.withPackages (p: with p; [
sphinx
sphinx_rtd_theme
myst-parser
])
)];
buildPhase = ''
cp ${generateRstOptions} options.rst
mkdir -p _static
cp ${optionsDoc} options.md
# Workaround for https://github.com/sphinx-doc/sphinx/issues/3451
export SOURCE_DATE_EPOCH=$(${pkgs.coreutils}/bin/date +%s)
unset SOURCE_DATE_EPOCH
make html
'';
installPhase = ''
cp -r _build/html $out
cp -Tr _build/html $out
'';
};
in rec {
nixosModules.mailserver = mailserverModule ;
nixosModule = self.nixosModules.mailserver;
in {
nixosModules = rec {
mailserver = mailserverModule;
default = mailserver;
};
nixosModule = self.nixosModules.default; # compatibility
hydraJobs.${system} = allTests // {
test-rst-options = testRstOptions;
inherit documentation;
};
checks.${system} = allTests;
devShell.${system} = pkgs.mkShell {
buildInputs = with pkgs; [
generateRstOptionsScript
(python3.withPackages (p: with p; [
sphinx
sphinx_rtd_theme
]))
jq
packages.${system} = {
inherit optionsDoc documentation;
};
devShells.${system}.default = pkgs.mkShell {
inputsFrom = [ documentation ];
packages = with pkgs; [
clamav
];
};
devShell.${system} = self.devShells.${system}.default; # compatibility
};
}

16
mail-server/common.nix
View File

@ -21,22 +21,22 @@ let
in
{
# cert :: PATH
certificatePath = if cfg.certificateScheme == 1
certificatePath = if cfg.certificateScheme == "manual"
then cfg.certificateFile
else if cfg.certificateScheme == 2
else if cfg.certificateScheme == "selfsigned"
then "${cfg.certificateDirectory}/cert-${cfg.fqdn}.pem"
else if cfg.certificateScheme == 3
else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
then "${config.security.acme.certs.${cfg.fqdn}.directory}/fullchain.pem"
else throw "Error: Certificate Scheme must be in { 1, 2, 3 }";
else throw "unknown certificate scheme";
# key :: PATH
keyPath = if cfg.certificateScheme == 1
keyPath = if cfg.certificateScheme == "manual"
then cfg.keyFile
else if cfg.certificateScheme == 2
else if cfg.certificateScheme == "selfsigned"
then "${cfg.certificateDirectory}/key-${cfg.fqdn}.pem"
else if cfg.certificateScheme == 3
else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
then "${config.security.acme.certs.${cfg.fqdn}.directory}/key.pem"
else throw "Error: Certificate Scheme must be in { 1, 2, 3 }";
else throw "unknown certificate scheme";
passwordFiles = let
mkHashFile = name: hash: pkgs.writeText "${builtins.hashString "sha256" name}-password-hash" hash;

25
mail-server/dovecot.nix
View File

@ -22,7 +22,8 @@ let
cfg = config.mailserver;
passwdDir = "/run/dovecot2";
passwdFile = "${passwdDir}/passwd";
passdbFile = "${passwdDir}/passdb";
userdbFile = "${passwdDir}/userdb";
bool2int = x: if x then "1" else "0";
@ -74,16 +75,23 @@ let
fi
done
cat <<EOF > ${passwdFile}
cat <<EOF > ${passdbFile}
${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value:
"${name}:${"$(head -n 1 ${passwordFiles."${name}"})"}:${builtins.toString cfg.vmailUID}:${builtins.toString cfg.vmailUID}::${cfg.mailDirectory}:/run/current-system/sw/bin/nologin:"
"${name}:${"$(head -n 1 ${passwordFiles."${name}"})"}::::::"
) cfg.loginAccounts)}
EOF
cat <<EOF > ${userdbFile}
${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value:
"${name}:::::::"
+ (if lib.isString value.quota
then "userdb_quota_rule=*:storage=${value.quota}"
else "")
) cfg.loginAccounts)}
EOF
chmod 600 ${passwdFile}
chmod 600 ${passdbFile}
chmod 600 ${userdbFile}
'';
junkMailboxes = builtins.attrNames (lib.filterAttrs (n: v: v ? "specialUse" && v.specialUse == "Junk") cfg.mailboxes);
@ -192,7 +200,7 @@ in
mail_access_groups = ${vmailGroupName}
ssl = required
ssl_min_protocol = TLSv1.2
ssl_min_protocol = TLSv1
ssl_prefer_server_ciphers = yes
service lmtp {
@ -212,12 +220,13 @@ in
passdb {
driver = passwd-file
args = ${passwdFile}
args = ${passdbFile}
}
userdb {
driver = passwd-file
args = ${passwdFile}
args = ${userdbFile}
default_fields = uid=${builtins.toString cfg.vmailUID} gid=${builtins.toString cfg.vmailUID} home=${cfg.mailDirectory}
}
service auth {
@ -243,7 +252,7 @@ in
# From elsewhere to Spam folder
imapsieve_mailbox1_name = ${junkMailboxName}
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_causes = COPY,APPEND
imapsieve_mailbox1_before = file:${stateDir}/imap_sieve/report-spam.sieve
# From Spam folder to elsewhere

2
mail-server/environment.nix
View File

@ -23,6 +23,6 @@ in
config = with cfg; lib.mkIf enable {
environment.systemPackages = with pkgs; [
dovecot opendkim openssh postfix rspamd
] ++ (if certificateScheme == 2 then [ openssl ] else []);
] ++ (if certificateScheme == "selfsigned" then [ openssl ] else []);
};
}

4
mail-server/networking.nix
View File

@ -14,7 +14,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>
{ config, pkgs, lib, ... }:
{ config, lib, ... }:
let
cfg = config.mailserver;
@ -31,7 +31,7 @@ in
++ lib.optional enablePop3 110
++ lib.optional enablePop3Ssl 995
++ lib.optional enableManageSieve 4190
++ lib.optional (certificateScheme == 3) 80;
++ lib.optional (certificateScheme == "acme-nginx") 80;
};
};
}

4
mail-server/nginx.nix
View File

@ -24,8 +24,8 @@ let
acmeRoot = "/var/lib/acme/acme-challenge";
in
{
config = lib.mkIf (cfg.enable && cfg.certificateScheme == 3) {
services.nginx = {
config = lib.mkIf (cfg.enable && (cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx")) {
services.nginx = lib.mkIf (cfg.certificateScheme == "acme-nginx") {
enable = true;
virtualHosts."${cfg.fqdn}" = {
serverName = cfg.fqdn;

1
mail-server/opendkim.nix
View File

@ -37,6 +37,7 @@ let
--directory="${cfg.dkimKeyDirectory}"
mv "${cfg.dkimKeyDirectory}/${cfg.dkimSelector}.private" "${dkim_key}"
mv "${cfg.dkimKeyDirectory}/${cfg.dkimSelector}.txt" "${dkim_txt}"
chmod 644 "${dkim_txt}"
echo "Generated key for domain ${dom} selector ${cfg.dkimSelector}"
fi
'';

8
mail-server/postfix.nix
View File

@ -206,10 +206,10 @@ in
smtpd_tls_eecdh_grade = "ultra";
# Disable obselete protocols
smtpd_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
smtp_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
smtpd_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
smtp_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
smtpd_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, !SSLv2, !SSLv3";
smtp_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, !SSLv2, !SSLv3";
smtpd_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, !SSLv2, !SSLv3";
smtp_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, !SSLv2, !SSLv3";
smtp_tls_ciphers = "high";
smtpd_tls_ciphers = "high";

69
mail-server/rspamd.nix
View File

@ -56,6 +56,17 @@ in
# Disable outbound email signing, we use opendkim for this
enabled = false;
''; };
"dmarc.conf" = { text = ''
${lib.optionalString cfg.dmarcReporting.enable ''
reporting {
enabled = true;
email = "${cfg.dmarcReporting.email}";
domain = "${cfg.dmarcReporting.domain}";
org_name = "${cfg.dmarcReporting.organizationName}";
from_name = "${cfg.dmarcReporting.fromName}";
msgid_from = "dmarc-rua";
}''}
''; };
};
overrides = {
@ -108,6 +119,64 @@ in
after = [ "redis-rspamd.service" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
};
systemd.services.rspamd-dmarc-reporter = lib.optionalAttrs (cfg.dmarcReporting.enable) {
# Explicitly select yesterday's date to work around broken
# default behaviour when called without a date.
# https://github.com/rspamd/rspamd/issues/4062
script = ''
${pkgs.rspamd}/bin/rspamadm dmarc_report $(date -d "yesterday" "+%Y%m%d")
'';
serviceConfig = {
User = "${config.services.rspamd.user}";
Group = "${config.services.rspamd.group}";
AmbientCapabilities = [];
CapabilityBoundingSet = "";
DevicePolicy = "closed";
IPAddressAllow = "localhost";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
UMask = "0077";
};
};
systemd.timers.rspamd-dmarc-reporter = lib.optionalAttrs (cfg.dmarcReporting.enable) {
description = "Daily delivery of aggregated DMARC reports";
wantedBy = [
"timers.target"
];
timerConfig = {
OnCalendar = "daily";
Persistent = true;
RandomizedDelaySec = 86400;
FixedRandomDelay = true;
};
};
systemd.services.postfix = {
after = [ rspamdSocket ];
requires = [ rspamdSocket ];

6
mail-server/systemd.nix
View File

@ -19,9 +19,9 @@
let
cfg = config.mailserver;
certificatesDeps =
if cfg.certificateScheme == 1 then
if cfg.certificateScheme == "manual" then
[]
else if cfg.certificateScheme == 2 then
else if cfg.certificateScheme == "selfsigned" then
[ "mailserver-selfsigned-certificate.service" ]
else
[ "acme-finished-${cfg.fqdn}.target" ];
@ -29,7 +29,7 @@ in
{
config = with cfg; lib.mkIf enable {
# Create self signed certificate
systemd.services.mailserver-selfsigned-certificate = lib.mkIf (cfg.certificateScheme == 2) {
systemd.services.mailserver-selfsigned-certificate = lib.mkIf (cfg.certificateScheme == "selfsigned") {
after = [ "local-fs.target" ];
script = ''
# Create certificates if they do not exist yet

81
scripts/generate-options.py Normal file
View File

@ -0,0 +1,81 @@
import json
import sys
header = """
# Mailserver options
## `mailserver`
"""
template = """
`````{{option}} {key}
{description}
{type}
{default}
{example}
`````
"""
f = open(sys.argv[1])
options = json.load(f)
groups = ["mailserver.loginAccounts",
"mailserver.certificate",
"mailserver.dkim",
"mailserver.dmarcReporting",
"mailserver.fullTextSearch",
"mailserver.redis",
"mailserver.monitoring",
"mailserver.backup",
"mailserver.borgbackup"]
def render_option_value(opt, attr):
if attr in opt:
if isinstance(opt[attr], dict) and '_type' in opt[attr]:
if opt[attr]['_type'] == 'literalExpression':
if '\n' in opt[attr]['text']:
res = '\n```nix\n' + opt[attr]['text'].rstrip('\n') + '\n```'
else:
res = '```{}```'.format(opt[attr]['text'])
elif opt[attr]['_type'] == 'literalMD':
res = opt[attr]['text']
else:
s = str(opt[attr])
if s == "":
res = '`""`'
elif '\n' in s:
res = '\n```\n' + s.rstrip('\n') + '\n```'
else:
res = '```{}```'.format(s)
res = '- ' + attr + ': ' + res
else:
res = ""
return res
def print_option(opt):
if isinstance(opt['description'], dict) and '_type' in opt['description']: # mdDoc
description = opt['description']['text']
else:
description = opt['description']
print(template.format(
key=opt['name'],
description=description or "",
type="- type: ```{}```".format(opt['type']),
default=render_option_value(opt, 'default'),
example=render_option_value(opt, 'example')))
print(header)
for opt in options:
if any([opt['name'].startswith(c) for c in groups]):
continue
print_option(opt)
for c in groups:
print('## `{}`'.format(c))
print()
for opt in options:
if opt['name'].startswith(c):
print_option(opt)

77
scripts/generate-rst-options.py
View File

@ -1,77 +0,0 @@
import json
import sys
import re
header = """
Mailserver Options
==================
mailserver
~~~~~~~~~~
"""
template = """
{key}
{line}
{description}
{type}
{default}
"""
f = open(sys.argv[1])
options = json.load(f)
options = {k: v for k, v in options.items()
if k.startswith("mailserver.")}
groups = ["mailserver.loginAccount",
"mailserver.certificate",
"mailserver.dkim",
"mailserver.fullTextSearch",
"mailserver.redis",
"mailserver.monitoring",
"mailserver.backup",
"mailserver.borg"]
def print_option(name, value):
if 'default' in value:
if value['default'] == "":
default = '``""``'
elif isinstance(value['default'], dict) and '_type' in value['default']:
if value['default']['_type'] == 'literalExpression':
default = '``{}``'.format(value['default']['text'])
if value['default']['_type'] == 'literalDocBook':
default = value['default']['text']
else:
default = '``{}``'.format(value['default'])
# Some default values contains OUTPUTPATHS which make the
# output not stable across nixpkgs updates.
default = re.sub('/nix/store/[\w.-]*/', '<OUTPUT-PATH>/', default) # noqa
default = '- Default: ' + default
else:
default = ""
print(template.format(
key=name,
line="-"*len(name),
description=value['description'],
type="- Type: ``{}``".format(value['type']),
default=default))
print(header)
for k, v in options.items():
if any([k.startswith(c) for c in groups]):
continue
print_option(k, v)
for c in groups:
print(c)
print("~"*len(c))
print()
for k, v in options.items():
if k.startswith(c):
print_option(k, v)

11
shell.nix
View File

@ -1 +1,10 @@
(import (builtins.fetchGit "https://github.com/edolstra/flake-compat") { src = ./.; }).shellNix
(import
(
let lock = builtins.fromJSON (builtins.readFile ./flake.lock); in
fetchTarball {
url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
sha256 = lock.nodes.flake-compat.locked.narHash;
}
)
{ src = ./.; }
).shellNix

4
tests/clamav.nix
View File

@ -189,10 +189,10 @@ pkgs.nixosTest {
# TODO put this blocking into the systemd units? I am not sure if rspamd already waits for the clamd socket.
server.wait_until_succeeds(
"set +e; timeout 1 ${nodes.server.pkgs.netcat}/bin/nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
"set +e; timeout 1 ${nodes.server.nixpkgs.pkgs.netcat}/bin/nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
)
server.wait_until_succeeds(
"set +e; timeout 1 ${nodes.server.pkgs.netcat}/bin/nc -U /run/clamav/clamd.ctl < /dev/null; [ $? -eq 124 ]"
"set +e; timeout 1 ${nodes.server.nixpkgs.pkgs.netcat}/bin/nc -U /run/clamav/clamd.ctl < /dev/null; [ $? -eq 124 ]"
)
client.execute("cp -p /etc/root/.* ~/")

11
tests/external.nix
View File

@ -43,6 +43,11 @@ pkgs.nixosTest {
domains = [ "example.com" "example2.com" ];
rewriteMessageId = true;
dkimKeyBits = 1535;
dmarcReporting = {
enable = true;
domain = "example.com";
organizationName = "ACME Corp";
};
loginAccounts = {
"user1@example.com" = {
@ -345,7 +350,7 @@ pkgs.nixosTest {
# TODO put this blocking into the systemd units?
server.wait_until_succeeds(
"set +e; timeout 1 ${nodes.server.pkgs.netcat}/bin/nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
"set +e; timeout 1 ${nodes.server.nixpkgs.pkgs.netcat}/bin/nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
)
client.execute("cp -p /etc/root/.* ~/")
@ -494,6 +499,10 @@ pkgs.nixosTest {
# check that Junk is not indexed
server.fail("journalctl -u dovecot2 | grep 'indexer-worker' | grep -i 'JUNK' >&2")
with subtest("dmarc reporting"):
server.systemctl("start rspamd-dmarc-reporter.service")
server.wait_until_succeeds("journalctl -eu rspamd-dmarc-reporter.service -o cat | grep -q 'No reports for '")
with subtest("no warnings or errors"):
server.fail("journalctl -u postfix | grep -i error >&2")
server.fail("journalctl -u postfix | grep -i warning >&2")

4
tests/internal.nix
View File

@ -29,8 +29,8 @@ let
hashPassword = password: pkgs.runCommand
"password-${password}-hashed"
{ buildInputs = [ pkgs.apacheHttpd ]; } ''
htpasswd -nbB "" "${password}" | cut -d: -f2 > $out
{ buildInputs = [ pkgs.mkpasswd ]; inherit password; } ''
mkpasswd -sm bcrypt <<<"$password" > $out
'';
hashedPasswordFile = hashPassword "my-password";

6
tests/minimal.nix
View File

@ -14,9 +14,9 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>
import <nixpkgs/nixos/tests/make-test.nix> {
import <nixpkgs/nixos/tests/make-test-python.nix> {
machine =
nodes.machine =
{ config, pkgs, ... }:
{
imports = [
@ -26,6 +26,6 @@ import <nixpkgs/nixos/tests/make-test.nix> {
testScript =
''
$machine->waitForUnit("multi-user.target");
machine.wait_for_unit("multi-user.target");
'';
}

6
tests/multiple.nix
View File

@ -5,9 +5,9 @@
let
hashPassword = password: pkgs.runCommand
"password-${password}-hashed"
{ buildInputs = [ pkgs.apacheHttpd ]; }
{ buildInputs = [ pkgs.mkpasswd ]; inherit password; }
''
htpasswd -nbB "" "${password}" | cut -d: -f2 > $out
mkpasswd -sm bcrypt <<<"$password" > $out
'';
password = pkgs.writeText "password" "password";
@ -30,6 +30,8 @@ let
};
services.dnsmasq = {
enable = true;
# Fixme: once nixos-23.05 hhas been removed, could be replaced by
# settings.mx-host = [ "domain1.com,domain1,10" "domain2.com,domain2,10" ];
extraConfig = ''
mx-host=domain1.com,domain1,10
mx-host=domain2.com,domain2,10