Allow TLSv1 for compatibility with older devices

Merge branch 'release-25.05' into 'master'
Release 25.05 See merge request simple-nixos-mailserver/nixos-mailserver!399
2025-05-25 21:06:21 +02:00 · 2025-05-23 01:53:51 +00:00 · 2025-05-22 01:31:46 +02:00 · 2025-05-21 00:58:06 +02:00 · 2025-05-21 00:56:01 +02:00 · 2025-05-19 22:44:15 +00:00
48 changed files with 1100 additions and 919 deletions
--- a/.envrc
+++ b/.envrc
@@ -0,0 +1,3 @@
 # shellcheck shell=bash
 use flake
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
 result
 .direnv
 .pre-commit-config.yaml
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,13 +1,18 @@
 .hydra-cli:
  image: docker.nix-community.org/nixpkgs/nix-flakes
  script:
    - nix run --inputs-from ./. nixpkgs#hydra-cli -- -H https://hydra.nix-community.org jobset-wait simple-nixos-mailserver "${jobset}"
 hydra-pr:
  extends: .hydra-cli
  only:
    - merge_requests
-  image: nixos/nix
+  variables:
-  script:
+    jobset: $CI_MERGE_REQUEST_IID
    - nix-shell -I nixpkgs=channel:nixos-22.05 -p hydra-cli --run 'hydra-cli -H https://hydra.nix-community.org jobset-wait simple-nixos-mailserver ${CI_MERGE_REQUEST_IID}'
 hydra-master:
  extends: .hydra-cli
  only:
    - master
-  image: nixos/nix
+  variables:
-  script:
+    jobset: master
    - nix-shell -I nixpkgs=channel:nixos-22.05 -p hydra-cli --run 'hydra-cli -H https://hydra.nix-community.org jobset-wait simple-nixos-mailserver master'
--- a/.hydra/declarative-jobsets.nix
+++ b/.hydra/declarative-jobsets.nix
@@ -8,7 +8,7 @@ let
    { enabled = 1;
      hidden = false;
      description = "PR ${num}: ${info.title}";
-      checkinterval = 30;
+      checkinterval = 300;
      schedulingshares = 20;
      enableemail = false;
      emailoverride = "";
@@ -19,7 +19,7 @@ let
  ) prs;
  mkFlakeJobset = branch: {
    description = "Build ${branch} branch of Simple NixOS MailServer";
-    checkinterval = "60";
+    checkinterval = 300;
    enabled = "1";
    schedulingshares = 100;
    enableemail = false;
@@ -32,8 +32,8 @@ let
  desc = prJobsets // {
    "master" = mkFlakeJobset "master";
-    "nixos-22.11" = mkFlakeJobset "nixos-22.11";
+    "nixos-24.11" = mkFlakeJobset "nixos-24.11";
-    "nixos-23.05" = mkFlakeJobset "nixos-23.05";
+    "nixos-25.05" = mkFlakeJobset "nixos-25.05";
  };
  log = {
--- a/README.md
+++ b/README.md
@@ -1,75 +1,82 @@
 # ![Simple Nixos MailServer][logo]
 ![license](https://img.shields.io/badge/license-GPL3-brightgreen.svg)
 [![pipeline status](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/badges/master/pipeline.svg)](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/commits/master)
 ## Release branches
 For each NixOS release, we publish a branch. You then have to use the
 SNM branch corresponding to your NixOS version.
-* For NixOS 23.05
+* For NixOS 25.05
-   - Use the [SNM branch `nixos-23.05`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-23.05)
+  * Use the [SNM branch `nixos-25.05`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-25.05)
-   - [Documentation](https://nixos-mailserver.readthedocs.io/en/nixos-23.05/)
+  * [Documentation](https://nixos-mailserver.readthedocs.io/en/nixos-25.05/)
-   - [Release notes](https://nixos-mailserver.readthedocs.io/en/nixos-23.05/release-notes.html#nixos-23-05)
+  * [Release notes](https://nixos-mailserver.readthedocs.io/en/nixos-25.05/release-notes.html#nixos-25-05)
-* For NixOS 22.11
+* For NixOS 24.11
-   - Use the [SNM branch `nixos-22.11`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-22.11)
+  * Use the [SNM branch `nixos-24.11`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-24.11)
-   - [Documentation](https://nixos-mailserver.readthedocs.io/en/nixos-22.11/)
+  * [Documentation](https://nixos-mailserver.readthedocs.io/en/nixos-24.11/)
-   - [Release notes](https://nixos-mailserver.readthedocs.io/en/nixos-22.11/release-notes.html#nixos-22-11)
+  * [Release notes](https://nixos-mailserver.readthedocs.io/en/nixos-24.11/release-notes.html#nixos-24-11)
 * For NixOS unstable
-   - Use the [SNM branch `master`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/master)
+  * Use the [SNM branch `master`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/master)
-   - [Documentation](https://nixos-mailserver.readthedocs.io/en/latest/)
+  * [Documentation](https://nixos-mailserver.readthedocs.io/en/latest/)
 [Subscribe to SNM Announcement List](https://www.freelists.org/list/snm)
 This is a very low volume list where new releases of SNM are announced, so you
 can stay up to date with bug fixes and updates.
 ## Features
-### v2.0
+
 * [x] Continous Integration Testing
 * [x] Multiple Domains
- * Postfix MTA
+* Postfix
-    - [x] smtp on port 25
+  * [x] SMTP on port 25
-    - [x] submission tls on port 465
+  * [x] Submission TLS on port 465
-    - [x] submission starttls on port 587
+  * [x] Submission StartTLS on port 587
-    - [x] lmtp with dovecot
+  * [x] LMTP with Dovecot
 * Dovecot
-    - [x] maildir folders
+  * [x] Maildir folders
-    - [x] imap with tls on port 993
+  * [x] IMAP with TLS on port 993
-    - [x] pop3 with tls on port 995
+  * [x] POP3 with TLS on port 995
-    - [x] imap with starttls on port 143
+  * [x] IMAP with StartTLS on port 143
-    - [x] pop3 with starttls on port 110
+  * [x] POP3 with StartTLS on port 110
 * Certificates
-    - [x] manual certificates
+  * [x] ACME
-    - [x] on the fly creation
+  * [x] Custom certificates
    - [x] Let's Encrypt
 * Spam Filtering
-    - [x] via rspamd
+  * [x] Via Rspamd
 * Virus Scanning
-    - [x] via clamav
+  * [x] Via ClamAV
 * DKIM Signing
-    - [x] via opendkim
+  * [x] Via Rspamd
 * User Management
-    - [x] declarative user management
+  * [x] Declarative user management
-    - [x] declarative password management
+  * [x] Declarative password management
- * Sieves
+  * [x] LDAP users
-    - [x] A simple standard script that moves spam
+* Sieve
-    - [x] Allow user defined sieve scripts
+  * [x] Allow user defined sieve scripts
-    - [x] ManageSieve support
+  * [x] Moving mails from/to junk trains the Bayes filter
  * [x] ManageSieve support
 * User Aliases
-    - [x] Regular aliases
+  * [x] Regular aliases
-    - [x] Catch all aliases
+  * [x] Catch all aliases
 ### In the future
 * Automatic client configuration
  * [ ] [Autoconfig](https://web.archive.org/web/20210624004729/https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration)
  * [ ] [Autodiscovery](https://learn.microsoft.com/en-us/exchange/architecture/client-access/autodiscover?view=exchserver-2019)
  * [ ] [Mobileconfig](https://support.apple.com/guide/profile-manager/distribute-profiles-manually-pmdbd71ebc9/mac)
 * DKIM Signing
-    - [ ] Allow a per domain selector
+  * [ ] Allow per domain selectors
  * [ ] Allow passing DKIM signing keys
 * Improve the Forwarding Experience
  * [ ] Support [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) signing with [Rspamd](https://rspamd.com/doc/modules/arc.html)
  * [ ] Support [SRS](https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme) with [postsrsd](https://github.com/roehling/postsrsd)
 * User management
  * [ ] Allow local and LDAP user to coexist
 * OpenID Connect
  * Depends on relevant clients adding support, e.g. [Thunderbird](https://bugzilla.mozilla.org/show_bug.cgi?id=1602166)
 ### Get in touch
- Subscribe to the [mailing list](https://www.freelists.org/archive/snm/)
+* Matrix: [#nixos-mailserver:nixos.org](https://matrix.to/#/#nixos-mailserver:nixos.org)
- Join the Libera Chat IRC channel `#nixos-mailserver`
+* IRC: `#nixos-mailserver` on [Libera Chat](https://libera.chat/guides/connect)
 ## How to Set Up a 10/10 Mail Server Guide
@@ -82,16 +89,18 @@ For a complete list of options, [see in readthedocs](https://nixos-mailserver.re
 See the [How to Develop SNM](https://nixos-mailserver.readthedocs.io/en/latest/howto-develop.html) documentation page.
 ## Contributors
 See the [contributor tab](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/graphs/master)
 ### Alternative Implementations
 * [NixCloud Webservices](https://github.com/nixcloud/nixcloud-webservices)
 ### Credits
 * send mail graphic by [tnp_dreamingmao](https://thenounproject.com/dreamingmao)
   from [TheNounProject](https://thenounproject.com/) is licensed under
   [CC BY 3.0](http://creativecommons.org/~/3.0/)
 * Logo made with [Logomakr.com](https://logomakr.com)
 [logo]: docs/logo.png
--- a/default.nix
+++ b/default.nix
@@ -277,8 +277,8 @@ in
      dovecot = {
        userAttrs = mkOption {
-          type = types.str;
+          type = types.nullOr types.str;
-          default = "";
+          default = null;
          description = ''
            LDAP attributes to be retrieved during userdb lookups.
@@ -290,8 +290,8 @@ in
        userFilter = mkOption {
          type = types.str;
-          default = "mail=%u";
+          default = "mail=%{user}";
-          example = "(&(objectClass=inetOrgPerson)(mail=%u))";
+          example = "(&(objectClass=inetOrgPerson)(mail=%{user}))";
          description = ''
            Filter for user lookups in Dovecot.
@@ -315,8 +315,8 @@ in
        passFilter = mkOption {
          type = types.nullOr types.str;
-          default = "mail=%u";
+          default = "mail=%{user}";
-          example = "(&(objectClass=inetOrgPerson)(mail=%u))";
+          example = "(&(objectClass=inetOrgPerson)(mail=%{user}))";
          description = ''
            Filter for password lookups in Dovecot.
@@ -380,7 +380,21 @@ in
    };
    fullTextSearch = {
-      enable = mkEnableOption "Full text search indexing with xapian. This has significant performance and disk space cost.";
+      enable = mkEnableOption ''
        Full text search indexing with Xapian through the fts_flatcurve plugin.
        This has significant performance and disk space cost.
      '';
      memoryLimit = mkOption {
        type = types.nullOr types.int;
        default = null;
        example = 2000;
        description = ''
          Memory limit for the indexer process, in MiB.
          If null, leaves the default (which is rather low),
          and if 0, no limit.
        '';
      };
      autoIndex = mkOption {
        type = types.bool;
        default = true;
@@ -395,12 +409,6 @@ in
        '';
      };
      indexAttachments = mkOption {
        type = types.bool;
        default = false;
        description = "Also index text-only attachements. Binary attachements are never indexed.";
      };
      enforced = mkOption {
        type = types.enum [ "yes" "no" "body" ];
        default = "no";
@@ -412,41 +420,54 @@ in
        '';
      };
-      minSize = mkOption {
+      languages = mkOption {
-        type = types.int;
+        type = types.nonEmptyListOf types.str;
-        default = 2;
+        default = [ "en" ];
-        description = "Size of the smallest n-gram to index.";
+        example = [ "en" "de" ];
-      };
+        description = ''
-      maxSize = mkOption {
+          A list of languages that the full text search should detect.
-        type = types.int;
+          At least one language must be specified.
-        default = 20;
+          The language listed first is the default and is used when language recognition fails.
-        description = "Size of the largest n-gram to index.";
+          See <https://doc.dovecot.org/main/core/plugins/fts.html#fts_languages>.
-      };
+        '';
      memoryLimit = mkOption {
        type = types.nullOr types.int;
        default = null;
        example = 2000;
        description = "Memory limit for the indexer process, in MiB. If null, leaves the default (which is rather low), and if 0, no limit.";
      };
-      maintenance = {
+      substringSearch = mkOption {
        enable = mkOption {
        type = types.bool;
-          default = true;
+        default = false;
-          description = "Regularly optmize indices, as recommended by upstream.";
+        description = ''
          If enabled, allows substring searches.
          See <https://doc.dovecot.org/main/core/plugins/fts_flatcurve.html#fts_flatcurve_substring_search>.
          Enabling this requires significant additional storage space.
        '';
      };
-        onCalendar = mkOption {
+      headerExcludes = mkOption {
-          type = types.str;
+        type = types.listOf types.str;
-          default = "daily";
+        default = [
-          description = "When to run the maintenance job. See systemd.time(7) for more information about the format.";
+          "Received"
          "DKIM-*"
          "X-*"
          "Comments"
        ];
        description = ''
          The list of headers to exclude.
          See <https://doc.dovecot.org/main/core/plugins/fts.html#fts_header_excludes>.
        '';
      };
-        randomizedDelaySec = mkOption {
+      filters = mkOption {
-          type = types.int;
+        type = types.listOf types.str;
-          default = 1000;
+        default = [
-          description = "Run the maintenance job not exactly at the time specified with `onCalendar`, but plus or minus this many seconds.";
+          "normalizer-icu"
-        };
+          "snowball"
          "stopwords"
        ];
        description = ''
          The list of filters to apply.
          <https://doc.dovecot.org/main/core/plugins/fts.html#filter-configuration>.
        '';
      };
    };
@@ -460,6 +481,22 @@ in
      '';
    };
    lmtpMemoryLimit = mkOption {
      type = types.int;
      default = 256;
      description = ''
        The memory limit for the LMTP service, in megabytes.
      '';
    };
    quotaStatusMemoryLimit = mkOption {
      type = types.int;
      default = 256;
      description = ''
        The memory limit for the quota-status service, in megabytes.
      '';
    };
    extraVirtualAliases = mkOption {
      type = let
        loginAccount = mkOptionType {
@@ -506,7 +543,7 @@ in
    rejectSender = mkOption {
      type = types.listOf types.str;
-      example = [ "@example.com" "spammer@example.net" ];
+      example = [ "example.com" "spammer@example.net" ];
      description = ''
        Reject emails from these addresses from unauthorized senders.
        Use if a spammer is using the same domain or the same sender over and over.
@@ -570,7 +607,7 @@ in
        - /var/vmail/example.com/user/.folder.subfolder/ (default layout)
        - /var/vmail/example.com/user/folder/subfolder/  (FS layout)
-        See https://wiki2.dovecot.org/MailboxFormat/Maildir for details.
+        See https://doc.dovecot.org/main/core/config/mailbox_formats/maildir.html#maildir-mailbox-format for details.
      '';
    };
@@ -591,7 +628,7 @@ in
        This affects how mailboxes appear to mail clients and sieve scripts.
        For instance when using "." then in a sieve script "example.com" would refer to the mailbox "com" in the parent mailbox "example".
        This does not determine the way your mails are stored on disk.
-        See https://wiki.dovecot.org/Namespaces for details.
+        See https://doc.dovecot.org/main/core/config/namespaces.html#namespaces for details.
      '';
    };
@@ -675,6 +712,19 @@ in
      '';
    };
    acmeCertificateName = mkOption {
      type = types.str;
      default = cfg.fqdn;
      example = "example.com";
      description = ''
          ({option}`mailserver.certificateScheme` == `acme`)
        When the `acme` `certificateScheme` is selected, you can use this option
        to override the default certificate name. This is useful if you've
        generated a wildcard certificate, for example.
      '';
    };
    enableImap = mkOption {
      type = types.bool;
      default = true;
@@ -683,6 +733,14 @@ in
      '';
    };
    imapMemoryLimit = mkOption {
      type = types.int;
      default = 256;
      description = ''
        The memory limit for the imap service, in megabytes.
      '';
    };
    enableImapSsl = mkOption {
      type = types.bool;
      default = true;
@@ -776,6 +834,19 @@ in
      '';
    };
    dkimKeyType = mkOption {
      type = types.enum [ "rsa" "ed25519" ];
      default = "rsa";
      description = ''
        The key type used for generating DKIM keys. ED25519 was introduced in RFC6376 (2018).
        If you have already deployed a key with a different type than specified
        here, then you should use a different selector ({option}`mailserver.dkimSelector`). In order to get
        this package to generate a key with the new type, you will either have to
        change the selector or delete the old key file.
      '';
    };
    dkimKeyBits = mkOption {
        type = types.int;
        default = 1024;
@@ -789,26 +860,6 @@ in
        '';
    };
    dkimHeaderCanonicalization = mkOption {
        type = types.enum ["relaxed" "simple"];
        default = "relaxed";
        description = ''
          DKIM canonicalization algorithm for message headers.
          See https://datatracker.ietf.org/doc/html/rfc6376/#section-3.4 for details.
        '';
    };
    dkimBodyCanonicalization = mkOption {
        type = types.enum ["relaxed" "simple"];
        default = "relaxed";
        description = ''
          DKIM canonicalization algorithm for message bodies.
          See https://datatracker.ietf.org/doc/html/rfc6376/#section-3.4 for details.
        '';
    };
    dmarcReporting = {
      enable = mkOption {
        type = types.bool;
@@ -868,6 +919,14 @@ in
          The sender name for DMARC reports. Defaults to the organization name.
        '';
      };
      excludeDomains = mkOption {
        type = types.listOf types.str;
        default = [];
        description = ''
          List of domains or eSLDs to be excluded from DMARC reports.
        '';
      };
    };
    debug = mkOption {
@@ -910,28 +969,19 @@ in
      address = mkOption {
        type = types.str;
        # read the default from nixos' redis module
-        default = let
+        default = config.services.redis.servers.rspamd.unixSocket;
-          cf = config.services.redis.servers.rspamd.bind;
+        defaultText = lib.literalExpression "config.services.redis.servers.rspamd.unixSocket";
          cfdefault = if cf == null then "127.0.0.1" else cf;
          ips = lib.strings.splitString " " cfdefault;
          ip = lib.lists.head (ips ++ [ "127.0.0.1" ]);
          isIpv6 = ip: lib.lists.elem ":" (lib.stringToCharacters ip);
        in
        if (ip == "0.0.0.0" || ip == "::")
        then "127.0.0.1"
        else if isIpv6 ip then "[${ip}]" else ip;
        defaultText = lib.literalMD "computed from `config.services.redis.servers.rspamd.bind`";
        description = ''
-          Address that rspamd should use to contact redis.
+          Path, IP address or hostname that Rspamd should use to contact Redis.
        '';
      };
      port = mkOption {
-        type = types.port;
+        type = with types; nullOr port;
-        default = config.services.redis.servers.rspamd.port;
+        default = null;
-        defaultText = lib.literalExpression "config.services.redis.servers.rspamd.port";
+        example = lib.literalExpression "config.services.redis.servers.rspamd.port";
        description = ''
-          Port that rspamd should use to contact redis.
+          Port that Rspamd should use to contact Redis.
        '';
      };
@@ -997,18 +1047,6 @@ in
      '';
    };
    policydSPFExtraConfig = mkOption {
      type = types.lines;
      default = "";
      example = ''
        skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
      '';
      description = ''
        Extra configuration options for policyd-spf. This can be use to among
        other things skip spf checking for some IP addresses.
      '';
    };
    monitoring = {
      enable = mkEnableOption "monitoring via monit";
@@ -1202,27 +1240,6 @@ in
    };
    rebootAfterKernelUpgrade = {
      enable = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = ''
          Whether to enable automatic reboot after kernel upgrades.
          This is to be used in conjunction with `system.autoUpgrade.enable = true;`
        '';
      };
      method = mkOption {
        type = types.enum [ "reboot" "systemctl kexec" ];
        default = "reboot";
        description = ''
          Whether to issue a full "reboot" or just a "systemctl kexec"-only reboot.
          It is recommended to use the default value because the quicker kexec reboot has a number of problems.
          Also if your server is running in a virtual machine the regular reboot will already be very quick.
        '';
      };
    };
    backup = {
      enable = mkEnableOption "backup via rsnapshot";
@@ -1284,9 +1301,33 @@ in
  };
  imports = [
    (lib.mkRemovedOptionModule [ "mailserver" "fullTextSearch" "maintenance" "enable" ] ''
    This option is not needed for fts-flatcurve
    '')
    (lib.mkRemovedOptionModule [ "mailserver" "fullTextSearch" "maintenance" "onCalendar" ] ''
    This option is not needed for fts-flatcurve
    '')
    (lib.mkRemovedOptionModule [ "mailserver" "fullTextSearch" "maintenance" "randomizedDelaySec" ] ''
    This option is not needed for fts-flatcurve
    '')
    (lib.mkRemovedOptionModule [ "mailserver" "fullTextSearch" "minSize" ] ''
    This option is not supported by fts-flatcurve
    '')
    (lib.mkRemovedOptionModule [ "mailserver" "fullTextSearch" "maxSize" ] ''
    This option is not needed since fts-xapian 1.8.3
    '')
    (lib.mkRemovedOptionModule [ "mailserver" "fullTextSearch" "indexAttachments" ] ''
    Text attachments are always indexed since fts-xapian 1.4.8
    '')
    (lib.mkRenamedOptionModule
      [ "mailserver" "rebootAfterKernelUpgrade" "enable" ]
      [ "system" "autoUpgrade" "allowReboot" ]
    )
    (lib.mkRemovedOptionModule [ "mailserver" "rebootAfterKernelUpgrade" "method" ] ''
    Use `system.autoUpgrade` instead.
    '')
    ./mail-server/assertions.nix
    ./mail-server/borgbackup.nix
    ./mail-server/debug.nix
    ./mail-server/rsnapshot.nix
    ./mail-server/clamav.nix
    ./mail-server/monit.nix
@@ -1295,11 +1336,19 @@ in
    ./mail-server/networking.nix
    ./mail-server/systemd.nix
    ./mail-server/dovecot.nix
    ./mail-server/opendkim.nix
    ./mail-server/postfix.nix
    ./mail-server/rspamd.nix
    ./mail-server/nginx.nix
    ./mail-server/kresd.nix
-    ./mail-server/post-upgrade-check.nix
+    (lib.mkRemovedOptionModule [ "mailserver" "policydSPFExtraConfig" ] ''
      SPF checking has been migrated to Rspamd, which makes this config redundant. Please look into the rspamd config to migrate your settings.
      It may be that they are redundant and are already configured in rspamd like for skip_addresses.
    '')
    (lib.mkRemovedOptionModule [ "mailserver" "dkimHeaderCanonicalization" ] ''
      DKIM signing has been migrated to Rspamd, which always uses relaxed canonicalization.
    '')
    (lib.mkRemovedOptionModule [ "mailserver" "dkimBodyCanonicalization" ] ''
      DKIM signing has been migrated to Rspamd, which always uses relaxed canonicalization.
    '')
  ];
 }
--- a/docs/add-radicale.rst
+++ b/docs/add-radicale.rst
@@ -24,12 +24,13 @@ have to be used. These can still be generated using `mkpasswd -m bcrypt`.
   in {
     services.radicale = {
       enable = true;
-       config = ''
+       settings = {
-         [auth]
+         auth = {
-         type = htpasswd
+           type = "htpasswd";
-         htpasswd_filename = ${htpasswd}
+           htpasswd_filename = "${htpasswd}";
-         htpasswd_encryption = bcrypt
+           htpasswd_encryption = "bcrypt";
-       '';
+         };
       };
     };
     services.nginx = {
--- a/docs/add-roundcube.rst
+++ b/docs/add-roundcube.rst
@@ -20,7 +20,7 @@ servers may require more work.
        extraConfig = ''
          # starttls needed for authentication, so the fqdn required to match
          # the certificate
-          $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
+          $config['smtp_host'] = "tls://${config.mailserver.fqdn}";
          $config['smtp_user'] = "%u";
          $config['smtp_pass'] = "%p";
        '';
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -17,9 +17,9 @@
 # -- Project information -----------------------------------------------------
-project = 'NixOS Mailserver'
+project = "NixOS Mailserver"
-copyright = '2022, NixOS Mailserver Contributors'
+copyright = "2022, NixOS Mailserver Contributors"
-author = 'NixOS Mailserver Contributors'
+author = "NixOS Mailserver Contributors"
 # -- General configuration ---------------------------------------------------
@@ -27,33 +27,31 @@ author = 'NixOS Mailserver Contributors'
 # Add any Sphinx extension module names here, as strings. They can be
 # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
 # ones.
-extensions = [
+extensions = ["myst_parser"]
    'myst_parser'
 ]
 myst_enable_extensions = [
-    'colon_fence',
+    "colon_fence",
-    'linkify',
+    "linkify",
 ]
 smartquotes = False
 # Add any paths that contain templates here, relative to this directory.
-templates_path = ['_templates']
+templates_path = ["_templates"]
 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.
 # This pattern also affects html_static_path and html_extra_path.
-exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store']
+exclude_patterns = ["_build", "Thumbs.db", ".DS_Store"]
-master_doc = 'index'
+master_doc = "index"
 # -- Options for HTML output -------------------------------------------------
 # The theme to use for HTML and HTML Help pages.  See the documentation for
 # a list of builtin themes.
 #
-html_theme = 'sphinx_rtd_theme'
+html_theme = "sphinx_rtd_theme"
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
--- a/docs/flakes.rst
+++ b/docs/flakes.rst
@@ -1,7 +1,7 @@
 Nix Flakes
 ==========
-If you're using `flakes <https://nixos.wiki/wiki/Flakes>`__, you can use
+If you're using `flakes <https://wiki.nixos.org/wiki/Flakes>`__, you can use
 the following minimal ``flake.nix`` as an example:
 .. code:: nix
--- a/docs/fts.rst
+++ b/docs/fts.rst
@@ -4,7 +4,7 @@ Full text search
 By default, when your IMAP client searches for an email containing some
 text in its *body*, dovecot will read all your email sequentially. This
 is very slow and IO intensive. To speed body searches up, it is possible to
-*index* emails with a plugin to dovecot, ``fts_xapian``.
+*index* emails with a plugin to dovecot, ``fts_flatcurve``.
 Enabling full text search
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -20,8 +20,6 @@ To enable indexing for full text search here is an example configuration.
        enable = true;
        # index new email as they arrive
        autoIndex = true;
        # this only applies to plain text attachments, binary attachments are never indexed
        indexAttachments = true;
        enforced = "body";
      };
    };
@@ -61,8 +59,8 @@ Mitigating resources requirements
 You can:
-* disable indexation of attachements ``mailserver.fullTextSearch.indexAttachments = false``
+* exclude some headers from indexation with ``mailserver.fullTextSearch.headerExcludes``
-* reduce the size of ngrams to be indexed ``mailserver.fullTextSearch.minSize`` and ``maxSize``
+* disable expensive token normalisation in ``mailserver.fullTextSearch.filters``
 * disable automatic indexation for some folders with
  ``mailserver.fullTextSearch.autoIndexExclude``.  Folders can be specified by
  name (``"Trash"``), by special use (``"\\Junk"``) or with a wildcard.
--- a/docs/howto-develop.rst
+++ b/docs/howto-develop.rst
@@ -4,13 +4,33 @@ Contribute or troubleshoot
 To report an issue, please go to
 `<https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues>`_.
-You can also chat with us on the Libera IRC channel ``#nixos-mailserver``.
+If you have questions, feel free to reach out:
 * Matrix: `#nixos-mailserver:nixos.org <https://matrix.to/#/#nixos-mailserver:nixos.org>`__
 * IRC: `#nixos-mailserver <ircs://irc.libera.chat/nixos-mailserver>`__ on `Libera Chat <https://libera.chat/guides/connect>`__
 All our workflows rely on Nix being configured with `Flakes <https://wiki.nixos.org/wiki/Flakes#Installing_flakes>`__.
 Development Shell
 -----------------
 We provide a `flake.nix` devshell that automatically sets up pre-commit hooks,
 which allows for fast feedback cycles when making changes to the repository.
 ::
  $ nix develop
 We recommend setting up `direnv <https://direnv.net/>`__ to automatically
 attach to the development environment when entering the project directories.
 Run NixOS tests
 ---------------
 To run the test suite, you need to enable `Nix Flakes
-<https://nixos.wiki/wiki/Flakes#Installing_flakes>`_.
+<https://wiki.nixos.org/wiki/Flakes#Installing_flakes>`__.
 You can then run the testsuite via
@@ -37,36 +57,10 @@ For the syntax, see the `RST/Sphinx primer
 <https://www.sphinx-doc.org/en/master/usage/restructuredtext/basics.html>`_.
 To build the documentation, you need to enable `Nix Flakes
-<https://nixos.wiki/wiki/Flakes#Installing_flakes>`_.
+<https://wiki.nixos.org/wiki/Flakes#Installing_flakes>`__.
 ::
   $ nix build .#documentation
   $ xdg-open result/index.html
 Nixops
 ------
 You can test the setup via ``nixops``. After installation, do
 ::
   $ nixops create nixops/single-server.nix nixops/vbox.nix -d mail
   $ nixops deploy -d mail
   $ nixops info -d mail
 You can then test the server via e.g. \ ``telnet``. To log into it, use
 ::
   $ nixops ssh -d mail mailserver
 Imap
 ----
 To test imap manually use
 ::
   $ openssl s_client -host mail.example.com -port 143 -starttls imap
--- a/docs/release-notes.rst
+++ b/docs/release-notes.rst
@@ -1,6 +1,56 @@
 Release Notes
 =============
 NixOS 25.05
 -----------
 - OpenDKIM has been removed and DKIM signing is now handled by Rspamd, which only supports ``relaxed`` canoncalizaliaton.
  (`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/374>`__)
 - Rspamd now connects to Redis over its Unix Domain Socket by default
  (`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/375>`__)
  - If you need to revert TCP connections, configure ``mailserver.redis.address`` to reference the value of ``config.services.redis.servers.rspamd.bind``.
 - The integration with policyd-spf was removed and SPF handling is now fully based on Rspamd scoring.
  (`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/380>`__)
 - Switch to the more efficient `fts-flatcurve` indexer for full text search
  (`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/361>`__).
  This makes use of a new index, which will be automatically re-generated the
  next time a folder is searched.
  The operation is now quick enough to be performed "just-in-time".
  Alternatively, all indices can be immediately re-generated for all users and
  folders by running
  .. code-block:: bash
    doveadm fts rescan -u '*' && doveadm index -u '*' -q '*'
  The previous index (which is not automatically discarded to allow rollbacks)
  can be cleaned up by removing all the `xapian-indexes` directories within
  ``mailserver.indexDir``.
 - Individual domains can now be excluded from DMARC Reporting through ``mailserver.dmarcReporting.excludedDomains``.
  (`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/297>`__)
 - Configuring ``mailserver.forwards`` is now possible when the setup relies on LDAP.
  (`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/313>`__)
 - Support for TLS 1.1 was disabled in accordance with `Mozilla's recommendations <https://ssl-config.mozilla.org/#server=postfix>`_.
  (`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/234>`__)
 NixOS 24.11
 -----------
 - No new feature, only bug fixes and documentation improvements
 NixOS 24.05
 -----------
 - Add new option ``acmeCertificateName`` which can be used to support
  wildcard certificates
 NixOS 23.11
 -----------
 - Add basic support for LDAP users
 - Add support for regex (PCRE) aliases
 NixOS 23.05
 -----------
@@ -34,7 +84,6 @@ NixOS 21.11
 - New option ``certificateDomains`` to generate certificate for
  additional domains (such as ``imap.example.com``)
 NixOS 21.05
 -----------
--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@@ -2,3 +2,4 @@ sphinx ~= 5.3
 sphinx_rtd_theme ~= 1.1
 myst-parser ~= 0.18
 linkify-it-py ~= 2.0
 standard-imghdr
--- a/docs/rspamd-tuning.rst
+++ b/docs/rspamd-tuning.rst
@@ -24,17 +24,14 @@ You can run the training in a root shell as follows:
 .. code:: bash
  # Path to the controller socket
  export RSOCK="/var/run/rspamd/worker-controller.sock"
  # Learn the Junk folder as spam
-  rspamc -h $RSOCK learn_spam /var/vmail/$DOMAIN/$USER/.Junk/cur/
+  rspamc learn_spam /var/vmail/$DOMAIN/$USER/.Junk/cur/
  # Learn the INBOX as ham
-  rspamc -h $RSOCK learn_ham /var/vmail/$DOMAIN/$USER/cur/
+  rspamc learn_ham /var/vmail/$DOMAIN/$USER/cur/
  # Check that training was successful
-  rspamc -h $RSOCK stat | grep learned
+  rspamc stat | grep learned
 Tune symbol weight
 ~~~~~~~~~~~~~~~~~~
--- a/docs/setup-guide.rst
+++ b/docs/setup-guide.rst
@@ -20,25 +20,30 @@ an up and running mail server. Once the server is deployed, we could
 then set all DNS entries required to send and receive mails on this
 server.
-Setup DNS A record for server
+Setup DNS A/AAAA records for server
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Add a DNS record to the domain ``example.com`` with the following
+Add DNS records to the domain ``example.com`` with the following
 entries
 ==================== ===== ==== =============
 Name (Subdomain)     TTL   Type Value
 ==================== ===== ==== =============
 ``mail.example.com`` 10800 A    ``1.2.3.4``
 ``mail.example.com`` 10800 AAAA ``2001::1``
 ==================== ===== ==== =============
 If your server does not have an IPv6 address, you must skip the `AAAA` record.
 You can check this with
 ::
-   $ ping mail.example.com
+   $ nix-shell -p bind --command "host -t A mail.example.com"
-   64 bytes from mail.example.com (1.2.3.4): icmp_seq=1 ttl=46 time=21.3 ms
+   mail.example.com has address 1.2.3.4
-   ...
+
   $ nix-shell -p bind --command "host -t AAAA mail.example.com"
   mail.example.com has address 2001::1
 Note that it can take a while until a DNS entry is propagated. This
 DNS entry is required for the Let's Encrypt certificate generation
@@ -58,9 +63,9 @@ common ones.
     imports = [
       (builtins.fetchTarball {
         # Pick a release version you are interested in and set its hash, e.g.
-         url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-23.05/nixos-mailserver-nixos-23.05.tar.gz";
+         url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-25.05/nixos-mailserver-nixos-25.05.tar.gz";
         # To get the sha256 of the nixos-mailserver tarball, we can use the nix-prefetch-url command:
-         # release="nixos-23.05"; nix-prefetch-url "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz" --unpack
+         # release="nixos-25.05"; nix-prefetch-url "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz" --unpack
         sha256 = "0000000000000000000000000000000000000000000000000000";
       })
     ];
@@ -98,8 +103,11 @@ Set rDNS (reverse DNS) entry for server
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 Wherever you have rented your server, you should be able to set reverse
-DNS entries for the IP’s you own. Add an entry resolving ``1.2.3.4``
+DNS entries for the IP’s you own:
-to ``mail.example.com``.
+
 - Add an entry resolving IPv4 address ``1.2.3.4`` to ``mail.example.com``.
 - Add an entry resolving IPv6 ``2001::1`` to ``mail.example.com``. Again, this
  must be skipped if your server does not have an IPv6 address.
 .. warning::
@@ -115,6 +123,9 @@ You can check this with
   $ nix-shell -p bind --command "host 1.2.3.4"
   4.3.2.1.in-addr.arpa domain name pointer mail.example.com.
   $ nix-shell -p bind --command "host 2001::1"
   1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.2.ip6.arpa domain name pointer mail.example.com.
 Note that it can take a while until a DNS entry is propagated.
 Set a ``MX`` record
@@ -162,25 +173,26 @@ Note that it can take a while until a DNS entry is propagated.
 Set ``DKIM`` signature
 ^^^^^^^^^^^^^^^^^^^^^^
-On your server, the ``opendkim`` systemd service generated a file
+On your server, the ``rspamd`` systemd service generated a file
 containing your DKIM public key in the file
 ``/var/dkim/example.com.mail.txt``. The content of this file looks
 like
 ::
-   mail._domainkey IN TXT "v=DKIM1; k=rsa; s=email; p=<really-long-key>" ; ----- DKIM mail for domain.tld
+   mail._domainkey	IN	TXT	( "v=DKIM1; k=rsa; "
      "p=<really-long-key>" )  ; ----- DKIM key mail for nixos.org
 where ``really-long-key`` is your public key.
 Based on the content of this file, we can add a ``DKIM`` record to the
 domain ``example.com``.
-=========================== ===== ==== ==============================
+=========================== ===== ==== ================================================
 Name (Subdomain)            TTL   Type Value
-=========================== ===== ==== ==============================
+=========================== ===== ==== ================================================
-mail._domainkey.example.com 10800 TXT  ``v=DKIM1; p=<really-long-key>``
+mail._domainkey.example.com 10800 TXT  ``v=DKIM1; k=rsa; s=email; p=<really-long-key>``
-=========================== ===== ==== ==============================
+=========================== ===== ==== ================================================
 You can check this with
--- a/flake.lock
+++ b/flake.lock
@@ -19,11 +19,11 @@
    "flake-compat": {
      "flake": false,
      "locked": {
-        "lastModified": 1668681692,
+        "lastModified": 1747046372,
-        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
        "type": "github"
      },
      "original": {
@@ -32,74 +32,90 @@
        "type": "github"
      }
    },
    "git-hooks": {
      "inputs": {
        "flake-compat": [
          "flake-compat"
        ],
        "gitignore": "gitignore",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1742649964,
        "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "type": "github"
      }
    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
          "git-hooks",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1709087332,
        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1670751203,
+        "lastModified": 1747179050,
-        "narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=",
+        "narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60",
+        "rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e",
        "type": "github"
      },
      "original": {
-        "id": "nixpkgs",
+        "owner": "NixOS",
        "ref": "nixos-unstable",
-        "type": "indirect"
+        "repo": "nixpkgs",
        "type": "github"
      }
    },
-    "nixpkgs-22_11": {
+    "nixpkgs-25_05": {
      "locked": {
-        "lastModified": 1669558522,
+        "lastModified": 1747610100,
-        "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
+        "narHash": "sha256-rpR5ZPMkWzcnCcYYo3lScqfuzEw5Uyfh+R0EKZfroAc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
+        "rev": "ca49c4304acf0973078db0a9d200fd2bae75676d",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
        "ref": "nixos-22.11",
        "type": "indirect"
      }
    },
    "nixpkgs-23_05": {
      "locked": {
        "lastModified": 1684782344,
        "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
        "owner": "NixOS",
        "ref": "nixos-25.05",
        "repo": "nixpkgs",
        "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
        "ref": "nixos-23.05",
        "type": "indirect"
      }
    },
    "root": {
      "inputs": {
        "blobs": "blobs",
        "flake-compat": "flake-compat",
        "git-hooks": "git-hooks",
        "nixpkgs": "nixpkgs",
-        "nixpkgs-22_11": "nixpkgs-22_11",
+        "nixpkgs-25_05": "nixpkgs-25_05"
        "nixpkgs-23_05": "nixpkgs-23_05",
        "utils": "utils"
      }
    },
    "utils": {
      "locked": {
        "lastModified": 1605370193,
        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "5021eac20303a61fafe17224c087f5519baed54d",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    }
  },
--- a/flake.nix
+++ b/flake.nix
@@ -3,47 +3,62 @@
  inputs = {
    flake-compat = {
      # for shell.nix compat
      url = "github:edolstra/flake-compat";
      flake = false;
    };
-    utils.url = "github:numtide/flake-utils";
+    git-hooks = {
-    nixpkgs.url = "flake:nixpkgs/nixos-unstable";
+      url = "github:cachix/git-hooks.nix";
-    nixpkgs-22_11.url = "flake:nixpkgs/nixos-22.11";
+      inputs.flake-compat.follows = "flake-compat";
-    nixpkgs-23_05.url = "flake:nixpkgs/nixos-23.05";
+      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    nixpkgs-25_05.url = "github:NixOS/nixpkgs/nixos-25.05";
    blobs = {
      url = "gitlab:simple-nixos-mailserver/blobs";
      flake = false;
    };
  };
-  outputs = { self, utils, blobs, nixpkgs, nixpkgs-22_11, nixpkgs-23_05, ... }: let
+  outputs = { self, blobs, git-hooks, nixpkgs, nixpkgs-25_05, ... }: let
    lib = nixpkgs.lib;
    system = "x86_64-linux";
    pkgs = nixpkgs.legacyPackages.${system};
    releases = [
      {
        name = "unstable";
        nixpkgs = nixpkgs;
        pkgs = nixpkgs.legacyPackages.${system};
      }
      {
-        name = "23.05";
+        name = "25.05";
-        pkgs = nixpkgs-23_05.legacyPackages.${system};
+        nixpkgs = nixpkgs-25_05;
        pkgs = nixpkgs-25_05.legacyPackages.${system};
      }
    ];
    testNames = [
      "internal"
      "external"
      "clamav"
-      "multiple"
+      "external"
      "internal"
      "ldap"
      "multiple"
    ];
-    genTest = testName: release: {
+
-      "name"= "${testName}-${builtins.replaceStrings ["."] ["_"] release.name}";
+    genTest = testName: release: let
      "value"= import (./tests/. + "/${testName}.nix") {
      pkgs = release.pkgs;
-        inherit blobs;
+      nixos-lib = import (release.nixpkgs + "/nixos/lib") {
        inherit (pkgs) lib;
      };
    in {
      name = "${testName}-${builtins.replaceStrings ["."] ["_"] release.name}";
      value = nixos-lib.runTest {
        hostPkgs = pkgs;
        imports = [ ./tests/${testName}.nix ];
        _module.args = { inherit blobs; };
        extraBaseModules.imports = [ ./default.nix ];
      };
    };
    # Generate an attribute set such as
    # {
    #   external-unstable = <derivation>;
@@ -81,6 +96,7 @@
    in pkgs.runCommand "options.md" { buildInputs = [pkgs.python3Minimal]; } ''
      echo "Generating options.md from ${options}"
      python ${./scripts/generate-options.py} ${options} > $out
      echo $out
    '';
    documentation = pkgs.stdenv.mkDerivation {
@@ -91,6 +107,7 @@
          sphinx
          sphinx_rtd_theme
          myst-parser
          linkify-it-py
        ])
      )];
      buildPhase = ''
@@ -112,16 +129,64 @@
    nixosModule = self.nixosModules.default; # compatibility
    hydraJobs.${system} = allTests // {
      inherit documentation;
      inherit (self.checks.${system}) pre-commit;
    };
    checks.${system} = allTests // {
      pre-commit = git-hooks.lib.${system}.run {
        src = ./.;
        hooks = {
          # docs
          markdownlint = {
            enable = true;
            settings.configuration = {
              # Max line length, doesn't seem to correclty account for lines containing links
              # https://github.com/DavidAnson/markdownlint/blob/main/doc/md013.md
              MD013 = false;
            };
          };
          rstcheck = {
            enable = true;
            package = pkgs.rstcheckWithSphinx;
            entry = lib.getExe pkgs.rstcheckWithSphinx;
            files = "\\.rst$";
          };
          # nix
          deadnix.enable = true;
          # python
          pyright.enable = true;
          ruff = {
            enable = true;
            args = [
              "--extend-select"
              "I"
            ];
          };
          ruff-format.enable = true;
          # scripts
          shellcheck.enable = true;
          # sieve
          check-sieve = {
            enable = true;
            package = pkgs.check-sieve;
            entry = lib.getExe pkgs.check-sieve;
            files = "\\.sieve$";
          };
        };
      };
    };
    checks.${system} = allTests;
    packages.${system} = {
      inherit optionsDoc documentation;
    };
-    devShells.${system}.default = pkgs.mkShell {
+    devShells.${system}.default = pkgs.mkShellNoCC {
      inputsFrom = [ documentation ];
      packages = with pkgs; [
-        clamav
+        glab
-      ];
+      ] ++ self.checks.${system}.pre-commit.enabledPackages;
      shellHook = self.checks.${system}.pre-commit.shellHook;
    };
    devShell.${system} = self.devShells.${system}.default; # compatibility
  };
--- a/mail-server/assertions.nix
+++ b/mail-server/assertions.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:
 {
  assertions = lib.optionals config.mailserver.ldap.enable [
    {
@@ -9,9 +9,10 @@
      assertion = config.mailserver.extraVirtualAliases == {};
      message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.extraVirtualAliases";
    }
  ] ++ lib.optionals (config.mailserver.enable && config.mailserver.certificateScheme != "acme") [
    {
-      assertion = config.mailserver.forwards == {};
+      assertion = config.mailserver.acmeCertificateName == config.mailserver.fqdn;
-      message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.forwards";
+      message = "When the certificate scheme is not 'acme' (mailserver.certificateScheme != \"acme\"), it is not possible to define mailserver.acmeCertificateName";
    }
  ];
 }
--- a/mail-server/clamav.nix
+++ b/mail-server/clamav.nix
@@ -14,7 +14,7 @@
 #  You should have received a copy of the GNU General Public License
 #  along with this program. If not, see <http://www.gnu.org/licenses/>
-{ config, pkgs, lib, options, ... }:
+{ config, lib, ... }:
 let
  cfg = config.mailserver;
--- a/mail-server/common.nix
+++ b/mail-server/common.nix
@@ -26,7 +26,7 @@ in
             else if cfg.certificateScheme == "selfsigned"
                  then "${cfg.certificateDirectory}/cert-${cfg.fqdn}.pem"
                  else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
-                       then "${config.security.acme.certs.${cfg.fqdn}.directory}/fullchain.pem"
+                       then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/fullchain.pem"
                       else throw "unknown certificate scheme";
  # key :: PATH
@@ -35,7 +35,7 @@ in
        else if cfg.certificateScheme == "selfsigned"
             then "${cfg.certificateDirectory}/key-${cfg.fqdn}.pem"
              else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
-                   then "${config.security.acme.certs.${cfg.fqdn}.directory}/key.pem"
+                   then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/key.pem"
                   else throw "unknown certificate scheme";
  passwordFiles = let
@@ -49,7 +49,7 @@ in
  # Appends the LDAP bind password to files to avoid writing this
  # password into the Nix store.
  appendLdapBindPwd = {
-    name, file, prefix, passwordFile, destination
+    name, file, prefix, suffix ? "", passwordFile, destination
  }: pkgs.writeScript "append-ldap-bind-pwd-in-${name}" ''
    #!${pkgs.stdenv.shell}
    set -euo pipefail
@@ -61,8 +61,9 @@ in
    fi
    cat ${file} > ${destination}
-    echo -n "${prefix}" >> ${destination}
+    echo -n '${prefix}' >> ${destination}
-    cat ${passwordFile} >> ${destination}
+    cat ${passwordFile} | tr -d '\n' >> ${destination}
    echo -n '${suffix}' >> ${destination}
    chmod 600 ${destination}
  '';
--- a/mail-server/debug.nix
+++ b/mail-server/debug.nix
@@ -1,4 +0,0 @@
 { config, lib, ... }:
 {
  mailserver.policydSPFExtraConfig = lib.mkIf config.mailserver.debug "debugLevel = 4";
 }
--- a/mail-server/dovecot.nix
+++ b/mail-server/dovecot.nix
@@ -14,7 +14,7 @@
 #  You should have received a copy of the GNU General Public License
 #  along with this program. If not, see <http://www.gnu.org/licenses/>
-{ config, pkgs, lib, ... }:
+{ options, config, pkgs, lib, ... }:
 with (import ./common.nix { inherit config pkgs lib; });
@@ -26,40 +26,24 @@ let
  userdbFile = "${passwdDir}/userdb";
  # This file contains the ldap bind password
  ldapConfFile = "${passwdDir}/dovecot-ldap.conf.ext";
-  bool2int = x: if x then "1" else "0";
+  boolToYesNo = x: if x then "yes" else "no";
  listToLine = lib.concatStringsSep " ";
  listToMultiAttrs = keyPrefix: attrs: lib.listToAttrs (lib.imap1 (n: x: {
    name = "${keyPrefix}${if n==1 then "" else toString n}";
    value = x;
  }) attrs);
  maildirLayoutAppendix = lib.optionalString cfg.useFsLayout ":LAYOUT=fs";
  maildirUTF8FolderNames = lib.optionalString cfg.useUTF8FolderNames ":UTF-8";
  # maildir in format "/${domain}/${user}"
  dovecotMaildir =
-    "maildir:${cfg.mailDirectory}/%d/%n${maildirLayoutAppendix}${maildirUTF8FolderNames}"
+    "maildir:${cfg.mailDirectory}/%{domain}/%{username}${maildirLayoutAppendix}${maildirUTF8FolderNames}"
    + (lib.optionalString (cfg.indexDir != null)
-       ":INDEX=${cfg.indexDir}/%d/%n"
+       ":INDEX=${cfg.indexDir}/%{domain}/%{username}"
      );
  postfixCfg = config.services.postfix;
  dovecot2Cfg = config.services.dovecot2;
  stateDir = "/var/lib/dovecot";
  pipeBin = pkgs.stdenv.mkDerivation {
    name = "pipe_bin";
    src = ./dovecot/pipe_bin;
    buildInputs = with pkgs; [ makeWrapper coreutils bash rspamd ];
    buildCommand = ''
      mkdir -p $out/pipe/bin
      cp $src/* $out/pipe/bin/
      chmod a+x $out/pipe/bin/*
      patchShebangs $out/pipe/bin
      for file in $out/pipe/bin/*; do
        wrapProgram $file \
          --set PATH "${pkgs.coreutils}/bin:${pkgs.rspamd}/bin"
      done
    '';
  };
  ldapConfig = pkgs.writeTextFile {
    name = "dovecot-ldap.conf.ext.template";
@@ -76,7 +60,7 @@ let
      auth_bind = yes
      base = ${cfg.ldap.searchBase}
      scope = ${mkLdapSearchScope cfg.ldap.searchScope}
-      ${lib.optionalString (cfg.ldap.dovecot.userAttrs != "") ''
+      ${lib.optionalString (cfg.ldap.dovecot.userAttrs != null) ''
      user_attrs = ${cfg.ldap.dovecot.userAttrs}
      ''}
      user_filter = ${cfg.ldap.dovecot.userFilter}
@@ -90,7 +74,8 @@ let
  setPwdInLdapConfFile = appendLdapBindPwd {
    name = "ldap-conf-file";
    file = ldapConfig;
-    prefix = "dnpass = ";
+    prefix = ''dnpass = "'';
    suffix = ''"'';
    passwordFile = cfg.ldap.bind.passwordFile;
    destination = ldapConfFile;
  };
@@ -108,7 +93,7 @@ let
    # Prevent world-readable password files, even temporarily.
    umask 077
-    for f in ${builtins.toString (lib.mapAttrsToList (name: value: passwordFiles."${name}") cfg.loginAccounts)}; do
+    for f in ${builtins.toString (lib.mapAttrsToList (name: _: passwordFiles."${name}") cfg.loginAccounts)}; do
      if [ ! -f "$f" ]; then
        echo "Expected password hash file $f does not exist!"
        exit 1
@@ -116,7 +101,7 @@ let
    done
    cat <<EOF > ${passwdFile}
-    ${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value:
+    ${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: _:
      "${name}:${"$(head -n 1 ${passwordFiles."${name}"})"}::::::"
    ) cfg.loginAccounts)}
    EOF
@@ -124,14 +109,12 @@ let
    cat <<EOF > ${userdbFile}
    ${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value:
      "${name}:::::::"
-        + (if lib.isString value.quota
+        + lib.optionalString (value.quota != null) "userdb_quota_rule=*:storage=${value.quota}"
              then "userdb_quota_rule=*:storage=${value.quota}"
              else "")
    ) cfg.loginAccounts)}
    EOF
  '';
-  junkMailboxes = builtins.attrNames (lib.filterAttrs (n: v: v ? "specialUse" && v.specialUse == "Junk") cfg.mailboxes);
+  junkMailboxes = builtins.attrNames (lib.filterAttrs (_: v: v ? "specialUse" && v.specialUse == "Junk") cfg.mailboxes);
  junkMailboxNumber = builtins.length junkMailboxes;
  # The assertion garantees there is exactly one Junk mailbox.
  junkMailboxName = if junkMailboxNumber == 1 then builtins.elemAt junkMailboxes 0 else "";
@@ -142,6 +125,24 @@ let
    else scope
  );
  dovecotModules = [
    pkgs.dovecot_pigeonhole
  ] ++ lib.optional cfg.fullTextSearch.enable pkgs.dovecot-fts-flatcurve;
  # Remove and assume `false` after NixOS 25.05
  haveDovecotModulesOption = options.services.dovecot2 ? "modules" && (options.services.dovecot2.modules.visible or true);
  ftsPluginSettings = {
    fts = "flatcurve";
    fts_languages = listToLine cfg.fullTextSearch.languages;
    fts_tokenizers = listToLine [ "generic" "email-address" ];
    fts_tokenizer_email_address = "maxlen=100"; # default 254 too large for Xapian
    fts_flatcurve_substring_search = boolToYesNo cfg.fullTextSearch.substringSearch;
    fts_filters = listToLine cfg.fullTextSearch.filters;
    fts_header_excludes = listToLine cfg.fullTextSearch.headerExcludes;
    fts_autoindex = boolToYesNo cfg.fullTextSearch.autoIndex;
    fts_enforced = cfg.fullTextSearch.enforced;
  } // (listToMultiAttrs "fts_autoindex_exclude" cfg.fullTextSearch.autoIndexExclude);
 in
 {
  config = with cfg; lib.mkIf enable {
@@ -152,14 +153,33 @@ in
      }
    ];
    warnings =
      (lib.optional (
        (builtins.length cfg.fullTextSearch.languages > 1) &&
        (builtins.elem "stopwords" cfg.fullTextSearch.filters)
      ) ''
        Using stopwords in `mailserver.fullTextSearch.filters` with multiple
        languages in `mailserver.fullTextSearch.languages` configured WILL
        cause some searches to fail.
        The recommended solution is to NOT use the stopword filter when
        multiple languages are present in the configuration.
      '')
    ;
    # for sieve-test. Shelling it in on demand usually doesnt' work, as it reads
    # the global config and tries to open shared libraries configured in there,
    # which are usually not compatible.
    environment.systemPackages = [
      pkgs.dovecot_pigeonhole
-    ];
+    ] ++ lib.optionals (!haveDovecotModulesOption) dovecotModules;
-    services.dovecot2 = {
+    # For compatibility with python imaplib
    environment.etc = lib.mkIf (!haveDovecotModulesOption) {
      "dovecot/modules".source = "/run/current-system/sw/lib/dovecot/modules";
    };
    services.dovecot2 = lib.mkMerge [{
      enable = true;
      enableImap = enableImap || enableImapSsl;
      enablePop3 = enablePop3 || enablePop3Ssl;
@@ -171,12 +191,24 @@ in
      sslServerCert = certificatePath;
      sslServerKey = keyPath;
      enableLmtp = true;
-      modules = [ pkgs.dovecot_pigeonhole ] ++ (lib.optional cfg.fullTextSearch.enable pkgs.dovecot_fts_xapian );
+      mailPlugins.globally.enable = lib.optionals cfg.fullTextSearch.enable [
-      mailPlugins.globally.enable = lib.optionals cfg.fullTextSearch.enable [ "fts" "fts_xapian" ];
+        "fts"
        "fts_flatcurve"
      ];
      protocols = lib.optional cfg.enableManageSieve "sieve";
-      sieveScripts = {
+      pluginSettings = {
-        after = builtins.toFile "spam.sieve" ''
+        sieve = "file:${cfg.sieveDirectory}/%{user}/scripts;active=${cfg.sieveDirectory}/%{user}/active.sieve";
        sieve_default = "file:${cfg.sieveDirectory}/%{user}/default.sieve";
        sieve_default_name = "default";
      } // (lib.optionalAttrs cfg.fullTextSearch.enable ftsPluginSettings);
      sieve = {
        extensions = [
          "fileinto"
        ];
        scripts.after = builtins.toFile "spam.sieve" ''
          require "fileinto";
          if header :is "X-Spam" "Yes" {
@@ -184,8 +216,29 @@ in
              stop;
          }
        '';
        pipeBins = map lib.getExe [
          (pkgs.writeShellScriptBin "rspamd-learn-ham.sh"
            "exec ${pkgs.rspamd}/bin/rspamc -h /run/rspamd/worker-controller.sock learn_ham")
          (pkgs.writeShellScriptBin "rspamd-learn-spam.sh"
            "exec ${pkgs.rspamd}/bin/rspamc -h /run/rspamd/worker-controller.sock learn_spam")
        ];
      };
      imapsieve.mailbox = [
        {
          name = junkMailboxName;
          causes = [ "COPY" "APPEND" ];
          before = ./dovecot/imap_sieve/report-spam.sieve;
        }
        {
          name = "*";
          from = junkMailboxName;
          causes = [ "COPY" ];
          before = ./dovecot/imap_sieve/report-ham.sieve;
        }
      ];
      mailboxes = cfg.mailboxes;
      extraConfig = ''
@@ -244,14 +297,18 @@ in
          mail_plugins = $mail_plugins imap_sieve
        }
        service imap {
          vsz_limit = ${builtins.toString cfg.imapMemoryLimit} MB
        }
        protocol pop3 {
          mail_max_userip_connections = ${toString cfg.maxConnectionsPerUser}
        }
        mail_access_groups = ${vmailGroupName}
        ssl = required
-        ssl_min_protocol = TLSv1.2
+        ssl_min_protocol = TLSv1
-        ssl_prefer_server_ciphers = yes
+        ssl_prefer_server_ciphers = no
        service lmtp {
          unix_listener dovecot-lmtp {
@@ -259,6 +316,17 @@ in
            mode = 0600
            user = ${postfixCfg.user}
          }
          vsz_limit = ${builtins.toString cfg.lmtpMemoryLimit} MB
        }
        service quota-status {
          inet_listener {
            port = 0
          }
          unix_listener quota-status {
            user = postfix
          }
          vsz_limit = ${builtins.toString cfg.quotaStatusMemoryLimit} MB
        }
        recipient_delimiter = ${cfg.recipientDelimiter}
@@ -288,7 +356,7 @@ in
        userdb {
          driver = ldap
          args = ${ldapConfFile}
-          default_fields = home=/var/vmail/ldap/%u uid=${toString cfg.vmailUID} gid=${toString cfg.vmailUID}
+          default_fields = home=/var/vmail/ldap/%{user} uid=${toString cfg.vmailUID} gid=${toString cfg.vmailUID}
        }
        ''}
@@ -307,90 +375,27 @@ in
          inbox = yes
        }
        plugin {
          sieve_plugins = sieve_imapsieve sieve_extprograms
          sieve = file:${cfg.sieveDirectory}/%u/scripts;active=${cfg.sieveDirectory}/%u/active.sieve
          sieve_default = file:${cfg.sieveDirectory}/%u/default.sieve
          sieve_default_name = default
          # From elsewhere to Spam folder
          imapsieve_mailbox1_name = ${junkMailboxName}
          imapsieve_mailbox1_causes = COPY,APPEND
          imapsieve_mailbox1_before = file:${stateDir}/imap_sieve/report-spam.sieve
          # From Spam folder to elsewhere
          imapsieve_mailbox2_name = *
          imapsieve_mailbox2_from = ${junkMailboxName}
          imapsieve_mailbox2_causes = COPY
          imapsieve_mailbox2_before = file:${stateDir}/imap_sieve/report-ham.sieve
          sieve_pipe_bin_dir = ${pipeBin}/pipe/bin
          sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
        }
        ${lib.optionalString cfg.fullTextSearch.enable ''
        plugin {
          plugin = fts fts_xapian
          fts = xapian
          fts_xapian = partial=${toString cfg.fullTextSearch.minSize} full=${toString cfg.fullTextSearch.maxSize} attachments=${bool2int cfg.fullTextSearch.indexAttachments} verbose=${bool2int cfg.debug}
          fts_autoindex = ${if cfg.fullTextSearch.autoIndex then "yes" else "no"}
          ${lib.strings.concatImapStringsSep "\n" (n: x: "fts_autoindex_exclude${if n==1 then "" else toString n} = ${x}") cfg.fullTextSearch.autoIndexExclude}
          fts_enforced = ${cfg.fullTextSearch.enforced}
        }
        ${lib.optionalString (cfg.fullTextSearch.memoryLimit != null) ''
        service indexer-worker {
        ${lib.optionalString (cfg.fullTextSearch.memoryLimit != null) ''
          vsz_limit = ${toString (cfg.fullTextSearch.memoryLimit*1024*1024)}
        ''}
        }
        ''}
        ''}
        lda_mailbox_autosubscribe = yes
        lda_mailbox_autocreate = yes
      '';
-    };
+    }
      (lib.mkIf haveDovecotModulesOption {
        modules = dovecotModules;
      })
    ];
    systemd.services.dovecot2 = {
      preStart = ''
        ${genPasswdScript}
        rm -rf '${stateDir}/imap_sieve'
        mkdir '${stateDir}/imap_sieve'
        cp -p "${./dovecot/imap_sieve}"/*.sieve '${stateDir}/imap_sieve/'
        for k in "${stateDir}/imap_sieve"/*.sieve ; do
          ${pkgs.dovecot_pigeonhole}/bin/sievec "$k"
        done
        chown -R '${dovecot2Cfg.mailUser}:${dovecot2Cfg.mailGroup}' '${stateDir}/imap_sieve'
      '' + (lib.optionalString cfg.ldap.enable setPwdInLdapConfFile);
    };
    systemd.services.postfix.restartTriggers = [ genPasswdScript ] ++ (lib.optional cfg.ldap.enable [setPwdInLdapConfFile]);
    systemd.services.dovecot-fts-xapian-optimize = lib.mkIf (cfg.fullTextSearch.enable && cfg.fullTextSearch.maintenance.enable) {
      description = "Optimize dovecot indices for fts_xapian";
      requisite = [ "dovecot2.service" ];
      after = [ "dovecot2.service" ];
      startAt = cfg.fullTextSearch.maintenance.onCalendar;
      serviceConfig = {
        Type = "oneshot";
        ExecStart = "${pkgs.dovecot}/bin/doveadm fts optimize -A";
        PrivateDevices = true;
        PrivateNetwork = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectSystem = true;
        PrivateTmp = true;
      };
    };
    systemd.timers.dovecot-fts-xapian-optimize = lib.mkIf (cfg.fullTextSearch.enable && cfg.fullTextSearch.maintenance.enable && cfg.fullTextSearch.maintenance.randomizedDelaySec != 0) {
      timerConfig = {
        RandomizedDelaySec = cfg.fullTextSearch.maintenance.randomizedDelaySec;
      };
    };
  };
 }
--- a/mail-server/dovecot/imap_sieve/report-ham.sieve
+++ b/mail-server/dovecot/imap_sieve/report-ham.sieve
@@ -12,4 +12,4 @@ if environment :matches "imap.user" "*" {
  set "username" "${1}";
 }
-pipe :copy "sa-learn-ham.sh" [ "${username}" ];
+pipe :copy "rspamd-learn-ham.sh" [ "${username}" ];
--- a/mail-server/dovecot/imap_sieve/report-spam.sieve
+++ b/mail-server/dovecot/imap_sieve/report-spam.sieve
@@ -4,4 +4,4 @@ if environment :matches "imap.user" "*" {
  set "username" "${1}";
 }
-pipe :copy "sa-learn-spam.sh" [ "${username}" ];
+pipe :copy "rspamd-learn-spam.sh" [ "${username}" ];
--- a/mail-server/dovecot/pipe_bin/sa-learn-ham.sh
+++ b/mail-server/dovecot/pipe_bin/sa-learn-ham.sh
@@ -1,3 +0,0 @@
 #!/bin/bash
 set -o errexit
 exec rspamc -h /run/rspamd/worker-controller.sock learn_ham
--- a/mail-server/dovecot/pipe_bin/sa-learn-spam.sh
+++ b/mail-server/dovecot/pipe_bin/sa-learn-spam.sh
@@ -1,3 +0,0 @@
 #!/bin/bash
 set -o errexit
 exec rspamc -h /run/rspamd/worker-controller.sock learn_spam
--- a/mail-server/environment.nix
+++ b/mail-server/environment.nix
@@ -22,7 +22,7 @@ in
 {
  config = with cfg; lib.mkIf enable {
    environment.systemPackages = with pkgs; [
-      dovecot opendkim openssh postfix rspamd
+      dovecot openssh postfix rspamd
    ] ++ (if certificateScheme == "selfsigned" then [ openssl ] else []);
  };
 }
--- a/mail-server/kresd.nix
+++ b/mail-server/kresd.nix
@@ -14,7 +14,7 @@
 #  You should have received a copy of the GNU General Public License
 #  along with this program. If not, see <http://www.gnu.org/licenses/>
-{ config, pkgs, lib, ... }:
+{ config, lib, ... }:
 let
  cfg = config.mailserver;
--- a/mail-server/monit.nix
+++ b/mail-server/monit.nix
@@ -14,7 +14,7 @@
 #  You should have received a copy of the GNU General Public License
 #  along with this program. If not, see <http://www.gnu.org/licenses/>
-{ config, pkgs, lib, ... }:
+{ config, lib, ... }:
 let
  cfg = config.mailserver;
--- a/mail-server/nginx.nix
+++ b/mail-server/nginx.nix
@@ -17,11 +17,10 @@
 { config, pkgs, lib, ... }:
-with (import ./common.nix { inherit config; });
+with (import ./common.nix { inherit config lib pkgs; });
 let
  cfg = config.mailserver;
  acmeRoot = "/var/lib/acme/acme-challenge";
 in
 {
  config = lib.mkIf (cfg.enable && (cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx")) {
@@ -32,11 +31,10 @@ in
        serverAliases = cfg.certificateDomains;
        forceSSL = true;
        enableACME = true;
        acmeRoot = acmeRoot;
      };
    };
-    security.acme.certs."${cfg.fqdn}".reloadServices = [
+    security.acme.certs."${cfg.acmeCertificateName}".reloadServices = [
      "postfix.service"
      "dovecot2.service"
    ];
--- a/mail-server/opendkim.nix
+++ b/mail-server/opendkim.nix
@@ -1,89 +0,0 @@
 #  nixos-mailserver: a simple mail server
 #  Copyright (C) 2017  Brian Olsen
 #
 #  This program is free software: you can redistribute it and/or modify
 #  it under the terms of the GNU General Public License as published by
 #  the Free Software Foundation, either version 3 of the License, or
 #  (at your option) any later version.
 #
 #  This program is distributed in the hope that it will be useful,
 #  but WITHOUT ANY WARRANTY; without even the implied warranty of
 #  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 #  GNU General Public License for more details.
 #
 #  You should have received a copy of the GNU General Public License
 #  along with this program. If not, see <http://www.gnu.org/licenses/>
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.mailserver;
  dkimUser = config.services.opendkim.user;
  dkimGroup = config.services.opendkim.group;
  createDomainDkimCert = dom:
    let
      dkim_key = "${cfg.dkimKeyDirectory}/${dom}.${cfg.dkimSelector}.key";
      dkim_txt = "${cfg.dkimKeyDirectory}/${dom}.${cfg.dkimSelector}.txt";
    in
        ''
          if [ ! -f "${dkim_key}" ]
          then
              ${pkgs.opendkim}/bin/opendkim-genkey -s "${cfg.dkimSelector}" \
                                                   -d "${dom}" \
                                                   --bits="${toString cfg.dkimKeyBits}" \
                                                   --directory="${cfg.dkimKeyDirectory}"
              mv "${cfg.dkimKeyDirectory}/${cfg.dkimSelector}.private" "${dkim_key}"
              mv "${cfg.dkimKeyDirectory}/${cfg.dkimSelector}.txt" "${dkim_txt}"
              chmod 644 "${dkim_txt}"
              echo "Generated key for domain ${dom} selector ${cfg.dkimSelector}"
          fi
        '';
  createAllCerts = lib.concatStringsSep "\n" (map createDomainDkimCert cfg.domains);
  keyTable = pkgs.writeText "opendkim-KeyTable"
    (lib.concatStringsSep "\n" (lib.flip map cfg.domains
      (dom: "${dom} ${dom}:${cfg.dkimSelector}:${cfg.dkimKeyDirectory}/${dom}.${cfg.dkimSelector}.key")));
  signingTable = pkgs.writeText "opendkim-SigningTable"
    (lib.concatStringsSep "\n" (lib.flip map cfg.domains (dom: "${dom} ${dom}")));
  dkim = config.services.opendkim;
  args = [ "-f" "-l" ] ++ lib.optionals (dkim.configFile != null) [ "-x" dkim.configFile ];
 in
 {
    config = mkIf (cfg.dkimSigning && cfg.enable) {
      services.opendkim = {
        enable = true;
        selector = cfg.dkimSelector;
        keyPath = cfg.dkimKeyDirectory;
        domains = "csl:${builtins.concatStringsSep "," cfg.domains}";
        configFile = pkgs.writeText "opendkim.conf" (''
          Canonicalization ${cfg.dkimHeaderCanonicalization}/${cfg.dkimBodyCanonicalization}
          UMask 0002
          Socket ${dkim.socket}
          KeyTable file:${keyTable}
          SigningTable file:${signingTable}
        '' + (lib.optionalString cfg.debug ''
          Syslog yes
          SyslogSuccess yes
          LogWhy yes
        ''));
      };
      users.users = optionalAttrs (config.services.postfix.user == "postfix") {
        postfix.extraGroups = [ "${dkimGroup}" ];
      };
      systemd.services.opendkim = {
        preStart = lib.mkForce createAllCerts;
        serviceConfig = {
          ExecStart = lib.mkForce "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs args}";
          PermissionsStartOnly = lib.mkForce false;
        };
      };
      systemd.tmpfiles.rules = [
        "d '${cfg.dkimKeyDirectory}' - ${dkimUser} ${dkimGroup} - -"
      ];
    };
 }
--- a/mail-server/post-upgrade-check.nix
+++ b/mail-server/post-upgrade-check.nix
@@ -1,46 +0,0 @@
 #  nixos-mailserver: a simple mail server
 #  Copyright (C) 2016-2018  Robin Raymond
 #
 #  This program is free software: you can redistribute it and/or modify
 #  it under the terms of the GNU General Public License as published by
 #  the Free Software Foundation, either version 3 of the License, or
 #  (at your option) any later version.
 #
 #  This program is distributed in the hope that it will be useful,
 #  but WITHOUT ANY WARRANTY; without even the implied warranty of
 #  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 #  GNU General Public License for more details.
 #
 #  You should have received a copy of the GNU General Public License
 #  along with this program. If not, see <http://www.gnu.org/licenses/>
 { config, pkgs, lib, ... }:
 with lib;
 let
  cfg = config.mailserver;
 in
 {
  config = mkIf (cfg.enable && cfg.rebootAfterKernelUpgrade.enable) {
    systemd.services.nixos-upgrade.serviceConfig.ExecStartPost = pkgs.writeScript "post-upgrade-check" ''
      #!${pkgs.stdenv.shell}
      # Checks whether the "current" kernel is different from the booted kernel
      # and then triggers a reboot so that the "current" kernel will be the booted one.
      # This is just an educated guess. If the links do not differ the kernels might still be different, according to spacefrogg in #nixos.
      current=$(readlink -f /run/current-system/kernel)
      booted=$(readlink -f /run/booted-system/kernel)
      if [ "$current" == "$booted" ]; then
        echo "kernel version seems unchanged, skipping reboot" | systemd-cat --priority 4 --identifier "post-upgrade-check";
      else
        echo "kernel path changed, possibly a new version" | systemd-cat --priority 2 --identifier "post-upgrade-check"
        echo "$booted" | systemd-cat --priority 2 --identifier "post-upgrade-kernel-check"
        echo "$current" | systemd-cat --priority 2 --identifier "post-upgrade-kernel-check"
        ${cfg.rebootAfterKernelUpgrade.method}
      fi
    '';
  };
 }
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -25,7 +25,7 @@ let
  # Merge several lookup tables. A lookup table is a attribute set where
  # - the key is an address (user@example.com) or a domain (@example.com)
  # - the value is a list of addresses
-  mergeLookupTables = tables: lib.zipAttrsWith (n: v: lib.flatten v) tables;
+  mergeLookupTables = tables: lib.zipAttrsWith (_: v: lib.flatten v) tables;
  # valiases_postfix :: Map String [String]
  valiases_postfix = mergeLookupTables (lib.flatten (lib.mapAttrsToList
@@ -123,14 +123,7 @@ let
     /^Message-ID:\s+<(.*?)@.*?>/ REPLACE Message-ID: <$1@${cfg.fqdn}>
  '');
-  inetSocket = addr: port: "inet:[${toString port}@${addr}]";
+  smtpdMilters = [ "unix:/run/rspamd/rspamd-milter.sock" ];
  unixSocket = sock: "unix:${sock}";
  smtpdMilters =
   (lib.optional cfg.dkimSigning "unix:/run/opendkim/opendkim.sock")
   ++ [ "unix:/run/rspamd/rspamd-milter.sock" ];
  policyd-spf = pkgs.writeText "policyd-spf.conf" cfg.policydSPFExtraConfig;
  mappedFile = name: "hash:/var/lib/postfix/conf/${name}";
  mappedRegexFile = name: "pcre:/var/lib/postfix/conf/${name}";
@@ -247,6 +240,11 @@ in
        # Avoid leakage of X-Original-To, X-Delivered-To headers between recipients
        lmtp_destination_recipient_limit = "1";
        # Opportunistic DANE support
        # https://www.postfix.org/postconf.5.html#smtp_tls_security_level
        smtp_dns_support_level = "dnssec";
        smtp_tls_security_level = "dane";
        # sasl with dovecot
        smtpd_sasl_type = "dovecot";
        smtpd_sasl_path = "/run/dovecot2/auth";
@@ -255,33 +253,28 @@ in
          "permit_mynetworks" "permit_sasl_authenticated" "reject_unauth_destination"
        ];
        policy-spf_time_limit = "3600s";
        # reject selected senders
        smtpd_sender_restrictions = [
          "check_sender_access ${mappedFile "reject_senders"}"
        ];
        # quota and spf checking
        smtpd_recipient_restrictions = [
          # reject selected recipients
          "check_recipient_access ${mappedFile "denied_recipients"}"
          "check_recipient_access ${mappedFile "reject_recipients"}"
-          "check_policy_service inet:localhost:12340"
+          # quota checking
-          "check_policy_service unix:private/policy-spf"
+          "check_policy_service unix:/run/dovecot2/quota-status"
        ];
        # TLS settings, inspired by https://github.com/jeaye/nix-files
        # Submission by mail clients is handled in submissionOptions
        smtpd_tls_security_level = "may";
        # strong might suffice and is computationally less expensive
        smtpd_tls_eecdh_grade = "ultra";
        # Disable obselete protocols
-        smtpd_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
+        smtpd_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, !SSLv2, !SSLv3";
-        smtp_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
+        smtp_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, !SSLv2, !SSLv3";
-        smtpd_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
+        smtpd_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, !SSLv2, !SSLv3";
-        smtp_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
+        smtp_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, !SSLv2, !SSLv3";
        smtp_tls_ciphers = "high";
        smtpd_tls_ciphers = "high";
@@ -299,15 +292,16 @@ in
        # Allowing AUTH on a non encrypted connection poses a security risk
        smtpd_tls_auth_only = true;
        # Log only a summary message on TLS handshake completion
        smtp_tls_loglevel = "1";
        smtpd_tls_loglevel = "1";
        # Configure a non blocking source of randomness
        tls_random_source = "dev:/dev/urandom";
        smtpd_milters = smtpdMilters;
-        non_smtpd_milters = lib.mkIf cfg.dkimSigning ["unix:/run/opendkim/opendkim.sock"];
+        non_smtpd_milters = lib.mkIf cfg.dkimSigning [ "unix:/run/rspamd/rspamd-milter.sock" ];
        milter_protocol = "6";
-        milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}";
+        milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_authen}";
        # Fix for https://www.postfix.org/smtp-smuggling.html
        smtpd_forbid_bare_newline = cfg.smtpdForbidBareNewline;
@@ -323,13 +317,6 @@ in
          # D => Delivered-To, O => X-Original-To, R => Return-Path
          args = [ "flags=O" ];
        };
        "policy-spf" = {
          type = "unix";
          privileged = true;
          chroot = false;
          command = "spawn";
          args = [ "user=nobody" "argv=${pkgs.pypolicyd-spf}/bin/policyd-spf" "${policyd-spf}"];
        };
        "submission-header-cleanup" = {
          type = "unix";
          private = false;
--- a/mail-server/rspamd.nix
+++ b/mail-server/rspamd.nix
@@ -22,18 +22,51 @@ let
  postfixCfg = config.services.postfix;
  rspamdCfg = config.services.rspamd;
  rspamdSocket = "rspamd.service";
  rspamdUser = config.services.rspamd.user;
  rspamdGroup = config.services.rspamd.group;
  createDkimKeypair = domain: let
    privateKey = "${cfg.dkimKeyDirectory}/${domain}.${cfg.dkimSelector}.key";
    publicKey = "${cfg.dkimKeyDirectory}/${domain}.${cfg.dkimSelector}.txt";
  in pkgs.writeShellScript "dkim-keygen-${domain}" ''
    if [ ! -f "${privateKey}" ]
    then
      ${lib.getExe' pkgs.rspamd "rspamadm"} dkim_keygen \
        --domain "${domain}" \
        --selector "${cfg.dkimSelector}" \
        --type "${cfg.dkimKeyType}" \
        --bits ${toString cfg.dkimKeyBits} \
        --privkey "${privateKey}" > "${publicKey}"
      chmod 0644 "${publicKey}"
      echo "Generated key for domain ${domain} and selector ${cfg.dkimSelector}"
    fi
  '';
 in
 {
  config = with cfg; lib.mkIf enable {
    environment.systemPackages = lib.mkBefore [
      (pkgs.runCommand "rspamc-wrapped" {
        nativeBuildInputs = with pkgs; [ makeWrapper ];
       }''
        makeWrapper ${pkgs.rspamd}/bin/rspamc $out/bin/rspamc \
          --add-flags "-h /run/rspamd/worker-controller.sock"
      '')
    ];
    services.rspamd = {
      enable = true;
      inherit debug;
      locals = {
          "milter_headers.conf" = { text = ''
-              extended_spam_headers = yes;
+              extended_spam_headers = true;
          ''; };
          "redis.conf" = { text = ''
-              servers = "${cfg.redis.address}:${toString cfg.redis.port}";
+              servers = "${if cfg.redis.port == null
                then
                  cfg.redis.address
                else
                  "${cfg.redis.address}:${toString cfg.redis.port}"}";
          '' + (lib.optionalString (cfg.redis.password != null) ''
              password = "${cfg.redis.password}";
          ''); };
@@ -53,8 +86,11 @@ in
              }
          ''; };
          "dkim_signing.conf" = { text = ''
-              # Disable outbound email signing, we use opendkim for this
+            enabled = ${lib.boolToString cfg.dkimSigning};
-              enabled = false;
+            path = "${cfg.dkimKeyDirectory}/$domain.$selector.key";
            selector = "${cfg.dkimSelector}";
            # Allow for usernames w/o domain part
            allow_username_mismatch = true
          ''; };
          "dmarc.conf" = { text = ''
              ${lib.optionalString cfg.dmarcReporting.enable ''
@@ -64,19 +100,14 @@ in
                domain = "${cfg.dmarcReporting.domain}";
                org_name = "${cfg.dmarcReporting.organizationName}";
                from_name = "${cfg.dmarcReporting.fromName}";
-                msgid_from = "dmarc-rua";
+                msgid_from = "${cfg.dmarcReporting.domain}";
                ${lib.optionalString (cfg.dmarcReporting.excludeDomains != []) ''
                  exclude_domains = ${builtins.toJSON cfg.dmarcReporting.excludeDomains};
                ''}
              }''}
          ''; };
      };
      overrides = {
        "milter_headers.conf" = {
          text = ''
            extended_spam_headers = true;
          '';
        };
      };
      workers.rspamd_proxy = {
        type = "rspamd_proxy";
        bindSockets = [{
@@ -109,14 +140,35 @@ in
    };
-    services.redis.servers.rspamd = {
+    services.redis.servers.rspamd.enable = lib.mkDefault true;
-      enable = lib.mkDefault true;
+
-      port = lib.mkDefault 6380;
+    systemd.tmpfiles.settings."10-rspamd.conf" = {
      "${cfg.dkimKeyDirectory}" = {
        d = {
          # Create /var/dkim owned by rspamd user/group
          user = rspamdUser;
          group = rspamdGroup;
        };
        Z = {
          # Recursively adjust permissions in /var/dkim
          user = rspamdUser;
          group = rspamdGroup;
        };
      };
    };
    systemd.services.rspamd = {
      requires = [ "redis-rspamd.service" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
      after = [ "redis-rspamd.service" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
      serviceConfig = lib.mkMerge [
        {
          SupplementaryGroups = [ config.services.redis.servers.rspamd.group ];
        }
        (lib.optionalAttrs cfg.dkimSigning {
          ExecStartPre = map createDkimKeypair cfg.domains;
          ReadWritePaths = [ cfg.dkimKeyDirectory ];
        })
      ];
    };
    systemd.services.rspamd-dmarc-reporter = lib.optionalAttrs (cfg.dmarcReporting.enable) {
--- a/mail-server/systemd.nix
+++ b/mail-server/systemd.nix
@@ -63,7 +63,7 @@ in
        );
      in ''
        # Create mail directory and set permissions. See
-        # <http://wiki2.dovecot.org/SharedMailboxes/Permissions>.
+        # <https://doc.dovecot.org/main/core/config/shared_mailboxes.html#filesystem-permissions-1>.
        # Prevent world-readable paths, even temporarily.
        umask 007
        mkdir -p ${directories}
@@ -76,10 +76,10 @@ in
    systemd.services.postfix = {
      wants = certificatesDeps;
      after = [ "dovecot2.service" ]
-        ++ lib.optional cfg.dkimSigning "opendkim.service"
+        ++ lib.optional cfg.dkimSigning "rspamd.service"
        ++ certificatesDeps;
      requires = [ "dovecot2.service" ]
-        ++ lib.optional cfg.dkimSigning "opendkim.service";
+        ++ lib.optional cfg.dkimSigning "rspamd.service";
    };
  };
 }
--- a/nixops/single-server.nix
+++ b/nixops/single-server.nix
@@ -1,31 +0,0 @@
 {
  network.description = "mail server";
  mailserver =
    { config, pkgs, ... }:
    {
        imports = [
            ../default.nix
        ];
        mailserver = {
          enable = true;
          fqdn = "mail.example.com";
          domains = [ "example.com" "example2.com" ];
          loginAccounts = {
              "user1@example.com" = {
                  hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/";
              };
          };
          extraVirtualAliases = {
              "info@example.com" = "user1@example.com";
              "postmaster@example.com" = "user1@example.com";
              "abuse@example.com" = "user1@example.com";
              "user1@example2.com" = "user1@example.com";
              "info@example2.com" = "user1@example.com";
              "postmaster@example2.com" = "user1@example.com";
              "abuse@example2.com" = "user1@example.com";
          };
        };
    };
 }
--- a/nixops/vbox.nix
+++ b/nixops/vbox.nix
@@ -1,9 +0,0 @@
 {
  mailserver =
    { config, pkgs, ... }:
    { deployment.targetEnv = "virtualbox";
      deployment.virtualbox.memorySize = 1024; # megabytes
      deployment.virtualbox.vcpu = 2; # number of cpus
      deployment.virtualbox.headless = true;
    };
 }
--- a/scripts/generate-options.py
+++ b/scripts/generate-options.py
@@ -1,5 +1,7 @@
 import json
 import sys
 from textwrap import indent
 from typing import Any, Mapping
 header = """
 # Mailserver options
@@ -21,7 +23,8 @@ template = """
 f = open(sys.argv[1])
 options = json.load(f)
-groups = ["mailserver.loginAccounts",
+groups = [
    "mailserver.loginAccounts",
    "mailserver.certificate",
    "mailserver.dkim",
    "mailserver.dmarcReporting",
@@ -30,53 +33,77 @@ groups = ["mailserver.loginAccounts",
    "mailserver.ldap",
    "mailserver.monitoring",
    "mailserver.backup",
-          "mailserver.borgbackup"]
+    "mailserver.borgbackup",
 ]
 def render_option_value(opt, attr):
  if attr in opt:
      if isinstance(opt[attr], dict) and '_type' in opt[attr]:
          if opt[attr]['_type'] == 'literalExpression':
              if '\n' in opt[attr]['text']:
                  res = '\n```nix\n' + opt[attr]['text'].rstrip('\n') + '\n```'
              else:
                  res = '```{}```'.format(opt[attr]['text'])
          elif opt[attr]['_type'] == 'literalMD':
              res = opt[attr]['text']
      else:
          s = str(opt[attr])
          if s == "":
              res = '`""`'
          elif '\n' in s:
              res = '\n```\n' + s.rstrip('\n') + '\n```'
          else:
              res = '```{}```'.format(s)
      res = '- ' + attr + ': ' + res
  else:
      res = ""
  return res
-def print_option(opt):
+def md_literal(value: str) -> str:
-    if isinstance(opt['description'], dict) and '_type' in opt['description']: # mdDoc
+    return f"`{value}`"
-        description = opt['description']['text']
+
 def md_codefence(value: str, language: str = "nix") -> str:
    return indent(
        f"\n```{language}\n{value}\n```",
        prefix=2 * " ",
    )
 def render_option_value(option: Mapping[str, Any], key: str) -> str:
    if key not in option:
        return ""
    if isinstance(option[key], dict) and "_type" in option[key]:
        if option[key]["_type"] == "literalExpression":
            # multi-line codeblock
            if "\n" in option[key]["text"]:
                text = option[key]["text"].rstrip("\n")
                value = md_codefence(text)
            # inline codeblock
            else:
-        description = opt['description']
+                value = md_literal(option[key]["text"])
-    print(template.format(
+        # literal markdown
-        key=opt['name'],
+        elif option[key]["_type"] == "literalMD":
            value = option[key]["text"]
        else:
            assert RuntimeError(f"Unhandled option type {option[key]['_type']}")
    else:
        text = str(option[key])
        if text == "":
            value = md_literal('""')
        elif "\n" in text:
            value = md_codefence(text.rstrip("\n"))
        else:
            value = md_literal(text)
    return f"- {key}: {value}"  # type: ignore
 def print_option(option):
    if (
        isinstance(option["description"], dict) and "_type" in option["description"]
    ):  # mdDoc
        description = option["description"]["text"]
    else:
        description = option["description"]
    print(
        template.format(
            key=option["name"],
            description=description or "",
-        type="- type: ```{}```".format(opt['type']),
+            type=f"- type: {md_literal(option['type'])}",
-        default=render_option_value(opt, 'default'),
+            default=render_option_value(option, "default"),
-        example=render_option_value(opt, 'example')))
+            example=render_option_value(option, "example"),
        )
    )
 print(header)
 for opt in options:
-    if any([opt['name'].startswith(c) for c in groups]):
+    if any([opt["name"].startswith(c) for c in groups]):
        continue
    print_option(opt)
 for c in groups:
-    print('## `{}`'.format(c))
+    print(f"## `{c}`\n")
    print()
    for opt in options:
-        if opt['name'].startswith(c):
+        if opt["name"].startswith(c):
            print_option(opt)
--- a/scripts/mail-check.py
+++ b/scripts/mail-check.py
@@ -1,26 +1,31 @@
 import smtplib, sys
 import argparse
 import os
 import uuid
 import imaplib
 from datetime import datetime, timedelta
 import email
 import email.utils
 import imaplib
 import smtplib
 import time
 import uuid
 from datetime import datetime, timedelta
 from typing import cast
 RETRY = 100
 def _send_mail(smtp_host, smtp_port, smtp_username, from_addr, from_pwd, to_addr, subject, starttls):
    print("Sending mail with subject '{}'".format(subject))
    message = "\n".join([
        "From: {from_addr}",
        "To: {to_addr}",
        "Subject: {subject}",
        "",
        "This validates our mail server can send to Gmail :/"]).format(
            from_addr=from_addr,
            to_addr=to_addr,
            subject=subject)
 def _send_mail(
    smtp_host, smtp_port, smtp_username, from_addr, from_pwd, to_addr, subject, starttls
 ):
    print(f"Sending mail with subject '{subject}'")
    message = "\n".join(
        [
            f"From: {from_addr}",
            f"To: {to_addr}",
            f"Subject: {subject}",
            f"Message-ID: {uuid.uuid4()}@mail-check.py",
            f"Date: {email.utils.formatdate()}",
            "",
            "This validates our mail server can send to Gmail :/",
        ]
    )
    retry = RETRY
    while True:
@@ -37,7 +42,9 @@ def _send_mail(smtp_host, smtp_port, smtp_username, from_addr, from_pwd, to_addr
                except smtplib.SMTPResponseException as e:
                    if e.smtp_code == 451:  # service unavailable error
                        print(e)
-                    elif e.smtp_code == 454:  # smtplib.SMTPResponseException: (454, b'4.3.0 Try again later')
+                    elif (
                        e.smtp_code == 454
                    ):  # smtplib.SMTPResponseException: (454, b'4.3.0 Try again later')
                        print(e)
                    else:
                        raise
@@ -55,6 +62,7 @@ def _send_mail(smtp_host, smtp_port, smtp_username, from_addr, from_pwd, to_addr
            print("Retry attempts exhausted")
            exit(5)
 def _read_mail(
    imap_host,
    imap_port,
@@ -63,8 +71,9 @@ def _read_mail(
    subject,
    ignore_dkim_spf,
    show_body=False,
-        delete=True):
+    delete=True,
-    print("Reading mail from %s" % imap_username)
+):
    print("Reading mail from {imap_username}")
    message = None
@@ -74,49 +83,62 @@ def _read_mail(
    today = datetime.today()
    cutoff = today - timedelta(days=1)
-    dt = cutoff.strftime('%d-%b-%Y')
+    dt = cutoff.strftime("%d-%b-%Y")
    for _ in range(0, RETRY):
        print("Retrying")
        obj.select()
-        typ, data = obj.search(None, '(SINCE %s) (SUBJECT "%s")'%(dt, subject))
+        _, data = obj.search(None, f'(SINCE {dt}) (SUBJECT "{subject}")')
-        if data == [b'']:
+        if data == [b""]:
            time.sleep(1)
            continue
        uids = data[0].decode("utf-8").split(" ")
        if len(uids) != 1:
-          print("Warning: %d messages have been found with subject containing %s " % (len(uids), subject))
+            print(
                f"Warning: {len(uids)} messages have been found with subject containing {subject}"
            )
        # FIXME: we only consider the first matching message...
        uid = uids[0]
-        _, raw = obj.fetch(uid, '(RFC822)')
+        _, raw = obj.fetch(uid, "(RFC822)")
        if delete:
-            obj.store(uid, '+FLAGS', '\\Deleted')
+            obj.store(uid, "+FLAGS", "\\Deleted")
            obj.expunge()
-        message = email.message_from_bytes(raw[0][1])
+        assert raw[0] and raw[0][1]
-        print("Message with subject '%s' has been found" % message['subject'])
+        message = email.message_from_bytes(cast(bytes, raw[0][1]))
        print(f"Message with subject '{message['subject']}' has been found")
        if show_body:
-            for m in message.get_payload():
+            if message.is_multipart():
-                if m.get_content_type() == 'text/plain':
+                for part in message.walk():
-                    print("Body:\n%s" % m.get_payload(decode=True).decode('utf-8'))
+                    ctype = part.get_content_type()
                    if ctype == "text/plain":
                        body = cast(bytes, part.get_payload(decode=True)).decode()
                        print(f"Body:\n{body}")
                    else:
                        print(f"Body with content type {ctype} not printed")
            else:
                body = cast(bytes, message.get_payload(decode=True)).decode()
                print(f"Body:\n{body}")
        break
    if message is None:
-        print("Error: no message with subject '%s' has been found in INBOX of %s" % (subject, imap_username))
+        print(
            f"Error: no message with subject '{subject}' has been found in INBOX of {imap_username}"
        )
        exit(1)
    if ignore_dkim_spf:
        return
    # gmail set this standardized header
-    if 'ARC-Authentication-Results' in message:
+    if "ARC-Authentication-Results" in message:
-        if "dkim=pass" in message['ARC-Authentication-Results']:
+        if "dkim=pass" in message["ARC-Authentication-Results"]:
            print("DKIM ok")
        else:
            print("Error: no DKIM validation found in message:")
            print(message.as_string())
            exit(2)
-        if "spf=pass" in message['ARC-Authentication-Results']:
+        if "spf=pass" in message["ARC-Authentication-Results"]:
            print("SPF ok")
        else:
            print("Error: no SPF validation found in message:")
@@ -126,71 +148,108 @@ def _read_mail(
        print("DKIM and SPF verification failed")
        exit(4)
 def send_and_read(args):
    src_pwd = None
    if args.src_password_file is not None:
        src_pwd = args.src_password_file.readline().rstrip()
    dst_pwd = args.dst_password_file.readline().rstrip()
-    if args.imap_username != '':
+    if args.imap_username != "":
        imap_username = args.imap_username
    else:
        imap_username = args.to_addr
-    subject = "{}".format(uuid.uuid4())
+    subject = f"{uuid.uuid4()}"
-    _send_mail(smtp_host=args.smtp_host,
+    _send_mail(
        smtp_host=args.smtp_host,
        smtp_port=args.smtp_port,
        smtp_username=args.smtp_username,
        from_addr=args.from_addr,
        from_pwd=src_pwd,
        to_addr=args.to_addr,
        subject=subject,
-               starttls=args.smtp_starttls)
+        starttls=args.smtp_starttls,
    )
-    _read_mail(imap_host=args.imap_host,
+    _read_mail(
        imap_host=args.imap_host,
        imap_port=args.imap_port,
        imap_username=imap_username,
        to_pwd=dst_pwd,
        subject=subject,
-               ignore_dkim_spf=args.ignore_dkim_spf)
+        ignore_dkim_spf=args.ignore_dkim_spf,
    )
 def read(args):
-    _read_mail(imap_host=args.imap_host,
+    _read_mail(
        imap_host=args.imap_host,
        imap_port=args.imap_port,
-               to_addr=args.imap_username,
+        imap_username=args.imap_username,
        to_pwd=args.imap_password,
        subject=args.subject,
        ignore_dkim_spf=args.ignore_dkim_spf,
        show_body=args.show_body,
-               delete=False)
+        delete=False,
    )
 parser = argparse.ArgumentParser()
 subparsers = parser.add_subparsers()
-parser_send_and_read = subparsers.add_parser('send-and-read', description="Send a email with a subject containing a random UUID and then try to read this email from the recipient INBOX.")
+parser_send_and_read = subparsers.add_parser(
-parser_send_and_read.add_argument('--smtp-host', type=str)
+    "send-and-read",
-parser_send_and_read.add_argument('--smtp-port', type=str, default=25)
+    description="Send a email with a subject containing a random UUID and then try to read this email from the recipient INBOX.",
-parser_send_and_read.add_argument('--smtp-starttls', action='store_true')
+)
-parser_send_and_read.add_argument('--smtp-username', type=str, default='', help="username used for smtp login. If not specified, the from-addr value is used")
+parser_send_and_read.add_argument("--smtp-host", type=str)
-parser_send_and_read.add_argument('--from-addr', type=str)
+parser_send_and_read.add_argument("--smtp-port", type=str, default=25)
-parser_send_and_read.add_argument('--imap-host', required=True, type=str)
+parser_send_and_read.add_argument("--smtp-starttls", action="store_true")
-parser_send_and_read.add_argument('--imap-port', type=str, default=993)
+parser_send_and_read.add_argument(
-parser_send_and_read.add_argument('--to-addr', type=str, required=True)
+    "--smtp-username",
-parser_send_and_read.add_argument('--imap-username', type=str, default='', help="username used for imap login. If not specified, the to-addr value is used")
+    type=str,
-parser_send_and_read.add_argument('--src-password-file', type=argparse.FileType('r'))
+    default="",
-parser_send_and_read.add_argument('--dst-password-file', required=True, type=argparse.FileType('r'))
+    help="username used for smtp login. If not specified, the from-addr value is used",
-parser_send_and_read.add_argument('--ignore-dkim-spf', action='store_true', help="to ignore the dkim and spf verification on the read mail")
+)
 parser_send_and_read.add_argument("--from-addr", type=str)
 parser_send_and_read.add_argument("--imap-host", required=True, type=str)
 parser_send_and_read.add_argument("--imap-port", type=str, default=993)
 parser_send_and_read.add_argument("--to-addr", type=str, required=True)
 parser_send_and_read.add_argument(
    "--imap-username",
    type=str,
    default="",
    help="username used for imap login. If not specified, the to-addr value is used",
 )
 parser_send_and_read.add_argument("--src-password-file", type=argparse.FileType("r"))
 parser_send_and_read.add_argument(
    "--dst-password-file", required=True, type=argparse.FileType("r")
 )
 parser_send_and_read.add_argument(
    "--ignore-dkim-spf",
    action="store_true",
    help="to ignore the dkim and spf verification on the read mail",
 )
 parser_send_and_read.set_defaults(func=send_and_read)
-parser_read = subparsers.add_parser('read', description="Search for an email with a subject containing 'subject' in the INBOX.")
+parser_read = subparsers.add_parser(
-parser_read.add_argument('--imap-host', type=str, default="localhost")
+    "read",
-parser_read.add_argument('--imap-port', type=str, default=993)
+    description="Search for an email with a subject containing 'subject' in the INBOX.",
-parser_read.add_argument('--imap-username', required=True, type=str)
+)
-parser_read.add_argument('--imap-password', required=True, type=str)
+parser_read.add_argument("--imap-host", type=str, default="localhost")
-parser_read.add_argument('--ignore-dkim-spf', action='store_true', help="to ignore the dkim and spf verification on the read mail")
+parser_read.add_argument("--imap-port", type=str, default=993)
-parser_read.add_argument('--show-body', action='store_true', help="print mail text/plain payload")
+parser_read.add_argument("--imap-username", required=True, type=str)
-parser_read.add_argument('subject', type=str)
+parser_read.add_argument("--imap-password", required=True, type=str)
 parser_read.add_argument(
    "--ignore-dkim-spf",
    action="store_true",
    help="to ignore the dkim and spf verification on the read mail",
 )
 parser_read.add_argument(
    "--show-body", action="store_true", help="print mail text/plain payload"
 )
 parser_read.add_argument("subject", type=str)
 parser_read.set_defaults(func=read)
 args = parser.parse_args()
--- a/tests/clamav.nix
+++ b/tests/clamav.nix
@@ -14,12 +14,17 @@
 #  You should have received a copy of the GNU General Public License
 #  along with this program. If not, see <http://www.gnu.org/licenses/>
-{ pkgs ? import <nixpkgs> {}, blobs}:
+{
  lib,
  blobs,
  ...
 }:
-pkgs.nixosTest {
+{
  name = "clamav";
  nodes = {
-    server = { config, pkgs, lib, ... }:
+    server = { pkgs, ... }:
        {
            imports = [
                ../default.nix
@@ -28,6 +33,8 @@ pkgs.nixosTest {
            virtualisation.memorySize = 1500;
            environment.systemPackages = with pkgs; [ netcat ];
            services.rsyslogd = {
              enable = true;
              defaultConfig = ''
@@ -83,9 +90,9 @@ pkgs.nixosTest {
              "root/eicar.com.txt".text = "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";
            };
        };
-      client = { nodes, config, pkgs, ... }: let
+      client = { nodes, pkgs, ... }: let
-        serverIP = nodes.server.config.networking.primaryIPAddress;
+        serverIP = nodes.server.networking.primaryIPAddress;
-        clientIP = nodes.client.config.networking.primaryIPAddress;
+        clientIP = nodes.client.networking.primaryIPAddress;
        grep-ip = pkgs.writeScriptBin "grep-ip" ''
          #!${pkgs.stdenv.shell}
          echo grep '${clientIP}' "$@" >&2
@@ -180,8 +187,7 @@ pkgs.nixosTest {
      };
    };
-  testScript = { nodes, ... }:
+  testScript = ''
      ''
      start_all()
      server.wait_for_unit("multi-user.target")
@@ -189,10 +195,10 @@ pkgs.nixosTest {
      # TODO put this blocking into the systemd units? I am not sure if rspamd already waits for the clamd socket.
      server.wait_until_succeeds(
-          "set +e; timeout 1 ${nodes.server.nixpkgs.pkgs.netcat}/bin/nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
+          "set +e; timeout 1 nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
      )
      server.wait_until_succeeds(
-          "set +e; timeout 1 ${nodes.server.nixpkgs.pkgs.netcat}/bin/nc -U /run/clamav/clamd.ctl < /dev/null; [ $? -eq 124 ]"
+          "set +e; timeout 1 nc -U /run/clamav/clamd.ctl < /dev/null; [ $? -eq 124 ]"
      )
      client.execute("cp -p /etc/root/.* ~/")
@@ -222,7 +228,7 @@ pkgs.nixosTest {
      with subtest("virus scan email"):
          client.succeed(
-              'set +o pipefail; msmtp -a user2 user1\@example.com < /etc/root/virus-email 2>&1 | tee /dev/stderr | grep "server message: 554 5\\.7\\.1" >&2'
+              'set +o pipefail; msmtp -a user2 user1@example.com < /etc/root/virus-email 2>&1 | tee /dev/stderr | grep "server message: 554 5\\.7\\.1" >&2'
          )
          server.succeed("journalctl -u rspamd | grep -i eicar")
          # give the mail server some time to process the mail
--- a/tests/external.nix
+++ b/tests/external.nix
@@ -14,18 +14,19 @@
 #  You should have received a copy of the GNU General Public License
 #  along with this program. If not, see <http://www.gnu.org/licenses/>
-{ pkgs ? import <nixpkgs> {}, ...}:
+{
 pkgs.nixosTest {
  name = "external";
  nodes = {
-    server = { config, pkgs, ... }:
+    server = { pkgs, ... }:
        {
            imports = [
                ../default.nix
                ./lib/config.nix
            ];
            environment.systemPackages = with pkgs; [ netcat ];
            virtualisation.memorySize = 1024;
            services.rsyslogd = {
@@ -81,14 +82,12 @@ pkgs.nixosTest {
                # special use depends on https://github.com/NixOS/nixpkgs/pull/93201
                autoIndexExclude = [ (if (pkgs.lib.versionAtLeast pkgs.lib.version "21") then "\\Junk" else "Junk") ];
                enforced = "yes";
                # fts-xapian warns when memory is low, which makes the test fail
                memoryLimit = 100000;
              };
            };
        };
-      client = { nodes, config, pkgs, ... }: let
+      client = { nodes, pkgs, ... }: let
-        serverIP = nodes.server.config.networking.primaryIPAddress;
+        serverIP = nodes.server.networking.primaryIPAddress;
-        clientIP = nodes.client.config.networking.primaryIPAddress;
+        clientIP = nodes.client.networking.primaryIPAddress;
        grep-ip = pkgs.writeScriptBin "grep-ip" ''
          #!${pkgs.stdenv.shell}
          echo grep '${clientIP}' "$@" >&2
@@ -272,7 +271,7 @@ pkgs.nixosTest {
            To: Chuck <chuck@example.com>
            Cc:
            Bcc:
-            Subject: This is a test Email from postmaster\@example.com to chuck
+            Subject: This is a test Email from postmaster@example.com to chuck
            Reply-To:
            Hello Chuck,
@@ -286,7 +285,7 @@ pkgs.nixosTest {
            To: User1 <user1@example.com>
            Cc:
            Bcc:
-            Subject: This is a test Email from single-alias\@example.com to user1
+            Subject: This is a test Email from single-alias@example.com to user1
            Reply-To:
            Hello User1,
@@ -301,7 +300,7 @@ pkgs.nixosTest {
            To: Multi Alias <multi-alias@example.com>
            Cc:
            Bcc:
-            Subject: This is a test Email from user2\@example.com to multi-alias
+            Subject: This is a test Email from user2@example.com to multi-alias
            Reply-To:
            Hello Multi Alias,
@@ -341,8 +340,7 @@ pkgs.nixosTest {
      };
    };
-  testScript = { nodes, ... }:
+  testScript = ''
      ''
      start_all()
      server.wait_for_unit("multi-user.target")
@@ -350,7 +348,7 @@ pkgs.nixosTest {
      # TODO put this blocking into the systemd units?
      server.wait_until_succeeds(
-          "set +e; timeout 1 ${nodes.server.nixpkgs.pkgs.netcat}/bin/nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
+          "set +e; timeout 1 nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
      )
      client.execute("cp -p /etc/root/.* ~/")
@@ -367,7 +365,7 @@ pkgs.nixosTest {
      with subtest("submission port send mail"):
          # send email from user2 to user1
          client.succeed(
-              "msmtp -a test --tls=on --tls-certcheck=off --auth=on user1\@example.com < /etc/root/email1 >&2"
+              "msmtp -a test --tls=on --tls-certcheck=off --auth=on user1@example.com < /etc/root/email1 >&2"
          )
          # give the mail server some time to process the mail
          server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
@@ -395,20 +393,20 @@ pkgs.nixosTest {
          client.execute("rm ~/mail/*")
          # send email from user2 to user1
          client.succeed(
-              "msmtp -a test2 --tls=on --tls-certcheck=off --auth=on user1\@example.com < /etc/root/email2 >&2"
+              "msmtp -a test2 --tls=on --tls-certcheck=off --auth=on user1@example.com < /etc/root/email2 >&2"
          )
          server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
          # fetchmail returns EXIT_CODE 0 when it retrieves mail
          client.succeed("fetchmail  --nosslcertck -v")
          client.succeed("cat ~/mail/* >&2")
          # make sure it is dkim signed
-          client.succeed("grep DKIM ~/mail/*")
+          client.succeed("grep DKIM-Signature: ~/mail/*")
      with subtest("aliases"):
          client.execute("rm ~/mail/*")
          # send email from chuck to postmaster
          client.succeed(
-              "msmtp -a test3 --tls=on --tls-certcheck=off --auth=on postmaster\@example.com < /etc/root/email2 >&2"
+              "msmtp -a test3 --tls=on --tls-certcheck=off --auth=on postmaster@example.com < /etc/root/email2 >&2"
          )
          server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
          # fetchmail returns EXIT_CODE 0 when it retrieves mail
@@ -418,7 +416,7 @@ pkgs.nixosTest {
          client.execute("rm ~/mail/*")
          # send email from chuck to non exsitent account
          client.succeed(
-              "msmtp -a test3 --tls=on --tls-certcheck=off --auth=on lol\@example.com < /etc/root/email2 >&2"
+              "msmtp -a test3 --tls=on --tls-certcheck=off --auth=on lol@example.com < /etc/root/email2 >&2"
          )
          server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
          # fetchmail returns EXIT_CODE 0 when it retrieves mail
@@ -427,7 +425,7 @@ pkgs.nixosTest {
          client.execute("rm ~/mail/*")
          # send email from user1 to chuck
          client.succeed(
-              "msmtp -a test4 --tls=on --tls-certcheck=off --auth=on chuck\@example.com < /etc/root/email2 >&2"
+              "msmtp -a test4 --tls=on --tls-certcheck=off --auth=on chuck@example.com < /etc/root/email2 >&2"
          )
          server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
          # fetchmail returns EXIT_CODE 1 when no new mail
@@ -438,7 +436,7 @@ pkgs.nixosTest {
          client.execute("rm ~/mail/*")
          # send email from single-alias to user1
          client.succeed(
-              "msmtp -a test5 --tls=on --tls-certcheck=off --auth=on user1\@example.com < /etc/root/email4 >&2"
+              "msmtp -a test5 --tls=on --tls-certcheck=off --auth=on user1@example.com < /etc/root/email4 >&2"
          )
          server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
          # fetchmail returns EXIT_CODE 0 when it retrieves mail
@@ -447,7 +445,7 @@ pkgs.nixosTest {
          client.execute("rm ~/mail/*")
          # send email from user1 to multi-alias (user{1,2}@example.com)
          client.succeed(
-              "msmtp -a test --tls=on --tls-certcheck=off --auth=on multi-alias\@example.com < /etc/root/email5 >&2"
+              "msmtp -a test --tls=on --tls-certcheck=off --auth=on multi-alias@example.com < /etc/root/email5 >&2"
          )
          server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
          # fetchmail returns EXIT_CODE 0 when it retrieves mail
@@ -458,7 +456,7 @@ pkgs.nixosTest {
          client.execute("mv ~/.fetchmailRcLowQuota ~/.fetchmailrc")
          client.succeed(
-              "msmtp -a test3 --tls=on --tls-certcheck=off --auth=on lowquota\@example.com < /etc/root/email2 >&2"
+              "msmtp -a test3 --tls=on --tls-certcheck=off --auth=on lowquota@example.com < /etc/root/email2 >&2"
          )
          server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
          # fetchmail returns EXIT_CODE 0 when it retrieves mail
@@ -467,23 +465,23 @@ pkgs.nixosTest {
      with subtest("imap sieve junk trainer"):
          # send email from user2 to user1
          client.succeed(
-              "msmtp -a test --tls=on --tls-certcheck=off --auth=on user1\@example.com < /etc/root/email1 >&2"
+              "msmtp -a test --tls=on --tls-certcheck=off --auth=on user1@example.com < /etc/root/email1 >&2"
          )
          # give the mail server some time to process the mail
          server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
          client.succeed("imap-mark-spam >&2")
-          server.wait_until_succeeds("journalctl -u dovecot2 | grep -i sa-learn-spam.sh >&2")
+          server.wait_until_succeeds("journalctl -u dovecot2 | grep -i rspamd-learn-spam.sh >&2")
          client.succeed("imap-mark-ham >&2")
-          server.wait_until_succeeds("journalctl -u dovecot2 | grep -i sa-learn-ham.sh >&2")
+          server.wait_until_succeeds("journalctl -u dovecot2 | grep -i rspamd-learn-ham.sh >&2")
      with subtest("full text search and indexation"):
          # send 2 email from user2 to user1
          client.succeed(
-              "msmtp -a test --tls=on --tls-certcheck=off --auth=on user1\@example.com < /etc/root/email6 >&2"
+              "msmtp -a test --tls=on --tls-certcheck=off --auth=on user1@example.com < /etc/root/email6 >&2"
          )
          client.succeed(
-              "msmtp -a test --tls=on --tls-certcheck=off --auth=on user1\@example.com < /etc/root/email7 >&2"
+              "msmtp -a test --tls=on --tls-certcheck=off --auth=on user1@example.com < /etc/root/email7 >&2"
          )
          # give the mail server some time to process the mail
          server.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
@@ -493,23 +491,23 @@ pkgs.nixosTest {
          # should fail because this folder is not indexed
          client.fail("search Junk a >&2")
          # check that search really goes through the indexer
-          server.succeed(
+          server.succeed("journalctl -u dovecot2 | grep 'fts-flatcurve(INBOX): Query ' >&2")
              "journalctl -u dovecot2 | grep -E 'indexer-worker.* Done indexing .INBOX.' >&2"
          )
          # check that Junk is not indexed
-          server.fail("journalctl -u dovecot2 | grep 'indexer-worker' | grep -i 'JUNK' >&2")
+          server.fail("journalctl -u dovecot2 | grep 'fts-flatcurve(JUNK): Indexing ' >&2")
      with subtest("dmarc reporting"):
          server.systemctl("start rspamd-dmarc-reporter.service")
          server.wait_until_succeeds("journalctl -eu rspamd-dmarc-reporter.service -o cat | grep -q 'No reports for '")
      with subtest("no warnings or errors"):
          server.fail("journalctl -u postfix | grep -i error >&2")
          server.fail("journalctl -u postfix | grep -i warning >&2")
-          server.fail("journalctl -u dovecot2 | grep -i error >&2")
+          server.fail("journalctl -u dovecot2 | grep -v 'imap-login: Debug: SSL error: Connection closed' | grep -i error >&2")
          # harmless ? https://dovecot.org/pipermail/dovecot/2020-August/119575.html
          server.fail(
-              "journalctl -u dovecot2 |grep -v 'Expunged message reappeared, giving a new UID'| grep -i warning >&2"
+            "journalctl -u dovecot2 | \
              grep -v 'Expunged message reappeared, giving a new UID' | \
              grep -v 'Time moved forwards' | \
              grep -i warning >&2"
          )
    '';
 }
--- a/tests/internal.nix
+++ b/tests/internal.nix
@@ -14,7 +14,10 @@
 #  You should have received a copy of the GNU General Public License
 #  along with this program. If not, see <http://www.gnu.org/licenses/>
-{ pkgs ? import <nixpkgs> {}, ...}:
+{
  pkgs,
  ...
 }:
 let
  sendMail = pkgs.writeTextFile {
@@ -36,10 +39,11 @@ let
  hashedPasswordFile = hashPassword "my-password";
  passwordFile = pkgs.writeText "password" "my-password";
 in
-pkgs.nixosTest {
+{
  name = "internal";
  nodes = {
-    machine = { config, pkgs, ... }: {
+    machine = { pkgs, ... }: {
      imports = [
        ./../default.nix
        ./lib/config.nix
@@ -50,7 +54,12 @@ pkgs.nixosTest {
      environment.systemPackages = [
        (pkgs.writeScriptBin "mail-check" ''
          ${pkgs.python3}/bin/python ${../scripts/mail-check.py} $@
-        '')];
+        '')
      ] ++ (with pkgs; [
        curl
        openssl
        netcat
      ]);
      mailserver = {
        enable = true;
@@ -174,22 +183,22 @@ pkgs.nixosTest {
        machine.wait_for_open_port(25)
        # TODO put this blocking into the systemd units
        machine.wait_until_succeeds(
-            "set +e; timeout 1 ${pkgs.netcat}/bin/nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
+            "set +e; timeout 1 nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
        )
        machine.succeed(
-            "cat ${sendMail} | ${pkgs.netcat-gnu}/bin/nc localhost 25 | grep -q 'This account cannot receive emails'"
+            "cat ${sendMail} | nc localhost 25 | grep -q '554 5.5.0 Error'"
        )
    with subtest("rspamd controller serves web ui"):
        machine.succeed(
-            "set +o pipefail; ${pkgs.curl}/bin/curl --unix-socket /run/rspamd/worker-controller.sock http://localhost/ | grep -q '<body>'"
+            "set +o pipefail; curl --unix-socket /run/rspamd/worker-controller.sock http://localhost/ | grep -q '<body>'"
        )
    with subtest("imap port 143 is closed and imaps is serving SSL"):
        machine.wait_for_closed_port(143)
        machine.wait_for_open_port(993)
        machine.succeed(
-            "echo | ${pkgs.openssl}/bin/openssl s_client -connect localhost:993 | grep 'New, TLS'"
+            "echo | openssl s_client -connect localhost:993 | grep 'New, TLS'"
        )
  '';
 }
--- a/tests/ldap.nix
+++ b/tests/ldap.nix
@@ -1,16 +1,13 @@
 { pkgs ? import <nixpkgs> {}
 , ...
 }:
 let
  bindPassword = "unsafegibberish";
  alicePassword = "testalice";
  bobPassword = "testbob";
 in
-pkgs.nixosTest {
+{
  name = "ldap";
  nodes = {
-    machine = { config, pkgs, ... }: {
+    machine = { pkgs, ... }: {
      imports = [
        ./../default.nix
        ./lib/config.nix
@@ -20,7 +17,7 @@ pkgs.nixosTest {
      services.openssh = {
        enable = true;
-        permitRootLogin = "yes";
+        settings.PermitRootLogin = "yes";
      };
      environment.systemPackages = [
@@ -104,6 +101,10 @@ pkgs.nixosTest {
          searchScope = "sub";
        };
        forwards = {
          "bob_fw@example.com" = "bob@example.com";
        };
        vmailGroupName = "vmail";
        vmailUID = 5000;
@@ -179,5 +180,39 @@ pkgs.nixosTest {
        "--dst-password-file <(echo '${bobPassword}')",
        "--ignore-dkim-spf"
      ]))
    with subtest("Test mail forwarding works"):
      machine.succeed(" ".join([
        "mail-check send-and-read",
        "--smtp-port 587",
        "--smtp-starttls",
        "--smtp-host localhost",
        "--smtp-username alice@example.com",
        "--imap-host localhost",
        "--imap-username bob@example.com",
        "--from-addr alice@example.com",
        "--to-addr bob_fw@example.com",
        "--src-password-file <(echo '${alicePassword}')",
        "--dst-password-file <(echo '${bobPassword}')",
        "--ignore-dkim-spf"
      ]))
    with subtest("Test cannot send mail from forwarded address"):
      machine.fail(" ".join([
        "mail-check send-and-read",
        "--smtp-port 587",
        "--smtp-starttls",
        "--smtp-host localhost",
        "--smtp-username bob@example.com",
        "--imap-host localhost",
        "--imap-username alice@example.com",
        "--from-addr bob_fw@example.com",
        "--to-addr alice@example.com",
        "--src-password-file <(echo '${bobPassword}')",
        "--dst-password-file <(echo '${alicePassword}')",
        "--ignore-dkim-spf"
      ]))
      machine.succeed("journalctl -u postfix | grep -q 'Sender address rejected: not owned by user bob@example.com'")
  '';
 }
--- a/tests/lib/config.nix
+++ b/tests/lib/config.nix
@@ -1,3 +1,3 @@
 {
-    security.dhparams.defaultBitSize = 1024; # minimum size required by dovecot
+    security.dhparams.defaultBitSize = 2048; # minimum size required by dovecot
 }
--- a/tests/minimal.nix
+++ b/tests/minimal.nix
@@ -14,18 +14,14 @@
 #  You should have received a copy of the GNU General Public License
 #  along with this program. If not, see <http://www.gnu.org/licenses/>
 import <nixpkgs/nixos/tests/make-test-python.nix> {
  nodes.machine =
    { config, pkgs, ... }:
 {
-        imports = [
+  name = "minimal";
-            ./../default.nix
+
-        ];
+  nodes.machine = {
    imports = [  ./../default.nix ];
  };
-  testScript =
+  testScript = ''
    ''
    machine.wait_for_unit("multi-user.target");
  '';
 }
--- a/tests/multiple.nix
+++ b/tests/multiple.nix
@@ -1,6 +1,9 @@
 # This tests is used to test features requiring several mail domains.
-{ pkgs ? import <nixpkgs> {}, ...}:
+{
  pkgs,
  ...
 }:
 let
    hashPassword = password: pkgs.runCommand
@@ -12,8 +15,9 @@ let
    password = pkgs.writeText "password" "password";
-    domainGenerator = domain: { config, pkgs, ... }: {
+    domainGenerator = domain: { pkgs, ... }: {
      imports = [../default.nix];
      environment.systemPackages = with pkgs; [ netcat ];
      virtualisation.memorySize = 1024;
      mailserver = {
        enable = true;
@@ -30,19 +34,15 @@ let
      };
      services.dnsmasq = {
        enable = true;
-        # Fixme: once nixos-22.11 has been removed, could be replaced by
+        settings.mx-host = [ "domain1.com,domain1,10" "domain2.com,domain2,10" ];
        # settings.mx-host = [ "domain1.com,domain1,10" "domain2.com,domain2,10" ];
        extraConfig = ''
          mx-host=domain1.com,domain1,10
          mx-host=domain2.com,domain2,10
        '';
      };
    };
 in
-pkgs.nixosTest {
+{
  name = "multiple";
  nodes = {
    domain1 = {...}: {
      imports = [
@@ -55,7 +55,7 @@ pkgs.nixosTest {
      };
    };
    domain2 = domainGenerator "domain2.com";
-    client = { config, pkgs, ... }: {
+    client = { pkgs, ... }: {
      environment.systemPackages = [
        (pkgs.writeScriptBin "mail-check" ''
          ${pkgs.python3}/bin/python ${../scripts/mail-check.py} $@
@@ -70,10 +70,10 @@ pkgs.nixosTest {
    # TODO put this blocking into the systemd units?
    domain1.wait_until_succeeds(
-        "set +e; timeout 1 ${pkgs.netcat}/bin/nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
+        "set +e; timeout 1 nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
    )
    domain2.wait_until_succeeds(
-        "set +e; timeout 1 ${pkgs.netcat}/bin/nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
+        "set +e; timeout 1 nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
    )
    # user@domain1.com sends a mail to user@domain2.com
--- a/update.sh
+++ b/update.sh
@@ -1,7 +0,0 @@
 #!/usr/bin/env bash
 sed -i -e "s/v[0-9]\+\.[0-9]\+\.[0-9]\+/$1/g" README.md
 HASH=$(nix-prefetch-url "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.3.0/nixos-mailserver-$1.tar.gz" --unpack)
 sed -i -e "s/sha256 = \"[0-9a-z]\{52\}\"/sha256 = \"$HASH\"/g" README.md