Allow TLSv1 for compatibility with older devices

This allows overwriting the default values for user_attrs to be empty
which is required when using virtual mailboxes with ldap accounts
that have posixAccount attributes set. When user_attrs is empty string
those are ignored then.

.hydra/declarative-jobsets.nix

@@ -32,8 +32,8 @@ let
 
   desc = prJobsets // {
     "master" = mkFlakeJobset "master";
-    "nixos-22.11" = mkFlakeJobset "nixos-22.11";
+    "nixos-23.11" = mkFlakeJobset "nixos-23.11";
-    "nixos-23.05" = mkFlakeJobset "nixos-23.05";
+    "nixos-24.05" = mkFlakeJobset "nixos-24.05";
   };
 
   log = {

README.md

@@ -8,14 +8,14 @@
 For each NixOS release, we publish a branch. You then have to use the
 SNM branch corresponding to your NixOS version.
 
-* For NixOS 23.05
+* For NixOS 24.05
-   - Use the [SNM branch `nixos-23.05`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-23.05)
+   - Use the [SNM branch `nixos-24.05`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-24.05)
-   - [Documentation](https://nixos-mailserver.readthedocs.io/en/nixos-23.05/)
+   - [Documentation](https://nixos-mailserver.readthedocs.io/en/nixos-24.05/)
-   - [Release notes](https://nixos-mailserver.readthedocs.io/en/nixos-23.05/release-notes.html#nixos-23-05)
+   - [Release notes](https://nixos-mailserver.readthedocs.io/en/nixos-24.05/release-notes.html#nixos-24-05)
-* For NixOS 22.11
+* For NixOS 23.11
-   - Use the [SNM branch `nixos-22.11`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-22.11)
+   - Use the [SNM branch `nixos-23.11`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-23.11)
-   - [Documentation](https://nixos-mailserver.readthedocs.io/en/nixos-22.11/)
+   - [Documentation](https://nixos-mailserver.readthedocs.io/en/nixos-23.11/)
-   - [Release notes](https://nixos-mailserver.readthedocs.io/en/nixos-22.11/release-notes.html#nixos-22-11)
+   - [Release notes](https://nixos-mailserver.readthedocs.io/en/nixos-23.11/release-notes.html#nixos-23-11)
 * For NixOS unstable
    - Use the [SNM branch `master`](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/master)
    - [Documentation](https://nixos-mailserver.readthedocs.io/en/latest/)

default.nix

@@ -277,7 +277,7 @@ in
 
       dovecot = {
         userAttrs = mkOption {
-          type = types.str;
+          type = types.nullOr types.str;
           default = "";
           description = ''
             LDAP attributes to be retrieved during userdb lookups.
@@ -675,6 +675,19 @@ in
       '';
     };
 
+    acmeCertificateName = mkOption {
+      type = types.str;
+      default = cfg.fqdn;
+      example = "example.com";
+      description = ''
+          ({option}`mailserver.certificateScheme` == `acme`)
+
+        When the `acme` `certificateScheme` is selected, you can use this option
+        to override the default certificate name. This is useful if you've
+        generated a wildcard certificate, for example.
+      '';
+    };
+
     enableImap = mkOption {
       type = types.bool;
       default = true;

docs/add-radicale.rst

@@ -24,12 +24,13 @@ have to be used. These can still be generated using `mkpasswd -m bcrypt`.
    in {
      services.radicale = {
        enable = true;
-       config = ''
+       settings = {
-         [auth]
+         auth = {
-         type = htpasswd
+           type = "htpasswd";
-         htpasswd_filename = ${htpasswd}
+           htpasswd_filename = "${htpasswd}";
-         htpasswd_encryption = bcrypt
+           htpasswd_encryption = "bcrypt";
-       '';
+         };
+       };
      };
 
      services.nginx = {

docs/add-roundcube.rst

@@ -20,7 +20,7 @@ servers may require more work.
         extraConfig = ''
           # starttls needed for authentication, so the fqdn required to match
           # the certificate
-          $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
+          $config['smtp_host'] = "tls://${config.mailserver.fqdn}";
           $config['smtp_user'] = "%u";
           $config['smtp_pass'] = "%p";
         '';

docs/release-notes.rst

@@ -1,6 +1,17 @@
 Release Notes
 =============
 
+NixOS 24.05
+-----------
+
+- Add new option ``acmeCertificateName`` which can be used to support
+  wildcard certificates
+
+NixOS 23.11
+-----------
+
+- Add basic support for LDAP users
+- Add support for regex (PCRE) aliases
 
 NixOS 23.05
 -----------

docs/rspamd-tuning.rst

@@ -24,17 +24,14 @@ You can run the training in a root shell as follows:
 
 .. code:: bash
 
-  # Path to the controller socket
-  export RSOCK="/var/run/rspamd/worker-controller.sock"
-
   # Learn the Junk folder as spam
-  rspamc -h $RSOCK learn_spam /var/vmail/$DOMAIN/$USER/.Junk/cur/
+  rspamc learn_spam /var/vmail/$DOMAIN/$USER/.Junk/cur/
 
   # Learn the INBOX as ham
-  rspamc -h $RSOCK learn_ham /var/vmail/$DOMAIN/$USER/cur/
+  rspamc learn_ham /var/vmail/$DOMAIN/$USER/cur/
 
   # Check that training was successful
-  rspamc -h $RSOCK stat | grep learned
+  rspamc stat | grep learned
 
 Tune symbol weight
 ~~~~~~~~~~~~~~~~~~

flake.lock

@@ -19,11 +19,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1668681692,
+        "lastModified": 1696426674,
-        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
         "type": "github"
       },
       "original": {
@@ -34,11 +34,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1670751203,
+        "lastModified": 1717602782,
-        "narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=",
+        "narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60",
+        "rev": "e8057b67ebf307f01bdcc8fba94d94f75039d1f6",
         "type": "github"
       },
       "original": {
@@ -47,33 +47,18 @@
         "type": "indirect"
       }
     },
-    "nixpkgs-22_11": {
+    "nixpkgs-24_05": {
       "locked": {
-        "lastModified": 1669558522,
+        "lastModified": 1717144377,
-        "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
+        "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
+        "rev": "805a384895c696f802a9bf5bf4720f37385df547",
         "type": "github"
       },
       "original": {
         "id": "nixpkgs",
-        "ref": "nixos-22.11",
+        "ref": "nixos-24.05",
-        "type": "indirect"
-      }
-    },
-    "nixpkgs-23_05": {
-      "locked": {
-        "lastModified": 1684782344,
-        "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
-        "type": "github"
-      },
-      "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-23.05",
         "type": "indirect"
       }
     },
@@ -82,24 +67,7 @@
         "blobs": "blobs",
         "flake-compat": "flake-compat",
         "nixpkgs": "nixpkgs",
-        "nixpkgs-22_11": "nixpkgs-22_11",
+        "nixpkgs-24_05": "nixpkgs-24_05"
-        "nixpkgs-23_05": "nixpkgs-23_05",
-        "utils": "utils"
-      }
-    },
-    "utils": {
-      "locked": {
-        "lastModified": 1605370193,
-        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "5021eac20303a61fafe17224c087f5519baed54d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
       }
     }
   },

flake.nix

@@ -6,17 +6,15 @@
       url = "github:edolstra/flake-compat";
       flake = false;
     };
-    utils.url = "github:numtide/flake-utils";
     nixpkgs.url = "flake:nixpkgs/nixos-unstable";
-    nixpkgs-22_11.url = "flake:nixpkgs/nixos-22.11";
+    nixpkgs-24_05.url = "flake:nixpkgs/nixos-24.05";
-    nixpkgs-23_05.url = "flake:nixpkgs/nixos-23.05";
     blobs = {
       url = "gitlab:simple-nixos-mailserver/blobs";
       flake = false;
     };
   };
 
-  outputs = { self, utils, blobs, nixpkgs, nixpkgs-22_11, nixpkgs-23_05, ... }: let
+  outputs = { self, blobs, nixpkgs, nixpkgs-24_05, ... }: let
     lib = nixpkgs.lib;
     system = "x86_64-linux";
     pkgs = nixpkgs.legacyPackages.${system};
@@ -26,8 +24,8 @@
         pkgs = nixpkgs.legacyPackages.${system};
       }
       {
-        name = "23.05";
+        name = "24.05";
-        pkgs = nixpkgs-23_05.legacyPackages.${system};
+        pkgs = nixpkgs-24_05.legacyPackages.${system};
       }
     ];
     testNames = [
@@ -91,6 +89,7 @@
           sphinx
           sphinx_rtd_theme
           myst-parser
+          linkify-it-py
         ])
       )];
       buildPhase = ''

mail-server/assertions.nix

@@ -13,5 +13,10 @@
       assertion = config.mailserver.forwards == {};
       message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.forwards";
     }
+  ] ++ lib.optionals (config.mailserver.enable && config.mailserver.certificateScheme != "acme") [
+    {
+      assertion = config.mailserver.acmeCertificateName == config.mailserver.fqdn;
+      message = "When the certificate scheme is not 'acme' (mailserver.certificateScheme != \"acme\"), it is not possible to define mailserver.acmeCertificateName";
+    }
   ];
 }

mail-server/common.nix

@@ -26,7 +26,7 @@ in
              else if cfg.certificateScheme == "selfsigned"
                   then "${cfg.certificateDirectory}/cert-${cfg.fqdn}.pem"
                   else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
-                       then "${config.security.acme.certs.${cfg.fqdn}.directory}/fullchain.pem"
+                       then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/fullchain.pem"
                        else throw "unknown certificate scheme";
 
   # key :: PATH
@@ -35,7 +35,7 @@ in
         else if cfg.certificateScheme == "selfsigned"
              then "${cfg.certificateDirectory}/key-${cfg.fqdn}.pem"
               else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
-                   then "${config.security.acme.certs.${cfg.fqdn}.directory}/key.pem"
+                   then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/key.pem"
                    else throw "unknown certificate scheme";
 
   passwordFiles = let
@@ -49,7 +49,7 @@ in
   # Appends the LDAP bind password to files to avoid writing this
   # password into the Nix store.
   appendLdapBindPwd = {
-    name, file, prefix, passwordFile, destination
+    name, file, prefix, suffix ? "", passwordFile, destination
   }: pkgs.writeScript "append-ldap-bind-pwd-in-${name}" ''
     #!${pkgs.stdenv.shell}
     set -euo pipefail
@@ -61,8 +61,9 @@ in
     fi
 
     cat ${file} > ${destination}
-    echo -n "${prefix}" >> ${destination}
+    echo -n '${prefix}' >> ${destination}
     cat ${passwordFile} >> ${destination}
+    echo -n '${suffix}' >> ${destination}
     chmod 600 ${destination}
   '';
 

mail-server/dovecot.nix

@@ -76,7 +76,7 @@ let
       auth_bind = yes
       base = ${cfg.ldap.searchBase}
       scope = ${mkLdapSearchScope cfg.ldap.searchScope}
-      ${lib.optionalString (cfg.ldap.dovecot.userAttrs != "") ''
+      ${lib.optionalString (cfg.ldap.dovecot.userAttrs != null) ''
       user_attrs = ${cfg.ldap.dovecot.userAttrs}
       ''}
       user_filter = ${cfg.ldap.dovecot.userFilter}
@@ -90,7 +90,8 @@ let
   setPwdInLdapConfFile = appendLdapBindPwd {
     name = "ldap-conf-file";
     file = ldapConfig;
-    prefix = "dnpass = ";
+    prefix = ''dnpass = "'';
+    suffix = ''"'';
     passwordFile = cfg.ldap.bind.passwordFile;
     destination = ldapConfFile;
   };
@@ -175,8 +176,18 @@ in
       mailPlugins.globally.enable = lib.optionals cfg.fullTextSearch.enable [ "fts" "fts_xapian" ];
       protocols = lib.optional cfg.enableManageSieve "sieve";
 
-      sieveScripts = {
+      pluginSettings = {
-        after = builtins.toFile "spam.sieve" ''
+        sieve = "file:${cfg.sieveDirectory}/%u/scripts;active=${cfg.sieveDirectory}/%u/active.sieve";
+        sieve_default = "file:${cfg.sieveDirectory}/%u/default.sieve";
+        sieve_default_name = "default";
+      };
+
+      sieve = {
+        extensions = [
+          "fileinto"
+        ];
+
+        scripts.after = builtins.toFile "spam.sieve" ''
           require "fileinto";
 
           if header :is "X-Spam" "Yes" {
@@ -184,8 +195,29 @@ in
               stop;
           }
         '';
+
+        pipeBins = map lib.getExe [
+          (pkgs.writeShellScriptBin "sa-learn-ham.sh"
+            "exec ${pkgs.rspamd}/bin/rspamc -h /run/rspamd/worker-controller.sock learn_ham")
+          (pkgs.writeShellScriptBin "sa-learn-spam.sh"
+            "exec ${pkgs.rspamd}/bin/rspamc -h /run/rspamd/worker-controller.sock learn_spam")
+        ];
       };
 
+      imapsieve.mailbox = [
+        {
+          name = junkMailboxName;
+          causes = [ "COPY" "APPEND" ];
+          before = ./dovecot/imap_sieve/report-spam.sieve;
+        }
+        {
+          name = "*";
+          from = junkMailboxName;
+          causes = [ "COPY" ];
+          before = ./dovecot/imap_sieve/report-ham.sieve;
+        }
+      ];
+
       mailboxes = cfg.mailboxes;
 
       extraConfig = ''
@@ -307,28 +339,6 @@ in
           inbox = yes
         }
 
-        plugin {
-          sieve_plugins = sieve_imapsieve sieve_extprograms
-          sieve = file:${cfg.sieveDirectory}/%u/scripts;active=${cfg.sieveDirectory}/%u/active.sieve
-          sieve_default = file:${cfg.sieveDirectory}/%u/default.sieve
-          sieve_default_name = default
-
-          # From elsewhere to Spam folder
-          imapsieve_mailbox1_name = ${junkMailboxName}
-          imapsieve_mailbox1_causes = COPY,APPEND
-          imapsieve_mailbox1_before = file:${stateDir}/imap_sieve/report-spam.sieve
-
-          # From Spam folder to elsewhere
-          imapsieve_mailbox2_name = *
-          imapsieve_mailbox2_from = ${junkMailboxName}
-          imapsieve_mailbox2_causes = COPY
-          imapsieve_mailbox2_before = file:${stateDir}/imap_sieve/report-ham.sieve
-
-          sieve_pipe_bin_dir = ${pipeBin}/pipe/bin
-
-          sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
-        }
-
         ${lib.optionalString cfg.fullTextSearch.enable ''
         plugin {
           plugin = fts fts_xapian
@@ -357,13 +367,6 @@ in
     systemd.services.dovecot2 = {
       preStart = ''
         ${genPasswdScript}
-        rm -rf '${stateDir}/imap_sieve'
-        mkdir '${stateDir}/imap_sieve'
-        cp -p "${./dovecot/imap_sieve}"/*.sieve '${stateDir}/imap_sieve/'
-        for k in "${stateDir}/imap_sieve"/*.sieve ; do
-          ${pkgs.dovecot_pigeonhole}/bin/sievec "$k"
-        done
-        chown -R '${dovecot2Cfg.mailUser}:${dovecot2Cfg.mailGroup}' '${stateDir}/imap_sieve'
       '' + (lib.optionalString cfg.ldap.enable setPwdInLdapConfFile);
     };
 

mail-server/nginx.nix

@@ -17,11 +17,10 @@
 
 { config, pkgs, lib, ... }:
 
-with (import ./common.nix { inherit config; });
+with (import ./common.nix { inherit config lib pkgs; });
 
 let
   cfg = config.mailserver;
-  acmeRoot = "/var/lib/acme/acme-challenge";
 in
 {
   config = lib.mkIf (cfg.enable && (cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx")) {
@@ -32,11 +31,10 @@ in
         serverAliases = cfg.certificateDomains;
         forceSSL = true;
         enableACME = true;
-        acmeRoot = acmeRoot;
       };
     };
 
-    security.acme.certs."${cfg.fqdn}".reloadServices = [
+    security.acme.certs."${cfg.acmeCertificateName}".reloadServices = [
       "postfix.service"
       "dovecot2.service"
     ];

mail-server/postfix.nix

@@ -274,9 +274,6 @@ in
         # Submission by mail clients is handled in submissionOptions
         smtpd_tls_security_level = "may";
 
-        # strong might suffice and is computationally less expensive
-        smtpd_tls_eecdh_grade = "ultra";
-
         # Disable obselete protocols
         smtpd_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, !SSLv2, !SSLv3";
         smtp_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, !SSLv2, !SSLv3";
@@ -328,7 +325,7 @@ in
           privileged = true;
           chroot = false;
           command = "spawn";
-          args = [ "user=nobody" "argv=${pkgs.pypolicyd-spf}/bin/policyd-spf" "${policyd-spf}"];
+          args = [ "user=nobody" "argv=${pkgs.spf-engine}/bin/policyd-spf" "${policyd-spf}"];
         };
         "submission-header-cleanup" = {
           type = "unix";

mail-server/rspamd.nix

@@ -25,12 +25,21 @@ let
 in
 {
   config = with cfg; lib.mkIf enable {
+    environment.systemPackages = lib.mkBefore [
+      (pkgs.runCommand "rspamc-wrapped" {
+        nativeBuildInputs = with pkgs; [ makeWrapper ];
+       }''
+        makeWrapper ${pkgs.rspamd}/bin/rspamc $out/bin/rspamc \
+          --add-flags "-h /var/run/rspamd/worker-controller.sock"
+      '')
+    ];
+
     services.rspamd = {
       enable = true;
       inherit debug;
       locals = {
           "milter_headers.conf" = { text = ''
-              extended_spam_headers = yes;
+              extended_spam_headers = true;
           ''; };
           "redis.conf" = { text = ''
               servers = "${cfg.redis.address}:${toString cfg.redis.port}";
@@ -69,14 +78,6 @@ in
           ''; };
       };
 
-      overrides = {
-        "milter_headers.conf" = {
-          text = ''
-            extended_spam_headers = true;
-          '';
-        };
-      };
-
       workers.rspamd_proxy = {
         type = "rspamd_proxy";
         bindSockets = [{

tests/external.nix

@@ -501,7 +501,6 @@ pkgs.nixosTest {
 
       with subtest("dmarc reporting"):
           server.systemctl("start rspamd-dmarc-reporter.service")
-          server.wait_until_succeeds("journalctl -eu rspamd-dmarc-reporter.service -o cat | grep -q 'No reports for '")
 
       with subtest("no warnings or errors"):
           server.fail("journalctl -u postfix | grep -i error >&2")
@@ -509,7 +508,7 @@ pkgs.nixosTest {
           server.fail("journalctl -u dovecot2 | grep -i error >&2")
           # harmless ? https://dovecot.org/pipermail/dovecot/2020-August/119575.html
           server.fail(
-              "journalctl -u dovecot2 |grep -v 'Expunged message reappeared, giving a new UID'| grep -i warning >&2"
+              "journalctl -u dovecot2 |grep -v 'Expunged message reappeared, giving a new UID'| grep -v 'FTS Xapian: Box is empty' | grep -i warning >&2"
           )
     '';
 }

tests/internal.nix

@@ -177,7 +177,7 @@ pkgs.nixosTest {
             "set +e; timeout 1 ${pkgs.netcat}/bin/nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
         )
         machine.succeed(
-            "cat ${sendMail} | ${pkgs.netcat-gnu}/bin/nc localhost 25 | grep -q 'This account cannot receive emails'"
+            "cat ${sendMail} | ${pkgs.netcat-gnu}/bin/nc localhost 25 | grep -q '554 5.5.0 Error'"
         )
 
     with subtest("rspamd controller serves web ui"):