Allow TLSv1 for compatibility with older devices

This allows overwriting the default values for user_attrs to be empty
which is required when using virtual mailboxes with ldap accounts
that have posixAccount attributes set. When user_attrs is empty string
those are ignored then.

default.nix

@@ -277,7 +277,7 @@ in
 
       dovecot = {
         userAttrs = mkOption {
-          type = types.str;
+          type = types.nullOr types.str;
           default = "";
           description = ''
             LDAP attributes to be retrieved during userdb lookups.

docs/rspamd-tuning.rst

@@ -24,17 +24,14 @@ You can run the training in a root shell as follows:
 
 .. code:: bash
 
-  # Path to the controller socket
-  export RSOCK="/var/run/rspamd/worker-controller.sock"
-
   # Learn the Junk folder as spam
-  rspamc -h $RSOCK learn_spam /var/vmail/$DOMAIN/$USER/.Junk/cur/
+  rspamc learn_spam /var/vmail/$DOMAIN/$USER/.Junk/cur/
 
   # Learn the INBOX as ham
-  rspamc -h $RSOCK learn_ham /var/vmail/$DOMAIN/$USER/cur/
+  rspamc learn_ham /var/vmail/$DOMAIN/$USER/cur/
 
   # Check that training was successful
-  rspamc -h $RSOCK stat | grep learned
+  rspamc stat | grep learned
 
 Tune symbol weight
 ~~~~~~~~~~~~~~~~~~

flake.lock

@@ -67,41 +67,7 @@
         "blobs": "blobs",
         "flake-compat": "flake-compat",
         "nixpkgs": "nixpkgs",
-        "nixpkgs-24_05": "nixpkgs-24_05",
+        "nixpkgs-24_05": "nixpkgs-24_05"
-        "utils": "utils"
-      }
-    },
-    "systems": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
-    "utils": {
-      "inputs": {
-        "systems": "systems"
-      },
-      "locked": {
-        "lastModified": 1709126324,
-        "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "d465f4819400de7c8d874d50b982301f28a84605",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
       }
     }
   },

flake.nix

@@ -6,7 +6,6 @@
       url = "github:edolstra/flake-compat";
       flake = false;
     };
-    utils.url = "github:numtide/flake-utils";
     nixpkgs.url = "flake:nixpkgs/nixos-unstable";
     nixpkgs-24_05.url = "flake:nixpkgs/nixos-24.05";
     blobs = {
@@ -15,7 +14,7 @@
     };
   };
 
-  outputs = { self, utils, blobs, nixpkgs, nixpkgs-24_05, ... }: let
+  outputs = { self, blobs, nixpkgs, nixpkgs-24_05, ... }: let
     lib = nixpkgs.lib;
     system = "x86_64-linux";
     pkgs = nixpkgs.legacyPackages.${system};

mail-server/dovecot.nix

@@ -76,7 +76,7 @@ let
       auth_bind = yes
       base = ${cfg.ldap.searchBase}
       scope = ${mkLdapSearchScope cfg.ldap.searchScope}
-      ${lib.optionalString (cfg.ldap.dovecot.userAttrs != "") ''
+      ${lib.optionalString (cfg.ldap.dovecot.userAttrs != null) ''
       user_attrs = ${cfg.ldap.dovecot.userAttrs}
       ''}
       user_filter = ${cfg.ldap.dovecot.userFilter}
@@ -282,7 +282,7 @@ in
 
         mail_access_groups = ${vmailGroupName}
         ssl = required
-        ssl_min_protocol = TLSv1.2
+        ssl_min_protocol = TLSv1
         ssl_prefer_server_ciphers = yes
 
         service lmtp {

mail-server/postfix.nix

@@ -275,10 +275,10 @@ in
         smtpd_tls_security_level = "may";
 
         # Disable obselete protocols
-        smtpd_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
+        smtpd_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, !SSLv2, !SSLv3";
-        smtp_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
+        smtp_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, !SSLv2, !SSLv3";
-        smtpd_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
+        smtpd_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, !SSLv2, !SSLv3";
-        smtp_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
+        smtp_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, !SSLv2, !SSLv3";
 
         smtp_tls_ciphers = "high";
         smtpd_tls_ciphers = "high";
@@ -325,7 +325,7 @@ in
           privileged = true;
           chroot = false;
           command = "spawn";
-          args = [ "user=nobody" "argv=${pkgs.pypolicyd-spf}/bin/policyd-spf" "${policyd-spf}"];
+          args = [ "user=nobody" "argv=${pkgs.spf-engine}/bin/policyd-spf" "${policyd-spf}"];
         };
         "submission-header-cleanup" = {
           type = "unix";

mail-server/rspamd.nix

@@ -25,6 +25,15 @@ let
 in
 {
   config = with cfg; lib.mkIf enable {
+    environment.systemPackages = lib.mkBefore [
+      (pkgs.runCommand "rspamc-wrapped" {
+        nativeBuildInputs = with pkgs; [ makeWrapper ];
+       }''
+        makeWrapper ${pkgs.rspamd}/bin/rspamc $out/bin/rspamc \
+          --add-flags "-h /var/run/rspamd/worker-controller.sock"
+      '')
+    ];
+
     services.rspamd = {
       enable = true;
       inherit debug;