nixfiles/hosts/hetzner-vm/services/mailserver/dovecot.nix

{ config, pkgs, lib, ... }:
let
# Host-specific mail settings (accounts, vmail user/group, TLS material, sieve
# paths, debug flag) live in ./config.nix; this file only wires them into Dovecot.
mail_config = (import ./config.nix { });
# Runtime location of the generated Dovecot passwd-file; it is (re)written by
# genPasswdScript from the dovecot2 preStart below, not shipped in the store.
passwdDir = "/run/dovecot2";
passwdFile = "${passwdDir}/passwd";
# Bool -> "1"/"0" helper; not referenced anywhere in this file as shown.
bool2int = x: if x then "1" else "0";
# maildir in format "/${domain}/${user}"
# (%d and %n are expanded by Dovecot to the domain and local part of the login)
dovecotMaildir = "maildir:${mail_config.vmail_config.directory}/%d/%n";
# Postfix's user/group are reused below as owner of the LMTP and auth sockets.
postfixCfg = config.services.postfix;
# Not referenced in this file as shown.
dovecot2Cfg = config.services.dovecot2;
# Not referenced in this file as shown.
stateDir = "/var/lib/dovecot";
# account name -> path of the file whose first line is that account's password hash
passwordFiles =
  lib.mapAttrs (name: value: value.passwordFile) mail_config.accounts;
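# Builds the Dovecot passwd-file at service start from the per-account hash
# files named in config.nix.  The hashes are read at runtime with `head -n 1`,
# so they are not evaluated into this script.
#
# NOTE(review): whether the hash files themselves end up in the world-readable
# Nix store depends on how config.nix spells passwordFile — a Nix path literal
# would be copied into the store when interpolated below, a plain string path
# would not.  Confirm they are strings.
#
# passwd-file line format written here, one line per account:
#   user:hash:uid:gid::home:shell:
# uid and gid are both vmail_config.user_group_id; home is the shared vmail
# directory; the shell is nologin.
genPasswdScript = pkgs.writeScript "generate-password-file" ''
  #!${pkgs.stdenv.shell}
  set -euo pipefail

  if [ ! -d "${passwdDir}" ]; then
    mkdir "${passwdDir}"
    chmod 755 "${passwdDir}"
  fi

  # Fail before touching the passwd-file if any account lacks its hash file;
  # otherwise a missing file would produce a malformed line for that user.
  for f in ${
    builtins.toString
    (lib.mapAttrsToList (name: value: passwordFiles."${name}")
      mail_config.accounts)
  }; do
    if [ ! -f "$f" ]; then
      echo "Expected password hash file $f does not exist!" >&2
      exit 1
    fi
  done

  # Create the passwd-file with mode 600 from the start: with the default
  # umask the redirection below would first create it world-readable and only
  # the later chmod would close that window.  The chmod is kept so that a
  # pre-existing file with looser permissions is tightened as well.
  umask 077
  cat <<EOF > ${passwdFile}
  ${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value:
    "${name}:${"$(head -n 1 ${passwordFiles."${name}"})"}:${
      builtins.toString mail_config.vmail_config.user_group_id
    }:${
      builtins.toString mail_config.vmail_config.user_group_id
    }::${mail_config.vmail_config.directory}:/run/current-system/sw/bin/nologin:")
    mail_config.accounts)}
  EOF
  chmod 600 ${passwdFile}
'';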
# Wrapped copies of the scripts in ./pipe_bin, exposed to Dovecot's Sieve
# "pipe" extension through sieve_pipe_bin_dir.  Every program is wrapped with
# a fixed PATH containing only coreutils and rspamd, so the scripts never pick
# up tools from the environment of the process that invokes them.
pipeBin = pkgs.stdenv.mkDerivation {
  name = "pipe_bin";
  src = ./pipe_bin;
  buildInputs = [ pkgs.makeWrapper pkgs.coreutils pkgs.bash pkgs.rspamd ];
  buildCommand = ''
    install -Dm755 -t "$out/pipe/bin" "$src"/*
    patchShebangs "$out/pipe/bin"
    for prog in "$out"/pipe/bin/*; do
      wrapProgram "$prog" --set PATH "${pkgs.coreutils}/bin:${pkgs.rspamd}/bin"
    done
  '';
};
in {
# Dovecot as IMAP + LMTP + ManageSieve server.  Accounts come exclusively from
# the passwd-file generated by genPasswdScript; mail is stored as Maildir under
# the vmail directory, one tree per domain/user (see dovecotMaildir).
services.dovecot2 = {
  enable = true;
  enableImap = true;
  enablePop3 = false;
  # No PAM: both passdb and userdb are the passwd-file configured in extraConfig.
  enablePAM = false;
  enableQuota = true;
  mailGroup = mail_config.vmail_config.user_group_name;
  mailUser = mail_config.vmail_config.user_group_name;
  mailLocation = dovecotMaildir;
  sslServerCert = mail_config.ssl_config.cert;
  sslServerKey = mail_config.ssl_config.key;
  enableLmtp = true;
  # Pigeonhole supplies Sieve filtering and the ManageSieve protocol.
  modules = [ pkgs.dovecot_pigeonhole ];
  protocols = [ "sieve" ];
  sieveScripts = {
    # Global script run after the user's own scripts: mail the spam filter
    # tagged with "X-Spam: Yes" is filed into Junk.
    after = builtins.toFile "spam.sieve" ''
      require "fileinto";
      if header :is "X-Spam" "Yes" {
        fileinto "Junk";
        stop;
      }
    '';
  };
  # Special-use folders; all but Trash are created and subscribed automatically.
  mailboxes = {
    Trash = {
      auto = "no";
      specialUse = "Trash";
    };
    Junk = {
      auto = "subscribe";
      specialUse = "Junk";
    };
    Drafts = {
      auto = "subscribe";
      specialUse = "Drafts";
    };
    Sent = {
      auto = "subscribe";
      specialUse = "Sent";
    };
  };
  # Raw dovecot.conf fragments that the NixOS options above do not cover.
  extraConfig = ''
    ${lib.optionalString mail_config.debug_mode ''
      mail_debug = yes
      auth_debug = yes
      verbose_ssl = yes
    ''}
    # auth_debug above does not log credentials; that would be the separate
    # auth_debug_passwords setting, which is not enabled here.
    service imap-login {
      inet_listener imap {
        port = 143
      }
      inet_listener imaps {
        port = 993
        ssl = yes
      }
    }
    protocol imap {
      mail_max_userip_connections = 100
      mail_plugins = $mail_plugins imap_sieve
    }
    mail_access_groups = "${mail_config.vmail_config.user_group_name}"
    # TLS is mandatory before authentication on every listener (STARTTLS on 143,
    # implicit TLS on 993), so the "plain"/"login" mechanisms below are never
    # offered over a cleartext connection.
    ssl = required
    ssl_min_protocol = TLSv1.2
    ssl_prefer_server_ciphers = yes
    # LMTP delivery socket, owned by and only accessible to the postfix user.
    service lmtp {
      unix_listener dovecot-lmtp {
        group = ${postfixCfg.group}
        mode = 0600
        user = ${postfixCfg.user}
      }
    }
    recipient_delimiter = "+"
    lmtp_save_to_detail_mailbox = "no"
    protocol lmtp {
      mail_plugins = $mail_plugins sieve
    }
    # Password and user lookups both read the generated passwd-file.
    passdb {
      driver = passwd-file
      args = ${passwdFile}
    }
    userdb {
      driver = passwd-file
      args = ${passwdFile}
    }
    # Auth socket owned by postfix's user/group — presumably consumed by postfix
    # for SMTP authentication; confirm against the postfix configuration.
    service auth {
      unix_listener auth {
        mode = 0660
        user = ${postfixCfg.user}
        group = ${postfixCfg.group}
      }
    }
    auth_mechanisms = plain login
    namespace inbox {
      separator = "."
      inbox = yes
    }
    plugin {
      sieve_plugins = sieve_imapsieve sieve_extprograms
      # Per-user scripts and the per-user default live under sieve_directory.
      sieve = file:${mail_config.sieve_directory}/%u/scripts;active=${mail_config.sieve_directory}/%u/active.sieve
      sieve_default = file:${mail_config.sieve_directory}/%u/default.sieve
      sieve_default_name = default
      # From elsewhere to Spam folder
      imapsieve_mailbox1_name = Junk
      imapsieve_mailbox1_causes = COPY
      imapsieve_mailbox1_before = file:${./spam_sieve/report-spam.sieve}
      # From Spam folder to elsewhere
      imapsieve_mailbox2_name = *
      imapsieve_mailbox2_from = Junk
      imapsieve_mailbox2_causes = COPY
      imapsieve_mailbox2_before = file:${./spam_sieve/report-ham.sieve}
      # The pipe and environment extensions are granted via
      # sieve_global_extensions, i.e. only to the admin-controlled global scripts
      # (the report-spam/report-ham scripts above), not to user-editable scripts,
      # so users cannot run the programs in sieve_pipe_bin_dir from their own rules.
      sieve_pipe_bin_dir = ${pipeBin}/pipe/bin
      sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
    }
    lda_mailbox_autosubscribe = yes
    lda_mailbox_autocreate = yes
  '';
};
# Regenerate the passwd-file from the current hash files on every Dovecot start,
# so the file under /run always reflects the hash files present at start time.
systemd.services.dovecot2.preStart = "${genPasswdScript}\n";
# Restart postfix whenever the generator script changes — presumably because
# postfix depends on the auth socket Dovecot exposes (service auth above); confirm.
systemd.services.postfix.restartTriggers = [ genPasswdScript ];
}