maxwell/email.nix

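{ config, pkgs, ... }:
# Mail server for eurofusion.eu built on simple-nixos-mailserver, plus two
# small helper commands that print the DNS records (TLSA for DANE, TXT for
# DKIM) this configuration expects to be published.
{
  imports = [
    # The mailserver module is pinned to a release tarball by URL and sha256,
    # so the evaluated mail stack only changes when this file is edited.
    (builtins.fetchTarball {
      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-23.05/nixos-mailserver-nixos-23.05.tar.gz";
      sha256 = "1ngil2shzkf61qxiqw11awyl81cr7ks2kv3r3k243zz7v2xakm5c";
    })
  ];

  mailserver = {
    enable = true;
    fqdn = "mail.eurofusion.eu";
    domains = [ "eurofusion.eu" ];

    messageSizeLimit = 78643200; # ~50MiB of base64 binary

    # Account credentials and aliases are kept out of this file (config.secrets.*).
    loginAccounts = config.secrets.emailAccounts;
    extraVirtualAliases = config.secrets.emailAliases;

    # store state under /var
    mailDirectory = "/var/lib/mail";
    dkimKeyDirectory = "/var/lib/dkim";

    mailboxes = {
      # default IMAP folders
      Sent = { specialUse = "Sent"; auto = "subscribe"; };
      Drafts = { specialUse = "Drafts"; auto = "subscribe"; };
      Spam = { specialUse = "Junk"; auto = "subscribe"; };
      Trash = { specialUse = "Trash"; auto = "no"; };
    };

    # Use Let's Encrypt certificate
    certificateScheme = "acme-nginx";

    # There is one already (pdns-recursor)
    localDnsResolver = false;

    # Enable IMAPS (993), SMTPS (465); the STARTTLS variants (IMAP 143,
    # submission 587) stay disabled so clients can only use implicit TLS.
    enableImapSsl = true;
    enableImap = false;
    enableSubmissionSsl = true;
    enableSubmission = false;
  };

  services.dovecot2.extraConfig = ''
    # Improve hashing speed
    auth_cache_verify_password_with_worker = yes
  '';

  services.postfix.extraConfig = ''
    # Prefer IPv6
    smtp_address_preference = ipv6
    # Prevent binding on temporary addresses
    smtp_bind_address6 = ${config.var.ipv6Address}
  '';

  # Keep the key stable across renewals (for DANE)
  # The "3 1 1" TLSA record printed by mailserver-dane hashes this key, so a
  # deliberate key change has to be preceded by publishing the new record.
  security.acme.certs.${config.mailserver.fqdn}.extraLegoRenewFlags = [ "--reuse-key" ];

  # Utilities
  environment.systemPackages = [
    # computes the DANE records
    # Prints the TLSA records for SMTP (port 25) of the mailserver fqdn:
    #   3 1 1  -> SPKI hash of the end-entity certificate (first PEM block)
    #   2 1 1  -> SPKI hash of the issuer certificate (second PEM block), only
    #             emitted when the cert file actually carries a second block.
    # Exits non-zero if the certificate file is missing or yields no hash.
    (pkgs.writers.writeDashBin "mailserver-dane" ''
      set -e
      export PATH=${with pkgs; lib.makeBinPath [ coreutils openssl gawk ]}:$PATH
      # SHA-256 of the DER-encoded SubjectPublicKeyInfo of the PEM cert on stdin
      pubkey_hash() {
        openssl x509 -noout -pubkey | \
          openssl pkey -pubin -outform DER | \
          sha256sum | cut -f1 -d' '
      }
      fqdn=${config.mailserver.fqdn}
      cert="/var/lib/acme/$fqdn/cert.pem"
      if [ ! -r "$cert" ]; then
        echo "mailserver-dane: cannot read $cert" >&2
        exit 1
      fi
      # first PEM block: the end-entity certificate
      self=$(awk '{print $0} /END CERT/{exit}' "$cert" | pubkey_hash)
      if [ -z "$self" ]; then
        echo "mailserver-dane: no public key hash obtained from $cert" >&2
        exit 1
      fi
      # main: DANE-EE(3) SPKI(1) SHA2-256(1)
      printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$fqdn" "$self"
      # everything after the first PEM block: the issuer, when present
      issuer=$(awk '{if(keep) print $0} /END CERT/{keep=1}' "$cert")
      if [ -n "$issuer" ]; then
        ca=$(printf '%s\n' "$issuer" | pubkey_hash)
        # fallback: DANE-TA(2) SPKI(1) SHA2-256(1)
        printf '_25._tcp.%s. IN TLSA 2 1 1 %s\n' "$fqdn" "$ca"
      else
        echo "mailserver-dane: $cert holds no issuer certificate, skipping the 2 1 1 record" >&2
      fi
    '')
    # computes the DKIM record
    # Prints the DKIM TXT record for the first configured domain. The selector
    # "mail" is hardcoded here; it must match the selector the mailserver module
    # signs with (its default is "mail"; check mailserver.dkimSelector if it was
    # changed). Reads every *.txt in dkimKeyDirectory, which only yields one
    # record as long as a single domain is configured.
    (pkgs.writers.writeDashBin "mailserver-dkim" ''
      set -e
      export PATH=${with pkgs; lib.makeBinPath [ coreutils gawk ]}:$PATH
      domain=${builtins.elemAt config.mailserver.domains 0}
      # the key file stores the record as two quoted strings; rejoin them
      raw=$(cat ${config.mailserver.dkimKeyDirectory}/*.txt | tr -d '\n\t' | awk -F'"' '{print $2$4}')
      if [ -z "$raw" ]; then
        echo "mailserver-dkim: no DKIM record found in ${config.mailserver.dkimKeyDirectory}" >&2
        exit 1
      fi
      printf 'mail._domainkey.%s IN TXT %s\n' "$domain" "$raw"
    '')
  ];
}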