{ config, pkgs, ... }: { imports = [ (builtins.fetchTarball { url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-23.05/nixos-mailserver-nixos-23.05.tar.gz"; sha256 = "1ngil2shzkf61qxiqw11awyl81cr7ks2kv3r3k243zz7v2xakm5c"; }) ]; mailserver = { enable = true; fqdn = "mail.eurofusion.eu"; domains = [ "eurofusion.eu" ]; messageSizeLimit = 78643200; # ~50MiB of base64 binary loginAccounts = config.secrets.emailAccounts; extraVirtualAliases = config.secrets.emailAliases; # store state under /var mailDirectory = "/var/lib/mail"; dkimKeyDirectory = "/var/lib/dkim"; mailboxes = { # default IMAP folders Sent = { specialUse = "Sent"; auto = "subscribe"; }; Drafts = { specialUse = "Drafts"; auto = "subscribe"; }; Spam = { specialUse = "Junk"; auto = "subscribe"; }; Trash = { specialUse = "Trash"; auto = "no"; }; }; # Use Let's Encrypt certificate certificateScheme = "acme-nginx"; # There is one already (pdns-recursor) localDnsResolver = false; # Enable IMAPS (993), SMTPS (465) enableImapSsl = true; enableImap = false; enableSubmissionSsl = true; enableSubmission = false; }; services.dovecot2.extraConfig = '' # Improve hashing speed auth_cache_verify_password_with_worker = yes ''; services.postfix.extraConfig = '' # Prefer IPv6 smtp_address_preference = ipv6 # Prevent binding on temporary addresses smtp_bind_address6 = ${config.var.ipv6Address} ''; # Keep the key stable across renewals (for DANE) security.acme.certs.${config.mailserver.fqdn}.extraLegoRenewFlags = [ "--reuse-key" ]; # Listen on localhost:443 for sslh services.nginx.virtualHosts.${config.mailserver.fqdn}.listen = [ { addr = "localhost"; port = 443; ssl = true; } { addr = "[::]"; port = 80; } { addr = "0.0.0.0"; port = 80; } ]; # Utilities environment.systemPackages = [ # computes the DANE records (pkgs.writers.writeDashBin "mailserver-dane" '' set -e export PATH=${with pkgs; lib.makeBinPath [ coreutils openssl gawk ]}:$PATH pubkey_hash() { openssl x509 -noout -pubkey | \ openssl pkey -pubin -outform DER | \ sha256sum | cut -f1 -d' ' } fqdn=${config.mailserver.fqdn} cert="/var/lib/acme/$fqdn/cert.pem" self=$(awk '{print $0} /END CERT/{exit}' "$cert" | pubkey_hash) ca=$(awk '{if(keep) print $0} /END CERT/{keep=1}' "$cert" | pubkey_hash) # main: DANE-EE(3) SPKI(1) SHA2-256(1) printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$fqdn" "$self" # fallback: DANE-TA(2) SPKI(1) SHA2-256(1) printf '_25._tcp.%s. IN TLSA 2 1 1 %s\n' "$fqdn" "$ca" '') # computes the DKIM record (pkgs.writers.writeDashBin "mailserver-dkim" '' set -e export PATH=${with pkgs; lib.makeBinPath [ coreutils gawk ]}:$PATH domain=${builtins.elemAt config.mailserver.domains 0} raw=$(cat ${config.mailserver.dkimKeyDirectory}/*.txt | tr -d '\n\t' | awk -F'"' '{print $2$4}') printf 'mail._domainkey.%s IN TXT %s' "$domain" "$raw" '') ]; }