97 lines
2.9 KiB
Nix
97 lines
2.9 KiB
Nix
{ config, pkgs, ... }:
|
|
|
|
{
|
|
imports = [
|
|
(builtins.fetchTarball {
|
|
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-24.05/nixos-mailserver-nixos-24.05.tar.gz";
|
|
sha256 = "0clvw4622mqzk1aqw1qn6shl9pai097q62mq1ibzscnjayhp278b";
|
|
})
|
|
];
|
|
|
|
mailserver = {
|
|
enable = true;
|
|
fqdn = "mail.eurofusion.eu";
|
|
domains = [ "eurofusion.eu" ];
|
|
|
|
messageSizeLimit = 78643200; # ~50MiB of base64 binary
|
|
|
|
loginAccounts = config.secrets.emailAccounts;
|
|
extraVirtualAliases = config.secrets.emailAliases;
|
|
|
|
# store state under /var
|
|
mailDirectory = "/var/lib/mail";
|
|
dkimKeyDirectory = "/var/lib/dkim";
|
|
|
|
mailboxes = {
|
|
# default IMAP folders
|
|
Sent = { specialUse = "Sent"; auto = "subscribe"; };
|
|
Drafts = { specialUse = "Drafts"; auto = "subscribe"; };
|
|
Spam = { specialUse = "Junk"; auto = "subscribe"; };
|
|
Trash = { specialUse = "Trash"; auto = "no"; };
|
|
};
|
|
|
|
# Use Let's Encrypt certificate
|
|
certificateScheme = "acme-nginx";
|
|
|
|
# There is one already (pdns-recursor)
|
|
localDnsResolver = false;
|
|
|
|
# Enable IMAPS (993), SMTPS (465)
|
|
enableImapSsl = true;
|
|
enableImap = false;
|
|
enableSubmissionSsl = true;
|
|
enableSubmission = false;
|
|
};
|
|
|
|
services.dovecot2.extraConfig = ''
|
|
# Improve hashing speed
|
|
auth_cache_verify_password_with_worker = yes
|
|
'';
|
|
|
|
services.postfix.extraConfig = ''
|
|
# Prefer IPv6
|
|
smtp_address_preference = ipv6
|
|
# Prevent binding on temporary addresses
|
|
smtp_bind_address6 = ${config.var.ipv6Address}
|
|
'';
|
|
|
|
# Keep the key stable across renewals (for DANE)
|
|
security.acme.certs.${config.mailserver.fqdn}.extraLegoRenewFlags = [ "--reuse-key" ];
|
|
|
|
# Utilities
|
|
environment.systemPackages = [
|
|
# computes the DANE records
|
|
(pkgs.writers.writeDashBin "mailserver-dane" ''
|
|
set -e
|
|
export PATH=${with pkgs; lib.makeBinPath [ coreutils openssl gawk ]}:$PATH
|
|
|
|
pubkey_hash() {
|
|
openssl x509 -noout -pubkey | \
|
|
openssl pkey -pubin -outform DER | \
|
|
sha256sum | cut -f1 -d' '
|
|
}
|
|
|
|
fqdn=${config.mailserver.fqdn}
|
|
cert="/var/lib/acme/$fqdn/cert.pem"
|
|
self=$(awk '{print $0} /END CERT/{exit}' "$cert" | pubkey_hash)
|
|
ca=$(awk '{if(keep) print $0} /END CERT/{keep=1}' "$cert" | pubkey_hash)
|
|
|
|
# main: DANE-EE(3) SPKI(1) SHA2-256(1)
|
|
printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$fqdn" "$self"
|
|
# fallback: DANE-TA(2) SPKI(1) SHA2-256(1)
|
|
printf '_25._tcp.%s. IN TLSA 2 1 1 %s\n' "$fqdn" "$ca"
|
|
'')
|
|
|
|
# computes the DKIM record
|
|
(pkgs.writers.writeDashBin "mailserver-dkim" ''
|
|
set -e
|
|
export PATH=${with pkgs; lib.makeBinPath [ coreutils gawk ]}:$PATH
|
|
|
|
domain=${builtins.elemAt config.mailserver.domains 0}
|
|
raw=$(cat ${config.mailserver.dkimKeyDirectory}/*.txt | tr -d '\n\t' | awk -F'"' '{print $2$4}')
|
|
printf 'mail._domainkey.%s IN TXT %s' "$domain" "$raw"
|
|
'')
|
|
|
|
];
|
|
}
|