From 0d08c3207712c0ea107e15664304afe942810592 Mon Sep 17 00:00:00 2001
From: Till
Date: Fri, 25 Apr 2025 21:15:17 +0200
Subject: [PATCH] mailserver

---
 system/web-server/mail.nix | 153 +++++++++++++++++++++++++++++++++----
 1 file changed, 139 insertions(+), 14 deletions(-)

diff --git a/system/web-server/mail.nix b/system/web-server/mail.nix
index 292ab45..38ce4a7 100644
--- a/system/web-server/mail.nix
+++ b/system/web-server/mail.nix
@@ -1,26 +1,151 @@ { config, pkgs, ... }: -{ +let + + submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" '' + /^Received:/ IGNORE + /^X-Originating-IP:/ IGNORE + /^X-Mailer:/ IGNORE + /^User-Agent:/ IGNORE + /^X-Enigmail:/ IGNORE + /^Message-ID:\s+<(.*?)@.*?>/ REPLACE Message-ID: <$1@ktiu.net> + ''; + +in { + + networking.firewall.allowedTCPPorts = [ + 993 # IMAP + 25 # SMTP + 587 # SMTP w/ TLS + ]; + + services.opendkim = { + enable = true; + domains = "csl:ktiu.net,t9e.me"; + selector = "202412"; + settings.UMask = "007"; + }; + users.users.postfix.extraGroups = [ "opendkim" ]; + + + services.nginx = { + enable = true; + virtualHosts = { + "ktiu.net" = { + addSSL = true; + enableACME = true; + locations."/" = { + return = "418 'Ich bin eine Teekanne.'"; + }; + }; + "${config.networking.fqdn}" = { + addSSL = true; + enableACME = true; + locations."/.well-known/acme-challenge" = { + root = "/var/lib/acme/.challenges"; + }; + locations."/" = { + return = "301 http://${config.networking.domain}"; + }; + }; + }; + }; + + security.acme.certs."${config.networking.fqdn}-postfix" = { + domain = config.networking.fqdn; + webroot = "/var/lib/acme/.challenges"; + group = config.services.postfix.group; + }; services.postfix = { enable = true; - # domain = "ktiu.net"; - domain = "t9e.me"; - virtual = [ - # "@ktiu.net till" - "@t9e.me till" - "till till" - # "uni@ktiu.net straube@geo.uni-frankfurt.de" - # "meetup@ktiu.net straube@geo.uni-frankfurt.de" + domain = "ktiu.net"; + origin = "ktiu.net"; + hostname = "arielle.ktiu.net"; + destination = [ + "ktiu.net" + "mail.ktiu.net" + "t9e.me" + "localhost" + "localhost.localdomain" ]; + virtual = '' + @ktiu.net till + @t9e.me till + till till + ''; + networks = [ "127.0.0.0/8" "[::ffff:127.0.0.0]/104" "[::1]/128" ]; + sslKey = config.security.acme.certs."${config.networking.fqdn}-postfix".directory + "/key.pem"; + sslCert = config.security.acme.certs."${config.networking.fqdn}-postfix".directory + 
"/cert.pem"; + config = { + smtpd_tls_security_level = "may"; + smtpd_milters = [ "unix:/run/opendkim/opendkim.sock" ]; + }; + enableSubmission = true; + submissionOptions = { + milter_macro_daemon_name = "ORIGINATING"; + cleanup_service_name = "submission-header-cleanup"; + smtpd_tls_security_level = "encrypt"; + smtpd_sasl_auth_enable = "yes"; + smtpd_sasl_type = "dovecot"; + smtpd_sasl_path = "/var/run/dovecot2/auth"; + smtpd_sasl_security_options = "noanonymous"; + smtpd_client_restrictions = "permit_mynetworks,permit_sasl_authenticated,reject"; + smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject"; + }; + masterConfig = { + "submission-header-cleanup" = { + type = "unix"; + private = false; + chroot = false; + maxproc = 0; + command = "cleanup"; + args = ["-o" "header_checks=pcre:${submissionHeaderCleanupRules}"]; + }; + }; }; + security.acme.certs."${config.networking.fqdn}-dovecot" = { + domain = config.networking.fqdn; + webroot = "/var/lib/acme/.challenges"; + group = config.services.dovecot2.group; + }; + services.dovecot2 = { + enable = true; + sslServerKey = config.security.acme.certs."${config.networking.fqdn}-dovecot".directory + "/key.pem"; + sslServerCert = config.security.acme.certs."${config.networking.fqdn}-dovecot".directory + "/cert.pem"; + mailboxes = { + Junk = { specialUse = "Junk"; auto = "subscribe"; }; + Sent = { specialUse = "Sent"; auto = "subscribe"; }; + Drafts = { specialUse = "Drafts"; auto = "subscribe"; }; + Trash = { specialUse = "Trash"; auto = "subscribe"; }; + Archive = { specialUse = "Archive"; auto = "subscribe"; }; + }; + extraConfig = '' + ssl = required + service auth { + unix_listener auth { + mode = 0660 + user = postfix + group = postfix + } + } + ''; + }; - # services.opendkim = { - # enable = true; - # domains = "csl:ktiu.net"; - # selector = "202412"; - # }; + services.roundcube = { + enable = true; + hostName = "webmail.ktiu.net"; + extraConfig 
= '' + $config['smtp_host'] = 'tls://%h'; + $config['smtp_conn_options'] = [ + 'ssl' => [ + 'verify_peer' => false, + 'verify_peer_name' => false, + ], + ]; + ''; + }; }
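Review bot: The Roundcube `smtp_conn_options` block at the end of the hunk sets `verify_peer` and `verify_peer_name` to false, so the `tls://%h` SMTP connection is encrypted but the server is never authenticated, which undoes the benefit of the ACME-issued Postfix certificate added earlier in the same hunk. The likely reason is that `%h` expands to the IMAP host (presumably localhost here), a name the certificate issued for `config.networking.fqdn` does not cover. Rather than disabling verification, point Roundcube at the name the certificate actually covers and drop the override: `$config['smtp_host'] = 'tls://${config.networking.fqdn}';` with the `smtp_conn_options` assignment removed. On a single host this is a loopback hop and the exposure is limited, but the setting would silently persist if webmail and Postfix were ever split across machines.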