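{ config, pkgs, ... }:
let
  # Postfix PCRE header_checks table used only by the submission (port 587)
  # cleanup service below: drops client-identifying headers from outgoing
  # mail and rewrites the Message-ID domain to ktiu.net. Not applied to
  # inbound mail on port 25, which uses the default cleanup service.
  submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" ''
    /^Received:/ IGNORE
    /^X-Originating-IP:/ IGNORE
    /^X-Mailer:/ IGNORE
    /^User-Agent:/ IGNORE
    /^X-Enigmail:/ IGNORE
    /^Message-ID:\s+<(.*?)@.*?>/ REPLACE Message-ID: <$1@ktiu.net>
  '';
in
{
  # Only the mail ports are opened here. The ACME webroot challenge served by
  # the nginx vhost below needs port 80 reachable; presumably 80/443 are
  # opened elsewhere in the configuration — confirm.
  networking.firewall.allowedTCPPorts = [
    993 # IMAP
    25 # SMTP
    587 # SMTP w/ TLS
  ];

  # DKIM signing for both hosted domains. UMask 007 lets the "opendkim" group
  # (postfix is added to it below) reach the milter socket.
  services.opendkim = {
    enable = true;
    domains = "csl:ktiu.net,t9e.me";
    selector = "202412";
    settings.UMask = "007";
  };
  users.users.postfix.extraGroups = [ "opendkim" ];

  services.nginx = {
    enable = true;
    virtualHosts = {
      "ktiu.net" = {
        addSSL = true;
        enableACME = true;
        locations."/" = {
          return = "418 'Ich bin eine Teekanne.'";
        };
      };
      # The host's own FQDN only serves ACME challenges (shared webroot for the
      # postfix/dovecot certificates below) and redirects everything else.
      "${config.networking.fqdn}" = {
        addSSL = true;
        enableACME = true;
        locations."/.well-known/acme-challenge" = {
          root = "/var/lib/acme/.challenges";
        };
        locations."/" = {
          # Redirect over TLS rather than plain http: the ktiu.net vhost above
          # serves HTTPS (addSSL + ACME), so the redirect need not downgrade
          # a client that arrived over HTTPS to cleartext.
          return = "301 https://${config.networking.domain}";
        };
      };
    };
  };

  # Separate ACME certificate for Postfix, owned by the postfix group so the
  # daemon can read the key.
  security.acme.certs."${config.networking.fqdn}-postfix" = {
    domain = config.networking.fqdn;
    webroot = "/var/lib/acme/.challenges";
    group = config.services.postfix.group;
  };

  services.postfix = {
    enable = true;
    domain = "ktiu.net";
    origin = "ktiu.net";
    hostname = "arielle.ktiu.net";
    destination = [
      "ktiu.net"
      "mail.ktiu.net"
      "t9e.me"
      "localhost"
      "localhost.localdomain"
    ];
    # Catch-all for both domains delivered to the local user "till".
    virtual = ''
      @ktiu.net till
      @t9e.me till
      till till
    '';
    # mynetworks is loopback only; permit_mynetworks below therefore only
    # covers local clients (e.g. Roundcube).
    networks = [
      "127.0.0.0/8"
      "[::ffff:127.0.0.0]/104"
      "[::1]/128"
    ];
    sslKey = config.security.acme.certs."${config.networking.fqdn}-postfix".directory + "/key.pem";
    sslCert = config.security.acme.certs."${config.networking.fqdn}-postfix".directory + "/cert.pem";
    config = {
      # Opportunistic TLS on port 25: inbound MX traffic from servers that do
      # not offer STARTTLS must still be accepted. Submission enforces TLS below.
      smtpd_tls_security_level = "may";
      # Applies to port 25 and, by inheritance, to submission; DKIM only signs
      # when the milter sees daemon_name ORIGINATING (set below).
      smtpd_milters = [ "unix:/run/opendkim/opendkim.sock" ];
    };
    enableSubmission = true;
    submissionOptions = {
      milter_macro_daemon_name = "ORIGINATING";
      cleanup_service_name = "submission-header-cleanup";
      # TLS is mandatory before AUTH; SASL is delegated to Dovecot over the
      # unix socket it exposes to the postfix user (see dovecot2.extraConfig).
      smtpd_tls_security_level = "encrypt";
      smtpd_sasl_auth_enable = "yes";
      smtpd_sasl_type = "dovecot";
      smtpd_sasl_path = "/var/run/dovecot2/auth";
      smtpd_sasl_security_options = "noanonymous";
      # Only loopback or authenticated clients may relay through submission.
      smtpd_client_restrictions = "permit_mynetworks,permit_sasl_authenticated,reject";
      smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
    };
    masterConfig = {
      # Dedicated cleanup(8) instance for submission so the header-stripping
      # rules above do not touch inbound mail.
      "submission-header-cleanup" = {
        type = "unix";
        private = false;
        chroot = false;
        maxproc = 0;
        command = "cleanup";
        args = [ "-o" "header_checks=pcre:${submissionHeaderCleanupRules}" ];
      };
    };
  };

  # Separate ACME certificate for Dovecot, readable by the dovecot2 group.
  security.acme.certs."${config.networking.fqdn}-dovecot" = {
    domain = config.networking.fqdn;
    webroot = "/var/lib/acme/.challenges";
    group = config.services.dovecot2.group;
  };

  services.dovecot2 = {
    enable = true;
    sslServerKey = config.security.acme.certs."${config.networking.fqdn}-dovecot".directory + "/key.pem";
    sslServerCert = config.security.acme.certs."${config.networking.fqdn}-dovecot".directory + "/cert.pem";
    mailboxes = {
      Junk = { specialUse = "Junk"; auto = "subscribe"; };
      Sent = { specialUse = "Sent"; auto = "subscribe"; };
      Drafts = { specialUse = "Drafts"; auto = "subscribe"; };
      Trash = { specialUse = "Trash"; auto = "subscribe"; };
      Archive = { specialUse = "Archive"; auto = "subscribe"; };
    };
    # ssl = required refuses plaintext IMAP logins. The auth listener is the
    # SASL socket Postfix submission uses (smtpd_sasl_path above); mode 0660
    # with user/group postfix keeps it off-limits to other local users.
    extraConfig = ''
      ssl = required
      service auth {
        unix_listener auth {
          mode = 0660
          user = postfix
          group = postfix
        }
      }
    '';
  };

  services.roundcube = {
    enable = true;
    hostName = "webmail.ktiu.net";
    # NOTE(review): verify_peer / verify_peer_name are disabled for the SMTP
    # TLS connection, so the webmail -> Postfix hop does not authenticate the
    # server certificate. %h is Roundcube's IMAP host; if that is this machine
    # the exposure is limited to the local host, but enabling verification
    # against a host name the ACME certificate covers is the safer default —
    # confirm before changing.
    extraConfig = ''
      $config['smtp_host'] = 'tls://%h';
      $config['smtp_conn_options'] = [
        'ssl' => [
          'verify_peer' => false,
          'verify_peer_name' => false,
        ],
      ];
    '';
  };
}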