ktiu/omniflake
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
omniflake/system/web-server/mail.nix
Till 0d08c32077 mailserver
2025-04-25 21:15:17 +02:00

151 lines
4.2 KiB
Nix
Raw Blame History

{ config, pkgs, ... }:
let
submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" ''
/^Received:/ IGNORE
/^X-Originating-IP:/ IGNORE
/^X-Mailer:/ IGNORE
/^User-Agent:/ IGNORE
/^X-Enigmail:/ IGNORE
/^Message-ID:\s+<(.*?)@.*?>/ REPLACE Message-ID: <$1@ktiu.net>
'';
in {
networking.firewall.allowedTCPPorts = [
993 # IMAP
25 # SMTP
587 # SMTP w/ TLS
];
services.opendkim = {
enable = true;
domains = "csl:ktiu.net,t9e.me";
selector = "202412";
settings.UMask = "007";
};
users.users.postfix.extraGroups = [ "opendkim" ];
services.nginx = {
enable = true;
virtualHosts = {
"ktiu.net" = {
addSSL = true;
enableACME = true;
locations."/" = {
return = "418 'Ich bin eine Teekanne.'";
};
};
"${config.networking.fqdn}" = {
addSSL = true;
enableACME = true;
locations."/.well-known/acme-challenge" = {
root = "/var/lib/acme/.challenges";
};
locations."/" = {
return = "301 http://${config.networking.domain}";
};
};
};
};
security.acme.certs."${config.networking.fqdn}-postfix" = {
domain = config.networking.fqdn;
webroot = "/var/lib/acme/.challenges";
group = config.services.postfix.group;
};
services.postfix = {
enable = true;
domain = "ktiu.net";
origin = "ktiu.net";
hostname = "arielle.ktiu.net";
destination = [
"ktiu.net"
"mail.ktiu.net"
"t9e.me"
"localhost"
"localhost.localdomain"
];
virtual = ''
@ktiu.net till
@t9e.me till
till till
'';
networks = [ "127.0.0.0/8" "[::ffff:127.0.0.0]/104" "[::1]/128" ];
sslKey = config.security.acme.certs."${config.networking.fqdn}-postfix".directory + "/key.pem";
sslCert = config.security.acme.certs."${config.networking.fqdn}-postfix".directory + "/cert.pem";
config = {
smtpd_tls_security_level = "may";
smtpd_milters = [ "unix:/run/opendkim/opendkim.sock" ];
};
enableSubmission = true;
submissionOptions = {
milter_macro_daemon_name = "ORIGINATING";
cleanup_service_name = "submission-header-cleanup";
smtpd_tls_security_level = "encrypt";
smtpd_sasl_auth_enable = "yes";
smtpd_sasl_type = "dovecot";
smtpd_sasl_path = "/var/run/dovecot2/auth";
smtpd_sasl_security_options = "noanonymous";
smtpd_client_restrictions = "permit_mynetworks,permit_sasl_authenticated,reject";
smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
};
masterConfig = {
"submission-header-cleanup" = {
type = "unix";
private = false;
chroot = false;
maxproc = 0;
command = "cleanup";
args = ["-o" "header_checks=pcre:${submissionHeaderCleanupRules}"];
};
};
};
security.acme.certs."${config.networking.fqdn}-dovecot" = {
domain = config.networking.fqdn;
webroot = "/var/lib/acme/.challenges";
group = config.services.dovecot2.group;
};
services.dovecot2 = {
enable = true;
sslServerKey = config.security.acme.certs."${config.networking.fqdn}-dovecot".directory + "/key.pem";
sslServerCert = config.security.acme.certs."${config.networking.fqdn}-dovecot".directory + "/cert.pem";
mailboxes = {
Junk = { specialUse = "Junk"; auto = "subscribe"; };
Sent = { specialUse = "Sent"; auto = "subscribe"; };
Drafts = { specialUse = "Drafts"; auto = "subscribe"; };
Trash = { specialUse = "Trash"; auto = "subscribe"; };
Archive = { specialUse = "Archive"; auto = "subscribe"; };
};
extraConfig = ''
ssl = required
service auth {
unix_listener auth {
mode = 0660
user = postfix
group = postfix
}
}
'';
};
services.roundcube = {
enable = true;
hostName = "webmail.ktiu.net";
extraConfig = ''
$config['smtp_host'] = 'tls://%h';
$config['smtp_conn_options'] = [
'ssl' => [
'verify_peer' => false,
'verify_peer_name' => false,
],
];
'';
};
}
Reference in a new issue View git blame Copy permalink