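# Dovecot for the private mail service: IMAP/POP3/LMTP plus ManageSieve,
# authenticating against LDAP and storing every mailbox under the single
# system account "vhost". Only active when myServices.mail.enable is set.
{ lib, pkgs, config, ... }:
let
  # Programs that sieve scripts may execute through the vnd.dovecot.pipe
  # extension. They are copied out of ./sieve_bin into the store, get a
  # store shebang, and are wrapped so that only coreutils is on PATH.
  # This directory is the complete allow-list handed to sieve_pipe_bin_dir
  # below: nothing outside it can be piped to.
  sieve_bin = pkgs.runCommand "sieve_bin" {
    buildInputs = [ pkgs.makeWrapper ];
  } ''
    cp -a ${./sieve_bin} $out
    chmod -R u+w $out
    patchShebangs $out
    for i in $out/*; do
      wrapProgram "$i" --prefix PATH : ${lib.makeBinPath [ pkgs.coreutils ]}
    done
  '';
in
{
  config = lib.mkIf config.myServices.mail.enable {
    systemd.services.dovecot2.serviceConfig.Slice = "mail.slice";

    # Paths the "mail" duply backup profile must skip.
    services.duplyBackup.profiles.mail.excludeFile = ''
      + /var/lib/dhparams
      + /var/lib/dovecot
    '';

    # LDAP bind DN/password and lookup filters, rendered to a 0400 file
    # owned by the dovecot user and referenced by passdb/userdb below.
    #  - tls = yes: TLS towards the directory, so the bind password and
    #    the user lookups do not cross the wire in clear.
    #  - auth_bind = yes: a login is verified by binding to LDAP as that
    #    user rather than by comparing a stored hash.
    #  - iterate_*: what "doveadm -A" uses to enumerate all users (the
    #    cleanup cron job below relies on it).
    secrets.keys = [
      {
        dest = "dovecot/ldap";
        user = config.services.dovecot2.user;
        group = config.services.dovecot2.group;
        permissions = "0400";
        text = ''
          hosts = ${config.myEnv.mail.dovecot.ldap.host}
          tls = yes

          dn = ${config.myEnv.mail.dovecot.ldap.dn}
          dnpass = ${config.myEnv.mail.dovecot.ldap.password}

          auth_bind = yes

          ldap_version = 3

          base = ${config.myEnv.mail.dovecot.ldap.base}
          scope = subtree

          pass_filter = ${config.myEnv.mail.dovecot.ldap.filter}
          pass_attrs = ${config.myEnv.mail.dovecot.ldap.pass_attrs}

          user_attrs = ${config.myEnv.mail.dovecot.ldap.user_attrs}
          user_filter = ${config.myEnv.mail.dovecot.ldap.filter}
          iterate_attrs = ${config.myEnv.mail.dovecot.ldap.iterate_attrs}
          iterate_filter = ${config.myEnv.mail.dovecot.ldap.iterate_filter}
        '';
      }
    ];

    # Single system account owning every mailbox. The uid/gid are pinned so
    # that first_valid_uid below and the on-disk mail store stay consistent
    # across rebuilds.
    users.users.vhost = {
      group = "vhost";
      uid = config.ids.uids.vhost;
    };
    users.groups.vhost.gid = config.ids.gids.vhost;

    # https://blog.zeninc.net/index.php?post/2018/04/01/Un-annuaire-pour-les-gouverner-tous.......
    services.dovecot2 = {
      enable = true;
      # Every login goes through the LDAP passdb; no PAM fallback.
      enablePAM = false;
      enablePop3 = true;
      enableImap = true;
      enableLmtp = true;
      protocols = [ "sieve" ];
      modules = [
        pkgs.dovecot_pigeonhole
        pkgs.dovecot_fts-xapian
      ];
      mailUser = "vhost";
      mailGroup = "vhost";
      # The vhost account is declared explicitly above.
      createMailUser = false;
      mailboxes = {
        Trash = { auto = "subscribe"; specialUse = "Trash"; };
        Junk = { auto = "subscribe"; specialUse = "Junk"; };
        Sent = { auto = "subscribe"; specialUse = "Sent"; };
        Drafts = { auto = "subscribe"; specialUse = "Drafts"; };
      };
      mailLocation = "mbox:~/Mail:INBOX=~/Mail/Inbox:INDEX=~/.imap";
      sslServerCert = "/var/lib/acme/mail/fullchain.pem";
      sslServerKey = "/var/lib/acme/mail/key.pem";
      # NOTE(review): this points the CA setting at the server's own chain.
      # Client-certificate verification is not enabled anywhere in this
      # file, so it is presumably inert — confirm it is still needed.
      sslCACert = "/var/lib/acme/mail/fullchain.pem";
      extraConfig = builtins.concatStringsSep "\n" [
        # Alternative RSA certificate offered next to the primary one, for a
        # printer that cannot handle elliptic-curve certificates.
        ''
          ssl_alt_cert = </var/lib/acme/mail-rsa/fullchain.pem
          ssl_alt_key = </var/lib/acme/mail-rsa/key.pem
        ''

        # Basics: the private "inbox" namespace with "/" as hierarchy
        # separator; per-user attribute dict kept in the home directory.
        ''
          postmaster_address = postmaster@immae.eu
          mail_attribute_dict = file:%h/dovecot-attributes
          imap_idle_notify_interval = 20 mins
          namespace inbox {
            type = private
            separator = /
            inbox = yes
            list = yes
          }
        ''

        # ACL. The single global rule gives the owner only l/r/p
        # (lookup/read/post) on Backup/*, i.e. no flag changes and no
        # expunge from the client; expiry of that folder is done by the
        # root cron job below instead. acl_globals_only ignores any
        # per-mailbox ACL files, so this rule cannot be widened by users.
        ''
          mail_plugins = $mail_plugins acl
          plugin {
            acl = vfile:${pkgs.writeText "dovecot-acl" ''
              Backup/* owner lrp
            ''}
            acl_globals_only = yes
          }
        ''

        # Full text search (xapian). Indexes are built automatically,
        # except for Junk, Trash and the virtual namespace.
        ''
          # needs to be bigger than any mailbox size
          default_vsz_limit = 2GB
          mail_plugins = $mail_plugins fts fts_xapian
          plugin {
            plugin = fts fts_xapian
            fts = xapian
            fts_xapian = partial=2 full=20
            fts_autoindex = yes
            fts_autoindex_exclude = \Junk
            fts_autoindex_exclude2 = \Trash
            fts_autoindex_exclude3 = Virtual/*
          }
        ''

        # Antispam feedback via imapsieve: moving mail into Junk, out of
        # Junk, or into NoJunk runs the admin-owned report_spam /
        # report_ham scripts from ./sieve_scripts (not shown here).
        # sieve_before runs backup.sieve before every user's own script.
        # vnd.dovecot.pipe / vnd.dovecot.environment are granted through
        # sieve_global_extensions, i.e. to these admin scripts only: a
        # user-uploaded sieve script cannot use pipe, and whatever the
        # admin scripts pipe to must live in sieve_pipe_bin_dir.
        # https://docs.iredmail.org/dovecot.imapsieve.html
        ''
          # imap_sieve plugin added below

          plugin {
            sieve_plugins = sieve_imapsieve sieve_extprograms
            imapsieve_url = sieve://127.0.0.1:4190

            sieve_before = file:${./sieve_scripts}/backup.sieve;bindir=/var/lib/vhost/.sieve_bin

            # From elsewhere to Junk folder
            imapsieve_mailbox1_name = Junk
            imapsieve_mailbox1_causes = COPY APPEND
            imapsieve_mailbox1_before = file:${./sieve_scripts}/report_spam.sieve;bindir=/var/lib/vhost/.imapsieve_bin

            # From Junk folder to elsewhere
            imapsieve_mailbox2_name = *
            imapsieve_mailbox2_from = Junk
            imapsieve_mailbox2_causes = COPY
            imapsieve_mailbox2_before = file:${./sieve_scripts}/report_ham.sieve;bindir=/var/lib/vhost/.imapsieve_bin

            # From anywhere to NoJunk folder
            imapsieve_mailbox3_name = NoJunk
            imapsieve_mailbox3_causes = COPY APPEND
            imapsieve_mailbox3_before = file:${./sieve_scripts}/report_ham.sieve;bindir=/var/lib/vhost/.imapsieve_bin

            sieve_pipe_bin_dir = ${sieve_bin}

            sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
          }
        ''

        # Listeners. The auth socket inside postfix's queue directory is the
        # SASL endpoint postfix's smtpd talks to. It is owned by and limited
        # to the postfix user (0660) instead of world-writable 0666, so that
        # only postfix can drive authentication attempts against the LDAP
        # passdb through it. If another service ever needs this socket, add
        # it to the postfix group rather than loosening the mode again.
        ''
          service imap-login {
            inet_listener imap {
            }
            inet_listener imaps {
            }
          }
          service pop3-login {
            inet_listener pop3 {
            }
            inet_listener pop3s {
            }
          }
          service imap {
          }
          service pop3 {
          }
          service auth {
            unix_listener auth-userdb {
            }
            unix_listener ${config.services.postfix.config.queue_directory}/private/auth {
              mode = 0660
              user = ${config.services.postfix.user}
              group = ${config.services.postfix.group}
            }
          }
          service auth-worker {
          }
          service dict {
            unix_listener dict {
            }
          }
          service stats {
            unix_listener stats-reader {
              user = vhost
              group = vhost
              mode = 0660
            }
            unix_listener stats-writer {
              user = vhost
              group = vhost
              mode = 0660
            }
          }
        ''

        # Authentication: refuse any login that resolves to a uid below vhost
        # (system accounts), and never accept a password in clear before the
        # connection is under TLS. Both passdb and userdb read the LDAP
        # secret rendered above.
        ''
          first_valid_uid = ${toString config.ids.uids.vhost}
          disable_plaintext_auth = yes
          passdb {
            driver = ldap
            args = ${config.secrets.fullPaths."dovecot/ldap"}
          }
          userdb {
            driver = ldap
            args = ${config.secrets.fullPaths."dovecot/ldap"}
          }
        ''

        # Zlib: compress messages on save.
        ''
          mail_plugins = $mail_plugins zlib
          plugin {
            zlib_save_level = 6
            zlib_save = gz
          }
        ''

        # Per-user sieve scripts under the home directory, compiled into
        # ~/.sieve-bin; ManageSieve is how users upload them.
        ''
          plugin {
            sieve = file:~/sieve;bindir=~/.sieve-bin;active=~/.dovecot.sieve
          }
          service managesieve-login {
          }
          service managesieve {
          }
        ''

        # Virtual mailboxes
        ''
          mail_plugins = $mail_plugins virtual
          namespace Virtual {
            prefix = Virtual/
            location = virtual:~/Virtual
          }
        ''

        # Protocol specific configuration
        # Needs to come last if there are mail_plugins entries
        ''
          protocol imap {
            mail_plugins = $mail_plugins imap_sieve imap_acl
          }
          protocol lda {
            mail_plugins = $mail_plugins sieve
          }
        ''
      ];
    };

    # 110/143 are the STARTTLS-capable ports; disable_plaintext_auth above
    # keeps credentials off them until TLS is negotiated. 993/995 are the
    # implicit-TLS variants and 4190 is ManageSieve.
    networking.firewall.allowedTCPPorts = [ 110 143 993 995 4190 ];

    # Home of the vhost account (root of the mail store and of the compiled
    # sieve directories referenced above).
    # NOTE(review): 0755 lets every local user traverse into it; what is
    # actually readable then depends on the per-user subdirectory modes.
    # Consider 0750 if nothing outside vhost/root needs to enter.
    system.activationScripts.dovecot = {
      deps = [ "users" ];
      text = ''
        install -m 0755 -o vhost -g vhost -d /var/lib/vhost
      '';
    };

    # Nightly expiry for every user (-A, driven by the LDAP iterate_*
    # settings): Backup/* after 8 weeks, Junk once seen after 4 weeks,
    # Trash after 4 weeks. Flagged messages are always kept. The
    # redirection order is deliberate: stderr goes into the pipe (with two
    # noisy messages filtered out) while stdout is discarded.
    services.cron.systemCronJobs = let
      cron_script = pkgs.writeScriptBin "cleanup-imap-folders" ''
        ${pkgs.dovecot}/bin/doveadm expunge -A MAILBOX "Backup/*" NOT FLAGGED BEFORE 8w 2>&1 > /dev/null | grep -v "Mailbox doesn't exist:" | grep -v "Info: Opening DB"
        ${pkgs.dovecot}/bin/doveadm expunge -A MAILBOX Junk SEEN NOT FLAGGED BEFORE 4w 2>&1 > /dev/null | grep -v "Mailbox doesn't exist:" | grep -v "Info: Opening DB"
        ${pkgs.dovecot}/bin/doveadm expunge -A MAILBOX Trash NOT FLAGGED BEFORE 4w 2>&1 > /dev/null | grep -v "Mailbox doesn't exist:" | grep -v "Info: Opening DB"
      '';
    in
    [
      "0 2 * * * root ${cron_script}/bin/cleanup-imap-folders"
    ];

    # Both certificate sets restart dovecot after renewal so the freshly
    # issued key pair is actually served.
    security.acme.certs."mail-rsa" = {
      postRun = ''
        systemctl restart dovecot2.service
      '';
      extraDomains = {
        "imap.immae.eu" = null;
        "pop3.immae.eu" = null;
      };
    };
    security.acme.certs."mail" = {
      postRun = ''
        systemctl restart dovecot2.service
      '';
      extraDomains = {
        "imap.immae.eu" = null;
        "pop3.immae.eu" = null;
      };
    };
  };
}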