{ lib, pkgs, config, ... }:
# Dovecot (IMAP / POP3 / LMTP / ManageSieve) for the mail stack.  Everything
# below is gated on config.myServices.mail.enable, and LDAP is the only
# authentication backend (PAM is switched off).
let
  # ./sieve_bin copied out of the source tree, shebangs patched and PATH
  # pinned to coreutils.  This becomes sieve_pipe_bin_dir further down, i.e.
  # the directory the Sieve "pipe" extension is allowed to run programs from.
  sieve_bin = pkgs.runCommand "sieve_bin" {
    buildInputs = [ pkgs.makeWrapper ];
  } ''
    cp -a ${./sieve_bin} $out
    chmod -R u+w $out
    patchShebangs $out
    for i in $out/*; do
      wrapProgram "$i" --prefix PATH : ${lib.makeBinPath [ pkgs.coreutils ]}
    done
  '';
in
{
  config = lib.mkIf config.myServices.mail.enable {
    systemd.services.dovecot2.serviceConfig.Slice = "mail.slice";
    # duply exclude list: the mail store and DH params are not backed up.
    services.duplyBackup.profiles.mail.excludeFile = ''
      + /var/lib/dhparams
      + /var/lib/dovecot
    '';
    # LDAP passdb/userdb settings, including the bind password, rendered
    # outside the Nix store and readable only by the dovecot user (0400).
    # NOTE(review): `tls = yes` enables STARTTLS to the LDAP host, but no
    # tls_require_cert is set here, so whether the server certificate is
    # verified follows the LDAP library defaults — confirm.
    secrets.keys."dovecot/ldap" = {
      user = config.services.dovecot2.user;
      group = config.services.dovecot2.group;
      permissions = "0400";
      text = ''
        hosts = ${config.myEnv.mail.dovecot.ldap.host}
        tls = yes

        dn = ${config.myEnv.mail.dovecot.ldap.dn}
        dnpass = ${config.myEnv.mail.dovecot.ldap.password}

        auth_bind = yes

        ldap_version = 3

        base = ${config.myEnv.mail.dovecot.ldap.base}
        scope = subtree

        pass_filter = ${config.myEnv.mail.dovecot.ldap.filter}
        pass_attrs = ${config.myEnv.mail.dovecot.ldap.pass_attrs}

        user_attrs = ${config.myEnv.mail.dovecot.ldap.user_attrs}
        user_filter = ${config.myEnv.mail.dovecot.ldap.filter}
        iterate_attrs = ${config.myEnv.mail.dovecot.ldap.iterate_attrs}
        iterate_filter = ${config.myEnv.mail.dovecot.ldap.iterate_filter}
      '';
    };

    # Single system account owning every mailbox (see mailUser / mailGroup).
    users.users.vhost = {
      group = "vhost";
      uid = config.ids.uids.vhost;
    };
    users.groups.vhost.gid = config.ids.gids.vhost;

    # https://blog.zeninc.net/index.php?post/2018/04/01/Un-annuaire-pour-les-gouverner-tous.......
    services.dovecot2 = {
      enable = true;
      # PAM is off: logins go through the LDAP passdb/userdb declared below.
      enablePAM = false;
      enablePop3 = true;
      enableImap = true;
      enableLmtp = true;
      protocols = [ "sieve" ];
      modules = [
        pkgs.dovecot_pigeonhole
        pkgs.dovecot_fts-xapian
      ];
      # All mail lives under the shared vhost account, which is declared
      # above rather than created by the module.
      mailUser = "vhost";
      mailGroup = "vhost";
      createMailUser = false;
      mailboxes = {
        Trash = { auto = "subscribe"; specialUse = "Trash"; };
        Junk = { auto = "subscribe"; specialUse = "Junk"; };
        Sent = { auto = "subscribe"; specialUse = "Sent"; };
        Drafts = { auto = "subscribe"; specialUse = "Drafts"; };
      };
      mailLocation = "mbox:~/Mail:INBOX=~/Mail/Inbox:INDEX=~/.imap";
      sslServerCert = "/var/lib/acme/mail/fullchain.pem";
      sslServerKey = "/var/lib/acme/mail/key.pem";
      sslCACert = "/var/lib/acme/mail/fullchain.pem";
      # Each list element is one dovecot.conf fragment; they are joined with
      # newlines, so the only ordering constraint is the one noted for the
      # protocol block at the end (mail_plugins accumulates).
      extraConfig = builtins.concatStringsSep "\n" [
        # For printer which doesn’t support elliptic curve
        # (second certificate, issued by the "mail-rsa" ACME entry below).
        ''
          ssl_alt_cert = </var/lib/acme/mail-rsa/fullchain.pem
          ssl_alt_key = </var/lib/acme/mail-rsa/key.pem
        ''

        ''
          postmaster_address = postmaster@immae.eu
          mail_attribute_dict = file:%h/dovecot-attributes
          imap_idle_notify_interval = 20 mins
          namespace inbox {
            type = private
            separator = /
            inbox = yes
            list = yes
          }
        ''

        # ACL
        # Global ACL file only: the owner gets lookup/read/post (`lrp`) on
        # Backup/*, so nothing there can be deleted through IMAP.
        ''
          mail_plugins = $mail_plugins acl
          plugin {
            acl = vfile:${pkgs.writeText "dovecot-acl" ''
              Backup/* owner lrp
            ''}
            acl_globals_only = yes
          }
        ''

        # Full text search
        ''
          # needs to be bigger than any mailbox size
          default_vsz_limit = 2GB
          mail_plugins = $mail_plugins fts fts_xapian
          plugin {
            plugin = fts fts_xapian
            fts = xapian
            fts_xapian = partial=2 full=20
            fts_autoindex = yes
            fts_autoindex_exclude = \Junk
            fts_autoindex_exclude2 = \Trash
            fts_autoindex_exclude3 = Virtual/*
          }
        ''

        # Antispam
        # https://docs.iredmail.org/dovecot.imapsieve.html
        # Moving mail into Junk or NoJunk (or out of Junk) runs the report_*
        # scripts for spam/ham training.  Those scripts can only pipe into
        # programs found in sieve_pipe_bin_dir, i.e. the wrapped sieve_bin
        # copy built at the top of this file.
        ''
          # imap_sieve plugin added below

          plugin {
            sieve_plugins = sieve_imapsieve sieve_extprograms
            imapsieve_url = sieve://127.0.0.1:4190

            sieve_before = file:${./sieve_scripts}/backup.sieve;bindir=/var/lib/vhost/.sieve_bin

            # From elsewhere to Junk folder
            imapsieve_mailbox1_name = Junk
            imapsieve_mailbox1_causes = COPY APPEND
            imapsieve_mailbox1_before = file:${./sieve_scripts}/report_spam.sieve;bindir=/var/lib/vhost/.imapsieve_bin

            # From Junk folder to elsewhere
            imapsieve_mailbox2_name = *
            imapsieve_mailbox2_from = Junk
            imapsieve_mailbox2_causes = COPY
            imapsieve_mailbox2_before = file:${./sieve_scripts}/report_ham.sieve;bindir=/var/lib/vhost/.imapsieve_bin

            # From anywhere to NoJunk folder
            imapsieve_mailbox3_name = NoJunk
            imapsieve_mailbox3_causes = COPY APPEND
            imapsieve_mailbox3_before = file:${./sieve_scripts}/report_ham.sieve;bindir=/var/lib/vhost/.imapsieve_bin

            sieve_pipe_bin_dir = ${sieve_bin}

            sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
          }
        ''

        # Services to listen
        # NOTE(review): the Postfix SASL socket under queue_directory/private
        # is created with mode 0666; that is only as safe as the private/
        # directory itself being closed to other users.  Dovecot's documented
        # Postfix setup uses `mode = 0660` with user/group set to the postfix
        # account — confirm the directory permissions and consider tightening.
        # The stats sockets are already limited to vhost (0660).
        ''
          service imap-login {
            inet_listener imap {
            }
            inet_listener imaps {
            }
          }
          service pop3-login {
            inet_listener pop3 {
            }
            inet_listener pop3s {
            }
          }
          service imap {
          }
          service pop3 {
          }
          service auth {
            unix_listener auth-userdb {
            }
            unix_listener ${config.services.postfix.config.queue_directory}/private/auth {
              mode = 0666
            }
          }
          service auth-worker {
          }
          service dict {
            unix_listener dict {
            }
          }
          service stats {
            unix_listener stats-reader {
              user = vhost
              group = vhost
              mode = 0660
            }
            unix_listener stats-writer {
              user = vhost
              group = vhost
              mode = 0660
            }
          }
        ''

        # Authentication
        # LDAP only; the same secret file serves passdb and userdb.
        # first_valid_uid refuses any user whose UID is below the vhost uid,
        # and disable_plaintext_auth refuses cleartext logins on sessions
        # that have not been upgraded to TLS.
        ''
          first_valid_uid = ${toString config.ids.uids.vhost}
          disable_plaintext_auth = yes
          passdb {
            driver = ldap
            args = ${config.secrets.fullPaths."dovecot/ldap"}
          }
          userdb {
            driver = ldap
            args = ${config.secrets.fullPaths."dovecot/ldap"}
          }
        ''

        # Zlib
        # Newly saved mail is gzip-compressed at level 6.
        ''
          mail_plugins = $mail_plugins zlib
          plugin {
            zlib_save_level = 6
            zlib_save = gz
          }
        ''

        # Sieve
        # Per-user scripts under ~/sieve; ManageSieve on 4190 (see firewall).
        ''
          plugin {
            sieve = file:~/sieve;bindir=~/.sieve-bin;active=~/.dovecot.sieve
          }
          service managesieve-login {
          }
          service managesieve {
          }
        ''

        # Virtual mailboxes
        ''
          mail_plugins = $mail_plugins virtual
          namespace Virtual {
            prefix = Virtual/
            location = virtual:~/Virtual
          }
        ''

        # Protocol specific configuration
        # Needs to come last if there are mail_plugins entries
        ''
          protocol imap {
            mail_plugins = $mail_plugins imap_sieve imap_acl
          }
          protocol lda {
            mail_plugins = $mail_plugins sieve
          }
        ''
      ];
    };
    # POP3, IMAP, IMAPS, POP3S and ManageSieve.  The cleartext ports stay
    # reachable, but disable_plaintext_auth = yes above means a login on
    # them is only accepted after STARTTLS.
    networking.firewall.allowedTCPPorts = [ 110 143 993 995 4190 ];
    # Shared mail home, created after users exist so the vhost owner
    # resolves.  The .sieve_bin / .imapsieve_bin bindirs referenced in the
    # Sieve settings above live under it.
    system.activationScripts.dovecot = {
      deps = [ "users" ];
      text =''
        install -m 0755 -o vhost -g vhost -d /var/lib/vhost
      '';
    };

    # Nightly retention: Backup/* after 8 weeks, seen Junk after 4 weeks,
    # Trash after 4 weeks; flagged mail is always kept.
    # `2>&1 > /dev/null | grep -v ...` sends stderr into the pipe and
    # discards stdout, so only the error stream is filtered for the two
    # known-noisy messages.
    # NOTE(review): the script has no shebang; it works because cron runs it
    # through /bin/sh, which falls back to interpreting the file itself.
    # pkgs.writeShellScriptBin would make that explicit — confirm.
    services.cron.systemCronJobs = let
      cron_script = pkgs.writeScriptBin "cleanup-imap-folders" ''
        ${pkgs.dovecot}/bin/doveadm expunge -A MAILBOX "Backup/*" NOT FLAGGED BEFORE 8w 2>&1 > /dev/null | grep -v "Mailbox doesn't exist:" | grep -v "Info: Opening DB"
        ${pkgs.dovecot}/bin/doveadm expunge -A MAILBOX Junk SEEN NOT FLAGGED BEFORE 4w 2>&1 > /dev/null | grep -v "Mailbox doesn't exist:" | grep -v "Info: Opening DB"
        ${pkgs.dovecot}/bin/doveadm expunge -A MAILBOX Trash NOT FLAGGED BEFORE 4w 2>&1 > /dev/null | grep -v "Mailbox doesn't exist:" | grep -v "Info: Opening DB"
      '';
    in
      [
        "0 2 * * * root ${cron_script}/bin/cleanup-imap-folders"
      ];
    # RSA certificate used as ssl_alt_cert above.  Both ACME entries only add
    # the IMAP/POP3 names and a Dovecot restart on renewal here; the main
    # domain of each certificate is presumably declared elsewhere.
    security.acme.certs."mail-rsa" = {
      postRun = ''
        systemctl restart dovecot2.service
      '';
      extraDomains = {
        "imap.immae.eu" = null;
        "pop3.immae.eu" = null;
      };
    };
    security.acme.certs."mail" = {
      postRun = ''
        systemctl restart dovecot2.service
      '';
      extraDomains = {
        "imap.immae.eu" = null;
        "pop3.immae.eu" = null;
      };
    };
  };
}