]>
Commit | Line | Data |
---|---|---|
ab8f306d | 1 | { lib, pkgs, config, ... }: |
a929614f IB |
2 | let |
3 | sieve_bin = pkgs.runCommand "sieve_bin" { | |
4 | buildInputs = [ pkgs.makeWrapper ]; | |
5 | } '' | |
6 | cp -a ${./sieve_bin} $out | |
7 | chmod -R u+w $out | |
8 | patchShebangs $out | |
9 | for i in $out/*; do | |
10 | wrapProgram "$i" --prefix PATH : ${lib.makeBinPath [ pkgs.coreutils ]} | |
11 | done | |
12 | ''; | |
13 | in | |
14 | { | |
8415083e | 15 | config = lib.mkIf config.myServices.mail.enable { |
850adcf4 | 16 | systemd.services.dovecot2.serviceConfig.Slice = "mail.slice"; |
d2e703c5 | 17 | services.duplyBackup.profiles.mail.excludeFile = '' |
8415083e IB |
18 | + /var/lib/dhparams |
19 | + /var/lib/dovecot | |
20 | ''; | |
4c4652aa IB |
21 | secrets.keys."dovecot/ldap" = { |
22 | user = config.services.dovecot2.user; | |
23 | group = config.services.dovecot2.group; | |
24 | permissions = "0400"; | |
25 | text = '' | |
26 | hosts = ${config.myEnv.mail.dovecot.ldap.host} | |
27 | tls = yes | |
28 | ||
29 | dn = ${config.myEnv.mail.dovecot.ldap.dn} | |
30 | dnpass = ${config.myEnv.mail.dovecot.ldap.password} | |
31 | ||
32 | auth_bind = yes | |
33 | ||
34 | ldap_version = 3 | |
35 | ||
36 | base = ${config.myEnv.mail.dovecot.ldap.base} | |
37 | scope = subtree | |
38 | ||
39 | pass_filter = ${config.myEnv.mail.dovecot.ldap.filter} | |
40 | pass_attrs = ${config.myEnv.mail.dovecot.ldap.pass_attrs} | |
41 | ||
42 | user_attrs = ${config.myEnv.mail.dovecot.ldap.user_attrs} | |
43 | user_filter = ${config.myEnv.mail.dovecot.ldap.filter} | |
44 | iterate_attrs = ${config.myEnv.mail.dovecot.ldap.iterate_attrs} | |
45 | iterate_filter = ${config.myEnv.mail.dovecot.ldap.iterate_filter} | |
46 | ''; | |
47 | }; | |
8415083e IB |
48 | |
49 | users.users.vhost = { | |
50 | group = "vhost"; | |
51 | uid = config.ids.uids.vhost; | |
52 | }; | |
53 | users.groups.vhost.gid = config.ids.gids.vhost; | |
54 | ||
55 | # https://blog.zeninc.net/index.php?post/2018/04/01/Un-annuaire-pour-les-gouverner-tous....... | |
56 | services.dovecot2 = { | |
57 | enable = true; | |
58 | enablePAM = false; | |
59 | enablePop3 = true; | |
60 | enableImap = true; | |
61 | enableLmtp = true; | |
62 | protocols = [ "sieve" ]; | |
63 | modules = [ | |
64 | pkgs.dovecot_pigeonhole | |
65 | pkgs.dovecot_fts-xapian | |
66 | ]; | |
67 | mailUser = "vhost"; | |
68 | mailGroup = "vhost"; | |
69 | createMailUser = false; | |
2053ddac IB |
70 | mailboxes = { |
71 | Trash = { auto = "subscribe"; specialUse = "Trash"; }; | |
72 | Junk = { auto = "subscribe"; specialUse = "Junk"; }; | |
73 | Sent = { auto = "subscribe"; specialUse = "Sent"; }; | |
74 | Drafts = { auto = "subscribe"; specialUse = "Drafts"; }; | |
75 | }; | |
8415083e IB |
76 | mailLocation = "mbox:~/Mail:INBOX=~/Mail/Inbox:INDEX=~/.imap"; |
77 | sslServerCert = "/var/lib/acme/mail/fullchain.pem"; | |
78 | sslServerKey = "/var/lib/acme/mail/key.pem"; | |
79 | sslCACert = "/var/lib/acme/mail/fullchain.pem"; | |
80 | extraConfig = builtins.concatStringsSep "\n" [ | |
5153eb54 IB |
81 | # For printer which doesn’t support elliptic curve |
82 | '' | |
83 | ssl_alt_cert = </var/lib/acme/mail-rsa/fullchain.pem | |
84 | ssl_alt_key = </var/lib/acme/mail-rsa/key.pem | |
85 | '' | |
86 | ||
8415083e IB |
87 | '' |
88 | postmaster_address = postmaster@immae.eu | |
89 | mail_attribute_dict = file:%h/dovecot-attributes | |
90 | imap_idle_notify_interval = 20 mins | |
91 | namespace inbox { | |
92 | type = private | |
93 | separator = / | |
94 | inbox = yes | |
95 | list = yes | |
96 | } | |
97 | '' | |
98 | ||
089f5093 IB |
99 | # ACL |
100 | '' | |
101 | mail_plugins = $mail_plugins acl | |
102 | plugin { | |
103 | acl = vfile:${pkgs.writeText "dovecot-acl" '' | |
104 | Backup/* owner lrp | |
105 | ''} | |
106 | acl_globals_only = yes | |
107 | } | |
108 | '' | |
109 | ||
8415083e IB |
110 | # Full text search |
111 | '' | |
112 | # needs to be bigger than any mailbox size | |
113 | default_vsz_limit = 2GB | |
114 | mail_plugins = $mail_plugins fts fts_xapian | |
115 | plugin { | |
116 | plugin = fts fts_xapian | |
117 | fts = xapian | |
118 | fts_xapian = partial=2 full=20 | |
119 | fts_autoindex = yes | |
120 | fts_autoindex_exclude = \Junk | |
121 | fts_autoindex_exclude2 = \Trash | |
122 | fts_autoindex_exclude3 = Virtual/* | |
123 | } | |
124 | '' | |
125 | ||
126 | # Antispam | |
127 | # https://docs.iredmail.org/dovecot.imapsieve.html | |
128 | '' | |
129 | # imap_sieve plugin added below | |
130 | ||
a929614f | 131 | plugin { |
8415083e IB |
132 | sieve_plugins = sieve_imapsieve sieve_extprograms |
133 | imapsieve_url = sieve://127.0.0.1:4190 | |
134 | ||
304a7dac | 135 | sieve_before = file:${./sieve_scripts}/backup.sieve;bindir=/var/lib/vhost/.sieve_bin |
089f5093 | 136 | |
8415083e IB |
137 | # From elsewhere to Junk folder |
138 | imapsieve_mailbox1_name = Junk | |
139 | imapsieve_mailbox1_causes = COPY APPEND | |
140 | imapsieve_mailbox1_before = file:${./sieve_scripts}/report_spam.sieve;bindir=/var/lib/vhost/.imapsieve_bin | |
141 | ||
142 | # From Junk folder to elsewhere | |
143 | imapsieve_mailbox2_name = * | |
144 | imapsieve_mailbox2_from = Junk | |
145 | imapsieve_mailbox2_causes = COPY | |
146 | imapsieve_mailbox2_before = file:${./sieve_scripts}/report_ham.sieve;bindir=/var/lib/vhost/.imapsieve_bin | |
147 | ||
95ca3110 IB |
148 | # From anywhere to NoJunk folder |
149 | imapsieve_mailbox3_name = NoJunk | |
150 | imapsieve_mailbox3_causes = COPY APPEND | |
151 | imapsieve_mailbox3_before = file:${./sieve_scripts}/report_ham.sieve;bindir=/var/lib/vhost/.imapsieve_bin | |
152 | ||
8415083e IB |
153 | sieve_pipe_bin_dir = ${sieve_bin} |
154 | ||
155 | sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment | |
a929614f | 156 | } |
8415083e IB |
157 | '' |
158 | # Services to listen | |
159 | '' | |
160 | service imap-login { | |
161 | inet_listener imap { | |
162 | } | |
163 | inet_listener imaps { | |
164 | } | |
a929614f | 165 | } |
8415083e IB |
166 | service pop3-login { |
167 | inet_listener pop3 { | |
168 | } | |
169 | inet_listener pop3s { | |
170 | } | |
a929614f | 171 | } |
8415083e | 172 | service imap { |
a929614f | 173 | } |
8415083e | 174 | service pop3 { |
a929614f | 175 | } |
8415083e IB |
176 | service auth { |
177 | unix_listener auth-userdb { | |
178 | } | |
179 | unix_listener ${config.services.postfix.config.queue_directory}/private/auth { | |
180 | mode = 0666 | |
181 | } | |
a929614f | 182 | } |
8415083e | 183 | service auth-worker { |
a929614f | 184 | } |
8415083e IB |
185 | service dict { |
186 | unix_listener dict { | |
187 | } | |
a929614f | 188 | } |
8415083e IB |
189 | service stats { |
190 | unix_listener stats-reader { | |
191 | user = vhost | |
192 | group = vhost | |
193 | mode = 0660 | |
194 | } | |
195 | unix_listener stats-writer { | |
196 | user = vhost | |
197 | group = vhost | |
198 | mode = 0660 | |
199 | } | |
a929614f | 200 | } |
8415083e IB |
201 | '' |
202 | ||
203 | # Authentification | |
204 | '' | |
205 | first_valid_uid = ${toString config.ids.uids.vhost} | |
206 | disable_plaintext_auth = yes | |
207 | passdb { | |
208 | driver = ldap | |
209 | args = ${config.secrets.fullPaths."dovecot/ldap"} | |
210 | } | |
211 | userdb { | |
98f8f4de IB |
212 | driver = ldap |
213 | args = ${config.secrets.fullPaths."dovecot/ldap"} | |
8415083e IB |
214 | } |
215 | '' | |
a929614f | 216 | |
8415083e IB |
217 | # Zlib |
218 | '' | |
219 | mail_plugins = $mail_plugins zlib | |
220 | plugin { | |
221 | zlib_save_level = 6 | |
222 | zlib_save = gz | |
223 | } | |
224 | '' | |
a929614f | 225 | |
8415083e IB |
226 | # Sieve |
227 | '' | |
228 | plugin { | |
229 | sieve = file:~/sieve;bindir=~/.sieve-bin;active=~/.dovecot.sieve | |
230 | } | |
231 | service managesieve-login { | |
232 | } | |
233 | service managesieve { | |
234 | } | |
235 | '' | |
236 | ||
237 | # Virtual mailboxes | |
238 | '' | |
239 | mail_plugins = $mail_plugins virtual | |
240 | namespace Virtual { | |
241 | prefix = Virtual/ | |
242 | location = virtual:~/Virtual | |
243 | } | |
244 | '' | |
a929614f | 245 | |
8415083e IB |
246 | # Protocol specific configuration |
247 | # Needs to come last if there are mail_plugins entries | |
248 | '' | |
249 | protocol imap { | |
089f5093 | 250 | mail_plugins = $mail_plugins imap_sieve imap_acl |
8415083e IB |
251 | } |
252 | protocol lda { | |
253 | mail_plugins = $mail_plugins sieve | |
254 | } | |
255 | '' | |
256 | ]; | |
257 | }; | |
258 | networking.firewall.allowedTCPPorts = [ 110 143 993 995 4190 ]; | |
259 | system.activationScripts.dovecot = { | |
260 | deps = [ "users" ]; | |
261 | text ='' | |
262 | install -m 0755 -o vhost -g vhost -d /var/lib/vhost | |
263 | ''; | |
264 | }; | |
265 | ||
98f8f4de IB |
266 | services.cron.systemCronJobs = let |
267 | cron_script = pkgs.writeScriptBin "cleanup-imap-folders" '' | |
5dc338f0 | 268 | ${pkgs.dovecot}/bin/doveadm expunge -A MAILBOX "Backup/*" NOT FLAGGED BEFORE 8w 2>&1 > /dev/null | grep -v "Mailbox doesn't exist:" | grep -v "Info: Opening DB" |
cecfa2f6 IB |
269 | ${pkgs.dovecot}/bin/doveadm expunge -A MAILBOX Junk SEEN NOT FLAGGED BEFORE 4w 2>&1 > /dev/null | grep -v "Mailbox doesn't exist:" | grep -v "Info: Opening DB" |
270 | ${pkgs.dovecot}/bin/doveadm expunge -A MAILBOX Trash NOT FLAGGED BEFORE 4w 2>&1 > /dev/null | grep -v "Mailbox doesn't exist:" | grep -v "Info: Opening DB" | |
98f8f4de IB |
271 | ''; |
272 | in | |
273 | [ | |
274 | "0 2 * * * root ${cron_script}/bin/cleanup-imap-folders" | |
275 | ]; | |
5153eb54 IB |
276 | security.acme.certs."mail-rsa" = { |
277 | postRun = '' | |
278 | systemctl restart dovecot2.service | |
279 | ''; | |
280 | extraDomains = { | |
281 | "imap.immae.eu" = null; | |
282 | "pop3.immae.eu" = null; | |
283 | }; | |
284 | }; | |
5400b9b6 | 285 | security.acme.certs."mail" = { |
8415083e IB |
286 | postRun = '' |
287 | systemctl restart dovecot2.service | |
288 | ''; | |
289 | extraDomains = { | |
290 | "imap.immae.eu" = null; | |
291 | "pop3.immae.eu" = null; | |
292 | }; | |
a929614f IB |
293 | }; |
294 | }; | |
295 | } | |
296 |