# Dovecot (IMAP/POP3/LMTP/ManageSieve) configuration for the mail service.
# Authentication and user lookup go through LDAP only (PAM is disabled);
# all mailboxes are stored under the single unix user "vhost".
{ lib, pkgs, config, ... }:
let
  # Copy of ./sieve_bin whose programs are wrapped so that they run with a
  # fixed PATH containing only coreutils. This directory is handed to
  # `sieve_pipe_bin_dir` below, i.e. it is the only place sieve scripts may
  # pipe messages to.
  sieve_bin = pkgs.runCommand "sieve_bin" {
    buildInputs = [ pkgs.makeWrapper ];
  } ''
    cp -a ${./sieve_bin} $out
    chmod -R u+w $out
    patchShebangs $out
    for i in $out/*; do
      wrapProgram "$i" --prefix PATH : ${lib.makeBinPath [ pkgs.coreutils ]}
    done
  '';
in
{
  config = lib.mkIf config.myServices.mail.enable {
    # Paths excluded from the "mail" duply backup profile.
    services.duplyBackup.profiles.mail.excludeFile = ''
      + /var/lib/dhparams
      + /var/lib/dovecot
    '';
    # LDAP connection file for dovecot's passdb/userdb (referenced below as
    # config.secrets.fullPaths."dovecot/ldap"). It holds the cleartext bind
    # password (dnpass), hence owner = dovecot user and mode 0400.
    # `secrets.keys` is a project-local module; assumed to deploy `text`
    # outside the Nix store — confirm in that module.
    secrets.keys = [
      {
        dest = "dovecot/ldap";
        user = config.services.dovecot2.user;
        group = config.services.dovecot2.group;
        permissions = "0400";
        # auth_bind = yes: users are authenticated by binding to LDAP as
        # themselves, so no password hashes are read by dovecot. tls = yes
        # protects the bind credentials on the wire.
        text = ''
          hosts = ${config.myEnv.mail.dovecot.ldap.host}
          tls = yes

          dn = ${config.myEnv.mail.dovecot.ldap.dn}
          dnpass = ${config.myEnv.mail.dovecot.ldap.password}

          auth_bind = yes

          ldap_version = 3

          base = ${config.myEnv.mail.dovecot.ldap.base}
          scope = subtree

          pass_filter = ${config.myEnv.mail.dovecot.ldap.filter}
          pass_attrs = ${config.myEnv.mail.dovecot.ldap.pass_attrs}

          user_attrs = ${config.myEnv.mail.dovecot.ldap.user_attrs}
          user_filter = ${config.myEnv.mail.dovecot.ldap.filter}
          iterate_attrs = ${config.myEnv.mail.dovecot.ldap.iterate_attrs}
          iterate_filter = ${config.myEnv.mail.dovecot.ldap.iterate_filter}
        '';
      }
    ];

    # Single system user owning every mailbox (see mailUser/mailGroup and
    # first_valid_uid below).
    users.users.vhost = {
      group = "vhost";
      uid = config.ids.uids.vhost;
    };
    users.groups.vhost.gid = config.ids.gids.vhost;

    # https://blog.zeninc.net/index.php?post/2018/04/01/Un-annuaire-pour-les-gouverner-tous.......
    services.dovecot2 = {
      enable = true;
      enablePAM = false;
      enablePop3 = true;
      enableImap = true;
      enableLmtp = true;
      protocols = [ "sieve" ];
      modules = [
        pkgs.dovecot_pigeonhole
        pkgs.dovecot_fts-xapian
      ];
      mailUser = "vhost";
      mailGroup = "vhost";
      createMailUser = false;
      mailboxes = [
        { name = "Trash"; auto = "subscribe"; specialUse = "Trash"; }
        { name = "Junk"; auto = "subscribe"; specialUse = "Junk"; }
        { name = "Sent"; auto = "subscribe"; specialUse = "Sent"; }
        { name = "Drafts"; auto = "subscribe"; specialUse = "Drafts"; }
      ];
      mailLocation = "mbox:~/Mail:INBOX=~/Mail/Inbox:INDEX=~/.imap";
      sslServerCert = "/var/lib/acme/mail/fullchain.pem";
      sslServerKey = "/var/lib/acme/mail/key.pem";
      # NOTE(review): this is the server's own chain, not a client CA; it only
      # matters if client certificate verification is enabled, which it is
      # not here — confirm the intent.
      sslCACert = "/var/lib/acme/mail/fullchain.pem";
      # Sections are concatenated in order. Several of them append to
      # `mail_plugins`, so the protocol-specific section must stay last.
      extraConfig = builtins.concatStringsSep "\n" [
        ''
          postmaster_address = postmaster@immae.eu
          mail_attribute_dict = file:%h/dovecot-attributes
          imap_idle_notify_interval = 20 mins
          namespace inbox {
            type = private
            separator = /
            inbox = yes
            list = yes
          }
        ''

        # ACL
        # Global ACL only (acl_globals_only): under Backup/* the owner gets
        # lookup/read/post ("lrp"), so mail there cannot be deleted or
        # expunged from the IMAP client; cleanup is done by the root cron
        # job further below.
        ''
          mail_plugins = $mail_plugins acl
          plugin {
            acl = vfile:${pkgs.writeText "dovecot-acl" ''
              Backup/* owner lrp
            ''}
            acl_globals_only = yes
          }
        ''

        # Full text search
        ''
          # needs to be bigger than any mailbox size
          default_vsz_limit = 2GB
          mail_plugins = $mail_plugins fts fts_xapian
          plugin {
            plugin = fts fts_xapian
            fts = xapian
            fts_xapian = partial=2 full=20
            fts_autoindex = yes
            fts_autoindex_exclude = \Junk
            fts_autoindex_exclude2 = \Trash
            fts_autoindex_exclude3 = Virtual/*
          }
        ''

        # Antispam
        # https://docs.iredmail.org/dovecot.imapsieve.html
        # imapsieve runs the report_spam/report_ham scripts from
        # ./sieve_scripts when messages are moved into Junk/NoJunk or out of
        # Junk (presumably to train the spam filter — see those scripts).
        # `sieve_global_extensions` also enables the pipe extension for
        # user scripts; the programs they can run are limited to the
        # wrapped `sieve_bin` directory via sieve_pipe_bin_dir.
        ''
          # imap_sieve plugin added below

          plugin {
            sieve_plugins = sieve_imapsieve sieve_extprograms
            imapsieve_url = sieve://127.0.0.1:4190

            sieve_before = file:${./sieve_scripts}/backup.sieve;bindir=/var/lib/vhost/.sieve_bin

            # From elsewhere to Junk folder
            imapsieve_mailbox1_name = Junk
            imapsieve_mailbox1_causes = COPY APPEND
            imapsieve_mailbox1_before = file:${./sieve_scripts}/report_spam.sieve;bindir=/var/lib/vhost/.imapsieve_bin

            # From Junk folder to elsewhere
            imapsieve_mailbox2_name = *
            imapsieve_mailbox2_from = Junk
            imapsieve_mailbox2_causes = COPY
            imapsieve_mailbox2_before = file:${./sieve_scripts}/report_ham.sieve;bindir=/var/lib/vhost/.imapsieve_bin

            # From anywhere to NoJunk folder
            imapsieve_mailbox3_name = NoJunk
            imapsieve_mailbox3_causes = COPY APPEND
            imapsieve_mailbox3_before = file:${./sieve_scripts}/report_ham.sieve;bindir=/var/lib/vhost/.imapsieve_bin

            sieve_pipe_bin_dir = ${sieve_bin}

            sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
          }
        ''
        # Services to listen
        # The Postfix SASL socket (private/auth) is created world-accessible
        # (mode 0666). NOTE(review): dovecot's documented Postfix setup uses
        # 0660 with user/group set to the postfix account; 0666 lets any
        # local account talk to the auth socket — consider tightening if the
        # host has untrusted local users.
        # The stats sockets are 0660 vhost so processes running as the mail
        # user can report to them.
        ''
          service imap-login {
            inet_listener imap {
            }
            inet_listener imaps {
            }
          }
          service pop3-login {
            inet_listener pop3 {
            }
            inet_listener pop3s {
            }
          }
          service imap {
          }
          service pop3 {
          }
          service auth {
            unix_listener auth-userdb {
            }
            unix_listener ${config.services.postfix.config.queue_directory}/private/auth {
              mode = 0666
            }
          }
          service auth-worker {
          }
          service dict {
            unix_listener dict {
            }
          }
          service stats {
            unix_listener stats-reader {
              user = vhost
              group = vhost
              mode = 0660
            }
            unix_listener stats-writer {
              user = vhost
              group = vhost
              mode = 0660
            }
          }
        ''

        # Authentication
        # disable_plaintext_auth = yes: on the cleartext ports (110/143,
        # opened in the firewall below) clients must STARTTLS before they
        # may authenticate. Both passdb and userdb use the LDAP file
        # deployed by secrets.keys above.
        ''
          first_valid_uid = ${toString config.ids.uids.vhost}
          disable_plaintext_auth = yes
          passdb {
            driver = ldap
            args = ${config.secrets.fullPaths."dovecot/ldap"}
          }
          userdb {
            driver = ldap
            args = ${config.secrets.fullPaths."dovecot/ldap"}
          }
        ''

        # Zlib
        # Transparently gzip-compress newly saved mails.
        ''
          mail_plugins = $mail_plugins zlib
          plugin {
            zlib_save_level = 6
            zlib_save = gz
          }
        ''

        # Sieve
        # Per-user sieve scripts, managed over ManageSieve (port 4190).
        ''
          plugin {
            sieve = file:~/sieve;bindir=~/.sieve-bin;active=~/.dovecot.sieve
          }
          service managesieve-login {
          }
          service managesieve {
          }
        ''

        # Virtual mailboxes
        ''
          mail_plugins = $mail_plugins virtual
          namespace Virtual {
            prefix = Virtual/
            location = virtual:~/Virtual
          }
        ''

        # Protocol specific configuration
        # Needs to come last if there are mail_plugins entries
        ''
          protocol imap {
            mail_plugins = $mail_plugins imap_sieve imap_acl
          }
          protocol lda {
            mail_plugins = $mail_plugins sieve
          }
        ''
      ];
    };
    # 110 pop3, 143 imap, 993 imaps, 995 pop3s, 4190 managesieve.
    networking.firewall.allowedTCPPorts = [ 110 143 993 995 4190 ];
    # Home of the vhost user; the sieve bindir paths above
    # (/var/lib/vhost/.sieve_bin, .imapsieve_bin) live under it.
    system.activationScripts.dovecot = {
      deps = [ "users" ];
      text = ''
        install -m 0755 -o vhost -g vhost -d /var/lib/vhost
      '';
    };

    # Nightly retention: Backup/* after 8 weeks, seen Junk and Trash after
    # 4 weeks; flagged mail is always kept. `2>&1 > /dev/null` sends stderr
    # to the pipe and discards stdout, so only unexpected diagnostics reach
    # cron mail.
    # NOTE(review): writeScriptBin adds no shebang; this relies on the
    # shell fallback when exec fails — writeShellScriptBin would be explicit.
    services.cron.systemCronJobs = let
      cron_script = pkgs.writeScriptBin "cleanup-imap-folders" ''
        ${pkgs.dovecot}/bin/doveadm expunge -A MAILBOX "Backup/*" NOT FLAGGED BEFORE 8w 2>&1 > /dev/null | grep -v "Mailbox doesn't exist:" | grep -v "Info: Opening DB"
        ${pkgs.dovecot}/bin/doveadm expunge -A MAILBOX Junk SEEN NOT FLAGGED BEFORE 4w 2>&1 > /dev/null | grep -v "Mailbox doesn't exist:" | grep -v "Info: Opening DB"
        ${pkgs.dovecot}/bin/doveadm expunge -A MAILBOX Trash NOT FLAGGED BEFORE 4w 2>&1 > /dev/null | grep -v "Mailbox doesn't exist:" | grep -v "Info: Opening DB"
      '';
    in
    [
      "0 2 * * * root ${cron_script}/bin/cleanup-imap-folders"
    ];
    # Certificate used by sslServerCert/sslServerKey above; dovecot is
    # restarted after each renewal so it picks up the new key pair.
    security.acme.certs."mail" = {
      postRun = ''
        systemctl restart dovecot2.service
      '';
      extraDomains = {
        "imap.immae.eu" = null;
        "pop3.immae.eu" = null;
      };
    };
  };
}