]>
Commit | Line | Data |
---|---|---|
ab8f306d | 1 | { lib, pkgs, config, ... }: |
a929614f IB |
2 | let |
3 | sieve_bin = pkgs.runCommand "sieve_bin" { | |
4 | buildInputs = [ pkgs.makeWrapper ]; | |
5 | } '' | |
6 | cp -a ${./sieve_bin} $out | |
7 | chmod -R u+w $out | |
8 | patchShebangs $out | |
9 | for i in $out/*; do | |
10 | wrapProgram "$i" --prefix PATH : ${lib.makeBinPath [ pkgs.coreutils ]} | |
11 | done | |
12 | ''; | |
13 | in | |
14 | { | |
8415083e | 15 | config = lib.mkIf config.myServices.mail.enable { |
1a64deeb IB |
16 | myServices.dns.zones."immae.eu".subdomains = |
17 | with config.myServices.dns.helpers; | |
18 | { | |
19 | imap = ips servers.eldiron.ips.main; | |
20 | pop3 = ips servers.eldiron.ips.main; | |
21 | }; | |
22 | ||
23 | myServices.chatonsProperties.services.email = { | |
24 | file.datetime = "2022-08-22T01:00:00"; | |
25 | service = { | |
26 | name = "E-mail account"; | |
27 | description = "Compte e-mail avec configuration imap et smtp/pop3"; | |
28 | logo = "https://www.dovecot.org/wp-content/uploads/2021/09/favicon.ico"; | |
29 | website = "https://mail.immae.eu/"; | |
30 | status.level = "OK"; | |
31 | status.description = "OK"; | |
32 | registration."" = ["MEMBER" "CLIENT"]; | |
33 | registration.load = "OPEN"; | |
34 | install.type = "PACKAGE"; | |
35 | }; | |
36 | software = { | |
37 | name = "Dovecot"; | |
38 | website = "https://www.dovecot.org/"; | |
39 | license.url = "https://github.com/dovecot/core/blob/main/COPYING"; | |
40 | license.name = "MIT and LGPLv2.1 Licenses"; | |
41 | version = pkgs.dovecot.version; | |
42 | source.url = "https://github.com/dovecot/core"; | |
43 | modules = ["roundcube" "rainloop"] ++ map (a: a.pname) config.services.dovecot2.modules; | |
44 | }; | |
45 | }; | |
850adcf4 | 46 | systemd.services.dovecot2.serviceConfig.Slice = "mail.slice"; |
4c4652aa IB |
47 | secrets.keys."dovecot/ldap" = { |
48 | user = config.services.dovecot2.user; | |
49 | group = config.services.dovecot2.group; | |
50 | permissions = "0400"; | |
51 | text = '' | |
52 | hosts = ${config.myEnv.mail.dovecot.ldap.host} | |
53 | tls = yes | |
54 | ||
55 | dn = ${config.myEnv.mail.dovecot.ldap.dn} | |
56 | dnpass = ${config.myEnv.mail.dovecot.ldap.password} | |
57 | ||
58 | auth_bind = yes | |
59 | ||
60 | ldap_version = 3 | |
61 | ||
62 | base = ${config.myEnv.mail.dovecot.ldap.base} | |
63 | scope = subtree | |
64 | ||
65 | pass_filter = ${config.myEnv.mail.dovecot.ldap.filter} | |
66 | pass_attrs = ${config.myEnv.mail.dovecot.ldap.pass_attrs} | |
67 | ||
68 | user_attrs = ${config.myEnv.mail.dovecot.ldap.user_attrs} | |
69 | user_filter = ${config.myEnv.mail.dovecot.ldap.filter} | |
70 | iterate_attrs = ${config.myEnv.mail.dovecot.ldap.iterate_attrs} | |
71 | iterate_filter = ${config.myEnv.mail.dovecot.ldap.iterate_filter} | |
72 | ''; | |
73 | }; | |
8415083e IB |
74 | |
75 | users.users.vhost = { | |
76 | group = "vhost"; | |
77 | uid = config.ids.uids.vhost; | |
78 | }; | |
79 | users.groups.vhost.gid = config.ids.gids.vhost; | |
1a64deeb IB |
80 | users.users."${config.services.dovecot2.user}".extraGroups = [ "acme" ]; |
81 | ||
82 | nixpkgs.overlays = [ | |
83 | (self: super: { | |
84 | dovecot = super.dovecot.override { openldap = self.openldap_libressl_cyrus; }; | |
85 | }) | |
86 | ]; | |
8415083e IB |
87 | |
88 | # https://blog.zeninc.net/index.php?post/2018/04/01/Un-annuaire-pour-les-gouverner-tous....... | |
89 | services.dovecot2 = { | |
90 | enable = true; | |
91 | enablePAM = false; | |
92 | enablePop3 = true; | |
93 | enableImap = true; | |
94 | enableLmtp = true; | |
95 | protocols = [ "sieve" ]; | |
96 | modules = [ | |
97 | pkgs.dovecot_pigeonhole | |
1a64deeb | 98 | pkgs.dovecot_fts_xapian |
8415083e IB |
99 | ]; |
100 | mailUser = "vhost"; | |
101 | mailGroup = "vhost"; | |
102 | createMailUser = false; | |
2053ddac IB |
103 | mailboxes = { |
104 | Trash = { auto = "subscribe"; specialUse = "Trash"; }; | |
105 | Junk = { auto = "subscribe"; specialUse = "Junk"; }; | |
106 | Sent = { auto = "subscribe"; specialUse = "Sent"; }; | |
107 | Drafts = { auto = "subscribe"; specialUse = "Drafts"; }; | |
108 | }; | |
8415083e | 109 | mailLocation = "mbox:~/Mail:INBOX=~/Mail/Inbox:INDEX=~/.imap"; |
1a64deeb | 110 | sslServerCert = "/etc/dovecot/fullchain.pem"; |
8415083e | 111 | sslServerKey = "/var/lib/acme/mail/key.pem"; |
1a64deeb | 112 | sslCACert = "/etc/dovecot/fullchain.pem"; |
8415083e | 113 | extraConfig = builtins.concatStringsSep "\n" [ |
5153eb54 IB |
114 | # For printer which doesn’t support elliptic curve |
115 | '' | |
1a64deeb | 116 | ssl_alt_cert = </etc/dovecot/fullchain-rsa.pem |
5153eb54 IB |
117 | ssl_alt_key = </var/lib/acme/mail-rsa/key.pem |
118 | '' | |
119 | ||
8415083e IB |
120 | '' |
121 | postmaster_address = postmaster@immae.eu | |
122 | mail_attribute_dict = file:%h/dovecot-attributes | |
123 | imap_idle_notify_interval = 20 mins | |
124 | namespace inbox { | |
125 | type = private | |
126 | separator = / | |
127 | inbox = yes | |
128 | list = yes | |
129 | } | |
130 | '' | |
131 | ||
089f5093 IB |
132 | # ACL |
133 | '' | |
134 | mail_plugins = $mail_plugins acl | |
135 | plugin { | |
136 | acl = vfile:${pkgs.writeText "dovecot-acl" '' | |
137 | Backup/* owner lrp | |
138 | ''} | |
139 | acl_globals_only = yes | |
140 | } | |
141 | '' | |
142 | ||
8415083e IB |
143 | # Full text search |
144 | '' | |
145 | # needs to be bigger than any mailbox size | |
146 | default_vsz_limit = 2GB | |
147 | mail_plugins = $mail_plugins fts fts_xapian | |
148 | plugin { | |
149 | plugin = fts fts_xapian | |
150 | fts = xapian | |
151 | fts_xapian = partial=2 full=20 | |
152 | fts_autoindex = yes | |
153 | fts_autoindex_exclude = \Junk | |
154 | fts_autoindex_exclude2 = \Trash | |
155 | fts_autoindex_exclude3 = Virtual/* | |
156 | } | |
157 | '' | |
158 | ||
159 | # Antispam | |
160 | # https://docs.iredmail.org/dovecot.imapsieve.html | |
161 | '' | |
162 | # imap_sieve plugin added below | |
163 | ||
a929614f | 164 | plugin { |
8415083e IB |
165 | sieve_plugins = sieve_imapsieve sieve_extprograms |
166 | imapsieve_url = sieve://127.0.0.1:4190 | |
167 | ||
304a7dac | 168 | sieve_before = file:${./sieve_scripts}/backup.sieve;bindir=/var/lib/vhost/.sieve_bin |
089f5093 | 169 | |
8415083e IB |
170 | # From elsewhere to Junk folder |
171 | imapsieve_mailbox1_name = Junk | |
172 | imapsieve_mailbox1_causes = COPY APPEND | |
173 | imapsieve_mailbox1_before = file:${./sieve_scripts}/report_spam.sieve;bindir=/var/lib/vhost/.imapsieve_bin | |
174 | ||
175 | # From Junk folder to elsewhere | |
176 | imapsieve_mailbox2_name = * | |
177 | imapsieve_mailbox2_from = Junk | |
178 | imapsieve_mailbox2_causes = COPY | |
179 | imapsieve_mailbox2_before = file:${./sieve_scripts}/report_ham.sieve;bindir=/var/lib/vhost/.imapsieve_bin | |
180 | ||
95ca3110 IB |
181 | # From anywhere to NoJunk folder |
182 | imapsieve_mailbox3_name = NoJunk | |
183 | imapsieve_mailbox3_causes = COPY APPEND | |
184 | imapsieve_mailbox3_before = file:${./sieve_scripts}/report_ham.sieve;bindir=/var/lib/vhost/.imapsieve_bin | |
185 | ||
8415083e IB |
186 | sieve_pipe_bin_dir = ${sieve_bin} |
187 | ||
188 | sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment | |
a929614f | 189 | } |
8415083e IB |
190 | '' |
191 | # Services to listen | |
192 | '' | |
193 | service imap-login { | |
194 | inet_listener imap { | |
195 | } | |
196 | inet_listener imaps { | |
197 | } | |
a929614f | 198 | } |
8415083e IB |
199 | service pop3-login { |
200 | inet_listener pop3 { | |
201 | } | |
202 | inet_listener pop3s { | |
203 | } | |
a929614f | 204 | } |
8415083e | 205 | service imap { |
a929614f | 206 | } |
8415083e | 207 | service pop3 { |
a929614f | 208 | } |
8415083e IB |
209 | service auth { |
210 | unix_listener auth-userdb { | |
211 | } | |
212 | unix_listener ${config.services.postfix.config.queue_directory}/private/auth { | |
213 | mode = 0666 | |
214 | } | |
a929614f | 215 | } |
8415083e | 216 | service auth-worker { |
a929614f | 217 | } |
8415083e IB |
218 | service dict { |
219 | unix_listener dict { | |
220 | } | |
a929614f | 221 | } |
8415083e IB |
222 | service stats { |
223 | unix_listener stats-reader { | |
224 | user = vhost | |
225 | group = vhost | |
226 | mode = 0660 | |
227 | } | |
228 | unix_listener stats-writer { | |
229 | user = vhost | |
230 | group = vhost | |
231 | mode = 0660 | |
232 | } | |
a929614f | 233 | } |
8415083e IB |
234 | '' |
235 | ||
236 | # Authentification | |
237 | '' | |
238 | first_valid_uid = ${toString config.ids.uids.vhost} | |
239 | disable_plaintext_auth = yes | |
240 | passdb { | |
241 | driver = ldap | |
242 | args = ${config.secrets.fullPaths."dovecot/ldap"} | |
243 | } | |
244 | userdb { | |
98f8f4de IB |
245 | driver = ldap |
246 | args = ${config.secrets.fullPaths."dovecot/ldap"} | |
8415083e IB |
247 | } |
248 | '' | |
a929614f | 249 | |
8415083e IB |
250 | # Zlib |
251 | '' | |
252 | mail_plugins = $mail_plugins zlib | |
253 | plugin { | |
254 | zlib_save_level = 6 | |
255 | zlib_save = gz | |
256 | } | |
257 | '' | |
a929614f | 258 | |
8415083e IB |
259 | # Sieve |
260 | '' | |
261 | plugin { | |
262 | sieve = file:~/sieve;bindir=~/.sieve-bin;active=~/.dovecot.sieve | |
263 | } | |
264 | service managesieve-login { | |
265 | } | |
266 | service managesieve { | |
267 | } | |
268 | '' | |
269 | ||
270 | # Virtual mailboxes | |
271 | '' | |
272 | mail_plugins = $mail_plugins virtual | |
273 | namespace Virtual { | |
274 | prefix = Virtual/ | |
275 | location = virtual:~/Virtual | |
276 | } | |
277 | '' | |
a929614f | 278 | |
8415083e IB |
279 | # Protocol specific configuration |
280 | # Needs to come last if there are mail_plugins entries | |
281 | '' | |
282 | protocol imap { | |
089f5093 | 283 | mail_plugins = $mail_plugins imap_sieve imap_acl |
8415083e IB |
284 | } |
285 | protocol lda { | |
286 | mail_plugins = $mail_plugins sieve | |
287 | } | |
288 | '' | |
289 | ]; | |
290 | }; | |
291 | networking.firewall.allowedTCPPorts = [ 110 143 993 995 4190 ]; | |
292 | system.activationScripts.dovecot = { | |
293 | deps = [ "users" ]; | |
294 | text ='' | |
295 | install -m 0755 -o vhost -g vhost -d /var/lib/vhost | |
296 | ''; | |
297 | }; | |
298 | ||
98f8f4de IB |
299 | services.cron.systemCronJobs = let |
300 | cron_script = pkgs.writeScriptBin "cleanup-imap-folders" '' | |
5dc338f0 | 301 | ${pkgs.dovecot}/bin/doveadm expunge -A MAILBOX "Backup/*" NOT FLAGGED BEFORE 8w 2>&1 > /dev/null | grep -v "Mailbox doesn't exist:" | grep -v "Info: Opening DB" |
cecfa2f6 IB |
302 | ${pkgs.dovecot}/bin/doveadm expunge -A MAILBOX Junk SEEN NOT FLAGGED BEFORE 4w 2>&1 > /dev/null | grep -v "Mailbox doesn't exist:" | grep -v "Info: Opening DB" |
303 | ${pkgs.dovecot}/bin/doveadm expunge -A MAILBOX Trash NOT FLAGGED BEFORE 4w 2>&1 > /dev/null | grep -v "Mailbox doesn't exist:" | grep -v "Info: Opening DB" | |
98f8f4de IB |
304 | ''; |
305 | in | |
306 | [ | |
307 | "0 2 * * * root ${cron_script}/bin/cleanup-imap-folders" | |
308 | ]; | |
5153eb54 IB |
309 | security.acme.certs."mail-rsa" = { |
310 | postRun = '' | |
311 | systemctl restart dovecot2.service | |
312 | ''; | |
1a64deeb | 313 | extraDomainNames = [ "imap.immae.eu" "pop3.immae.eu" ]; |
5153eb54 | 314 | }; |
5400b9b6 | 315 | security.acme.certs."mail" = { |
8415083e IB |
316 | postRun = '' |
317 | systemctl restart dovecot2.service | |
318 | ''; | |
1a64deeb | 319 | extraDomainNames = [ "imap.immae.eu" "pop3.immae.eu" ]; |
a929614f | 320 | }; |
1a64deeb IB |
321 | myServices.monitoring.fromMasterActivatedPlugins = [ "imap" "tcp" ]; |
322 | myServices.monitoring.fromMasterObjects.service = [ | |
323 | { | |
324 | service_description = "imap connection works"; | |
325 | host_name = config.hostEnv.fqdn; | |
326 | use = "external-service"; | |
327 | check_command = "check_imap_connection"; | |
328 | ||
329 | servicegroups = "webstatus-remote-services,webstatus-email"; | |
330 | _webstatus_name = "IMAP"; | |
331 | _webstatus_url = "imap.immae.eu"; | |
332 | } | |
333 | ||
334 | { | |
335 | service_description = "imap SSL is up to date"; | |
336 | host_name = config.hostEnv.fqdn; | |
337 | use = "external-service"; | |
338 | check_command = ["check_tcp_ssl" "993"]; | |
339 | ||
340 | servicegroups = "webstatus-ssl"; | |
341 | _webstatus_name = "IMAP"; | |
342 | _webstatus_url = "imap.immae.eu"; | |
343 | } | |
344 | ||
345 | ]; | |
a929614f IB |
346 | }; |
347 | } | |
348 |