nixos-config/modules/mailserver/dovecot.nix

# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

{ config, lib, pkgs, ... }:
let
  cfg = config.sbruder.mailserver;
  postfixCfg = config.services.postfix;

  passdb = pkgs.writeText "dovecot-users"
    (lib.concatMapStringsSep
      "\n"
      ({ address, passwordHash, ... }: "${address}:{BLF-CRYPT}${passwordHash}")
      cfg.users);
in
lib.mkIf cfg.enable {
  services.dovecot2 = {
    enable = true;

    modules = with pkgs; [ dovecot_pigeonhole ];

    enableLmtp = true;
    enablePAM = false;
    protocols = [ "sieve" ];

    mailUser = "vmail";
    mailGroup = "vmail";
    mailLocation = "maildir:${cfg.storage}/%d/%n";

    sslServerCert = "${cfg.certDir}/fullchain.pem";
    sslServerKey = "${cfg.certDir}/key.pem";

    mailboxes = {
      Archive = { specialUse = "Archive"; auto = "subscribe"; };
      Sent = { specialUse = "Sent"; auto = "subscribe"; };
      Drafts = { specialUse = "Drafts"; auto = "subscribe"; };
      Trash = { specialUse = "Trash"; auto = "subscribe"; };
      Spam = { specialUse = "Junk"; auto = "subscribe"; };
    };

    sieveScripts = {
      before = pkgs.writeText "spam.sieve" ''
        require "fileinto";

        if header :is "X-Spam" "Yes" {
            fileinto "Spam";
        }
      '';
    };

    extraConfig = ''
      # generated 2021-02-04, Mozilla Guideline v5.6, Dovecot 2.3.13, OpenSSL 1.1.1i, intermediate configuration
      # https://ssl-config.mozilla.org/#server=dovecot&version=2.3.13&config=intermediate&openssl=1.1.1i&guideline=5.6
      ssl = required
      ssl_min_protocol = TLSv1.2
      ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
      ssl_prefer_server_ciphers = no

      protocol imap {
        mail_plugins = $mail_plugins imap_sieve
      }

      protocol lmtp {
        mail_plugins = $mail_plugins sieve
      }

      service imap-login {
        inet_listener imap {
        }
      }

      service lmtp {
        unix_listener dovecot-lmtp {
          mode = 0600
          user = ${postfixCfg.user}
          group = ${postfixCfg.group}
        }
      }

      passdb {
        driver = passwd-file
        args = username_format=%u ${passdb}
      }

      userdb {
        driver = static
        args = uid=vmail gid=vmail home=${cfg.storage}/%d/%n
      }

      service auth {
        unix_listener auth {
          mode = 0660
          user = ${postfixCfg.user}
          group = ${postfixCfg.group}
        }
      }

      lda_mailbox_autosubscribe = yes
      lda_mailbox_autocreate = yes

      plugin {
        sieve_plugins = sieve_imapsieve sieve_extprograms
        sieve = file:/var/lib/sieve/%d/%n/scripts;active=/var/lib/sieve/%d/%n/active.sieve

        ${lib.optionalString cfg.spam.enable ''
        imapsieve_mailbox1_name = Spam
        imapsieve_mailbox1_causes = COPY
        imapsieve_mailbox1_before = file:/var/lib/dovecot/sieve/learn-spam.sieve

        imapsieve_mailbox2_name = *
        imapsieve_mailbox2_from = Spam
        imapsieve_mailbox2_causes = COPY
        imapsieve_mailbox2_before = file:/var/lib/dovecot/sieve/learn-ham.sieve
        sieve_pipe_bin_dir = ${pkgs.symlinkJoin { name = "sieve-pipe-bin-dir"; paths = with pkgs; [ rspamd ]; } }/bin
        ''}

        sieve_global_extensions = +vnd.dovecot.pipe
      }

      service managesieve-login {
        inet_listener sieve {
          port = 4190
        }
      }
    '';
  };
  systemd.services.dovecot2 = {
    wants = [ "acme-finished-${cfg.fqdn}.target" ];
    after = [ "acme-finished-${cfg.fqdn}.target" ];

    preStart = lib.mkIf cfg.spam.enable
      (lib.mkAfter
        (lib.concatStrings
          (lib.mapAttrsToList
            (name: content: ''
              cp ${pkgs.writeText name content} /var/lib/dovecot/sieve/${name}
            '')
            {
              "learn-spam.sieve" = ''
                require ["vnd.dovecot.pipe", "copy", "imapsieve"];
                pipe :copy "rspamc" ["learn_spam"];
              '';
              "learn-ham.sieve" = ''
                require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];

                if environment :matches "imap.mailbox" "*" {
                    set "mailbox" "''${1}";
                }

                if string "''${mailbox}" "Trash" {
                    stop;
                }

                pipe :copy "rspamc" ["learn_ham"];
              '';
            })));
  };

  networking.firewall.allowedTCPPorts = [
    143 # IMAP
    993 # IMAP (implicit TLS)
    4190 # ManageSieve
  ];

  security.acme.certs."${cfg.fqdn}".postRun = ''
    if systemctl is-active dovecot2; then
        systemctl --no-block reload dovecot2
    fi
  '';
}
Relicense This applies the REUSE specification to the repository, so the licensing information can be tracked for every file individually. 2024-01-06 01:19:35 +01:00			`# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>`
			`#`
			`# SPDX-License-Identifier: AGPL-3.0-or-later`

mailserver: Separate into multiple files 2023-05-31 13:11:12 +02:00			`{ config, lib, pkgs, ... }:`
			`let`
			`cfg = config.sbruder.mailserver;`
			`postfixCfg = config.services.postfix;`

			`passdb = pkgs.writeText "dovecot-users"`
			`(lib.concatMapStringsSep`
			`"\n"`
			`({ address, passwordHash, ... }: "${address}:{BLF-CRYPT}${passwordHash}")`
			`cfg.users);`
			`in`
			`lib.mkIf cfg.enable {`
			`services.dovecot2 = {`
			`enable = true;`

			`modules = with pkgs; [ dovecot_pigeonhole ];`

			`enableLmtp = true;`
			`enablePAM = false;`
mailserver: Add ManageSieve 2023-08-01 15:19:24 +02:00			`protocols = [ "sieve" ];`
mailserver: Separate into multiple files 2023-05-31 13:11:12 +02:00
			`mailUser = "vmail";`
			`mailGroup = "vmail";`
			`mailLocation = "maildir:${cfg.storage}/%d/%n";`

			`sslServerCert = "${cfg.certDir}/fullchain.pem";`
			`sslServerKey = "${cfg.certDir}/key.pem";`

			`mailboxes = {`
			`Archive = { specialUse = "Archive"; auto = "subscribe"; };`
			`Sent = { specialUse = "Sent"; auto = "subscribe"; };`
			`Drafts = { specialUse = "Drafts"; auto = "subscribe"; };`
			`Trash = { specialUse = "Trash"; auto = "subscribe"; };`
			`Spam = { specialUse = "Junk"; auto = "subscribe"; };`
			`};`

			`sieveScripts = {`
			`before = pkgs.writeText "spam.sieve" ''`
			`require "fileinto";`

			`if header :is "X-Spam" "Yes" {`
			`fileinto "Spam";`
			`}`
			`'';`
			`};`

			`extraConfig = ''`
			`# generated 2021-02-04, Mozilla Guideline v5.6, Dovecot 2.3.13, OpenSSL 1.1.1i, intermediate configuration`
			`# https://ssl-config.mozilla.org/#server=dovecot&version=2.3.13&config=intermediate&openssl=1.1.1i&guideline=5.6`
			`ssl = required`
			`ssl_min_protocol = TLSv1.2`
			`ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384`
			`ssl_prefer_server_ciphers = no`

			`protocol imap {`
			`mail_plugins = $mail_plugins imap_sieve`
			`}`

			`protocol lmtp {`
			`mail_plugins = $mail_plugins sieve`
			`}`

			`service imap-login {`
			`inet_listener imap {`
			`}`
			`}`

			`service lmtp {`
			`unix_listener dovecot-lmtp {`
			`mode = 0600`
			`user = ${postfixCfg.user}`
			`group = ${postfixCfg.group}`
			`}`
			`}`

			`passdb {`
			`driver = passwd-file`
			`args = username_format=%u ${passdb}`
			`}`

			`userdb {`
			`driver = static`
			`args = uid=vmail gid=vmail home=${cfg.storage}/%d/%n`
			`}`

			`service auth {`
			`unix_listener auth {`
			`mode = 0660`
			`user = ${postfixCfg.user}`
			`group = ${postfixCfg.group}`
			`}`
			`}`

			`lda_mailbox_autosubscribe = yes`
			`lda_mailbox_autocreate = yes`

			`plugin {`
			`sieve_plugins = sieve_imapsieve sieve_extprograms`
mailserver: Add ManageSieve 2023-08-01 15:19:24 +02:00			`sieve = file:/var/lib/sieve/%d/%n/scripts;active=/var/lib/sieve/%d/%n/active.sieve`
mailserver: Separate into multiple files 2023-05-31 13:11:12 +02:00
			`${lib.optionalString cfg.spam.enable ''`
			`imapsieve_mailbox1_name = Spam`
			`imapsieve_mailbox1_causes = COPY`
			`imapsieve_mailbox1_before = file:/var/lib/dovecot/sieve/learn-spam.sieve`

			`imapsieve_mailbox2_name = *`
			`imapsieve_mailbox2_from = Spam`
			`imapsieve_mailbox2_causes = COPY`
			`imapsieve_mailbox2_before = file:/var/lib/dovecot/sieve/learn-ham.sieve`
			`sieve_pipe_bin_dir = ${pkgs.symlinkJoin { name = "sieve-pipe-bin-dir"; paths = with pkgs; [ rspamd ]; } }/bin`
			`''}`

			`sieve_global_extensions = +vnd.dovecot.pipe`
			`}`
mailserver: Add ManageSieve 2023-08-01 15:19:24 +02:00
			`service managesieve-login {`
			`inet_listener sieve {`
			`port = 4190`
			`}`
			`}`
mailserver: Separate into multiple files 2023-05-31 13:11:12 +02:00			`'';`
			`};`
			`systemd.services.dovecot2 = {`
			`wants = [ "acme-finished-${cfg.fqdn}.target" ];`
			`after = [ "acme-finished-${cfg.fqdn}.target" ];`

			`preStart = lib.mkIf cfg.spam.enable`
			`(lib.mkAfter`
			`(lib.concatStrings`
			`(lib.mapAttrsToList`
			`(name: content: ''`
			`cp ${pkgs.writeText name content} /var/lib/dovecot/sieve/${name}`
			`'')`
			`{`
			`"learn-spam.sieve" = ''`
			`require ["vnd.dovecot.pipe", "copy", "imapsieve"];`
			`pipe :copy "rspamc" ["learn_spam"];`
			`'';`
			`"learn-ham.sieve" = ''`
			`require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];`

			`if environment :matches "imap.mailbox" "*" {`
			`set "mailbox" "''${1}";`
			`}`

			`if string "''${mailbox}" "Trash" {`
			`stop;`
			`}`

			`pipe :copy "rspamc" ["learn_ham"];`
			`'';`
			`})));`
			`};`

			`networking.firewall.allowedTCPPorts = [`
			`143 # IMAP`
			`993 # IMAP (implicit TLS)`
mailserver: Add ManageSieve 2023-08-01 15:19:24 +02:00			`4190 # ManageSieve`
mailserver: Separate into multiple files 2023-05-31 13:11:12 +02:00			`];`

			`security.acme.certs."${cfg.fqdn}".postRun = ''`
			`if systemctl is-active dovecot2; then`
			`systemctl --no-block reload dovecot2`
			`fi`
			`'';`
			`}`