mail2-nixos-config/dovecot.nix

{ config, lib, pkgs, ... }:

let
  dovecotSQL = pkgs.writeText "dovecot-sql.conf" ''
    driver = sqlite
    connect = ${config.variables.pfadminDataDir}/postfixadmin.db
    password_query = SELECT username AS user, password FROM mailbox WHERE username = '%Lu' AND active='1'
    user_query = SELECT username AS user FROM mailbox WHERE username = '%Lu' AND active='1'
  '';
  dovecotConfSSL = pkgs.writeText "dovecot.conf" ''
    ${lib.optionalString (config.variables.useSSL) ''
        ssl = yes
        ssl_cert = </var/lib/acme/dovecot2.${config.variables.myFQDN}/fullchain.pem
        ssl_key = </var/lib/acme/dovecot2.${config.variables.myFQDN}/key.pem
      ''
    }
  '';
  dovecotConf = pkgs.writeText "dovecot.conf" ''
    sendmail_path = /run/wrappers/bin/sendmail
    default_internal_user = dovecot2
    default_internal_group = dovecot2
    protocols = imap lmtp pop3 sieve

    # commented out due to a dovecot but in the most recent release
    #$ {lib.optionalString (config.variables.useSSL) '#'
    #    ssl = yes
    #    ssl_cert = </var/lib/acme/dovecot2.${config.variables.myFQDN}/fullchain.pem
    #    ssl_key = </var/lib/acme/dovecot2.${config.variables.myFQDN}/key.pem
    #  '#'
    #}
    !include_try /var/lib/dovecot/ssl-keys.conf

    disable_plaintext_auth = yes
    auth_mechanisms = plain login

    userdb {
        driver = sql
        args = ${dovecotSQL}
    }
    passdb {
        driver = sql
        args = ${dovecotSQL}
    }
    mail_home = ${config.variables.vmailBaseDir}/%Lu/
    mail_location = maildir:${config.variables.vmailBaseDir}/%Lu/Maildir
    mail_uid = ${toString config.variables.vmailUID}
    mail_gid = ${toString config.variables.vmailGID}

    service auth {
      unix_listener ${config.variables.dovecotAuthSocket} {
        user = ${config.services.postfix.user}
        group = ${config.services.postfix.group}
        mode = 0600
      }
    }

    service lmtp {
      unix_listener ${config.variables.dovecotLmtpSocket} {
        user = ${config.services.postfix.user}
        group = ${config.services.postfix.group}
        mode = 0600
      }
    }

    protocol lmtp {
      mail_plugins = sieve
    }

    protocol imap {
      mail_plugins = $mail_plugins imap_sieve
    }
    imap_idle_notify_interval = 29 mins

    namespace inbox {
      inbox = yes
      location =
      mailbox Drafts {
        special_use = \Drafts
        auto = subscribe
      }
      mailbox Junk {
        special_use = \Junk
        auto = subscribe
      }
      mailbox Sent {
        special_use = \Sent
        auto = subscribe
      }
      mailbox Trash {
        special_use = \Trash
        auto = subscribe
      }
      mailbox Archive {
        special_use = \Archive
        auto = subscribe
      }
      prefix =
    }

    plugin {
      sieve_after = ${(pkgs.callPackage ./sieve-after.nix {}) }
      sieve_plugins = sieve_imapsieve sieve_extprograms
      # From elsewhere to Spam folder
      imapsieve_mailbox1_name = Junk
      imapsieve_mailbox1_causes = COPY
      imapsieve_mailbox1_before = file:${(pkgs.callPackage ./sieve-report-spam-ham.nix {})}/report-spam.sieve
      # From Spam folder to elsewhere
      imapsieve_mailbox2_name = *
      imapsieve_mailbox2_from = Junk
      imapsieve_mailbox2_causes = COPY
      imapsieve_mailbox2_before = file:${(pkgs.callPackage ./sieve-report-spam-ham.nix {})}/report-ham.sieve
      sieve_pipe_bin_dir = ${(pkgs.callPackage ./sieve-pipe-bin-dir.nix {})}
      sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
    }
  '';
in
{
  # Configure certificates...
  security = lib.mkIf config.variables.useSSL {
    acme.certs."dovecot2.${config.variables.myFQDN}" = {
      domain = "${config.variables.myFQDN}";
      group = "certs";
      postRun = "systemctl restart dovecot2.service";
      # cheat by getting the webroot from another certificate configured through nginx.
      webroot = config.security.acme.certs."${config.variables.myFQDN}".webroot;
    };
  };
  # Make sure at least the self-signed certs are available before trying to start postfix
  systemd.services.dovecot2.after = [ (lib.mkIf config.variables.useSSL "acme-selfsigned-certificates.target") "vmail-setup.service" ];
  # Setup dovecot
  networking.firewall.allowedTCPPorts = [ 110 143 993 995 4190 ];
  services.dovecot2 = {
    enable = true;
    configFile = "${dovecotConf}";
    modules = [ pkgs.dovecot_pigeonhole ];
  };
  systemd.services."vmail-setup" = {
    serviceConfig.Type = "oneshot";
    wantedBy = [ "multi-user.target" ];
      script = ''
        mkdir -p ${config.variables.vmailBaseDir}
        chown -c ${config.variables.vmailUser}:${config.variables.vmailGroup} ${config.variables.vmailBaseDir}
        chmod -c 0700 ${config.variables.vmailBaseDir}
        # SSL workaround for dovecot...
        mkdir -p /var/lib/dovecot
        cat ${dovecotConfSSL} > /var/lib/dovecot/ssl-keys.conf
        chown root:root /var/lib/dovecot/ssl-keys.conf
        chmod 400 /var/lib/dovecot/ssl-keys.conf
      '';
  };
}
first import of mailserver config 2019-05-10 23:21:28 +02:00			`{ config, lib, pkgs, ... }:`

			`let`
			`dovecotSQL = pkgs.writeText "dovecot-sql.conf" ''`
			`driver = sqlite`
			`connect = ${config.variables.pfadminDataDir}/postfixadmin.db`
			`password_query = SELECT username AS user, password FROM mailbox WHERE username = '%Lu' AND active='1'`
			`user_query = SELECT username AS user FROM mailbox WHERE username = '%Lu' AND active='1'`
			`'';`
Workaround for a new bug in dovecot. This should allow postfixadmin to work again. The bug is described on the Dovecot ML: https://dovecot.org/pipermail/dovecot/2020-August/119642.html 2020-08-20 22:56:04 +02:00			`dovecotConfSSL = pkgs.writeText "dovecot.conf" ''`
first import of mailserver config 2019-05-10 23:21:28 +02:00			`${lib.optionalString (config.variables.useSSL) ''`
			`ssl = yes`
			`ssl_cert = </var/lib/acme/dovecot2.${config.variables.myFQDN}/fullchain.pem`
			`ssl_key = </var/lib/acme/dovecot2.${config.variables.myFQDN}/key.pem`
			`''`
			`}`
Workaround for a new bug in dovecot. This should allow postfixadmin to work again. The bug is described on the Dovecot ML: https://dovecot.org/pipermail/dovecot/2020-August/119642.html 2020-08-20 22:56:04 +02:00			`'';`
			`dovecotConf = pkgs.writeText "dovecot.conf" ''`
			`sendmail_path = /run/wrappers/bin/sendmail`
			`default_internal_user = dovecot2`
			`default_internal_group = dovecot2`
			`protocols = imap lmtp pop3 sieve`

			`# commented out due to a dovecot but in the most recent release`
			`#$ {lib.optionalString (config.variables.useSSL) '#'`
			`# ssl = yes`
			`# ssl_cert = </var/lib/acme/dovecot2.${config.variables.myFQDN}/fullchain.pem`
			`# ssl_key = </var/lib/acme/dovecot2.${config.variables.myFQDN}/key.pem`
			`# '#'`
			`#}`
			`!include_try /var/lib/dovecot/ssl-keys.conf`
first import of mailserver config 2019-05-10 23:21:28 +02:00
dovecot: enforce use of encryption... 2019-06-13 16:02:47 +02:00			`disable_plaintext_auth = yes`
first import of mailserver config 2019-05-10 23:21:28 +02:00			`auth_mechanisms = plain login`

			`userdb {`
			`driver = sql`
			`args = ${dovecotSQL}`
			`}`
			`passdb {`
			`driver = sql`
			`args = ${dovecotSQL}`
			`}`
			`mail_home = ${config.variables.vmailBaseDir}/%Lu/`
			`mail_location = maildir:${config.variables.vmailBaseDir}/%Lu/Maildir`
			`mail_uid = ${toString config.variables.vmailUID}`
			`mail_gid = ${toString config.variables.vmailGID}`

			`service auth {`
			`unix_listener ${config.variables.dovecotAuthSocket} {`
			`user = ${config.services.postfix.user}`
			`group = ${config.services.postfix.group}`
			`mode = 0600`
			`}`
			`}`

			`service lmtp {`
			`unix_listener ${config.variables.dovecotLmtpSocket} {`
			`user = ${config.services.postfix.user}`
			`group = ${config.services.postfix.group}`
			`mode = 0600`
			`}`
			`}`

			`protocol lmtp {`
			`mail_plugins = sieve`
			`}`

			`protocol imap {`
			`mail_plugins = $mail_plugins imap_sieve`
			`}`
imap_idle_notify_interval auf 29 mins setzen um bei Handys den Akku zu schonen 2019-06-28 20:40:33 +02:00			`imap_idle_notify_interval = 29 mins`
first import of mailserver config 2019-05-10 23:21:28 +02:00
			`namespace inbox {`
			`inbox = yes`
			`location =`
			`mailbox Drafts {`
			`special_use = \Drafts`
			`auto = subscribe`
			`}`
			`mailbox Junk {`
			`special_use = \Junk`
			`auto = subscribe`
			`}`
			`mailbox Sent {`
			`special_use = \Sent`
			`auto = subscribe`
			`}`
			`mailbox Trash {`
			`special_use = \Trash`
			`auto = subscribe`
			`}`
			`mailbox Archive {`
			`special_use = \Archive`
			`auto = subscribe`
			`}`
			`prefix =`
			`}`

			`plugin {`
			`sieve_after = ${(pkgs.callPackage ./sieve-after.nix {}) }`
			`sieve_plugins = sieve_imapsieve sieve_extprograms`
			`# From elsewhere to Spam folder`
			`imapsieve_mailbox1_name = Junk`
			`imapsieve_mailbox1_causes = COPY`
			`imapsieve_mailbox1_before = file:${(pkgs.callPackage ./sieve-report-spam-ham.nix {})}/report-spam.sieve`
			`# From Spam folder to elsewhere`
			`imapsieve_mailbox2_name = *`
			`imapsieve_mailbox2_from = Junk`
			`imapsieve_mailbox2_causes = COPY`
			`imapsieve_mailbox2_before = file:${(pkgs.callPackage ./sieve-report-spam-ham.nix {})}/report-ham.sieve`
			`sieve_pipe_bin_dir = ${(pkgs.callPackage ./sieve-pipe-bin-dir.nix {})}`
			`sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment`
			`}`
			`'';`
			`in`
			`{`
			`# Configure certificates...`
			`security = lib.mkIf config.variables.useSSL {`
			`acme.certs."dovecot2.${config.variables.myFQDN}" = {`
			`domain = "${config.variables.myFQDN}";`
Try throwing all certificates into the same group to avoid permission issues 2020-11-27 23:49:54 +01:00			`group = "certs";`
first import of mailserver config 2019-05-10 23:21:28 +02:00			`postRun = "systemctl restart dovecot2.service";`
			`# cheat by getting the webroot from another certificate configured through nginx.`
			`webroot = config.security.acme.certs."${config.variables.myFQDN}".webroot;`
			`};`
			`};`
			`# Make sure at least the self-signed certs are available before trying to start postfix`
Workaround for a new bug in dovecot. This should allow postfixadmin to work again. The bug is described on the Dovecot ML: https://dovecot.org/pipermail/dovecot/2020-August/119642.html 2020-08-20 22:56:04 +02:00			`systemd.services.dovecot2.after = [ (lib.mkIf config.variables.useSSL "acme-selfsigned-certificates.target") "vmail-setup.service" ];`
first import of mailserver config 2019-05-10 23:21:28 +02:00			`# Setup dovecot`
			`networking.firewall.allowedTCPPorts = [ 110 143 993 995 4190 ];`
			`services.dovecot2 = {`
			`enable = true;`
			`configFile = "${dovecotConf}";`
			`modules = [ pkgs.dovecot_pigeonhole ];`
			`};`
			`systemd.services."vmail-setup" = {`
			`serviceConfig.Type = "oneshot";`
			`wantedBy = [ "multi-user.target" ];`
			`script = ''`
			`mkdir -p ${config.variables.vmailBaseDir}`
			`chown -c ${config.variables.vmailUser}:${config.variables.vmailGroup} ${config.variables.vmailBaseDir}`
			`chmod -c 0700 ${config.variables.vmailBaseDir}`
Workaround for a new bug in dovecot. This should allow postfixadmin to work again. The bug is described on the Dovecot ML: https://dovecot.org/pipermail/dovecot/2020-August/119642.html 2020-08-20 22:56:04 +02:00			`# SSL workaround for dovecot...`
			`mkdir -p /var/lib/dovecot`
			`cat ${dovecotConfSSL} > /var/lib/dovecot/ssl-keys.conf`
			`chown root:root /var/lib/dovecot/ssl-keys.conf`
			`chmod 400 /var/lib/dovecot/ssl-keys.conf`
first import of mailserver config 2019-05-10 23:21:28 +02:00			`'';`
			`};`
			`}`