

nixos-mailserver's Issues

Dovecot bug

The newest version of dovecot fails with

server# [  233.257819] dovecot[1130]: imap-login: Error: Failed to initialize SSL server context: Couldn't parse DH parameters: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: DH PARAMETERS: user=<>, rip=192.168.1.1, lip=192.168.1.2, session=<Z2g4KkRkbsjAqAEB>
server# [  233.299718] dovecot[1130]: imap-login: Disconnected: TLS initialization failed. (no auth attempts in 0 secs): user=<>, rip=192.168.1.1, lip=192.168.1.2, session=<Z2g4KkRkbsjAqAEB>

compare to archlinux forums

Unable to activate a Sieve script via ManageSieve

Hi, I'm migrating my mail server from Debian to nixos-mailserver and it mostly works great! Thanks for the project. :)

The only problem I've faced so far is broken activation of Sieve scripts. I was successfully able to upload a Sieve script with KMail, but trying to activate the scripts results in this error:

managesieve([email protected]): Error: sieve: file script: Failed to activate Sieve script: symlink(/var/sieve/[email protected]/default.sieve, /var/empty/.dovecot.sieve) failed: Operation not permitted

I'm using nixos-mailserver-2.0.4 on NixOS 17.09.

Thanks!

"You have new mail in /var/mail/root"

TL;DR: What to do with local mail?

Mails sent to root@localhost are delivered to /var/mail/root in maildir format.

How do we want to deal with those? I have seen failed cron jobs put mail there and it is a common mail address for anything system related to my knowledge. In any case: I strongly recommend that we deal with them.

I have triggered one using monit reload and having set root@localhost as mail address in monit's config.

Adding root@localhost to the list of mail aliases of a vmail user (`cfg.loginAccounts."[email protected]".aliases`) does work and delivers the mail to that user. Do we want to facilitate this with maybe an extra option or a note in the documentation?

This is the relevant excerpt from journalctl. It shows that the mail is correctly processed by rspamd and rspamd is smart enough to figure out that it is local mail and thus skips a number of checks:

Feb 02 15:31:34 nixos monit[14520]: Reinitializing Monit -- control file '/etc/monitrc'
Feb 02 15:31:34 nixos monit[14520]: 'nixos' Monit reloaded
Feb 02 15:31:34 nixos postfix/smtpd[24067]: connect from localhost[::1]
Feb 02 15:31:34 nixos rmilter[690]: <7a2a9b88db>; accepted connection from mail.example.com; client: ::1:43480 (localhost)
Feb 02 15:31:34 nixos postfix/smtpd[24067]: 723EC160A4D: client=localhost[::1]
Feb 02 15:31:34 nixos rmilter[690]: <7a2a9b88db>; mlfi_data: queue id: <723EC160A4D>
Feb 02 15:31:34 nixos postfix/cleanup[24069]: 723EC160A4D: message-id=<1517585494.983509235@nixos>
Feb 02 15:31:34 nixos rmilter[690]: <7a2a9b88db>; mlfi_eom: tempfile=/tmp/msg.XX86zrtA, size=619
Feb 02 15:31:34 nixos rmilter[690]: <7a2a9b88db>; spamdscan: start scanning message on /run/rspamd/rspamd.sock
Feb 02 15:31:34 nixos rspamd[771]: <912d6c>; task; accept_socket: accepted connection from /run/rspamd/rspamd.sock port 0, task ptr: 00000000019FE510
Feb 02 15:31:34 nixos rspamd[771]: <912d6c>; task; rspamd_message_parse: loaded message; id: <1517585494.983509235@nixos>; queue-id: <723EC160A4D>; size: 619; checksum: <7d63541863656266f4031eb3a8ebab88>
Feb 02 15:31:34 nixos rspamd[771]: <912d6c>; task; spf_symbol_callback: skip SPF checks for local networks and authorized users
Feb 02 15:31:34 nixos rspamd[771]: <912d6c>; task; dkim_symbol_callback: skip DKIM checks for local networks and authorized users
Feb 02 15:31:34 nixos rspamd[771]: <912d6c>; task; surbl_test_url: disable surbl multi.uribl.com as it is reported to be offline
Feb 02 15:31:34 nixos rspamd[771]: <912d6c>; task; surbl_test_url: disable surbl dbl.spamhaus.org as it is reported to be offline
Feb 02 15:31:34 nixos rspamd[771]: <912d6c>; task; surbl_test_url: disable surbl sbl.spamhaus.org as it is reported to be offline
Feb 02 15:31:34 nixos rspamd[771]: <912d6c>; task; surbl_test_url: disable surbl multi.surbl.org as it is reported to be offline
Feb 02 15:31:34 nixos rspamd[771]: <912d6c>; task; surbl_test_url: disable surbl uribl.rambler.ru as it is reported to be offline
Feb 02 15:31:34 nixos rspamd[771]: <912d6c>; lua; once_received.lua:71: Skipping once_received for authenticated user or local network
Feb 02 15:31:34 nixos rspamd[771]: <912d6c>; task; surbl_test_url: disable surbl uribl.spameatingmonkey.net as it is reported to be offline
Feb 02 15:31:34 nixos rspamd[771]: <912d6c>; task; surbl_test_url: disable surbl fresh15.spameatingmonkey.net as it is reported to be offline
Feb 02 15:31:34 nixos rspamd[771]: <912d6c>; task; surbl_test_url: disable surbl public.sarbl.org as it is reported to be offline
Feb 02 15:31:34 nixos rspamd[771]: <912d6c>; lua; dmarc.lua:99: skip DMARC checks for local networks and authorized users
Feb 02 15:31:34 nixos rspamd[771]: <912d6c>; task; bayes_classify: skip classification as ham class has not enough learns: 0, 200 required
Feb 02 15:31:34 nixos rspamd[771]: <912d6c>; task; rspamd_task_write_log: id: <1517585494.983509235@nixos>, qid: <723EC160A4D>, ip: ::1, from: <monit@nixos>, (default: F (no action): [0.40/15.00] [MID_RHS_NOT_FQDN(0.50){},MIME_GOOD(-0.10){text/plain;},FROM_EQ_ENVFROM(0.00){},FROM_NO_DN(0.00){},MID_RHS_MATCH_FROM(0.00){},RCPT_COUNT_1(0.00){},RCVD_COUNT_2(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 619, time: 6.999ms real, 4.266ms virtual, dns req: 0, digest: <7d63541863656266f4031eb3a8ebab88>, rcpts: <root@localhost>, mime_rcpt: <root@localhost>
Feb 02 15:31:34 nixos rspamd[771]: <912d6c>; task; rspamd_protocol_http_reply: regexp statistics: 69 pcre regexps scanned, 1 regexps matched, 270 regexps total, 25 regexps cached, 3.37k bytes scanned using pcre, 3.37k bytes scanned total
Feb 02 15:31:34 nixos rmilter[690]: <7a2a9b88db>; spamdscan: finish scanning message on /run/rspamd/rspamd.sock
Feb 02 15:31:34 nixos rmilter[690]: <7a2a9b88db>; spamdscan: scan, time: 0.008, server: /run/rspamd/rspamd.sock, metric: default: [0.400 / 15.000], symbols: RCPT_COUNT_1(0.00)[], MIME_GOOD(-0.10)[text/plain], MID_RHS_NOT_FQDN(0.50)[], MID_RHS_MATCH_FROM(0.00)[], FROM_NO_DN(0.00)[], TO_DN_NONE(0.00)[], TO_MATCH_ENVRCPT_ALL(0.00)[], RCVD_COUNT_2(0.00)[], FROM_EQ_ENVFROM(0.00)[]
Feb 02 15:31:34 nixos rmilter[690]: <7a2a9b88db>; msg done: queue_id: <723EC160A4D>; message id: <1517585494.983509235@nixos>; ip: ::1; from: <monit@nixos>; rcpt: <root@localhost> (1 total); user: unauthorized; spam scan: no spam; virus scan: skipped, no av servers; dkim: not signed, ignored
Feb 02 15:31:34 nixos postfix/qmgr[23152]: 723EC160A4D: from=<monit@nixos>, size=681, nrcpt=1 (queue active)
Feb 02 15:31:34 nixos postfix/smtpd[24067]: disconnect from localhost[::1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Feb 02 15:31:34 nixos postfix/local[24070]: 723EC160A4D: to=<root@localhost>, relay=local, delay=0.06, delays=0.05/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Feb 02 15:31:34 nixos postfix/qmgr[23152]: 723EC160A4D: removed

Using getmail with SNM

I'm trying to setup getmail so that it fetches mail from some POP3 server, let's suppose Gmail, and delivers it to the IMAP mailbox.
But I'm neither having luck using

[destination]
type = MDA_external
path = ${pkgs.dovecot}/libexec/deliver
arguments = ("-e", "-d", "[email protected]")
user = [email protected]
group = virtualMail

nor

[destination]
type = Maildir
path = /var/vmail/example.org/user/
user = [email protected]
group = virtualMail

Does someone have an idea how to configure getmail properly such that mail really gets delivered?
Both above methods don't yield any errors but mail doesn't show up in the INBOX.

Allow possibility to not use a hostPrefix

Testing mailing with mail-tester.com I get the following warning:

Your reverse DNS does not match with your sending domain.
Reverse DNS lookup or reverse DNS resolution (rDNS) is the determination of a domain name that is associated with a given IP address.
Some companies such as AOL will reject any message sent from a server without rDNS, so you must ensure that you have one.
You cannot associate more than one domain name with a single IP address.

This is because my reverse DNS resolves to example.com, but the mail was sent from mail.example.com. Apparently some services like AOL take offence to that and treat mail as spam or bounce it.

Whilst it is neat to have a mail.example.com, it would require having multiple IP addresses to work correctly with mail providers, one for the TLD and one for each subdomain. At least according to mail-tester.com. Please

However, simply using hostPrefix = ""; results in a bunch of errors relating to .example.com not being a valid domain.

The most feasible thing might be to use a lib.optional to make the hostPrefix optional for those who are worried about their reverse DNS.

Thoughts?

unbound requires ipv6

Hi, I upgraded the config and during the switch unbound failed to bind to ::1. I have (had) enableIPv6 = false, setting it to true does work, but maybe it should default to the ipv4 analogous if ipv6 is disabled, or assert ipv6 is enabled and fail loudly if it isn't

Nicolò

Notification when free space is low

Not sure how to tackle this the best, but I bet there are tools / services available that send an email to root@localhost when there is less than X GiB free space. I feel like this would make for a very nice addition to a mail server. Or this is a separate issue and should not be part of this repository. Thoughts?

postfix fails to deliver mail due to wrong policy_service setting

postfix logs "host/service mailstore.example.com/12340 not found: Name or service not known" when delivering mail:

Feb 22 23:17:39 turtle postfix/smtpd[4194]: Anonymous TLS connection established from mx.example.com[123.123.123.123]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 22 23:17:39 turtle postfix/smtpd[4194]: fatal: host/service mailstore.example.com/12340 not found: Name or service not known
Feb 22 23:17:40 turtle postfix/master[4175]: warning: process /nix/store/xz06496qy0yfacj83qv1h750zwjbg965-postfix-3.2.5/libexec/postfix/smtpd pid 4194 exit status 1
Feb 22 23:17:40 turtle postfix/master[4175]: warning: /nix/store/xz06496qy0yfacj83qv1h750zwjbg965-postfix-3.2.5/libexec/postfix/smtpd: bad command startup -- throttling

In addition to the log message postfix is unable to deliver mail.

See #86 (comment) for details.

The offending line instructs postfix to ask the policy server at mailstore.example.com at the given port. Or it would if there was any such server at that address. This would normally allow postfix to query dovecot if the mail may be delivered (due to the quota).

This line should at least read localhost or the fqdn instead of the example URL. I'm no expert with postfix and dovecot but I would suspect one can get this information not just via a network call but perhaps via unix sockets from dovecot.
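The protocol behind that `policy_service` line is Postfix's SMTP access policy delegation protocol: Postfix opens a connection to the configured `check_policy_service inet:host:port` target, sends one `name=value` attribute per line terminated by an empty line, and expects `action=...` plus an empty line back (an unresolvable host name is what makes smtpd die with the "host/service ... not found" error in the log above). The following Python is an added example, not nixos-mailserver or Dovecot code: it parses such a request and answers a quota question from a constructed table that stands in for what Dovecot would report.

```python
"""Minimal responder for the Postfix SMTP access policy delegation protocol.

Postfix sends one "name=value" attribute per line, terminated by an empty line,
and expects a single "action=..." line followed by an empty line in return.
The quota table below is constructed sample data standing in for what Dovecot
would report; a real deployment queries Dovecot instead of a dict.
"""
from typing import Dict, Tuple

# Constructed sample data: recipient -> (bytes used, bytes allowed)
QUOTA_TABLE: Dict[str, Tuple[int, int]] = {
    "alice@example.org": (900_000_000, 1_000_000_000),
    "bob@example.org": (999_999_000, 1_000_000_000),
}


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse one request; stops at the empty line that ends it."""
    attrs: Dict[str, str] = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep == "" or name == "":
            raise ValueError(f"malformed attribute line: {line!r}")
        attrs[name] = value
    if attrs.get("request") != "smtpd_access_policy":
        raise ValueError(f"unsupported request type: {attrs.get('request')!r}")
    return attrs


def quota_decision(attrs: Dict[str, str], quota=QUOTA_TABLE) -> str:
    """Return a Postfix action: DUNNO (no opinion) or a 552 rejection."""
    if attrs.get("protocol_state") != "RCPT":
        return "DUNNO"                      # only judge at RCPT TO, once the recipient is known
    rcpt = attrs.get("recipient", "").lower()
    if rcpt not in quota:
        return "DUNNO"                      # not a local mailbox we know about
    used, limit = quota[rcpt]
    try:
        size = int(attrs.get("size", "0") or "0")   # SIZE from MAIL FROM, 0 if not given
    except ValueError:
        size = 0
    if used + size > limit:
        return "552 5.2.2 Mailbox is over quota"
    return "DUNNO"


def handle_request(raw: str) -> str:
    """Full exchange: request text in, framed reply out."""
    return f"action={quota_decision(parse_policy_request(raw))}\n\n"


# Constructed request, shaped like what Postfix sends at the RCPT stage.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=203.0.113.7\n"
    "sender=carol@example.com\n"
    "recipient=bob@example.org\n"
    "size=5000\n"
    "\n"
)

if __name__ == "__main__":
    print(handle_request(SAMPLE_REQUEST), end="")
```

Because the decision is only made at the RCPT stage and falls back to DUNNO for anything it does not recognise, a misconfigured or partially reachable policy service fails open at the protocol level; Postfix itself decides what happens when the service cannot be reached at all.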

[advice] Radicale config

This is more like an issue to help people who want to have their own CalDAV server and already have nixos-mailserver running. I have configured a Radicale server to use the same users as nixos-mailserver:

{ config, pkgs, lib, ... }:

with lib;

let
  mailAccounts = config.mailserver.loginAccounts;
  htpasswd = pkgs.writeText "radicale.users" (concatStrings
    (flip mapAttrsToList mailAccounts (mail: user:
      mail + ":" + user.hashedPassword + "\n"
    ))
  );

in {
  services.radicale = {
    enable = true;
    config = ''
      [auth]
      type = htpasswd
      htpasswd_filename = ${htpasswd}
      htpasswd_encryption = crypt
    '';
  };

  services.nginx = {
    enable = true;
    virtualHosts = {
      "cal.example.com" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:5232/";
          extraConfig = ''
            proxy_set_header  X-Script-Name /;
            proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass_header Authorization;
          '';
        };
      };
    };
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];
}

Expose rspamd's web interface

This depends on https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/mail/rspamd.nix getting an option for setting the controller password. Since neither rspamd.nix offers such an option nor a way to add extraConfig a change to that nix file has to be made.
Once this is done the web interface can be exposed which allows for more insight into what rspamd is doing.
It seems to be common practice to hide it behind a nginx proxy. An nginx server is required for easy let's encrypt certificates anyway, so I'd follow this practice.

v2.1 Release

I've added a release candidate for v2.1 six weeks ago, and there are no open bugs that I'm aware of right now that would prevent releasing this as stable. If you have any concerns, let me know, otherwise I'll prepare a release this weekend.

ACME certificate location

At least on NixOS 17.09, it appears the certs are in /var/lib/acme/${host} and not /var/lib/acme/acme-challenge/${host} and the private key is called key.pem and not privkey.pem

diff --git a/mail-server/common.nix b/mail-server/common.nix
index 0d15ce7..63fa3d7 100644
--- a/mail-server/common.nix
+++ b/mail-server/common.nix
@@ -26,7 +26,7 @@ in
              else if cfg.certificateScheme == 2
                   then "${cfg.certificateDirectory}/cert-${cfg.domain}.pem"
                   else if cfg.certificateScheme == 3
-                       then "/var/lib/acme/acme-challenge/${cfg.hostPrefix}.${cfg.domain}/fullchain.pem"
+                       then "/var/lib/acme/${cfg.hostPrefix}.${cfg.domain}/fullchain.pem"
                        else throw "Error: Certificate Scheme must be in { 1, 2, 3 }";
 
   # key :: PATH
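Review bot: the directory layout this hunk hardcodes (/var/lib/acme/${cfg.hostPrefix}.${cfg.domain}/fullchain.pem) is release-dependent according to the issue text ("At least on NixOS 17.09"), so the change should state the minimum NixOS release it requires, either in the description of the certificateScheme option or in the README, rather than silently breaking users on older releases where the old acme-challenge path was valid. The same "/var/lib/acme/${cfg.hostPrefix}.${cfg.domain}" prefix is also spelled out again for the key path; binding it once, e.g. `acmeDir = "/var/lib/acme/${cfg.hostPrefix}.${cfg.domain}";`, would keep the certificate and key locations from drifting apart in future edits.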
@@ -35,6 +35,6 @@ in
         else if cfg.certificateScheme == 2
              then "${cfg.certificateDirectory}/key-${cfg.domain}.pem"
               else if cfg.certificateScheme == 3
-                   then "/var/lib/acme/acme-challenge/${cfg.hostPrefix}.${cfg.domain}/privkey.pem"
+                   then "/var/lib/acme/${cfg.hostPrefix}.${cfg.domain}/key.pem"
                    else throw "Error: Certificate Scheme must be in { 1, 2, 3 }";
 }
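Review bot: this hunk renames the private-key file from privkey.pem to key.pem at the same time as it moves the directory, and the two changes are easy to confuse if only one of them applies on a given NixOS release; a comment on the `then "/var/lib/acme/${cfg.hostPrefix}.${cfg.domain}/key.pem"` line naming the release whose ACME module produces this layout would make the assumption explicit. The path alone is also not enough for dovecot and postfix to use the key: whatever ownership or group membership the ACME module gives that file must let those services read it, so that requirement belongs in the same change or its documentation.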

Upstream from my fork

I have created a mail setup for myself that started as a fork of this project but has diverged a great deal since then.

Some of the things I have implemented are:

  • Switched away from rmilter like #25 suggests
  • Awstats site for mail generated hourly like #35 suggests
  • Training of rspamd using imap_sieve. So moving to Junk trains as spam. Moving out of Junk trains ham
  • Uses OpenDKIM and pypolicyd-spf for DKIM signing and SPF checking
  • I am working on OpenDMARC support

And now I was wondering if you are interested in these changes?

They come with some caveats and issues.

Rspamd

A newer version of rspamd is needed to get rid of rmilter which is only in unstable so I override it in my config.

I needed more control over the rspamd service configuration so I have forked that into a rspamd2 module that should probably be upstreamed to nixpkgs. It supports socket activation and has much more control over worker configuration.

Awstats

  • Awstats package does not include tools dir so I had to override the package
  • The Awstats service in NixOS is geared towards apache stats so I made my own module that generates mail stats and a static site for it. That module doesn't have any security so everyone on the internet can see it. And it only works for one domain.

OpenDMARC

OpenDMARC is not in nixpkgs so I made my own package for it which should probably be upstreamed to nixpkgs.

For OpenDMARC to work it needs a mysql database. I tried to incorporate an sqlite patch someone had done but it was old and outdated.

Failing to log into IMAP

Just installed this module and found that I had to invoke

sudo passwd [email protected]

to allow "user1" to actually log in via IMAP. Shouldn't this be covered by the nix files already?

The error message (as given from dovecot to the IMAP client):

t NO [AUTHENTICATIONFAILED] Authentication failed.

I tested this with

openssl s_client -host mail.example.com -port 143 -starttls imap

Showing up in the logs was this (after I set various logging options in dovecot) (faithful reproduction):

-- Logs begin at Fri 2017-08-11 19:29:05 UTC, end at Tue 2017-09-12 19:47:46 UTC. --
Sep 12 19:00:47 mail.example.com dovecot[2574]: auth: Debug: client in: AUTH        1        PLAIN        service=imap        secured        session=34c4qQJZDPq8wGJm        lip=111.111.111.111        rip=222.222.222.222        lport=143        rport=64012        resp=<hidden>
Sep 12 19:00:47 mail.example.com dovecot[2574]: auth-worker(2587): Debug: pam([email protected],222.222.222.222,<34c4qQJZDPq8wGJm>): lookup service=dovecot2
Sep 12 19:00:47 mail.example.com dovecot[2574]: auth-worker(2587): Debug: pam([email protected],222.222.222.222,<34c4qQJZDPq8wGJm>): #1/1 style=1 msg=Password:
Sep 12 19:00:47 mail.example.com auth[2587]: pam_unix(dovecot2:auth): check pass; user unknown
Sep 12 19:00:47 mail.example.com auth[2587]: pam_unix(dovecot2:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot [email protected] rhost=222.222.222.222
Sep 12 19:00:49 mail.example.com dovecot[2574]: auth-worker(2587): pam([email protected],222.222.222.222,<34c4qQJZDPq8wGJm>): pam_authenticate() failed: Authentication failure (password mismatch?)
Sep 12 19:00:51 mail.example.com dovecot[2574]: auth: Debug: client passdb out: FAIL        1        [email protected]

A faithful reproduction of my config:

{ config, pkgs, ... }:

{
  imports =
    [ # Include the results of the hardware scan.
      ./own/users.nix
      ./own/services/ssh.nix
      ./nixos-mailserver/default.nix
    ];

  config.mailserver = {
    enable = true;
    domain = "example.com";
    hostPrefix = "mail";
    loginAccounts = {
      user1 = {
        hashedPassword = "$6$B6f7I1Y2/$oKY9IMcwpICYLds7H6.PMqxDQsq0.Dz.eUZNzohQFyTVLDwUz1SBeEj0bd4oDgQuxdgQT.BhV5yYILfGUTCsl.";
      };
    };
    virtualAliases = {
      info = "user1";
      postmaster = "user1";
      abuse = "user1";
    };
  };
}

Version or hash pinning instructions

It would be nice to have the ability to include it in the system configuration using hash or at least revision pinning (like every other nix package).

I tried several ways (mkDerivation, fetchFromGithub, stage1 nixpkgs) but always ran into issues, mostly infinite recursion.

At the moment, I'm just using a git checkout in /etc/nixos, which is alright but not ideal IMO.

How to disable insecure IMAP access

Is there a way to disallow users' non-SSL/TLS connections to the IMAP server?
I mean, how to allow only STARTTLS on port 143.
Or I would like to disable port 143 altogether.

Redundancy

I'm a bit of a mail server newbie, what is the process to set up a redundant configuration with another server? Or should I just rely on monitoring and retries from the sending host? Should this be something that can be integrated or made in another repo?

switching to the new configuration removes user then tries to chown with that user

I pulled the new master but when invoking nixos-rebuild switch I got the following error:

updating GRUB 2 menu...
stopping the following units: dovecot2.service, postfix.service
activating the configuration...
removing user ‘[email protected]’
setting up /etc...
removing obsolete symlink ‘/etc/pam.d/dovecot2’...
setting up tmpfiles
reloading the following units: dbus.service
starting the following units: dovecot2.service, postfix.service
warning: the following units failed: activate-virtual-mail-users.service

● activate-virtual-mail-users.service
   Loaded: loaded (/nix/store/aap7y02gl2cm1f4pk5jmlbmi7q9rm25a-unit-activate-virtual-mail-users.service/activate-virtual-mail-users.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2018-02-22 21:42:19 UTC; 2s ago
  Process: 22846 ExecStart=/nix/store/3wrhfxrqnyi554j43pdbv9mqm22axqr1-activate-virtual-mail-users (code=exited, status=1/FAILURE)
 Main PID: 22846 (code=exited, status=1/FAILURE)

Feb 22 21:42:18 turtle systemd[1]: Started activate-virtual-mail-users.service.
Feb 22 21:42:19 turtle 3wrhfxrqnyi554j43pdbv9mqm22axqr1-activate-virtual-mail-users[22846]: chown: invalid user: ‘[email protected]:virtualMail’
Feb 22 21:42:19 turtle systemd[1]: activate-virtual-mail-users.service: Main process exited, code=exited, status=1/FAILURE
Feb 22 21:42:19 turtle systemd[1]: activate-virtual-mail-users.service: Unit entered failed state.
Feb 22 21:42:19 turtle systemd[1]: activate-virtual-mail-users.service: Failed with result 'exit-code'.
warning: error(s) occurred while switching to the new configuration

Why does my user [email protected] get removed in the first place?

Any way to forward to non-local addresses?

I'm very much liking this batteries-included approach to mail service: thank you for writing and maintaining it.

I had a look at the docs and I skimmed the code though I can't claim I understand it well. Is there any way to create an alias that forwards email to a remote address? For example, suppose SNM is serving my vanity domain bad.example.com and I want mail for [email protected] to be sent onto [email protected].

I thought I could use extraVirtualAliases for this but it checks the recipient is a valid login account. Which confuses me slightly because what does this do that adding an entry to loginAccounts._name_.aliases doesn't?

Postfix won't send mail because of invalid SMTP banner

postfix complains about it in the logs when you try to connect on TCP port 587:

Sep 12 20:32:53 mail.example.com postfix/smtpd[4855]: fatal: open dictionary: expecting "type:name" form instead of "smtpd_tls_auth_only"

In fact, this keeps postfix from replying with its banner, thus preventing any client to send mail.

This goes away when correctly indenting the extra config. The "# Extra Config" part is indented differently than the rest. This keeps nixos from stripping the whitespace correctly thus the resulting postfix config is indented which postfix does not like.

Support architectures else than x86_64

I am setting up a mail server on an i686 machine and I have the following problem:

error: Package ‘colm-0.13.0.5’ in /nix/store/vyq2psym0rrjnfqpj4cribp2wka7s05x-nixos-17.09.2873.4c3c0e824aa/nixos/pkgs/development/compilers/colm/default.nix:22 is not supported on ‘i686-linux’, refusing to evaluate.

vmail.group defined multiple times

I get:
error: The unique option `users.users.vmail.group' is defined multiple times, in `/nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs/nixos/modules/config/users-groups.nix' and `/nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs/nixos/modules/config/users-groups.nix'.
(use ‘--show-trace’ to show detailed location information)

Opening port 80 when using certificateScheme=3

I set up a nixos-mailserver with automatic LE certificates. But when I ran nixos-rebuild, the acme-example.org service failed, because Let's Encrypt wasn't able to connect to my server (timeout).
When I set

networking.firewall.allowedTCPPorts = [ 80 ];

it works like a charm.

First of all, it took some time to figure this out. Therefore, I think we should automatically open port 80 when using certificateScheme = 3.
Second, I don't know if that's possible but it would be nice if the port was only kept open during the certification process, supposed one doesn't open it manually via networking.firewall.

Turn off Spam reject by postfix?

I'd like postfix to not reject spam messages for if they are classified as spam wrongly I will be unable to see them. I believe it'd be better if they are accepted by postfix only to then be classified as spam by rspamd and put into the Junk folder for later review.

I ran into this behaviour while running fetchmail which every once in a while said this:

fetchmail: SMTP error: 554 5.7.1 Spam message rejected; If this is not spam contact abuse
fetchmail: mail from [email protected] bounced to [email protected]
fetchmail: SMTP listener refused delivery

Thoughts?

rmilter.socket: Socket service rmilter.service already active, refusing

When building a new deployment target, sometimes the build fails with the following journalctl log

Sep 13 07:19:49 mail.example.com systemd[1]: rmilter.socket: Socket service rmilter.service already active, refusing.
Sep 13 07:19:49 mail.example.com systemd[1]: Failed to listen on Rmilter service socket.
Sep 13 07:19:49 mail.example.com systemd[1]: Started Extra networking commands..
Sep 13 07:19:49 mail.example.com systemd[1]: Started Rmilter Service.
Sep 13 07:19:49 mail.example.com rmilter[1522]: rmilter is configured to work with legacy memcached cache, please con
Sep 13 07:19:50 mail.example.com rmilter[1522]: maxsize is not set, no limits on size of scanned mail
Sep 13 07:19:50 mail.example.com rmilter[1522]: rmilter: Unable to set close-on-exec: Bad file descriptor
Sep 13 07:19:50 mail.example.com rmilter[1522]: rmilter: Unable to create listening socket on conn fd:3
Sep 13 07:19:50 mail.example.com rmilter[1522]: Unable to open listening socket
Sep 13 07:19:50 mail.example.com systemd[1]: rmilter.service: Main process exited, code=exited, status=69/n/a
Sep 13 07:19:50 mail.example.com systemd[1]: rmilter.service: Unit entered failed state.
Sep 13 07:19:50 mail.example.com systemd[1]: rmilter.service: Failed with result 'exit-code'.

User defined sieve scripts

This is on the list of future plans in the readme and it's something I want so I'll write about what I've tried. There are several ways to do this but I don't know what's best for this repo.

We need to put a file called ~/.dovecot.sieve in the user's home directory. We can do this:

  1. Declaratively using home-manager. This would require creating a home directory for each user and probably setting their shell. At the moment we're doing this:
    isNormalUser = false;
    so in /etc/passwd each user's home directory is set to /var/empty and shell is nologin.

A problem with this approach is that home-manager chokes on this line when the username contains the @ character: https://github.com/rycee/home-manager/blob/1e0862eab5825f64aa724de57e20e8022af7f29f/nixos/default.nix#L41

This can be worked around by changing the first argument to writeScript to just activate, but then systemd will choke when the generated activation unit references a user with an @ character in their name:

Note that restrictions on the user/group name syntax are enforced: the specified name must consist only of the characters a-z, A-Z, 0-9, "_" and "-", except for the first character which must be one of a-z, A-Z or "_" (i.e. numbers and "-" are not permitted as first character). The user/group name must have at least one character, and at most 31. These restrictions are enforced in order to avoid ambiguities and to ensure user/group names and unit files remain portable among Linux systems.
https://www.freedesktop.org/software/systemd/man/systemd.exec.html

So if we were going to do that, we wouldn't be able to have users like user@domain, we'd have to change it to some other symbol that systemd accepts and figure out how to get dovecot to deliver to that name.

  2. Declaratively using a bunch of activation scripts, and making our own per-domain passwd and shadow files. I've done this here: https://github.com/eqyiel/deployments/blob/477c1706d2710662aa2849be8139b8069b899973/realms/tsumugi.rkm.id.au/mail-server.nix#L291-L317

This way, the virtual users don't need to have system accounts and their home directory according to dovecot can just be ${mailDirectory}/domain/user (where their mail currently sits).

  3. Imperatively, using the manage-sieve protocol. This would still require either setting a real (/etc/passwd) or virtual (${mailDirectory}/domain/passwd, as described above) home directory for each user. This requires opening port 4190 (dovecot is already serving it in the current configuration).

I'm leaning towards the second option but it would be good to get some feedback!

Thunderbird complains about username / password

I wanted to test this but Thunderbird just keeps complaining:

"Configuration could not be verified - is the username or password wrong?"

I tried to use the full email as username and also just the left-hand side of the @. Also I tried a long password and a short simple one. I just couldn't login

IMAP Port 143, STARTTLS, Normal Password
SMTP Port 587, STARTTLS, Normal Password

Optional Greylisting for some email addresses

Enabling greylisting for mail addresses that do get SPAM mails would drastically reduce the number of SPAM mails received on that address since spammers usually do not try to resend mail that could not be delivered. This is in contrast to legitimate mail providers who do try to resend mail.

Greylisting works by pretending (for a while) to be unable to receive email. If a sender then retries in a specified interval to send mail again, the recipient will continue to reject that mail for a while longer. If no further attempt to redeliver it has been made within a short period of time, the recipient will resume its regular course of action and accept mails from that provider normally again.

This is especially useful for people who use one mail address per account registered so they can see where their SPAM mails are coming from. They then could turn greylisting on for those addresses that started to receive SPAM mails.
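The mechanism described above, written out as an added Python example (not code from nixos-mailserver or from any greylisting daemon): it keys on the usual (client IP, envelope sender, envelope recipient) triplet, temporarily rejects the first attempt, accepts a retry that arrives after a minimum delay but within a retry window, then whitelists the triplet for a while, and applies all of this only to recipients that opted in, which is the per-address switch the post asks for. Timings, addresses and the scenario are constructed; the action strings follow the Postfix policy convention (DUNNO for "no opinion").

```python
"""Greylisting decision logic with per-recipient opt-in (constructed example).

Triplet = (client IP, envelope sender, envelope recipient). A new triplet is
temporarily rejected; a retry after min_delay but within retry_window passes
and the triplet is then whitelisted for whitelist_ttl seconds.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Triplet = Tuple[str, str, str]

TEMPFAIL = "DEFER_IF_PERMIT 450 4.2.0 Greylisted, please retry later"
ACCEPT = "DUNNO"   # Postfix policy action: no opinion, let other restrictions decide


@dataclass
class Greylister:
    min_delay: int = 300              # seconds a sender must wait before a retry is accepted
    retry_window: int = 4 * 3600      # a retry later than this restarts greylisting
    whitelist_ttl: int = 36 * 24 * 3600
    # Only recipients listed here are greylisted; everyone else is accepted as usual
    # (the per-address opt-in the post proposes).
    enabled_recipients: Set[str] = field(default_factory=set)
    first_seen: Dict[Triplet, int] = field(default_factory=dict)
    passed_until: Dict[Triplet, int] = field(default_factory=dict)

    def decide(self, client_ip: str, sender: str, recipient: str, now: int) -> str:
        recipient = recipient.lower()
        if recipient not in self.enabled_recipients:
            return ACCEPT
        key = (client_ip, sender.lower(), recipient)
        until = self.passed_until.get(key)
        if until is not None and now < until:
            return ACCEPT                      # known-good triplet, still whitelisted
        seen = self.first_seen.get(key)
        if seen is None or now - seen > self.retry_window:
            self.first_seen[key] = now         # first attempt (or a stale one): start over
            return TEMPFAIL
        if now - seen < self.min_delay:
            return TEMPFAIL                    # retried too quickly, keep rejecting
        del self.first_seen[key]               # proper retry: accept and remember
        self.passed_until[key] = now + self.whitelist_ttl
        return ACCEPT


def run_scenario() -> Dict[str, str]:
    """Constructed scenario: a spam source that never retries versus a real MTA."""
    g = Greylister(enabled_recipients={"shop-signup@example.org"})
    results = {}
    # Spam source: one attempt, never comes back -> the mail is never delivered.
    results["spam_first"] = g.decide("203.0.113.9", "x@spam.invalid", "shop-signup@example.org", 0)
    # Legitimate MTA: first attempt deferred, retry 10 minutes later accepted.
    results["mta_first"] = g.decide("198.51.100.4", "friend@example.net", "shop-signup@example.org", 0)
    results["mta_retry"] = g.decide("198.51.100.4", "friend@example.net", "shop-signup@example.org", 600)
    # A later message from the same triplet within the whitelist TTL passes immediately.
    results["mta_next"] = g.decide("198.51.100.4", "friend@example.net", "shop-signup@example.org", 3600)
    # Address without greylisting enabled: accepted on the first attempt.
    results["other_rcpt"] = g.decide("203.0.113.9", "x@spam.invalid", "me@example.org", 0)
    return results


if __name__ == "__main__":
    for name, action in run_scenario().items():
        print(f"{name:12s} {action}")
```

The trade-off the post hints at is visible in the scenario: every first contact from a new triplet is delayed by at least min_delay, which is why enabling it only for addresses that already attract spam, rather than for the whole domain, keeps the cost contained.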

Postfix has wrong hostname

After setting up a mailserver (tag v2.0.1) and setting my FQDN in mailserver.fqdn, which is $hostname.$domain for me, Postfix was sending mails from $hostname.localdomain. Also configuring services.postfix.hostname = "$hostname.$domain"; solved this issue for me.
However, I think that this extra line of configuration shouldn't be necessary and should be done by this mailserver.

Thanks for all the good work!

Postfix won't send mail: 553 5.7.1 <[email protected]>: Sender address rejected: not owned by user [email protected]

Tested with:

swaks --to [email protected] --from [email protected] --server mail.example.com:587 --tls -a --protect-prompt -au [email protected]

All I get is 553 5.7.1 <[email protected]>: Sender address rejected: not owned by user [email protected] by postfix. Here's a faithful reproduction of the logs:

-- Logs begin at Fri 2017-08-11 19:29:05 UTC, end at Thu 2017-09-14 07:52:37 UTC. --
Sep 14 07:47:48 mail.example.com dovecot[961]: auth: Debug: client in: AUTH        1        LOGIN        service=smtp        nologin        lip=111.111.111.111        rip=222.222.222.222        secured
Sep 14 07:47:48 mail.example.com dovecot[961]: auth: Debug: client passdb out: CONT        1        VXNlcm5hbWU6
Sep 14 07:47:48 mail.example.com dovecot[961]: auth: Debug: client in: CONT<hidden>
Sep 14 07:47:48 mail.example.com dovecot[961]: auth: Debug: client passdb out: CONT        1        UGFzc3dvcmQ6
Sep 14 07:47:48 mail.example.com dovecot[961]: auth: Debug: client in: CONT<hidden>
Sep 14 07:47:48 mail.example.com dovecot[961]: auth-worker(7520): Debug: Loading modules from directory: /etc/dovecot/modules/auth
Sep 14 07:47:48 mail.example.com dovecot[961]: auth-worker(7520): Debug: pam([email protected],222.222.222.222): lookup service=dovecot2
Sep 14 07:47:48 mail.example.com dovecot[961]: auth-worker(7520): Debug: pam([email protected],222.222.222.222): #1/1 style=1 msg=Password:
Sep 14 07:47:48 mail.example.com dovecot[961]: auth: Debug: client passdb out: OK        1        [email protected]
Sep 14 07:47:48 mail.example.com rmilter[665]: <3274bcd880>; mlfi_envfrom: client is authenticated as: [email protected]
Sep 14 07:47:48 mail.example.com rmilter[665]: <3274bcd880>; cannot add signature for domain example.com: not found
Sep 14 07:47:48 mail.example.com postfix/smtpd[7516]: NOQUEUE: reject: RCPT from hostname-given-by-isp[222.222.222.222]: 553 5.7.1 <[email protected]>: Sender address rejected: not owned by user [email protected]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<client-helo-name>
Sep 14 07:47:48 mail.example.com postfix/smtpd[7516]: disconnect from hostname-given-by-isp[222.222.222.222] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 quit=1 commands=6/7

A quick google search revealed that this line was missing in the config:

virtual_mailbox_maps = hash:/etc/postfix/vaccounts

it's being set to the same value as this option:

smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts";

However, the issue is not resolved by this. What am I missing?

Error when using variables in sieve script

Hi there,

the configuration fails to build when using variables in sieve scripts.

This is the configuration I use:
loginAccounts = {
  "[email protected]" = {
    hashedPassword = "password";
    catchAll = [ "example.com" ];
    sieveScript = ''
      require ["fileinto", "variables", "mailbox"];
      if address :matches ["To", "Cc"] ["*.example.com"] {
        fileinto :create "catcher.''${2}";
      }
    '';
  };
};

This leads to the following "activate-virtual-mail-user" script:

...
cat << EOF > "/var/sieve/[email protected]"
require ["fileinto", "variables", "mailbox"];
if address :matches ["To", "Cc"] "*.m1k3y.de" {
  fileinto :create "${1}";
  stop;
}

EOF

which ends in an error "activate-virtual-mail-users: line 21: 1: unbound variable"

As far as I can see the problem here is the resulting ${1} in the script, that gets interpreted instead of
being printed.
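
How a generator avoids this, as an added example that is not nixos-mailserver's own script: the failing construct is an unquoted heredoc (cat << EOF), inside which the shell expands ${1}; quoting the delimiter (cat << 'EOF') switches expansion off for the whole body. The Sieve text is a constructed copy of the one in the issue, and the script is run through sh under set -u to reproduce the "unbound variable" failure and show that the quoted form writes the file byte for byte:

```python
"""Quoted vs unquoted heredoc when writing a Sieve script from a shell
generator (added example; not nixos-mailserver code)."""
import os
import shlex
import subprocess
import tempfile

# Constructed Sieve script using the variables extension, as in the issue.
SIEVE = """\
require ["fileinto", "variables", "mailbox"];
if address :matches ["To", "Cc"] "*.example.com" {
  fileinto :create "catcher.${1}";
  stop;
}
"""


def heredoc(path, body, quoted=True):
    """Return shell text that writes body to path through a heredoc."""
    if not body.endswith("\n"):
        body += "\n"
    delim = "SIEVE_EOF"
    while delim in body.splitlines():      # a body line must never end the heredoc early
        delim += "_"
    # Single quotes around the delimiter are what disable parameter expansion;
    # shlex.quote would drop them for a "safe" word, so they are written explicitly.
    opener = "'%s'" % delim if quoted else delim
    return "cat << %s > %s\n%s%s\n" % (opener, shlex.quote(path), body, delim)


def render_script(path, body, quoted=True):
    """Strict shell preamble like the activation script, then the heredoc."""
    return "set -eu\n" + heredoc(path, body, quoted)


def run_script(body, quoted):
    """Execute the rendered script with sh into a temp dir.
    Returns (exit_status, file_content_or_None, stderr)."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "[email protected]")
        proc = subprocess.run(["sh", "-c", render_script(target, body, quoted)],
                              capture_output=True, text=True)
        content = None
        if os.path.exists(target):
            with open(target) as fh:
                content = fh.read()
        return proc.returncode, content, proc.stderr.strip()
```

The unquoted run aborts with the shell complaining about parameter 1 (the message wording differs between dash and bash); the quoted run exits 0 and the file contains the literal ${1} that Sieve's variables extension expects.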

rspamd fails to resolve domains

On my server rspamd fills up the log with lines like these roughly once per minute:

Jan 03 18:10:00 nixos rspamd[800]: <cd3m9g>; monitored; rspamd_monitored_dns_mon: cannot make request to resolve 1.0.0.127.zen.spamhaus.org
Jan 03 18:10:02 nixos rspamd[800]: <cd3m9g>; monitored; rspamd_monitored_dns_mon: cannot make request to resolve 1.0.0.127.zen.spamhaus.org
Jan 03 18:10:04 nixos rspamd[800]: <zp979p>; monitored; rspamd_monitored_dns_mon: cannot make request to resolve 1.0.0.127.bl.ipv6.spameatingmonkey.net
Jan 03 18:10:05 nixos rspamd[800]: <o7e1zp>; monitored; rspamd_monitored_dns_mon: cannot make request to resolve 1.0.0.127.list.dnswl.org
Jan 03 18:10:10 nixos rspamd[800]: <thbugu>; monitored; rspamd_monitored_dns_mon: cannot make request to resolve facebook.uribl.rambler.ru

I've only found rspamd/rspamd#1553 mentioning this and it suggests a config error.
Is anyone else getting these log messages?
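
What those log lines are about, as an added example that is not rspamd code: 1.0.0.127.zen.spamhaus.org is just 127.0.0.1 reversed under the list's zone. rspamd's "monitored" code resolves that sentinel on a timer because RFC 5782 requires a blocklist never to list 127.0.0.1 (and always to list 127.0.0.2), so a sane list answers NXDOMAIN for it; "cannot make request to resolve" means no answer came back at all, which points at the resolver rather than at the list. The Resolver class is a constructed in-memory table so the example runs offline:

```python
"""DNSBL name construction and an rspamd-style health probe (added example;
not rspamd code). Resolver is a constructed stand-in for real DNS."""
import ipaddress


def dnsbl_name(ip, zone):
    """Reverse the address under the zone: dotted octets for IPv4,
    reversed nibbles for IPv6 (e.g. bl.ipv6.spameatingmonkey.net)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


class Resolver:
    """table maps names to A records; a missing name is NXDOMAIN;
    dead=True simulates a nameserver that never answers."""

    def __init__(self, table, dead=False):
        self.table = table
        self.dead = dead

    def query_a(self, name):
        if self.dead:
            raise TimeoutError("cannot make request to resolve %s" % name)
        return self.table.get(name, [])


def check_listed(resolver, ip, zone):
    """Return the list's 127.x.y.z answers for ip (empty set = not listed),
    or None when the resolver produced no answer at all."""
    try:
        answers = resolver.query_a(dnsbl_name(ip, zone))
    except TimeoutError:
        return None
    return {a for a in answers if a.startswith("127.")}


def monitor_zone(resolver, zone, sentinel="127.0.0.1"):
    """Health probe: the never-listed sentinel must come back NXDOMAIN.
    'resolver-error' is the situation logged above; 'list-broken' catches a
    list that answers every name, e.g. with an error code like 127.255.255.x
    when it refuses queries from your resolver."""
    result = check_listed(resolver, sentinel, zone)
    if result is None:
        return "resolver-error"
    if result:
        return "list-broken"
    return "ok"
```

Running the same probe from the mail host with the resolver it actually uses (the one in /etc/resolv.conf, which on NixOS comes from networking.nameservers or DHCP) separates "my resolver is unreachable" from "the list is refusing me" before touching the rspamd configuration.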

dovecot not building on latest unstable

nix-info:

  • system: "x86_64-linux"
  • host os: Linux 4.9.76, NixOS, 18.03pre125130.3a763b91963 (Impala)
  • multi-user?: yes
  • sandbox: yes
  • version: nix-env (Nix) 1.11.16
  • channels(gitlab-runner): "nixpkgs-18.03pre117013.aebdc892d6"
  • channels(nixo): ""
  • channels(root): "nixos-18.03pre126729.2e4aded3669"
  • nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs

sudo nixos-rebuild switch --upgrade

Install prefix . : /nix/store/74vz1k4m7zkrb91iba5418hhy4s3mx8w-dovecot-pigeonhole-0.4.21
script drivers . : file dict
                 : -ldap
building
build flags: -j1 -l1 SHELL=/nix/store/i0ay05pqkbnvpfijm52mmlrp6kmkl80c-bash-4.4-p12/bin/bash
make  all-recursive
make[1]: Entering directory '/tmp/nix-build-dovecot-pigeonhole-0.4.21.drv-0/dovecot-2.2-pigeonhole-0.4.21'
Making all in .
make[2]: Entering directory '/tmp/nix-build-dovecot-pigeonhole-0.4.21.drv-0/dovecot-2.2-pigeonhole-0.4.21'
/nix/store/i0ay05pqkbnvpfijm52mmlrp6kmkl80c-bash-4.4-p12/bin/bash ./update-version.sh . .
make[2]: Leaving directory '/tmp/nix-build-dovecot-pigeonhole-0.4.21.drv-0/dovecot-2.2-pigeonhole-0.4.21'
Making all in src
make[2]: Entering directory '/tmp/nix-build-dovecot-pigeonhole-0.4.21.drv-0/dovecot-2.2-pigeonhole-0.4.21/src'
Making all in lib-sieve
make[3]: Entering directory '/tmp/nix-build-dovecot-pigeonhole-0.4.21.drv-0/dovecot-2.2-pigeonhole-0.4.21/src/lib-sieve'
Making all in util
make[4]: Entering directory '/tmp/nix-build-dovecot-pigeonhole-0.4.21.drv-0/dovecot-2.2-pigeonhole-0.4.21/src/lib-sieve/util'
/nix/store/i0ay05pqkbnvpfijm52mmlrp6kmkl80c-bash-4.4-p12/bin/bash ../../../libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I../../..  -I/nix/store/nc8ml8r56lyvpfyncnmifd3gyw
vecot-2.3.0/include/dovecot   -DMODULEDIR=\""/nix/store/74vz1k4m7zkrb91iba5418hhy4s3mx8w-dovecot-pigeonhole-0.4.21/lib/dovecot"\"   -std=gnu99 -g -O2 -fstack-protector-strong -U_FORTIFY
D_FORTIFY_SOURCE=2 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2 -I/nix
6jirs629q5csg2dxkkb4ibiahgx8ri-openssl-1.0.2n-dev/include  -I../../.. -c -o edit-mail.lo edit-mail.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I../../.. -I/nix/store/nc8ml8r56lyvpfyncnmifd3gywciwx9k-dovecot-2.3.0/include/dovecot -DMODULEDIR=\"/nix/store/74vz1k4m7zkrb91iba5418hhy4s3mx
t-pigeonhole-0.4.21/lib/dovecot\" -std=gnu99 -g -O2 -fstack-protector-strong -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -
scripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2 -I/nix/store/pj6jirs629q5csg2dxkkb4ibiahgx8ri-openssl-1.0.2n-dev/include -I../../.. -c edit-mail.c  -fPI
o .libs/edit-mail.o
edit-mail.c: In function 'edit_mail_wrap':
edit-mail.c:235:14: error: too few arguments to function 'mailbox_transaction_begin'
  raw_trans = mailbox_transaction_begin(raw_box, 0);
              ^~~~~~~~~~~~~~~~~~~~~~~~~
In file included from /nix/store/nc8ml8r56lyvpfyncnmifd3gywciwx9k-dovecot-2.3.0/include/dovecot/mail-storage-private.h:7:0,
                 from edit-mail.c:16:
/nix/store/nc8ml8r56lyvpfyncnmifd3gywciwx9k-dovecot-2.3.0/include/dovecot/mail-storage.h:652:1: note: declared here
 mailbox_transaction_begin(struct mailbox *box,
 ^~~~~~~~~~~~~~~~~~~~~~~~~
edit-mail.c: In function 'edit_mail_set_cache_corrupted':
edit-mail.c:1662:2: error: too few arguments to function 'edmail->wrapped->v.set_cache_corrupted'
  edmail->wrapped->v.set_cache_corrupted(&edmail->wrapped->mail, field);
  ^~~~~~
edit-mail.c: In function 'edit_mail_set_cache_corrupted_reason':
edit-mail.c:1671:20: error: 'struct mail_vfuncs' has no member named 'set_cache_corrupted_reason'; did you mean 'set_cache_corrupted'?
  edmail->wrapped->v.set_cache_corrupted_reason
                    ^
edit-mail.c: At top level:
edit-mail.c:1701:2: warning: initialization from incompatible pointer type [-Wincompatible-pointer-types]
  edit_mail_get_real_mail,
  ^~~~~~~~~~~~~~~~~~~~~~~
edit-mail.c:1701:2: note: (near initialization for 'edit_mail_vfuncs.get_backend_mail')
edit-mail.c:1708:2: warning: initialization from incompatible pointer type [-Wincompatible-pointer-types]
  edit_mail_set_cache_corrupted,
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
edit-mail.c:1708:2: note: (near initialization for 'edit_mail_vfuncs.set_cache_corrupted')
edit-mail.c:1710:2: warning: excess elements in struct initializer
  edit_mail_set_cache_corrupted_reason
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
edit-mail.c:1710:2: note: (near initialization for 'edit_mail_vfuncs')
edit-mail.c: In function 'edit_mail_istream_create':
edit-mail.c:2156:9: error: too few arguments to function 'i_stream_create'
  return i_stream_create(&edstream->istream, wrapped, -1);
         ^~~~~~~~~~~~~~~
In file included from edit-mail.c:9:0:
/nix/store/nc8ml8r56lyvpfyncnmifd3gywciwx9k-dovecot-2.3.0/include/dovecot/istream-private.h:77:1: note: declared here
 i_stream_create(struct istream_private *stream, struct istream *parent, int fd,
 ^~~~~~~~~~~~~~~
edit-mail.c:2157:1: warning: control reaches end of non-void function [-Wreturn-type]
 }
 ^
make[4]: *** [Makefile:482: edit-mail.lo] Error 1
make[4]: Leaving directory '/tmp/nix-build-dovecot-pigeonhole-0.4.21.drv-0/dovecot-2.2-pigeonhole-0.4.21/src/lib-sieve/util'
make[3]: *** [Makefile:850: all-recursive] Error 1
make[3]: Leaving directory '/tmp/nix-build-dovecot-pigeonhole-0.4.21.drv-0/dovecot-2.2-pigeonhole-0.4.21/src/lib-sieve'
make[2]: *** [Makefile:426: all-recursive] Error 1
make[2]: Leaving directory '/tmp/nix-build-dovecot-pigeonhole-0.4.21.drv-0/dovecot-2.2-pigeonhole-0.4.21/src'
make[1]: *** [Makefile:741: all-recursive] Error 1
make[1]: Leaving directory '/tmp/nix-build-dovecot-pigeonhole-0.4.21.drv-0/dovecot-2.2-pigeonhole-0.4.21'
make: *** [Makefile:600: all] Error 2
builder for ‘/nix/store/5k0a297nib68zcxpsv49z0x6iafa7nd8-dovecot-pigeonhole-0.4.21.drv’ failed with exit code 2
cannot build derivation ‘/nix/store/ij5r480jxvd6h320vjxxfxm6qdzn2kvb-dovecot-modules.drv’: 1 dependencies couldn't be built

Catch-all aliases

Hi, first of all thanks for this great project. I already deployed it in small-scale production.

I was wondering if you have any plans for catch-all aliases/forwarders; or if I can, perhaps, contribute this?
