raphael/nixos
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(self_host): adding a configuration to rspamd

Browse source
This commit is contained in:
Raphael 2025-10-27 18:02:13 +01:00
parent 886b9da521
commit 309970da6d
No known key found for this signature in database
1 changed files with 95 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

94
services/self_host/mail.nix
View file

@ -12,6 +12,9 @@ let
in in
{ {
config = lib.mkIf cfg { config = lib.mkIf cfg {
environment.systemPackages = [
pkgs.dovecot_pigeonhole
];
users.users.vmail = { users.users.vmail = {
isSystemUser = true; isSystemUser = true;
home = "/var/vmail"; home = "/var/vmail";
@ -88,6 +91,7 @@ in
non_smtpd_milters = "unix:/run/rspamd/rspamd.sock"; non_smtpd_milters = "unix:/run/rspamd/rspamd.sock";
milter_protocol = "6"; milter_protocol = "6";
milter_default_action = "accept"; milter_default_action = "accept";
milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_authen}";
}; };
master."submission" = { master."submission" = {
type = "inet"; type = "inet";
@ -139,14 +143,17 @@ in
services.dovecot2 = { services.dovecot2 = {
enable = true; enable = true;
enableImap = true; enableImap = true;
enableLmtp = true;
enablePAM = false;
mailLocation = "maildir:/var/vmail/%d/%n"; mailLocation = "maildir:/var/vmail/%d/%n";
sslServerCert = "/var/lib/acme/mail.enium.eu/fullchain.pem"; sslServerCert = "/var/lib/acme/mail.enium.eu/fullchain.pem";
sslServerKey = "/var/lib/acme/mail.enium.eu/key.pem"; sslServerKey = "/var/lib/acme/mail.enium.eu/key.pem";
extraConfig = '' extraConfig = ''
disable_plaintext_auth = yes
auth_mechanisms = plain login
ssl = required
protocols = imap lmtp protocols = imap lmtp
auth_mechanisms = plain login
disable_plaintext_auth = yes
base_dir = /run/dovecot base_dir = /run/dovecot
userdb { userdb {
@ -175,7 +182,9 @@ in
group = postfix group = postfix
} }
} }
service lmtp { service lmtp {
# si Postfix attend un autre chemin, on ajustera ici
unix_listener lmtp { unix_listener lmtp {
mode = 0660 mode = 0660
user = postfix user = postfix
@ -183,7 +192,15 @@ in
} }
} }
# Sieve exécuté à la livraison (LMTP)
protocol lmtp { protocol lmtp {
mail_plugins = $mail_plugins sieve
}
plugin {
sieve = file:~/.dovecot.sieve
sieve_dir = ~/sieve
sieve_after = /var/lib/dovecot/sieve/
} }
''; '';
}; };
@ -239,13 +256,82 @@ in
services.rspamd = { services.rspamd = {
enable = true; enable = true;
extraConfig = '' extraConfig = ''
worker "controller" {
bind_socket = "127.0.0.1:11334";
password = "admin";
};
worker "normal" {
bind_socket = "127.0.0.1:11333";
};
worker "rspamd_proxy" {
bind_socket = "127.0.0.1:11332";
milter = yes;
timeout = 120s;
upstream "local" {
self_scan = yes;
};
};
actions {
reject = 12;
add_header = 6;
greylist = 4;
};
milter { milter {
unix_socket = "/run/rspamd/milter.sock";
unix_permissions = 0660; unix_permissions = 0660;
user = "rspamd"; user = "rspamd";
group = "postfix"; group = "postfix";
} };
classifier "bayes" {
backend = "redis";
servers = "127.0.0.1:6381";
autolearn = true;
min_learns = 200;
new_schema = true;
cache = true;
statfile {
symbol = "BAYES_HAM";
spam = false;
};
statfile {
symbol = "BAYES_SPAM";
spam = true;
};
learn_condition = <<EOD
return function(task)
return true
end
EOD;
};
rbl {
enabled = true;
rbls = {
spamhaus = {
symbol = "RBL_SPAMHAUS";
rbl = "zen.spamhaus.org";
};
barracuda = {
symbol = "RBL_BARRACUDA";
rbl = "b.barracudacentral.org";
};
};
};
''; '';
}; };
services.redis.servers.rspamd = {
enable = true;
port = 6381;
};
services.roundcube = { services.roundcube = {
enable = true; enable = true;
hostName = "mail.enium.eu"; hostName = "mail.enium.eu";