feat(service/self_host): the mail system working for the moment

2025-10-15 22:38:18 +02:00 · 2025-10-15 22:38:18 +02:00 · 4a8a781c9c
commit 4a8a781c9c
parent b10f611df7
1 changed files with 196 additions and 33 deletions
--- a/services/self_host/mail.nix
+++ b/services/self_host/mail.nix
@ -1,47 +1,210 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
+{ config, pkgs, lib, ... }:

 let
  cfg = config.service.selfhost.mail;
+  mailjetSecrets = import ../../.mailjetcred.nix;
 in
 {
  config = lib.mkIf cfg {
-    services.rspamd.enable = true;
-    mailserver = {
+    users.users.vmail = {
+      isSystemUser = true;
+      home = "/var/vmail";
+      group = "vmail";
+      shell = "/run/current-system/sw/bin/nologin";
+    };
+    users.groups.vmail = {};
+    systemd.tmpfiles.rules = [
+      "d /var/vmail 0750 vmail vmail - -"
+      "d /var/spool/postfix 0755 postfix postfix - -"
+      "d /var/spool/postfix/private 0750 postfix postfix - -"
+      "d /run/dovecot 0755 dovecot dovecot - -"
+    ];
+
+    security.acme.certs."mail.enium.eu" = {
+      group = "nginx";
+      reloadServices = [ "postfix.service" "dovecot.service" ];
+    };
+    users.groups.nginx.members = [ "postfix" "dovecot" ];
+
+    services.postfix = {
      enable = true;
-      stateVersion = 3;
-      fqdn = "mail.enium.eu";
-      domains = [
-        "enium.eu"
-      ];
-      loginAccounts = {
-        "no-reply@enium.eu" = {
-          hashedPasswordFile = "/root/mail-passwd.txt";
+      rootAlias = "raphael@enium.eu";
+
+      settings = {
+        main = {
+          myhostname = "mail.enium.eu";
+          mydomain   = "enium.eu";
+          relayhost  = [
+            "[in-v3.mailjet.com]:587"
+          ];
+
+          mydestination = "localhost";
+          inet_interfaces = "all";
+          inet_protocols  = "ipv4";
+
+          smtp_sasl_auth_enable = "yes";
+          smtp_sasl_password_maps = "hash:/var/lib/postfix/sasl_passwd";
+          smtp_sasl_security_options = "noanonymous";
+          smtpd_sasl_type = "dovecot";
+          smtpd_sasl_path = "/run/dovecot/auth-client";
+
+          smtp_tls_security_level = "may";
+          smtp_tls_CAfile = "/etc/ssl/certs/ca-certificates.crt";
+          smtp_tls_session_cache_database = "btree:/var/lib/postfix/smtp_scache";
+          
+          virtual_mailbox_domains = "enium.eu";
+          virtual_transport = "lmtp:unix:/run/dovecot/lmtp";
+          virtual_mailbox_maps = "hash:/var/lib/postfix/vmailbox";
+
+          local_recipient_maps = "";
+
+          smtpd_relay_restrictions = "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination";
+          smtpd_recipient_restrictions = "check_recipient_access hash:/var/lib/postfix/recipient_access";
+
+          smtpd_tls_cert_file = "/var/lib/acme/mail.enium.eu/fullchain.pem";
+          smtpd_tls_key_file  = "/var/lib/acme/mail.enium.eu/key.pem";
+
+          smtpd_milters = "unix:/run/rspamd/rspamd-milter.sock";
+          non_smtpd_milters = "unix:/run/rspamd/rspamd-milter.sock";
+          milter_protocol = "6";
+          milter_default_action = "accept";
+        };
+        master."submission" = {
+          type = "inet";
+          private = false;
+          chroot  = false;
+          command = "smtpd";
+          args = [
+            "-o" "smtpd_recipient_restrictions=permit_sasl_authenticated,reject"
+            "-o" "smtpd_sasl_auth_enable=yes"
+            "-o" "smtpd_sasl_security_options=noanonymous"
+            "-o" "smtpd_sender_login_maps=hash:/var/lib/postfix/sender_login"
+            "-o" "smtpd_sender_restrictions=reject_sender_login_mismatch"
+            "-o" "smtpd_tls_auth_only=yes"
+            "-o" "smtpd_tls_security_level=encrypt"
+            "-o" "syslog_name=postfix/submission"
+          ];
        };
      };
-      certificateScheme = "acme-nginx";
+    };
+    environment.etc."postfix-sender_login".text = ''
+      raphael@enium.eu   raphael@enium.eu
+      no-reply@enium.eu   raphael@enium.eu
+    '';
+    environment.etc."postfix-sasl_passwd" = {
+      text = "[in-v3.mailjet.com]:587 ${mailjetSecrets.smtpUser}:${mailjetSecrets.smtpPass}\n";
+      mode = "0600";
+    };
+    environment.etc."postfix-recipient_access".text = ''
+      no-reply@enium.eu   REJECT 550 Cette adresse n’est pas autorise a recevoir de mail
+    '';
+    systemd.services.postfix.preStart = lib.mkMerge [
+      (lib.mkAfter ''
+        install -Dm600 /etc/postfix-sasl_passwd /var/lib/postfix/sasl_passwd
+        ${pkgs.postfix}/bin/postmap /var/lib/postfix/sasl_passwd
+      '')
+      (lib.mkAfter ''
+        install -Dm644 /etc/postfix-recipient_access /var/lib/postfix/recipient_access
+        ${pkgs.postfix}/bin/postmap /var/lib/postfix/recipient_access
+      '')
+      (lib.mkAfter ''
+        install -Dm644 /etc/postfix-sender_login /var/lib/postfix/sender_login
+        ${pkgs.postfix}/bin/postmap /var/lib/postfix/sender_login
+      '')
+      (lib.mkAfter ''
+        install -Dm644 /etc/postfix-vmailbox /var/lib/postfix/vmailbox
+        ${pkgs.postfix}/bin/postmap /var/lib/postfix/vmailbox
+      '')
+    ];
+
+    services.dovecot2 = {
+      enable = true;
+      enableImap = true;
+      mailLocation = "maildir:/var/vmail/%d/%n";
+      sslServerCert = "/var/lib/acme/mail.enium.eu/fullchain.pem";
+      sslServerKey  = "/var/lib/acme/mail.enium.eu/key.pem";
+      extraConfig = ''
+        disable_plaintext_auth = yes
+        auth_mechanisms = plain login
+        ssl = required
+        protocols = imap lmtp
+        base_dir = /run/dovecot
+
+        userdb {
+          driver = static
+          args = uid=vmail gid=vmail home=/var/vmail/%d/%n
+        }
+        passdb {
+          driver = passwd-file
+          args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/users
+        }
+
+        service imap-login {
+          inet_listener imap {
+            port = 0
+          }
+          inet_listener imaps {
+            port = 993
+            ssl = yes
+          }
+        }
+
+        service auth {
+          unix_listener auth-client {
+            mode = 0660
+            user = postfix
+            group = postfix
+          }
+        }
+        service lmtp {
+          unix_listener lmtp {
+            mode = 0660
+            user = postfix
+            group = postfix
+          }
+        }
+
+        protocol lmtp {
+        }
+      '';
    };

-    services = {
-      roundcube = {
-        enable = true;
-        hostName = "mail.enium.eu";
-        extraConfig = ''
-          					$config['smtp_host'] = "tls://mail.enium.eu";
-          					$config['smtp_user'] = "%u";
-          					$config['smtp_pass'] = "%p";
-          				'';
-      };
-      nginx = {
-        virtualHosts."mail.enium.eu" = {
-          forceSSL = true;
-          enableACME = true;
-        };
-      };
+    systemd.services.dovecot.after = [
+      "postfix-setup.service"
+      "postfix.service"
+    ];
+    systemd.services.dovecot.requires = [
+      "postfix-setup.service"
+    ];
+
+    # doveadm pw -s SHA512-CRYPT
+    environment.etc."dovecot/users".text = ''
+      raphael@enium.eu:{SHA512-CRYPT}$6$rIsn6/dLJ6MbITx5$vMo82dgkQZoV8BQIaO6Bs9J86ZjgcJ.LqMuIqnXVfuBRgZOqY/YiURBUOcS1P2wAo5h4TCFkKExfcjjX1reUU.
+    '';
+    environment.etc."postfix-vmailbox".text = ''
+      raphael@enium.eu   enium.eu/raphael/
+    '';
+
+    services.nginx.virtualHosts."mail.enium.eu" = {
+      forceSSL = true;
+      enableACME = true;
+    };
+
+    services.rspamd.enable = true;
+
+    services.roundcube = {
+      enable = true;
+      hostName = "mail.enium.eu";
+      extraConfig = ''
+        $config['smtp_host'] = "tls://mail.enium.eu";
+        $config['smtp_port'] = 587;
+        $config['smtp_user'] = "%u";
+        $config['smtp_pass'] = "%p";
+        $config['smtp_auth_type'] = "LOGIN";
+        $config['imap_host'] = "ssl://mail.enium.eu";
+        $config['default_port'] = 993;
+        $config['username_domain'] = 'enium.eu';
+      '';
    };
  };
 }