Maddy: Difference between revisions

(8 intermediate revisions by 2 users not shown)

Line 70:

</nowiki>}}

Alternativley certificates can be manually loaded with setting <code>tls.loader = "file";</code> and manually specifiying key and certificates file paths using the <code>tls.certificates = [];</code> option. In this case, more ACME protocols and providers are available when using the native NixOS [[ACME]] module.

Alternativley certificates can be manually loaded with setting <code>tls.loader = "file";</code> and manually specifiying key and certificates file paths using the <code>tls.certificates = [];</code> option. In this case, more ACME protocols and providers are available when using the native NixOS [[ACME]] module or manual client tools like [[Certbot]].

=== DNS records ===

Line 124:

=== MTA-STS ===

MTA-STS enforces secure TLS configuration for servers which support this standard. We already advertised this feature in the DNS records above, but we also have to serve a static configuration file using a web server. We use the web server [[Caddy]] to do this but of course you can ~~[[Category:Web_Servers use others~~ too]].

MTA-STS enforces secure TLS configuration for servers which support this standard. We already advertised this feature in the DNS records above, but we also have to serve a static configuration file using a web server. We use the web server [[Caddy]] to do this but of course you can other Web Servers too.

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

Line 157:

</syntaxhighlight>

Add the key to a new TLSA record in your nameserver

Or you can generate it directly from the TLS-certificate that you are using with maddy:<syntaxhighlight lang="console">

# openssl x509 -in cert.pem -pubkey -noout | openssl ec -pubin -outform der | sha256sum

</syntaxhighlight>Add the key to a new TLSA record in your nameserver

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

Line 214:

Line 216:

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

{ options, lib, ... }: {

~~services.rspamd.enable = true;~~

services.maddy.config = builtins.replaceStrings ["msgpipeline local_routing {"] [''msgpipeline local_routing {

Line 223:

}

}''] options.services.maddy.config.default;

services.rspamd = {

enable = true;

locals."dkim_signing.conf".text = ''

selector = "default";

domain = "project-insanity.org";

path = "/var/lib/maddy/dkim_keys/$domain_$selector.key";

'';

};

systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "maddy" ];

[...]

Line 228:

Line 239:

The second part in this example replaces a part in the default config of the Maddy module and inserts the rspamd check to the message pipeline as described in the [https://maddy.email/reference/checks/rspamd upstream documentation].

The [[rspamd]] article also has some notes on how to achieve training for spam/ham mails using an additional helper script.

=== Mail attachement size ===

Line 241:

Line 254:

''dmarc yes

max_message_size 64M''] options.services.maddy.config.default;

[...]

</nowiki>}}

=== Alias addresses ===

The following example will add an alias <code>mailA@example.org</code> for the local mail address <code>mailB@example.org</code> meaning that every mail send to <code>mailA</code> will get delivered to <code>mailB</code>.

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

{ options, lib, ... }: {

services.maddy.config = builtins.replaceStrings [

"optional_step file /etc/maddy/aliases"

] [

"optional_step static {

entry mailA@example.org mailB@example.org

}"] options.services.maddy.config.default;

[...]

Line 320:

Line 350:

== See also ==

* [https://maddy.email Maddy homepage and documentation]

* [Imapsync], useful tool to migrate mailboxes to a new server

* [[Stalwart]], an open-source, all-in-one mail server solution that supports JMAP, IMAP4, and SMTP protocols

* [https://nixos-mailserver.readthedocs.io/en/latest Simple NixOS Mailserver]

* [[Imapsync]], useful tool to migrate mailboxes to a new server

[[Category:Mail Server]]

[[Category:Server]]

@@ Line 70: / Line 70: @@
 </nowiki>}}
-Alternativley certificates can be manually loaded with setting <code>tls.loader = "file";</code> and manually specifiying key and certificates file paths using the <code>tls.certificates = [];</code> option. In this case, more ACME protocols and providers are available when using the native NixOS [[ACME]] module.
+Alternativley certificates can be manually loaded with setting <code>tls.loader = "file";</code> and manually specifiying key and certificates file paths using the <code>tls.certificates = [];</code> option. In this case, more ACME protocols and providers are available when using the native NixOS [[ACME]] module or manual client tools like [[Certbot]].
 === DNS records ===
@@ Line 124: / Line 124: @@
 === MTA-STS ===
-MTA-STS enforces secure TLS configuration for servers which support this standard. We already advertised this feature in the DNS records above, but we also have to serve a static configuration file using a web server. We use the web server [[Caddy]] to do this but of course you can [[Category:Web_Servers use others too]].
+MTA-STS enforces secure TLS configuration for servers which support this standard. We already advertised this feature in the DNS records above, but we also have to serve a static configuration file using a web server. We use the web server [[Caddy]] to do this but of course you can other Web Servers too.
 {{file|/etc/nixos/configuration.nix|nix|<nowiki>
@@ Line 157: / Line 157: @@
 </syntaxhighlight>
-Add the key to a new TLSA record in your nameserver
+Or you can generate it directly from the TLS-certificate that you are using with maddy:<syntaxhighlight lang="console">
+# openssl x509 -in cert.pem -pubkey -noout | openssl ec -pubin -outform der | sha256sum
+</syntaxhighlight>Add the key to a new TLSA record in your nameserver
 {{file|/etc/nixos/configuration.nix|nix|<nowiki>
@@ Line 214: / Line 216: @@
 {{file|/etc/nixos/configuration.nix|nix|<nowiki>
 { options, lib, ... }: {
-services.rspamd.enable = true;
 services.maddy.config = builtins.replaceStrings ["msgpipeline local_routing {"] [''msgpipeline local_routing {
@@ Line 223: / Line 223: @@
      }
    }''] options.services.maddy.config.default;
+services.rspamd = {
+  enable = true;
+  locals."dkim_signing.conf".text = ''
+    selector = "default";
+    domain = "project-insanity.org";
+    path = "/var/lib/maddy/dkim_keys/$domain_$selector.key";
+  '';
+};
+systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "maddy" ];
 [...]
@@ Line 228: / Line 239: @@
 The second part in this example replaces a part in the default config of the Maddy module and inserts the rspamd check to the message pipeline as described in the [https://maddy.email/reference/checks/rspamd upstream documentation].
+The [[rspamd]] article also has some notes on how to achieve training for spam/ham mails using an additional helper script.
 === Mail attachement size ===
@@ Line 241: / Line 254: @@
    ''dmarc yes
     max_message_size 64M''] options.services.maddy.config.default;
+[...]
+</nowiki>}}
+=== Alias addresses ===
+The following example will add an alias <code>mailA@example.org</code> for the local mail address <code>mailB@example.org</code> meaning that every mail send to <code>mailA</code> will get delivered to <code>mailB</code>.
+{{file|/etc/nixos/configuration.nix|nix|<nowiki>
+{ options, lib, ... }: {
+services.maddy.config = builtins.replaceStrings [
+  "optional_step file /etc/maddy/aliases"
+] [
+  "optional_step static {
+     entry mailA@example.org mailB@example.org
+   }"] options.services.maddy.config.default;
 [...]
@@ Line 320: / Line 350: @@
 == See also ==
 * [https://maddy.email Maddy homepage and documentation]
-* [Imapsync], useful tool to migrate mailboxes to a new server
+* [[Stalwart]], an open-source, all-in-one mail server solution that supports JMAP, IMAP4, and SMTP protocols
+* [https://nixos-mailserver.readthedocs.io/en/latest Simple NixOS Mailserver]
+* [[Imapsync]], useful tool to migrate mailboxes to a new server
 [[Category:Mail Server]]
+[[Category:Server]]