Maddy: Difference between revisions
imported>Onny Add note on Imapsync |
m Add alternate way of generating TLSA |
(8 intermediate revisions by 2 users not shown) | |||
Line 70: | Line 70: | ||
</nowiki>}} | </nowiki>}} | ||
Alternativley certificates can be manually loaded with setting <code>tls.loader = "file";</code> and manually specifiying key and certificates file paths using the <code>tls.certificates = [];</code> option. In this case, more ACME protocols and providers are available when using the native NixOS [[ACME]] module. | Alternativley certificates can be manually loaded with setting <code>tls.loader = "file";</code> and manually specifiying key and certificates file paths using the <code>tls.certificates = [];</code> option. In this case, more ACME protocols and providers are available when using the native NixOS [[ACME]] module or manual client tools like [[Certbot]]. | ||
=== DNS records === | === DNS records === | ||
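Review bot: the sentence touched in this hunk still carries two misspellings, "Alternativley" and "specifiying" (alternatively, specifying), and "In this case" does not say which case is meant; since the revision already reaches into this line, consider rewording to something like "Alternatively, set <code>tls.loader = "file";</code> and point <code>tls.certificates</code> at your own key and certificate paths. With the file loader, more ACME protocols and providers become available through the native NixOS [[ACME]] module or manual client tools like [[Certbot]]." The snippet <code>tls.certificates = [];</code> also shows an empty list, so the reader cannot see what one entry looks like; a single filled-in entry would make the option usable as written.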
Line 124: | Line 124: | ||
=== MTA-STS === | === MTA-STS === | ||
MTA-STS enforces secure TLS configuration for servers which support this standard. We already advertised this feature in the DNS records above, but we also have to serve a static configuration file using a web server. We use the web server [[Caddy]] to do this but of course you can | MTA-STS enforces secure TLS configuration for servers which support this standard. We already advertised this feature in the DNS records above, but we also have to serve a static configuration file using a web server. We use the web server [[Caddy]] to do this but of course you can other Web Servers too. | ||
{{file|/etc/nixos/configuration.nix|nix|<nowiki> | {{file|/etc/nixos/configuration.nix|nix|<nowiki> | ||
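Review bot: the new clause "but of course you can other Web Servers too" is missing its verb; it should read "but of course you can use other web servers too". The opening sentence would also be more accurate as "MTA-STS lets sending servers that support this standard enforce a secure TLS configuration when delivering to us", since the policy we publish here is enforced by the sending side.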
Line 157: | Line 157: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Add the key to a new TLSA record in your nameserver | Or you can generate it directly from the TLS-certificate that you are using with maddy:<syntaxhighlight lang="console"> | ||
# openssl x509 -in cert.pem -pubkey -noout | openssl ec -pubin -outform der | sha256sum | |||
</syntaxhighlight>Add the key to a new TLSA record in your nameserver | |||
{{file|/etc/nixos/configuration.nix|nix|<nowiki> | {{file|/etc/nixos/configuration.nix|nix|<nowiki> | ||
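Review bot: the added openssl pipeline only works for certificates with an EC key, because its second stage is <code>openssl ec -pubin</code>; with an RSA certificate it fails with a key-type error. <code>openssl pkey -pubin -outform der</code> accepts either key type and emits the same DER-encoded public key, so the line would be more general as <code>openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | sha256sum</code>. Two smaller points: <code>sha256sum</code> prints " -" after the digest and only the hex digest belongs in the record, and the closing <code></syntaxhighlight></code> runs straight into "Add the key to a new TLSA record", so that sentence should start on its own line and say "Add the resulting hash", since what goes into the record is the digest, not the key.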
Line 214: | Line 216: | ||
{{file|/etc/nixos/configuration.nix|nix|<nowiki> | {{file|/etc/nixos/configuration.nix|nix|<nowiki> | ||
{ options, lib, ... }: { | { options, lib, ... }: { | ||
services.maddy.config = builtins.replaceStrings ["msgpipeline local_routing {"] [''msgpipeline local_routing { | services.maddy.config = builtins.replaceStrings ["msgpipeline local_routing {"] [''msgpipeline local_routing { | ||
Line 223: | Line 223: | ||
} | } | ||
}''] options.services.maddy.config.default; | }''] options.services.maddy.config.default; | ||
services.rspamd = { | |||
enable = true; | |||
locals."dkim_signing.conf".text = '' | |||
selector = "default"; | |||
domain = "project-insanity.org"; | |||
path = "/var/lib/maddy/dkim_keys/$domain_$selector.key"; | |||
''; | |||
}; | |||
systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "maddy" ]; | |||
[...] | [...] | ||
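Review bot: the added rspamd block hardcodes <code>domain = "project-insanity.org"</code>, a real domain, in what is otherwise a generic example; the rest of the article uses example.org, so this should too. <code>SupplementaryGroups = [ "maddy" ]</code> is what lets rspamd read the signing keys under <code>/var/lib/maddy/dkim_keys</code>, and since those are private DKIM keys the prose following the hunk should say that this widening of access is intentional and that the keys become readable to anything running as the rspamd service. Finally, <code>$domain_$selector.key</code> relies on rspamd expanding <code>$domain</code> when it is immediately followed by an underscore; it is worth confirming that rspamd does not read <code>$domain_</code> as one variable name before recommending this path.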
Line 228: | Line 239: | ||
The second part in this example replaces a part in the default config of the Maddy module and inserts the rspamd check to the message pipeline as described in the [https://maddy.email/reference/checks/rspamd upstream documentation]. | The second part in this example replaces a part in the default config of the Maddy module and inserts the rspamd check to the message pipeline as described in the [https://maddy.email/reference/checks/rspamd upstream documentation]. | ||
The [[rspamd]] article also has some notes on how to achieve training for spam/ham mails using an additional helper script. | |||
=== Mail attachement size === | === Mail attachement size === | ||
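Review bot: the added sentence reads awkwardly; "how to achieve training for spam/ham mails" would be clearer as "how to train the spam/ham classifier". The unchanged heading immediately below, "Mail attachement size", misspells "attachment"; since this region is being edited anyway, fix it in the same revision.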
Line 241: | Line 254: | ||
''dmarc yes | ''dmarc yes | ||
max_message_size 64M''] options.services.maddy.config.default; | max_message_size 64M''] options.services.maddy.config.default; | ||
[...] | |||
</nowiki>}} | |||
=== Alias addresses === | |||
The following example will add an alias <code>mailA@example.org</code> for the local mail address <code>mailB@example.org</code> meaning that every mail send to <code>mailA</code> will get delivered to <code>mailB</code>. | |||
{{file|/etc/nixos/configuration.nix|nix|<nowiki> | |||
{ options, lib, ... }: { | |||
services.maddy.config = builtins.replaceStrings [ | |||
"optional_step file /etc/maddy/aliases" | |||
] [ | |||
"optional_step static { | |||
entry mailA@example.org mailB@example.org | |||
}"] options.services.maddy.config.default; | |||
[...] | [...] | ||
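Review bot: "every mail send to" should be "every mail sent to", and "local mail address" would read better as "local mailbox". More importantly, the replacement keys on the exact string <code>optional_step file /etc/maddy/aliases</code> from the module's default config, and <code>builtins.replaceStrings</code> silently leaves the config untouched when that string is absent, so a later change to the default would make the alias vanish without any error; the section should say so. It should also point out that the snippet replaces the file-based aliases step rather than adding to it, so any aliases defined in <code>/etc/maddy/aliases</code> stop working once it is applied.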
Line 320: | Line 350: | ||
== See also == | == See also == | ||
* [https://maddy.email Maddy homepage and documentation] | * [https://maddy.email Maddy homepage and documentation] | ||
* [Imapsync], useful tool to migrate mailboxes to a new server | * [[Stalwart]], an open-source, all-in-one mail server solution that supports JMAP, IMAP4, and SMTP protocols | ||
* [https://nixos-mailserver.readthedocs.io/en/latest Simple NixOS Mailserver] | |||
* [[Imapsync]], useful tool to migrate mailboxes to a new server | |||
[[Category:Mail Server]] | [[Category:Mail Server]] | ||
[[Category:Server]] |