NixOS Wiki

Stalwart: Difference between revisions

← Older edit
VisualWikitext
Onny (talk | contribs)
261 edits
Enable administrative web interface
Xor (talk | contribs)
1 edit
typo 127.0.01
 
(23 intermediate revisions by 2 users not shown)
Line 2: Line 2:


== Setup ==
== Setup ==
The following example enables the Stalwart mail server for the domain ''example.org'', listening on mail delivery SMTP/Submission (<code>25, 465</code>), IMAPS (<code>993</code>) and JMAP ports (8080/443) for mail clients to connect to. Mailboxes for the accounts <code>postmaster@example.org</code> and <code>user1@example.org</code> get created if they don't exist yet.
{{file|/etc/nixos/configuration.nix|nix|3=environment.etc = {
  "stalwart/mail-pw1".text = "foobar";
  "stalwart/mail-pw2".text = "foobar";
  "stalwart/admin-pw".text = "foobar";
  "stalwart/acme-secret".text = "secret123";
};
services.stalwart-mail = {
  enable = true;
  package = pkgs.stalwart-mail;
  openFirewall = true;
  settings = {
    server = {
      hostname = "mx1.example.org";
      tls = {
        enable = true;
        implicit = true;
      };
      listener = {
        smtp = {
          protocol = "smtp";
          bind = "[::]:25";
        };
        submissions = {
          bind = "[::]:465";
          protocol = "smtp";
        };
        imaps = {
          bind = "[::]:993";
          protocol = "imap";
        };
        jmap = {
          bind = "[::]:8080";
          url = "https://mail.example.org";
          protocol = "jmap";
        };
        management = {
          bind = [ "127.0.0.1:8080" ];
          protocol = "http";
        };
      };
    };
    lookup.default = {
      hostname = "mx1.example.org";
      domain = "example.org";
    };
    acme."letsencrypt" = {
      directory = "https://acme-v02.api.letsencrypt.org/directory";
      challenge = "dns-01";
      contact = "user1@example.org";
      domains = [ "example.org" "mx1.example.org" ];
      provider = "cloudflare";
      secret = "%{file:/etc/stalwart/acme-secret}%";
    };
    session.auth = {
      mechanisms = "[plain]";
      directory = "'in-memory'";
    };
    storage.directory = "in-memory";
    session.rcpt.directory = "'in-memory'";
    queue.outbound.next-hop = "'local'";
    directory."imap".lookup.domains = [ "example.org" ];
    directory."in-memory" = {
      type = "memory";
      principals = [
        {
          class = "individual";
          name = "User 1";
          secret = "%{file:/etc/stalwart/mail-pw1}%";
          email = [ "user1@example.org" ];
        }
        {
          class = "individual";
          name = "postmaster";
          secret = "%{file:/etc/stalwart/mail-pw1}%";
          email = [ "postmaster@example.org" ];
        }
      ];
    };
    authentication.fallback-admin = {
      user = "admin";
      secret = "%{file:/etc/stalwart/admin-pw}%";
    };
  };
};
services.caddy = {
  enable = true;
  virtualHosts = {
    "webadmin.example.org" = {
      extraConfig = ''
        reverse_proxy http://127.0.0.1:8080
      '';
      serverAliases = [
        "mta-sts.example.org"
        "autoconfig.example.org"
        "autodiscover.example.org"
        "mail.example.org"
      ];
    };
  };
};}}
TLS key generation is done using DNS-01 challenge through Cloudflare domain provider, see dns-update library for [https://github.com/stalwartlabs/dns-update further providers] or configure [https://stalw.art/docs/server/tls/certificates manual certificates].
== Configuration ==
=== DNS records ===
Before adding required records to the example domain <code>example.org</code>, we need to register the domain on the Stalwart server.<syntaxhighlight lang="shell">
stalwart-cli --url https://webadmin.example.org domain create example.org
</syntaxhighlight>Authenticate using the fallback-admin password.
Review the list of which DNS records are required including their values for the mail server to work at https://webadmin.example.org/manage/directory/domains/tuxtux.com.co/view. Especially following records are essential:
* Record type: A, Name: example.org
* Record type: AAAA, Name: example.org
* Record type: CNAME, Name: autoconfig Value: example.org
* Record type: CNAME, Name: autodiscover, Value: example.org
* Record type: CNAME, Name: mail, Value: example.org
* Record type: CNAME, Name: mta-sts, Value: example.org
* Record type: CNAME, Name: mail, Value: example.org
* Record type: CNAME, Name: webadmin, Value: example.org
* Record type: MX, Name: example.org, Value: mx1.example.org
* Record type: SRV, Name: _imaps._tcp
* Record type: SRV, Name: _submissions._tcp
* Record type: TLSA, Name: _25._tcp.example.org., Value: Only the one starting with "3 1 1" required
* Record type: TLSA, Name: _25._tcp.mx1.example.org., Value: Only the one starting with "3 1 1" required
* Record type: TXT, Name: 202409e._domainkey
* Record type: TXT, Name: 202409r._domainkey
* Record type: TXT, Name: _dmarc
* Record type: TXT, Name: mx1
* Record type: TXT, Name: _smtp._tls
* Record type: TXT, Name: example.org
=== DNSSEC ===
Ensure that DNSSEC is enabled for your primary and mail server domain. It can be enabled by your domain provider.
For example, check if DNSSEC is working correctly for your new TLSA record
# nix shell nixpkgs#dnsutils --command delv _25._tcp.mx1.example.org TLSA @1.1.1.1
; fully validated
_25._tcp.mx1.example.org. 10800 IN TLSA 3 1 1 7f59d873a70e224b184c95a4eb54caa9621e47d48b4a25d312d83d96 e3498238
_25._tcp.mx1.example.org. 10800 IN RRSIG TLSA 13 5 10800 20230601000000 20230511000000 39688 example.org. He9VYZ35xTC3fNo8GJa6swPrZodSnjjIWPG6Th2YbsOEKTV1E8eGtJ2A +eyBd9jgG+B3cA/jw8EJHmpvy/buCw==
== Tips and tricks ==
=== Test mail server ===
You can use several online tools to test your mail server configuration:
* [https://en.internet.nl/test-mail en.internet.nl/test-mail]: Test your mail server configuration for validity and security.
* [https://www.mail-tester.com mail-tester.com]: Send a mail to this service and get a rating about the "spaminess" of your mail server.
* Send a mail to the echo server <code>echo@univie.ac.at</code>. You should receive a response containing your message in several seconds.
=== Unsecure setup for testing environments ===
The following minimal configuration example is unsecure and for testing purpose only. It will run the Stalwart mail server on <code>localhost</code>, listening on port <code>143</code> (IMAP) and <code>587</code> (Submission). Users <code>alice</code> and <code>bob</code> are configured with the password <code>foobar</code>.{{file|/etc/nixos/configuration.nix|nix|3=services.stalwart-mail = {
The following minimal configuration example is unsecure and for testing purpose only. It will run the Stalwart mail server on <code>localhost</code>, listening on port <code>143</code> (IMAP) and <code>587</code> (Submission). Users <code>alice</code> and <code>bob</code> are configured with the password <code>foobar</code>.{{file|/etc/nixos/configuration.nix|nix|3=services.stalwart-mail = {
   enable = true;
   enable = true;
  # Use newer, latest version in NixOS 24.05
  package = pkgs.stalwart-mail;
   settings = {
   settings = {
     server = {
     server = {
Line 48: Line 201:
   };
   };
};}}
};}}
== Configuration ==
=== Administrative web frontend ===
{{Note|The module is not yet part of the latest NixOS stable release and will be available with version 24.11.}}Add following listener to enable the administrative web frontend.{{file|/etc/nixos/configuration.nix|nix|3=services.stalwart-mail = {
  enable = true;
  settings.server.listener = {
    "management" = {
      bind = [ "[::]:8080" ];
      protocol = "http";
    };
  };
};}}It will be accessible on http://localhost:8080 and authentication is done with the one of the credentials specified above (normal inbox user or administrative role).
Please note that this example snippet is for testing purpose and without further configuration the management web interface will run unencrypted on all interfaces which is unsecure.


== See also ==
== See also ==
Retrieved from "https://wiki.nixos.org/wiki/Stalwart"