Stalwart: Difference between revisions

(2 intermediate revisions by 2 users not shown)

Line 14:

enable = true;

openFirewall = true;

credentials = {

mail-pw1 = /etc/stalwart/mail-pw1;

mail-pw2 = /etc/stalwart/mail-pw2;

acme-secret = /etc/stalwart/acme-secret;

};

settings = {

server = {

Line 57:

Line 62:

domains = [ "example.org" "mx1.example.org" ];

provider = "cloudflare";

secret = "%{file:/~~etc~~/stalwart/acme-secret}%";

secret = "%{file:/run/credentials/stalwart-mail.service/acme-secret}%";

};

session.auth = {

Line 72:

Line 77:

class = "individual";

name = "User 1";

secret = "%{file:/~~etc~~/stalwart/mail-pw1}%";

secret = "%{file:/run/credentials/stalwart-mail.service/mail-pw1}%";

email = [ "user1@example.org" ];

}

Line 78:

Line 83:

class = "individual";

name = "postmaster";

secret = "%{file:/~~etc~~/stalwart/mail-pw1}%";

secret = "%{file:/run/credentials/stalwart-mail.service/mail-pw1}%";

email = [ "postmaster@example.org" ];

}

Line 85:

Line 90:

authentication.fallback-admin = {

user = "admin";

secret = "%{file:/~~etc~~/stalwart/admin-pw}%";

secret = "%{file:/run/credentials/stalwart-mail.service/admin-pw}%";

};

Line 256:

Line 261:

class = "individual";

name = "User 1";

secret = "%{file:/~~etc~~/stalwart/mail-pw1}%";

secret = "%{file:/run/credentials/stalwart-mail.service/mail-pw1}%";

email = [ "user1@example.org" "user1real@example.org ];

}

Line 263:

Line 268:

};

};}}

=== Blocking mail sender address ===

If you don't want to receive any mails from a specific address, even not into your spam folder, you can add it to the spam-trap array.{{file|||3=services.stalwart-mail = {

settings = {

lookup = {

spam-trap = {

"malicious_sender1@spamhost.com" = "";

"malicious_sender2@spamhost.com" = "";

};

};|name=/etc/nixos/configuration.nix|lang=nix}}

== Tips and tricks ==

Line 361:

Line 376:

Adapt the variables <code>DOMAIN</code>, <code>SUBDOMAIN</code>, and <code>PORT</code> according to your needs. The variable <code>ACME_PROVIDER_ID</code> corresponds to the ACME profile name you've setup in the Stalwart webadmin interface. <code>EnvironmentFile</code> points to a file containing the secret Cloudflare api token in the format: TOKEN=12345678[...].

==== deSEC.io ====

In case you want to update your TLSA records at deSEC you can use [https://codeberg.org/Cameo007/dyndns-tlsa-desec dyndns-tlsa-desec] ('''install via flake''') which checks your existing records and updates them if necessary. The certificate and key are taken from the specified directory (like your [[ACME]] directory)

It defaults to <code>3 1 1</code> but you can choose other values as described [[wikipedia:DNS-based_Authentication_of_Named_Entities#RR_data_fields|here]].<syntaxhighlight lang="nixos">

services.dyndns-tlsa-desec = {

enable = true;

api_token_file = config.age.secrets.dyndns-tlsa-desec-api-key.path;

tlsa_zones."example.com" = {

cert_path = "/var/lib/acme/example.com/";

records."_25._tcp.mail" = { };

};

</syntaxhighlight>The program is executed hourly per default but you can set the <code>interval</code> option to any [https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events systemd calendar event].<syntaxhighlight lang="nixos">

services.dyndns-tlsa-desec.interval = "5m"; # Every 5 minutes

</syntaxhighlight>

=== Sending from subaddresses ===

@@ Line 14: / Line 14: @@
    enable = true;
    openFirewall = true;
+  credentials = {
+    mail-pw1 = /etc/stalwart/mail-pw1;
+    mail-pw2 = /etc/stalwart/mail-pw2;
+    acme-secret = /etc/stalwart/acme-secret;
+  };
    settings = {
      server = {
@@ Line 57: / Line 62: @@
        domains = [ "example.org" "mx1.example.org" ];
        provider = "cloudflare";
-       secret = "%{file:/etc/stalwart/acme-secret}%";
+       secret = "%{file:/run/credentials/stalwart-mail.service/acme-secret}%";
      };
      session.auth = {
@@ Line 72: / Line 77: @@
            class = "individual";
            name = "User 1";
-           secret = "%{file:/etc/stalwart/mail-pw1}%";
+           secret = "%{file:/run/credentials/stalwart-mail.service/mail-pw1}%";
            email = [ "user1@example.org" ];
          }
@@ Line 78: / Line 83: @@
            class = "individual";
            name = "postmaster";
-           secret = "%{file:/etc/stalwart/mail-pw1}%";
+           secret = "%{file:/run/credentials/stalwart-mail.service/mail-pw1}%";
            email = [ "postmaster@example.org" ];
          }
@@ Line 85: / Line 90: @@
      authentication.fallback-admin = {
        user = "admin";
-       secret = "%{file:/etc/stalwart/admin-pw}%";
+       secret = "%{file:/run/credentials/stalwart-mail.service/admin-pw}%";
      };
    };
@@ Line 256: / Line 261: @@
            class = "individual";
            name = "User 1";
-           secret = "%{file:/etc/stalwart/mail-pw1}%";
+           secret = "%{file:/run/credentials/stalwart-mail.service/mail-pw1}%";
            email = [ "user1@example.org" "user1real@example.org ];
          }
@@ Line 263: / Line 268: @@
    };
 };}}
+=== Blocking mail sender address ===
+If you don't want to receive any mails from a specific address, even not into your spam folder, you can add it to the spam-trap array.{{file|||3=services.stalwart-mail = {
+  settings = {
+    lookup = {
+      spam-trap = {
+        "malicious_sender1@spamhost.com" = "";
+        "malicious_sender2@spamhost.com" = "";
+      };
+  };
+};|name=/etc/nixos/configuration.nix|lang=nix}}
 == Tips and tricks ==
@@ Line 361: / Line 376: @@
 Adapt the variables <code>DOMAIN</code>, <code>SUBDOMAIN</code>, and <code>PORT</code> according to your needs. The variable <code>ACME_PROVIDER_ID</code> corresponds to the ACME profile name you've setup in the Stalwart webadmin interface. <code>EnvironmentFile</code> points to a file containing the secret Cloudflare api token in the format: TOKEN=12345678[...].
+==== deSEC.io ====
+In case you want to update your TLSA records at deSEC you can use [https://codeberg.org/Cameo007/dyndns-tlsa-desec dyndns-tlsa-desec] ('''install via flake''') which checks your existing records and updates them if necessary. The certificate and key are taken from the specified directory (like your [[ACME]] directory)
+It defaults to <code>3 1 1</code> but you can choose other values as described [[wikipedia:DNS-based_Authentication_of_Named_Entities#RR_data_fields|here]].<syntaxhighlight lang="nixos">
+services.dyndns-tlsa-desec = {
+  enable = true;
+  api_token_file = config.age.secrets.dyndns-tlsa-desec-api-key.path;
+  tlsa_zones."example.com" = {
+    cert_path = "/var/lib/acme/example.com/";
+    records."_25._tcp.mail" = { };
+  };
+};
+</syntaxhighlight>The program is executed hourly per default but you can set the <code>interval</code> option to any [https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events systemd calendar event].<syntaxhighlight lang="nixos">
+services.dyndns-tlsa-desec.interval = "5m"; # Every 5 minutes
+</syntaxhighlight>
 === Sending from subaddresses ===