Stalwart: Difference between revisions

Onny (talk | contribs)
No edit summary
Xor (talk | contribs)
typo 127.0.01
 
(15 intermediate revisions by 2 users not shown)
Line 2: Line 2:


== Setup ==
== Setup ==
The following example enables the Stalwart mail server for the domain ''example.org'', listening on mail delivery SMTP/Submission ports (<code>25, 465</code>) and IMAPS port (<code>993</code>) for mail clients to connect to. Mailboxes for the accounts <code>postmaster@example.org</code> and <code>user1@example.org</code> get created if they don't exist yet.{{Note|Parts of this module are not yet stable will be available with the upcoming NixOS release 24.11.}}{{file|/etc/nixos/configuration.nix|nix|3=services.stalwart-mail = {
The following example enables the Stalwart mail server for the domain ''example.org'', listening on mail delivery SMTP/Submission (<code>25, 465</code>), IMAPS (<code>993</code>) and JMAP ports (8080/443) for mail clients to connect to. Mailboxes for the accounts <code>postmaster@example.org</code> and <code>user1@example.org</code> get created if they don't exist yet.
 
{{file|/etc/nixos/configuration.nix|nix|3=environment.etc = {
  "stalwart/mail-pw1".text = "foobar";
  "stalwart/mail-pw2".text = "foobar";
  "stalwart/admin-pw".text = "foobar";
  "stalwart/acme-secret".text = "secret123";
};
 
services.stalwart-mail = {
   enable = true;
   enable = true;
   package = pkgs.stalwart-mail;
   package = pkgs.stalwart-mail;
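Review bot: The environment.etc block added at the top of this hunk puts live credentials ("stalwart/mail-pw1".text = "foobar", "stalwart/admin-pw".text = "foobar", "stalwart/acme-secret".text = "secret123") into the Nix store: environment.etc.<name>.text builds the file in the store, which is world-readable, and links /etc/stalwart/* to it, so any local user or anything that can read the store recovers the mailbox, admin and Cloudflare credentials. Provision these files out of band instead (sops-nix, agenix, or a root-created file with mode 0400 readable by the stalwart-mail service user) and keep the %{file:...}% references pointing at those paths; the example values should also not be "foobar". The rewritten lead-in now promises JMAP on "8080/443", but the configuration only binds 8080; 443 is reached solely through the reverse-proxy virtual host further down, which the sentence should say.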
Line 8: Line 17:
   settings = {
   settings = {
     server = {
     server = {
       hostname = "example.org";
       hostname = "mx1.example.org";
       tls = {
       tls = {
         enable = true;
         enable = true;
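Review bot: hostname = "mx1.example.org" is the name Stalwart announces in EHLO and the name receiving servers compare against forward and reverse DNS, so mx1.example.org needs its own A/AAAA records and the PTR of the outbound address should resolve back to it; the DNS list added later in this diff does not include those A/AAAA records, and without them outbound mail is likely to be scored as spam.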
Line 28: Line 37:
         jmap = {
         jmap = {
           bind = "[::]:8080";
           bind = "[::]:8080";
           url = "https://mail.tuxtux.com.co";
           url = "https://mail.example.org";
           protocol = "jmap";
           protocol = "jmap";
         };
         };
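Review bot: the JMAP listener still has bind = "[::]:8080" (plain HTTP on every interface) while url becomes "https://mail.example.org" and the reverse proxy in the later hunk targets 127.0.0.1:8080; unless port 8080 is firewalled, this exposes the JMAP API and the web admin without TLS on all addresses. Bind it to loopback, e.g. bind = "127.0.0.1:8080" (or "[::1]:8080" if the proxy connects over IPv6), so only the proxy can reach it.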
Line 45: Line 54:
       challenge = "dns-01";
       challenge = "dns-01";
       contact = "user1@example.org";
       contact = "user1@example.org";
       domains = [ "example.org" ];
       domains = [ "example.org" "mx1.example.org" ];
       provider = "cloudflare";
       provider = "cloudflare";
       secret = "****";
       secret = "%{file:/etc/stalwart/acme-secret}%";
     };
     };
     session.auth = {
     session.auth = {
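Review bot: secret = "%{file:/etc/stalwart/acme-secret}%" keeps the Cloudflare API token on the mail host permanently, so issue it as a token scoped to DNS edit on the example.org zone only; a compromise of the mail server should not be able to rewrite other zones or the account. Adding "mx1.example.org" to domains is consistent with the new server.hostname and with the TLSA record for _25._tcp.mx1.example.org listed below, but note the file this macro reads is the one created by the environment.etc block at the start of the diff, which lands in the world-readable store.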
Line 61: Line 70:
       principals = [
       principals = [
         {
         {
           class = "admin";
           class = "individual";
           name = "User 1";
           name = "User 1";
           secret = "foobar";
           secret = "%{file:/etc/stalwart/mail-pw1}%";
           email = [ "user1@example.org" ];
           email = [ "user1@example.org" ];
         }
         }
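Review bot: changing User 1 from class = "admin" to class = "individual" is the right fix, since a mailbox user should not carry admin rights; with the separate authentication.fallback-admin account added below there is no reason for any mailbox principal to be an admin. The password now comes from /etc/stalwart/mail-pw1, which is the same file the next hunk assigns to postmaster (see the note there).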
Line 69: Line 78:
           class = "individual";
           class = "individual";
           name = "postmaster";
           name = "postmaster";
           secret = "foobar";
           secret = "%{file:/etc/stalwart/mail-pw1}%";
           email = [ "postmaster@example.org" ];
           email = [ "postmaster@example.org" ];
         }
         }
       ];
       ];
    };
    authentication.fallback-admin = {
      user = "admin";
      secret = "%{file:/etc/stalwart/admin-pw}%";
     };
     };
   };
   };
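Review bot: postmaster now reads secret = "%{file:/etc/stalwart/mail-pw1}%", the same file as User 1, although the environment.etc block defines a separate "stalwart/mail-pw2" that is never used; point postmaster at mail-pw2 (or drop the unused file) so the two mailboxes do not share one password. The new authentication.fallback-admin block is a sensible break-glass account, but it is reachable through the proxied web admin, so its secret file must hold a strong, unique value rather than "foobar" and must not live in the store.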
Line 82: Line 95:
     "webadmin.example.org" = {
     "webadmin.example.org" = {
       extraConfig = ''
       extraConfig = ''
         reverse_proxy http://127.0.01:8080
         reverse_proxy http://127.0.0.1:8080
       '';
       '';
       serverAliases = [
       serverAliases = [
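Review bot: the 127.0.01 to 127.0.0.1 correction is right. Keep in mind that "webadmin.example.org" and every serverAlias in this virtual host proxy to the same Stalwart HTTP upstream, which also serves the admin UI, so the admin login is reachable under the mail, autoconfig and autodiscover names as well; if only webadmin.example.org is meant to expose it, restrict the admin paths on the proxy for the alias names.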
Line 88: Line 101:
         "autoconfig.example.org"
         "autoconfig.example.org"
         "autodiscover.example.org"
         "autodiscover.example.org"
        "mail.example.org"
       ];
       ];
     };
     };
   };
   };
};}}TLS key generation is done using DNS-01 challenge through Cloudflare domain provider, see dns-update library for [https://github.com/stalwartlabs/dns-update further providers] or configure [https://stalw.art/docs/server/tls/certificates manual certificates].
};}}
 
TLS key generation is done using DNS-01 challenge through Cloudflare domain provider, see dns-update library for [https://github.com/stalwartlabs/dns-update further providers] or configure [https://stalw.art/docs/server/tls/certificates manual certificates].


== Configuration ==
== Configuration ==
=== DNS records ===
Before adding required records to the example domain <code>example.org</code>, we need to register the domain on the Stalwart server.<syntaxhighlight lang="shell">
stalwart-cli --url https://webadmin.example.org domain create example.org
</syntaxhighlight>Authenticate using the fallback-admin password.
Review the list of which DNS records are required including their values for the mail server to work at https://webadmin.example.org/manage/directory/domains/tuxtux.com.co/view. Especially following records are essential:
* Record type: A, Name: example.org
* Record type: AAAA, Name: example.org
* Record type: CNAME, Name: autoconfig Value: example.org
* Record type: CNAME, Name: autodiscover, Value: example.org
* Record type: CNAME, Name: mail, Value: example.org
* Record type: CNAME, Name: mta-sts, Value: example.org
* Record type: CNAME, Name: mail, Value: example.org
* Record type: CNAME, Name: webadmin, Value: example.org
* Record type: MX, Name: example.org, Value: mx1.example.org
* Record type: SRV, Name: _imaps._tcp
* Record type: SRV, Name: _submissions._tcp
* Record type: TLSA, Name: _25._tcp.example.org., Value: Only the one starting with "3 1 1" required
* Record type: TLSA, Name: _25._tcp.mx1.example.org., Value: Only the one starting with "3 1 1" required
* Record type: TXT, Name: 202409e._domainkey
* Record type: TXT, Name: 202409r._domainkey
* Record type: TXT, Name: _dmarc
* Record type: TXT, Name: mx1
* Record type: TXT, Name: _smtp._tls
* Record type: TXT, Name: example.org


=== DNSSEC ===
=== DNSSEC ===
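Review bot: three things in the new DNS records section: the review URL https://webadmin.example.org/manage/directory/domains/tuxtux.com.co/view still contains the author's real domain instead of example.org (the same leak the jmap url line fixed earlier); "Record type: CNAME, Name: mail, Value: example.org" appears twice; and A/AAAA records are listed only for example.org, while the MX value mx1.example.org and the TLSA record _25._tcp.mx1.example.org. both require mx1.example.org to resolve through its own A/AAAA records (an MX target may not be a CNAME). The TLSA wording "Value: Only the one starting with "3 1 1" required" should read "only the record starting with 3 1 1 is required". The stalwart-cli command is fine, but the sentence "Authenticate using the fallback-admin password." would be clearer placed before the command, together with how the credentials are passed.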
Line 105: Line 148:


== Tips and tricks ==
== Tips and tricks ==
=== Test mail server ===
You can use several online tools to test your mail server configuration:
* [https://en.internet.nl/test-mail en.internet.nl/test-mail]: Test your mail server configuration for validity and security.
* [https://www.mail-tester.com mail-tester.com]: Send a mail to this service and get a rating about the "spaminess" of your mail server.
* Send a mail to the echo server <code>echo@univie.ac.at</code>. You should receive a response containing your message in several seconds.


=== Unsecure setup for testing environments ===
=== Unsecure setup for testing environments ===
The following minimal configuration example is unsecure and for testing purpose only. It will run the Stalwart mail server on <code>localhost</code>, listening on port <code>143</code> (IMAP) and <code>587</code> (Submission). Users <code>alice</code> and <code>bob</code> are configured with the password <code>foobar</code>.{{file|/etc/nixos/configuration.nix|nix|3=services.stalwart-mail = {
The following minimal configuration example is unsecure and for testing purpose only. It will run the Stalwart mail server on <code>localhost</code>, listening on port <code>143</code> (IMAP) and <code>587</code> (Submission). Users <code>alice</code> and <code>bob</code> are configured with the password <code>foobar</code>.{{file|/etc/nixos/configuration.nix|nix|3=services.stalwart-mail = {
   enable = true;
   enable = true;
  # Use newer, latest version in NixOS 24.05
  package = pkgs.stalwart-mail;
   settings = {
   settings = {
     server = {
     server = {
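Review bot: the added comment "# Use newer, latest version in NixOS 24.05" is self-contradictory ("newer, latest") and the line below it merely selects pkgs.stalwart-mail, so either name the version or channel the comment means or drop it. In the heading and text, "Unsecure" should be "Insecure". The "Test mail server" tips are useful, but they all send or receive real mail from the server, so they belong after the production DNS records are in place, not with the localhost test setup that follows.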