Maddy

From NixOS Wiki
Revision as of 19:53, 5 August 2022 by imported>Onny (Easier DNS setup)

Maddy is a composable, modern mail server written in Go. It includes everything required to manage users and inboxes and to send and receive mail, while supporting all important secure protocols and standards.

Installation

Note: The following example describes the usage of an experimental module which is still being reviewed as an open PR and might not be ready for production.

The following example enables the Maddy mail server listening on the SMTP/Submission ports (25, 587) for mail delivery and on the IMAP/IMAPS ports (143, 993) for mail clients to connect to. The server is configured to send and receive mail for the primary domain example.org.

/etc/nixos/configuration.nix
services.maddy = {
  enable = true;
  openFirewall = true;
  primaryDomain = "example.org";
  tls = {
    # Keep these as quoted strings: an unquoted Nix path literal is read at
    # evaluation time and copied into the world-readable Nix store, private key included.
    certPath = "/var/lib/acme/example.org/example.org.crt";
    keyPath = "/var/lib/acme/example.org/example.org.key";
  };
  imap = {
    port = 143;
    tlsEnable = true;
    tlsPort = 993;
  };
};

TLS certificates can be obtained using services like certbot or the NixOS acme service. Please refer to their documentation on how to configure them to acquire the certificates.

Configuration

DNS records

It may be easier to run your own authoritative-only DNS server, which provides the records that other mail servers and clients rely on. For the meaning of the individual DNS records, or for manual setup instructions, see the Maddy setup tutorial.

/etc/nixos/configuration.nix
services.nsd = {
  enable = true;
  interfaces = [
    "0.0.0.0"
    "::"
  ];
  zones."example.org.".data = ''
    ; names without a trailing dot are relative to example.org.
    @ SOA ns.example.org. noc.example.org. 666 7200 3600 1209600 3600
    ; the zone must name its own nameserver (this host)
    @ NS ns
    ns A 1.2.3.4
    ns AAAA abcd::eeff
    @ A 1.2.3.4
    @ AAAA abcd::eeff
    @ MX 10 mx1
    mx1 A 1.2.3.4
    mx1 AAAA abcd::eeff
    @ TXT "v=spf1 mx ~all"
    mx1 TXT "v=spf1 mx ~all"
    _dmarc TXT "v=DMARC1; p=quarantine; ruf=mailto:postmaster@example.org"
    _mta-sts TXT "v=STSv1; id=1"
    _smtp._tls TXT "v=TLSRPTv1;rua=mailto:postmaster@example.org"
    default._domainkey TXT "v=DKIM1; k=ed25519; p=nAcUUozPlhc4VPhp7hZl+owES7j7OlEv0laaDEDBAqg="
  '';
};

Update the IPv4 and IPv6 addresses after A and AAAA to the public IP addresses of your mail server. The last entry is used by the DKIM authentication mechanism, which enables recipients to verify the authenticity of mail sent by your server. Create that DNS record using the value of the file Maddy generated on first startup, /var/lib/maddy/dkim_keys/example.org_default.dns.

Now that your server runs a DNS daemon besides the mail server, you have to configure it as the external nameserver of your domain example.org. Please consult your domain provider on how to do that.
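A typo in one of these TXT records (an unbalanced quote, a missing DMARC policy tag, an empty DKIM key) silently weakens the protection the records are meant to give, so it is worth linting the zone data before deploying it. The following script is an added example, not part of the wiki page, Maddy or nsd: it parses TXT records written in the same layout as the zone data above and checks the SPF, DMARC, MTA-STS, TLSRPT and DKIM records for the properties each one cannot do without. The sample zone is constructed here (documentation addresses, the DKIM value from the example above) and the checks go slightly beyond the page, covering all selectors and SPF records in the zone rather than only the apex.

```python
"""Sanity-check the mail-related TXT records of a zone written in the layout above."""
import base64
import shlex

# Constructed sample zone in the same layout as the nsd zone data above.
SAMPLE_ZONE = """
@ SOA ns.example.org. noc.example.org. 666 7200 3600 1209600 3600
@ NS ns
ns A 192.0.2.10
@ A 192.0.2.10
@ MX 10 mx1
mx1 A 192.0.2.10
@ TXT "v=spf1 mx ~all"
mx1 TXT "v=spf1 mx ~all"
_dmarc TXT "v=DMARC1; p=quarantine; ruf=mailto:postmaster@example.org"
_mta-sts TXT "v=STSv1; id=1"
_smtp._tls TXT "v=TLSRPTv1;rua=mailto:postmaster@example.org"
default._domainkey TXT "v=DKIM1; k=ed25519; p=nAcUUozPlhc4VPhp7hZl+owES7j7OlEv0laaDEDBAqg="
"""


def parse_txt_records(zone_text):
    """Map owner name -> list of TXT values; raises ValueError on unbalanced quotes."""
    records = {}
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        try:
            fields = shlex.split(line)  # honours the "..." quoting of TXT data
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from exc
        if len(fields) >= 3 and fields[1].upper() == "TXT":
            records.setdefault(fields[0], []).append(" ".join(fields[2:]))
    return records


def tags(value):
    """Split 'tag=value; tag=value' data (DMARC, DKIM, MTA-STS, TLSRPT) into a dict."""
    out = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            out[key.strip().lower()] = val.strip()
    return out


def lint_zone(zone_text):
    """Return human-readable findings; an empty list means the records look sane."""
    try:
        txt = parse_txt_records(zone_text)
    except ValueError as exc:
        return [f"syntax: {exc}"]
    findings = []

    # SPF: exactly one record at the apex; every SPF record must close with an
    # 'all' mechanism (or redirect=), and '+all' would authorise any host at all.
    apex_spf = [v for v in txt.get("@", []) if v.lower().startswith("v=spf1")]
    if len(apex_spf) != 1:
        findings.append(f"spf: expected one v=spf1 record at the apex, found {len(apex_spf)}")
    for owner, values in txt.items():
        for value in values:
            if value.lower().startswith("v=spf1"):
                last = value.split()[-1].lower()
                if last in ("all", "+all"):
                    findings.append(f"spf: {owner} ends in '+all', which permits any sender")
                elif not (last.endswith("all") or last.startswith("redirect=")):
                    findings.append(f"spf: {owner} does not end in an 'all' mechanism or redirect=")

    # DMARC: the policy tag is mandatory and must be none, quarantine or reject.
    dmarc = txt.get("_dmarc", [])
    if len(dmarc) != 1 or not dmarc[0].startswith("v=DMARC1"):
        findings.append("dmarc: exactly one _dmarc TXT starting with v=DMARC1 is required")
    elif tags(dmarc[0]).get("p") not in ("none", "quarantine", "reject"):
        findings.append(f"dmarc: missing or invalid policy tag in {dmarc[0]!r}")

    # MTA-STS and TLSRPT: version tag plus the one tag each record needs.
    sts = txt.get("_mta-sts", [])
    if not (sts and sts[0].startswith("v=STSv1") and "id" in tags(sts[0])):
        findings.append("mta-sts: _mta-sts TXT needs v=STSv1 and an id= tag")
    rpt = txt.get("_smtp._tls", [])
    if not (rpt and rpt[0].startswith("v=TLSRPTv1") and "rua" in tags(rpt[0])):
        findings.append("tlsrpt: _smtp._tls TXT needs v=TLSRPTv1 and a rua= tag")

    # DKIM: every selector must publish a non-empty, well-formed public key.
    for owner, values in txt.items():
        if not owner.endswith("._domainkey"):
            continue
        for value in values:
            t = tags(value)
            pub = t.get("p")
            key_type = t.get("k", "rsa")
            if pub is None:
                findings.append(f"dkim: {owner} has no p= tag")
            elif pub == "":
                findings.append(f"dkim: {owner} publishes an empty key (selector revoked)")
            elif key_type not in ("rsa", "ed25519"):
                findings.append(f"dkim: {owner} has unknown key type k={key_type}")
            else:
                try:
                    raw = base64.b64decode(pub, validate=True)
                except ValueError:  # binascii.Error is a ValueError
                    findings.append(f"dkim: {owner} p= is not valid base64")
                    continue
                if key_type == "ed25519" and len(raw) != 32:
                    findings.append(f"dkim: {owner} ed25519 key must be 32 bytes, got {len(raw)}")
    return findings
```

Run `lint_zone` on the string you are about to paste into `zones."example.org.".data`; it returns an empty list for the sample above, and an unterminated quote in the DMARC line, a `+all` SPF or an empty `p=` in the DKIM record each produce one finding naming the record.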

Managing users and inboxes

Create credentials and an inbox for an account. The first command creates the user postmaster@example.org and prompts for a password; the second creates the IMAP account for it.

# maddyctl creds create postmaster@example.org
# maddyctl imap-acct create postmaster@example.org

Spam filtering

You can enable and use the rspamd spam filtering daemon:

/etc/nixos/configuration.nix
services.rspamd.enable = true;

Then add the following check block to your Maddy configuration at the beginning of the msgpipeline local_routing section, as referenced by the default config:

msgpipeline local_routing {

  check {
    rspamd
  }

  [...]

Autoconfig

Since Maddy does not support this feature yet, you can run an additional web service that serves autoconfig or autodiscover files for mail clients such as Thunderbird, iOS Mail or Outlook, so the server settings do not have to be entered into these apps manually. In this example we tell the clients that our mail server runs on the domain example.org and which IMAP/SMTP ports to use.

/etc/nixos/configuration.nix
services.go-autoconfig = {
  enable = true;
  domain = "autoconfig.example.org";
  imap = {
    server = "example.org";
    port = 993;
  };
  smtp = {
    server = "example.org";
    port = 587;
  };
};

After that, the autoconfig service (based on the go-autoconfig program) listens on http://localhost:1323 and serves the configuration information used by the clients.

You can use your preferred web server, for example Caddy, to proxy this service to an outside-facing domain such as https://autoconfig.example.org:

/etc/nixos/configuration.nix
services.caddy = {
  enable = true;
  virtualHosts."autoconfig.example.org".extraConfig = ''
    reverse_proxy http://localhost:1323
  '';
};

Outlook and Thunderbird also need a DNS SRV record named _autodiscover._tcp.example.org in the example.org zone:

# dig SRV _autodiscover._tcp.example.org
;; ANSWER SECTION:
_autodiscover._tcp.example.org 3600 IN SRV 0 0 443 autoconfig.example.org

Of course, the autoconfig.example.org domain must point to your server running the SSL-enabled web service.
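Whatever the autoconfig service publishes is what every client will use unquestioned, so a document that advertises a plaintext socket or a wrong port downgrades all of them at once. The following script is an added example, not part of the wiki page or of go-autoconfig: it parses a Thunderbird-style `clientConfig` 1.1 document (a constructed sample mirroring the example.org settings above) and flags any server entry whose socket type would leave the password-cleartext login unencrypted, whose port does not match the expected TLS mode, or whose hostname is not the one you intended to advertise.

```python
"""Lint a Thunderbird-style autoconfig document so clients are only told to connect over TLS."""
import xml.etree.ElementTree as ET

# Constructed sample in the clientConfig 1.1 layout that Thunderbird fetches from the
# autoconfig host; it mirrors the go-autoconfig settings above (example.org, 993/587).
SAMPLE_AUTOCONFIG = """<clientConfig version="1.1">
  <emailProvider id="example.org">
    <domain>example.org</domain>
    <displayName>example.org mail</displayName>
    <incomingServer type="imap">
      <hostname>example.org</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>example.org</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>
"""

# Port / socket pairings that keep the (cleartext-password) login inside TLS.
EXPECTED_SOCKET = {
    ("imap", 993): "SSL", ("imap", 143): "STARTTLS",
    ("smtp", 465): "SSL", ("smtp", 587): "STARTTLS",
}


def lint_autoconfig(xml_text, expected_hosts=("example.org",)):
    """Return findings for every server entry that would weaken the client connection."""
    root = ET.fromstring(xml_text)
    servers = (root.findall("./emailProvider/incomingServer")
               + root.findall("./emailProvider/outgoingServer"))
    findings = []
    if not servers:
        findings.append("no incomingServer/outgoingServer entries found")
    for srv in servers:
        kind = srv.get("type", "?")
        host = srv.findtext("hostname", "")
        port = int(srv.findtext("port", "0"))
        socket_type = srv.findtext("socketType", "plain")
        label = f"{kind} {host}:{port}"
        if host not in expected_hosts:
            findings.append(f"{label}: hostname is not one of {expected_hosts}")
        # password-cleartext is PLAIN/LOGIN SASL; acceptable only inside TLS.
        if socket_type == "plain":
            findings.append(f"{label}: advertises a plaintext socket; credentials would be sent in the clear")
        wanted = EXPECTED_SOCKET.get((kind, port))
        if wanted is None:
            findings.append(f"{label}: not a standard IMAP/submission port")
        elif wanted != socket_type:
            findings.append(f"{label}: port {port} should use {wanted}, document says {socket_type}")
    return findings
```

Fetch the document your proxy actually serves (for Thunderbird that is the `/mail/config-v1.1.xml` path on the autoconfig host) and pass its body to `lint_autoconfig`; an empty result means every advertised endpoint matches the ports and TLS modes configured for Maddy above.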