{ flake, config, pkgs, lib, ... }: let dkimDNSb12fio = '' default._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB" ) ; ''; in { age.secrets."b12f.io-dkim-private-rsa" = { file = "${flake.self}/secrets/b12f.io-dkim-private-rsa.age"; path = "/var/lib/maddy/dkim_keys/b12f.io_default.key"; mode = "400"; owner = "maddy"; }; age.secrets."mail@b12f.io-password" = { file = "${flake.self}/secrets/mail@b12f.io-password.age"; mode = "400"; owner = "maddy"; }; security.acme.certs = { "mail.b12f.io" = { reloadServices = [ "maddy" ]; group = "maddy"; }; "mta-sts.b12f.io" = {}; }; services.nginx.virtualHosts = { "mta-sts.b12f.io" = { forceSSL = true; useACMEHost = "mta-sts.b12f.io"; locations."/" = { root = pkgs.runCommand "create-well-known-mta-sts" {} '' mkdir -p "$out/.well-known" echo " version: STSv1 mode: enforce max_age: 604800 mx: mail.b12f.io " > "$out/.well-known/mta-sts.txt" ''; tryFiles = "$uri $uri/ =404"; }; }; }; systemd.tmpfiles.rules = [ "d '/run/maddy' 0750 maddy maddy - -" ]; system.activationScripts.makeMaddyDKIMDNS = lib.stringAfter [ "var" ] '' mkdir -p /var/lib/maddy/dkim_keys echo '${dkimDNSb12fio}' >> /var/lib/maddy/dkim_keys/b12f.io_default.dns ''; services.maddy = { enable = true; openFirewall = true; hostname = "mail.b12f.io"; primaryDomain = "b12f.io"; ensureAccounts = [ "mail@b12f.io" ]; ensureCredentials = { # Do not use this in production. This will make passwords world-readable # in the Nix store "mail@b12f.io".passwordFile = config.age.secrets."mail@b12f.io-password".path; }; tls = { loader = "file"; certificates = [ { keyPath = "${config.security.acme.certs."mail.b12f.io".directory}/key.pem"; certPath = "${config.security.acme.certs."mail.b12f.io".directory}/cert.pem"; } ]; }; config = '' # Minimal configuration with TLS disabled, adapted from upstream example # configuration here https://github.com/foxcpp/maddy/blob/master/maddy.conf # Do not use this in production! auth.pass_table local_authdb { table sql_table { driver sqlite3 dsn credentials.db table_name passwords } } storage.imapsql local_mailboxes { driver sqlite3 dsn imapsql.db } table.chain local_rewrites { optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3" optional_step static { entry postmaster postmaster@$(primary_domain) } optional_step file /etc/maddy/aliases } msgpipeline local_routing { check { rspamd { api_path http://localhost:11334 } } destination b12f.io { modify { replace_rcpt regexp ".*" "mail@b12f.io" } deliver_to &local_mailboxes } destination postmaster $(local_domains) { modify { replace_rcpt &local_rewrites } deliver_to &local_mailboxes } default_destination { reject 550 5.1.1 "User doesn't exist" } } smtp tcp://0.0.0.0:25 { limits { all rate 20 1s all concurrency 10 } dmarc yes check { require_mx_record dkim spf } source $(local_domains) { reject 501 5.1.8 "Use Submission for outgoing SMTP" } default_source { destination postmaster $(local_domains) { deliver_to &local_routing } default_destination { reject 550 5.1.1 "User doesn't exist" } } } submission tcp://0.0.0.0:587 { limits { all rate 50 1s } auth &local_authdb source $(local_domains) { check { authorize_sender { prepare_email &local_rewrites user_to_email identity } } destination postmaster $(local_domains) { deliver_to &local_routing } default_destination { modify { dkim $(primary_domain) $(local_domains) default } deliver_to &remote_queue } } default_source { reject 501 5.1.8 "Non-local sender domain" } } target.remote outbound_delivery { limits { destination rate 20 1s destination concurrency 10 } mx_auth { dane mtasts { cache fs fs_dir mtasts_cache/ } local_policy { min_tls_level encrypted min_mx_level none } } } target.queue remote_queue { target &outbound_delivery autogenerated_msg_domain $(primary_domain) bounce { destination postmaster $(local_domains) { deliver_to &local_routing } default_destination { reject 550 5.0.0 "Refusing to send DSNs to non-local addresses" } } } imap tcp://0.0.0.0:143 { auth &local_authdb storage &local_mailboxes } ''; }; services.rspamd = { enable = true; locals."dkim_signing.conf".text = '' enabled = false; ''; }; systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "maddy" ]; }