diff --git a/services/mail.nix b/services/mail.nix
index 90c6b0b..5d4c0d7 100644
--- a/services/mail.nix
+++ b/services/mail.nix
@@ -1,161 +1,163 @@ { config, pkgs, lib, sources, ... }: { - imports = [ - sources.nixos-mailserver.outPath - ]; + imports = [ sources.nixos-mailserver.outPath ]; # reduce log spam - systemd.services.rspamd.serviceConfig.LogLevelMax = 3; # this is set to error because rspamd regularly complains about not enough learns + systemd.services.rspamd.serviceConfig.LogLevelMax = + 3; # this is set to error because rspamd regularly complains about not enough learns systemd.services.postfix.serviceConfig.LogLevelMax = 5; # = notice systemd.services.dovecot2.serviceConfig.LogLevelMax = 5; # = notice # stop postfix from dying if rspamd hiccups systemd.services.postfix.unitConfig = { - Requires = lib.mkForce "dovecot2.service opendkim.service"; + Requires = lib.mkForce "dovecot2.service opendkim.service"; }; mailserver = { mailDirectory = "/persist/mail"; enable = true; fqdn = "mail.hacc.space"; - domains = [ "hacc.space" "muc.hacc.space" "hacc.earth" "4future.dev" "4futu.re" "infra4future.de" "discuss.infra4future.de" ]; + monitoring = { + enable = true; + alertAddress = "admin@hacc.space"; + }; + domains = [ + "hacc.space" + "muc.hacc.space" + "hacc.earth" + "4future.dev" + "4futu.re" + "infra4future.de" + ]; loginAccounts = { - "hexchen@hacc.space".hashedPassword = "$6$x9skYtRp4dgxC$1y8gPC2BuVqG3kJVSMGgzZv0Bg1T9qxcnBWLIDbANy1d//SQ23Y7s3IMYcEPd1/l/MYWD9Y/Qse6HbT5w5Xwq/"; - "hexchen@hacc.space".aliases = [ "postmaster@hacc.space" "abuse@hacc.space" "hexchen@infra4future.de" ]; + "hexchen@hacc.space".hashedPassword = + "$6$x9skYtRp4dgxC$1y8gPC2BuVqG3kJVSMGgzZv0Bg1T9qxcnBWLIDbANy1d//SQ23Y7s3IMYcEPd1/l/MYWD9Y/Qse6HbT5w5Xwq/"; - "octycs@hacc.space".hashedPassword = "$6$KceTivtJ$58jxhYF6ULfivNsb3Z0J7PnGea0Hs2wTWh3c9FrKRIAmuOD96u2IDgZRCn6P5NrXA0BL.n6HC2RS3r.4JnOmg."; - "octycs@hacc.space".aliases = [ "markus@hacc.space" ]; + "octycs@hacc.space".hashedPassword = + "$6$KceTivtJ$58jxhYF6ULfivNsb3Z0J7PnGea0Hs2wTWh3c9FrKRIAmuOD96u2IDgZRCn6P5NrXA0BL.n6HC2RS3r.4JnOmg."; + 
"octycs@hacc.space".aliases = [ "markus@hacc.space" ]; - "raphael@hacc.space".hashedPassword = "$6$QveHpwMcp9mkFVAU$EFuahOrJIxPg.c.WGFHtrP3.onwJYwvP7fiBHHGb9jhosewZ2tEUP.2D3uyDLhd9Cfny6Yp4jDk/Hkjk7/ME1/"; + "raphael@hacc.space".hashedPassword = + "$6$QveHpwMcp9mkFVAU$EFuahOrJIxPg.c.WGFHtrP3.onwJYwvP7fiBHHGb9jhosewZ2tEUP.2D3uyDLhd9Cfny6Yp4jDk/Hkjk7/ME1/"; - "schweby@hacc.space".hashedPassword = "$6$BpYhwcZNrkLhVqK$6FMqA/vUkdV4GBlHLSqS5DRCb/CaLDNeIsBcZ8G30heytS/tJj2Ag7b1ovSltTA4PUfhee3pJrz1BkwkA93vN1"; + "schweby@hacc.space".hashedPassword = + "$6$BpYhwcZNrkLhVqK$6FMqA/vUkdV4GBlHLSqS5DRCb/CaLDNeIsBcZ8G30heytS/tJj2Ag7b1ovSltTA4PUfhee3pJrz1BkwkA93vN1"; - "zauberberg@hacc.space".hashedPassword = "$6$ISAaU8X6D$oGKe9WXDWrRpGzHUTdxrxdtg9zuGOlBMuDc82IZhegpsv1bqd550FhZZrI40IjZTA5Hy2MZ8j/0efpnQ4fOQH0"; - "zauberberg@hacc.space".aliases = [ "lukas@hacc.space" ]; + "zauberberg@hacc.space".hashedPassword = + "$6$ISAaU8X6D$oGKe9WXDWrRpGzHUTdxrxdtg9zuGOlBMuDc82IZhegpsv1bqd550FhZZrI40IjZTA5Hy2MZ8j/0efpnQ4fOQH0"; + "zauberberg@hacc.space".aliases = [ "lukas@hacc.space" ]; - "stuebinm@hacc.space".hashedPassword = "$6$mjrMQG5smqLRlm$WzmbiZnGlEXGT7hj/n2qz0nvVzGyZfMToCyLRi0wErfVEHI7y7jtWoHqIWnpcHAM29UocsIFFsUCb3XqQCwwB."; + "stuebinm@hacc.space".hashedPassword = + "$6$mjrMQG5smqLRlm$WzmbiZnGlEXGT7hj/n2qz0nvVzGyZfMToCyLRi0wErfVEHI7y7jtWoHqIWnpcHAM29UocsIFFsUCb3XqQCwwB."; - "lenny@hacc.space".hashedPassword = "$6$EZpv9XImv5F3$p2NSoo5gLxh6NnB3/C6wF8knRTuMHqDXYF3BEscaQuk7qok2Z13xKT/6mFvvSKKBnFCuYptgnfGswmoqIzm/1/"; - "lenny@hacc.space".aliases = [ "rinderhacc@hacc.space" ]; + "lenny@hacc.space".hashedPassword = + "$6$EZpv9XImv5F3$p2NSoo5gLxh6NnB3/C6wF8knRTuMHqDXYF3BEscaQuk7qok2Z13xKT/6mFvvSKKBnFCuYptgnfGswmoqIzm/1/"; + "lenny@hacc.space".aliases = [ "rinderhacc@hacc.space" ]; - "finance@muc.hacc.space".hashedPassword = "$6$R3GRmvXwqnMM6q.R$Y9mrUAmMnCScsM6pKjxo2a2XPM7lHrV8FIgK0PzhYvZbxWczo7.O4dk1onYeV1mRx/nXZfkZNjqNCruCn0S2m."; + "finance@muc.hacc.space".hashedPassword = + 
"$6$R3GRmvXwqnMM6q.R$Y9mrUAmMnCScsM6pKjxo2a2XPM7lHrV8FIgK0PzhYvZbxWczo7.O4dk1onYeV1mRx/nXZfkZNjqNCruCn0S2m."; - # service accounts - "noreply@hacc.space".hashedPassword = "$6$YsqMoItITZUzI5wo$5Lejf8XBHRx4LW4VuZ9wJCiBbT4kOV/EZaCdWQ07eVIrkRTZwXWZ5zfsh.olXEFwvpNWN.DBnU.dQc.cC0/ra/"; - "newsletter@hacc.space".hashedPassword = "$6$f0xKnQxBInd$zbVIi1lTKWauqW.c8sMNLHNwzn81oQrVOiIfJwPa98n9xWz/NkjuWLYuFpK.MSZwNwP7Yv/a/qaOb9v8qv/.N1"; - "gitlab@infra4future.de".hashedPassword = "$6$8vvkYuxv$9xV5WktsqfgM3cWSxonjtaohm7oqvDC5qsgJCJBATwesjTRxd/QTLa7t7teK8Nzyl.Py26xz.NvYowCZQ4aBE1"; - "noreply@infra4future.de".hashedPassword = "$6$uaD8bRcT1$gFqhFyu5RUsyUUOG5b.kN.JAJ1rVHvaYhpeRHoMvrERAMgBu1FHu2oDnjTsy.5NKoLc5xpI5uv4Gpy4YbmDmV."; - "discuss@infra4future.de".hashedPassword = "$6$8x8/OlMFjq1$S54jdBh7WjrdC6UtbYAHHzMJak7Ai/CjwmWBBbqh7yRHuZt.mfZrsfBNiL3JKBHE7seQ7JYRU99lJKCU6Aujg/"; + "noreply@hacc.space" = { + hashedPassword = + "$6$YsqMoItITZUzI5wo$5Lejf8XBHRx4LW4VuZ9wJCiBbT4kOV/EZaCdWQ07eVIrkRTZwXWZ5zfsh.olXEFwvpNWN.DBnU.dQc.cC0/ra/"; + aliases = [ "noreply@*" ]; + sendOnly = true; + }; }; extraVirtualAliases = { - # address = forward address; + # address = forward address; - # -- International -- - # info/contact: main entrypoint, anyone can read or reply to this. 
- "info@hacc.space" = [ - "hexchen@hacc.space" - "octycs@hacc.space" - "raphael@hacc.space" - "schweby@hacc.space" - "zauberberg@hacc.space" - "stuebinm@hacc.space" - "lenny@hacc.space" - ]; - # admin: current people with access to the mail server and knowledge on how to use it - "admin@hacc.space" = [ - "hexchen@hacc.space" - "schweby@hacc.space" - "zauberberg@hacc.space" - ]; - # voc: hacc video operation center, various streaming-related things - "voc@hacc.space" = [ - "hexchen@hacc.space" - "schweby@hacc.space" - "octycs@hacc.space" - "stuebinm@hacc.space" - "zauberberg@hacc.space" - "lenny@hacc.space" - "raphael@hacc.space" - ]; + # -- International -- + # info/contact: main entrypoint, anyone can read or reply to this. + "info@hacc.space" = [ + "hexchen@hacc.space" + "octycs@hacc.space" + "raphael@hacc.space" + "schweby@hacc.space" + "zauberberg@hacc.space" + "stuebinm@hacc.space" + "lenny@hacc.space" + ]; - # -- Regional: Germany -- - # board of hacc e.V. - "vorstand@hacc.space" = [ - "raphael@hacc.space" - "schweby@hacc.space" - "zauberberg@hacc.space" - ]; - # members of hacc e.V. 
- "mitglieder@hacc.space" = [ - "hexchen@hacc.space" - "raphael@hacc.space" - "schweby@hacc.space" - "zauberberg@hacc.space" - "lenny@hacc.space" - "octycs@hacc.space" - "stuebinm@hacc.space" - ]; + # admin: current people with access to the mail server and knowledge on how to use itâ„¢ + "admin@hacc.space" = + [ "hexchen@hacc.space" "schweby@hacc.space" "zauberberg@hacc.space" ]; - # -- Regional: Munich -- - "muc@hacc.space" = [ - "hexchen@hacc.space" - "octycs@hacc.space" - "raphael@hacc.space" - "schweby@hacc.space" - "zauberberg@hacc.space" - "stuebinm@hacc.space" - "lenny@hacc.space" - ]; + # voc: hacc video operation center, various streaming-related things + "voc@hacc.space" = [ + "hexchen@hacc.space" + "schweby@hacc.space" + "octycs@hacc.space" + "stuebinm@hacc.space" + "zauberberg@hacc.space" + "lenny@hacc.space" + "raphael@hacc.space" + ]; - # -- c3 world operation centre -- - "world@muc.hacc.space" = [ - "hexchen@hacc.space" - "stuebinm@hacc.space" - ]; + # -- Regional: Germany -- + # board of hacc e.V. + "vorstand@hacc.space" = + [ "raphael@hacc.space" "schweby@hacc.space" "zauberberg@hacc.space" ]; + + # members of hacc e.V. + "mitglieder@hacc.space" = [ + "hexchen@hacc.space" + "raphael@hacc.space" + "schweby@hacc.space" + "zauberberg@hacc.space" + "lenny@hacc.space" + "octycs@hacc.space" + "stuebinm@hacc.space" + ]; + + # -- Regional: Munich -- + "muc@hacc.space" = [ + "hexchen@hacc.space" + "octycs@hacc.space" + "raphael@hacc.space" + "schweby@hacc.space" + "zauberberg@hacc.space" + "stuebinm@hacc.space" + "lenny@hacc.space" + ]; }; # Use Let's Encrypt certificates. Note that this needs to set up a stripped # down nginx and opens port 80. 
certificateScheme = 3; - # Enable IMAP and POP3 - enableImap = true; - enablePop3 = true; - enableImapSsl = true; - enablePop3Ssl = true; + # Only allow implict TLS + enableImap = false; + enablePop3 = false; # Enable the ManageSieve protocol enableManageSieve = true; - # whether to scan inbound emails for viruses (note that this requires at least - # 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty) - virusScanning = false; }; - services.postfix.submissionOptions.smtpd_sender_restrictions = lib.mkForce "reject_non_fqdn_sender,reject_unknown_sender_domain,permit"; - services.postfix.submissionsOptions.smtpd_sender_restrictions = lib.mkForce "reject_non_fqdn_sender,reject_unknown_sender_domain,permit"; + + services.postfix.submissionOptions.smtpd_sender_restrictions = + lib.mkForce "reject_non_fqdn_sender,reject_unknown_sender_domain,permit"; + services.postfix.submissionsOptions.smtpd_sender_restrictions = + lib.mkForce "reject_non_fqdn_sender,reject_unknown_sender_domain,permit"; + services.postfix.virtual = '' + postmaster@* admin@hacc.space + absue@* admin@hacc.space + contact@* info@hacc.space @4future.dev @hacc.space @4futu.re @hacc.space @hacc.earth @hacc.space - @discuss.infra4future.de discuss@infra4future.de - admin@infra4future.de admin@hacc.space - noreply@infra4future.de admin@hacc.space - lukas@infra4future.de zauberberg@hacc.space - info@infra4future.de admin@hacc.space - postmaster@infra4future.de admin@hacc.space - voc@infra4future.de voc@hacc.space - haccvoc@infra4future.de voc@hacc.space - contact@hacc.space info@hacc.space - himmel@hacc.space admin@hacc.space - divoc-patches@muc.hacc.space world@muc.hacc.space + @infra4future.de @hacc.space + haccvoc@* voc@hacc.space ''; systemd.services.alps = { enable = true; - script = "${pkgs.alps}/bin/alps -theme alps imaps://mail.hacc.space:993 smtps://mail.hacc.space:465"; + script = + "${pkgs.alps}/bin/alps -theme alps imaps://mail.hacc.space:993 smtps://mail.hacc.space:465"; 
serviceConfig.WorkingDirectory = "${pkgs.alps}/share/alps"; serviceConfig.Restart = "always"; requiredBy = [ "multi-user.target" ];