{ lib, config, pkgs, ... }:
let
hostname = "mail.${config.networking.domain}";
dovecot-ldap-args = pkgs.writeText "ldap-args" ''
uris = ldap://localhost
dn = uid=search, ou=users, dc=ifsr, dc=de
auth_bind = yes
!include ${config.sops.secrets."dovecot_ldap_search".path}
ldap_version = 3
scope = subtree
base = dc=ifsr, dc=de
user_filter = (&(objectClass=posixAccount)(uid=%n))
pass_filter = (&(objectClass=posixAccount)(uid=%n))
'';
in
{
networking.firewall.allowedTCPPorts = [
993 # IMAPS
4190 # Managesieve
];
sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user;
services.dovecot2 = {
enable = true;
enableImap = true;
enableQuota = true;
quotaGlobalPerUser = "10G";
enableLmtp = true;
enablePAM = false;
mailLocation = "maildir:~/Maildir";
sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem";
sslServerKey = "/var/lib/acme/${hostname}/key.pem";
protocols = [ "imap" "sieve" ];
mailPlugins = {
globally.enable = [ "listescape" ];
perProtocol = {
imap = {
enable = [ "imap_sieve" "imap_filter_sieve" ];
};
lmtp = {
enable = [ "sieve" ];
};
};
};
mailboxes = {
Spam = {
auto = "subscribe";
specialUse = "Junk";
autoexpunge = "60d";
};
Sent = {
auto = "subscribe";
specialUse = "Sent";
};
Drafts = {
auto = "subscribe";
specialUse = "Drafts";
};
Trash = {
auto = "subscribe";
specialUse = "Trash";
};
Archive = {
auto = "no";
specialUse = "Archive";
};
};
modules = [
pkgs.dovecot_pigeonhole
];
# set to satisfy the sieveScripts check, will be overridden by userdb lookups anyways
mailUser = "vmail";
mailGroup = "vmail";
sieve = {
# just pot something in here to prevent empty strings
extensions = [ "notify" ];
pipeBins = map lib.getExe [
(pkgs.writeShellScriptBin "learn-ham.sh" "exec ${pkgs.rspamd}/bin/rspamc learn_ham")
(pkgs.writeShellScriptBin "learn-spam.sh" "exec ${pkgs.rspamd}/bin/rspamc learn_spam")
];
plugins = [
"sieve_imapsieve"
"sieve_extprograms"
];
scripts = {
before = pkgs.writeText "spam.sieve" ''
require "fileinto";
if anyof(
header :contains "x-spam-flag" "yes",
header :contains "X-Spam-Status" "Yes"){
fileinto "Spam";
}
'';
};
};
imapsieve.mailbox = [
{
# Spam: From elsewhere to Spam folder or flag changed in Spam folder
name = "Spam";
causes = [ "COPY" "APPEND" "FLAG" ];
before = ./report-spam.sieve;
}
{
# From Junk folder to elsewhere
name = "*";
from = "Spam";
causes = [ "COPY" ];
before = ./report-ham.sieve;
}
];
extraConfig = ''
auth_username_format = %Ln
passdb {
driver = ldap
args = ${dovecot-ldap-args}
}
userdb {
driver = ldap
args = ${dovecot-ldap-args}
}
service auth {
unix_listener /var/lib/postfix/auth {
group = postfix
mode = 0660
user = postfix
}
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
service_count = 1
}
namespace inbox {
separator = /
inbox = yes
}
service lmtp {
unix_listener dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
client_limit = 1
}
plugin {
# https://doc.dovecot.org/configuration_manual/plugins/listescape_plugin/
listescape_char = "\\"
}
'';
};
}