This shows you the differences between two versions of the page.
— | manuals:server:mailserver-nixos [2020/05/05 19:25] (current) – created martyet | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== Mailserver on NixOS ====== | ||
+ | |||
+ | For easy setup of mailserver we can go declarative way with nixos - we will go through setting up fully working mailserver instance together with proper DNS records. | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | * Postfix & Dovecot | ||
+ | * rspamd (spam filter) & clamav (virus scanning) | ||
+ | * opendkim | ||
+ | * sieve custom scripts | ||
+ | * user aliases & catch all & regular aliases | ||
+ | |||
+ | For proper deliverability we first of all need to configure [[manuals: | ||
+ | |||
+ | |||
+ | (below shown configuration is my own slightly modified for showcase purposes of functionality. So please dont forget to change values (highlighted) according to your needs. | ||
+ | |||
+ | < | ||
+ | { config, pkgs, ... }: | ||
+ | { | ||
+ | imports = [ | ||
+ | (builtins.fetchTarball { | ||
+ | url = " | ||
+ | sha256 = " | ||
+ | }) | ||
+ | ]; | ||
+ | |||
+ | |||
+ | # sets up path to sieve scripts | ||
+ | # services.dovecot2.sieveScripts = { | ||
+ | # before = "/ | ||
+ | # }; | ||
+ | |||
+ | mailserver = { | ||
+ | enable = true; | ||
+ | fqdn = "< | ||
+ | domains = [ " | ||
+ | |||
+ | # A list of all login accounts. To create the password hashes, use | ||
+ | # mkpasswd -m sha-512 "super secret password" | ||
+ | loginAccounts = { | ||
+ | " | ||
+ | hashedPassword = "< | ||
+ | |||
+ | aliases = [ | ||
+ | " | ||
+ | ]; | ||
+ | |||
+ | # Or we can set this to catch all mails going to whole martinmyska.cz domain.com | ||
+ | catchAll = [ | ||
+ | " | ||
+ | ]; | ||
+ | }; | ||
+ | " | ||
+ | hashedPassword = "< | ||
+ | |||
+ | # Or we can catch all mails going to completely another domain | ||
+ | catchAll = [ | ||
+ | " | ||
+ | ]; | ||
+ | }; | ||
+ | |||
+ | |||
+ | }; | ||
+ | # Extra virtual aliases. These are email addresses that are forwarded to | ||
+ | # loginAccounts addresses. | ||
+ | extraVirtualAliases = { | ||
+ | # address = forward address; | ||
+ | #" | ||
+ | }; | ||
+ | |||
+ | # Use Let's Encrypt certificates. Note that this needs to set up a stripped | ||
+ | # down nginx and opens port 80. | ||
+ | certificateScheme = 3; | ||
+ | |||
+ | # Enable IMAP and POP3 | ||
+ | enableImap = true; | ||
+ | enablePop3 = true; | ||
+ | enableImapSsl = true; | ||
+ | enablePop3Ssl = true; | ||
+ | |||
+ | # Enable the ManageSieve protocol | ||
+ | enableManageSieve = true; | ||
+ | |||
+ | # whether to scan inbound emails for viruses (note that this requires at least | ||
+ | # 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty) | ||
+ | virusScanning = true; | ||
+ | }; | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | At last we need to properly configure our domain DNS records as follows: | ||
+ | |||
+ | |||
+ | ^ Domain | ||
+ | |**martinmyska.cz**| TXT | 1800 | | v=spf1 ip4:< | ||
+ | | _dmarc.**martinmyska.cz**|TXT | ||
+ | | mail._domainkey.**martinmyska.cz** |TXT | 1800 | | v=DKIM1; k=rsa; p=< | ||
+ | | mail.**martinmyska.cz** |A | 1800 | | <**IP address of your mailserver**> | ||
+ | | mail.**martinmyska.cz** |MX | 1800 |10 | mail.**martinmyska.cz** | ||
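Review bot: the comment above `loginAccounts` tells readers to run `mkpasswd -m sha-512 "super secret password"`, which leaves the cleartext password in shell history and visible in the process list; suggest `mkpasswd -m sha-512` with no argument so the password is read from a prompt, and say so in the comment. In the listener settings, `enableImap = true;` and `enablePop3 = true;` are turned on next to their `Ssl` variants under a comment that only says "Enable IMAP and POP3"; if clients are expected to connect on the SSL ports only, leave the non-SSL listeners off to reduce the exposed ports, otherwise have the comment state why both are needed. Two wording points: the `catchAll` comment ends in a stray "domain.com" after "martinmyska.cz", and the parenthesis opened at "(below shown configuration" is never closed.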