manuals:server:mailserver-nixos [2020/05/05 21:25] (current)
martyet created
====== Mailserver on NixOS ======

Setting up a mail server on NixOS can be done declaratively. This how-to walks through a fully working mail server instance together with the DNS records it needs.

[[https://gitlab.com/simple-nixos-mailserver/nixos-mailserver|nixos-mailserver]] is a NixOS module that sets up these services:

  * Postfix & Dovecot
  * rspamd (spam filter) & clamav (virus scanning)
  * opendkim
  * sieve custom scripts
  * user aliases & catch-all & regular aliases

For proper deliverability we first of all need to configure the [[manuals:vps:rdns|reverse DNS record (PTR)]]; the domain it resolves to is also used as the FQDN in this how-to. With that in place we can proceed to the configuration on the VPS (placed in the configuration.nix file):

(The configuration shown below is my own, slightly modified for showcase purposes, so please don't forget to change the highlighted values according to your needs.)

<code>
{ config, pkgs, ... }:
{
  imports = [
    (builtins.fetchTarball {
      # for an up-to-date tarball please follow the GitLab repository linked above
      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.3.0/nixos-mailserver-v2.3.0.tar.gz";
      sha256 = "0lpz08qviccvpfws2nm83n7m2r8add2wvfg9bljx9yxx8107r919";
    })
  ];

  # Optional: path to a sieve script that Dovecot runs before the user's own scripts
  # services.dovecot2.sieveScripts = {
  #   before = "/etc/nixos/mailserver/sieve/vpsf.sieve";
  # };

  mailserver = {
    enable = true;
    fqdn = "<your-rDNS-ready-domain-here>";
    # here we specify the domains this server hosts mail for
    domains = [ "martinmyska.cz" "domain.cz" "domain2.cz" ];

    # A list of all login accounts. To create the password hashes, use
    # mkpasswd -m sha-512 "super secret password"
    loginAccounts = {
      "martin@martinmyska.cz" = {
        hashedPassword = "<your-sha512-password-here>";

        # additional addresses delivered into this mailbox (not separate mailbox addresses)
        aliases = [
          "myska@martinmyska.cz"
        ];

        # Or we can catch all mail sent to any address at the whole martinmyska.cz domain
        catchAll = [
          "martinmyska.cz"
        ];
      };
      "info@domain.cz" = {
        hashedPassword = "<your-sha512-password-here>";

        # Or we can catch all mail sent to a completely different hosted domain
        catchAll = [
          "domain2.cz"
        ];
      };
    };

    # Extra virtual aliases. These are email addresses that are forwarded to
    # loginAccounts addresses.
    extraVirtualAliases = {
      # address = forward address;
      # "abuse@example.com" = "user1@example.com";
    };

    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
    # down nginx and opens port 80.
    certificateScheme = 3;

    # Enable IMAP and POP3
    enableImap = true;
    enablePop3 = true;
    enableImapSsl = true;
    enablePop3Ssl = true;

    # Enable the ManageSieve protocol
    enableManageSieve = true;

    # Whether to scan inbound emails for viruses (note that this requires at least
    # 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty)
    virusScanning = true;
  };
}
</code>

Finally we need to configure the DNS records of our domain as follows:

^ Domain                              ^ Type ^ TTL  ^ Priority ^ Value                                                                 ^
| **martinmyska.cz**                  | TXT  | 1800 |          | v=spf1 ip4:<**IP address of mailserver**> -all                        |
| _dmarc.**martinmyska.cz**           | TXT  | 1800 |          | v=DMARC1; p=none                                                      |
| mail._domainkey.**martinmyska.cz**  | TXT  | 1800 |          | v=DKIM1; k=rsa; p=<**your key from** /var/dkim/<your-domain>.**txt**> |
| mail.**martinmyska.cz**             | A    | 1800 |          | <**IP address of your mailserver**>                                   |
| mail.**martinmyska.cz**             | MX   | 1800 | 10       | mail.**martinmyska.cz**                                               |
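A small helper to generate and sanity-check the records above before pasting them into a DNS control panel. This is an added example written for this page; it is not code from the wiki or from the nixos-mailserver project. It assumes the DKIM selector is ''mail'' (matching the ''mail._domainkey'' name in the table), that the key file has the opendkim-genkey zone-file shape (several quoted chunks that must be joined into one string; a constructed sample is used instead of a real key), and that each hosted domain publishes its MX record at the domain itself (e.g. ''martinmyska.cz''), pointing at the server's hostname, which is where other mail servers look it up. It generalises the table to every domain in the ''domains'' list and flags the classic mistakes: a missing or permissive ''all'' mechanism in SPF, a DKIM key pasted with its quoting intact, and a DMARC policy left on ''p=none''.

```python
"""Build and lint the DNS records a nixos-mailserver deployment needs.

Added example, not code from the wiki page or the nixos-mailserver project.
Assumptions (labelled): DKIM selector "mail"; MX at each hosted domain's
apex pointing at the server FQDN; the DKIM key fragment has the
opendkim-genkey zone-file shape (quoted chunks that must be joined).
"""
import base64
import ipaddress
import re

# Constructed sample key material: base64 of a label, NOT a real RSA key.
_SAMPLE_P = base64.b64encode(b"constructed sample, not a real RSA public key").decode()

# Constructed sample of an opendkim-genkey style fragment (line-wrapped chunks).
SAMPLE_DKIM_TXT = (
    'mail._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
    f'\t  "p={_SAMPLE_P[:40]}"\n'
    f'\t  "{_SAMPLE_P[40:]}" )  ; ----- DKIM key mail for martinmyska.cz\n'
)


def flatten_dkim_txt(fragment: str) -> str:
    """Join the quoted chunks of a zone-file TXT fragment into the single
    string that goes into the DNS control panel's value field."""
    return "".join(re.findall(r'"([^"]*)"', fragment))


def parse_tags(record: str) -> dict:
    """Parse a 'tag=value; tag=value' record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def check_spf(record: str, server_ip: str) -> list:
    """Return problems with an SPF record for a server sending from server_ip."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record must start with v=spf1"]
    problems = []
    if f"ip4:{server_ip}" not in terms:
        problems.append(f"SPF record does not authorise the mail server {server_ip}")
    if terms[-1] not in ("-all", "~all"):
        problems.append("SPF record should end with -all (or ~all); '+all' or no 'all' lets anyone send as this domain")
    return problems


def check_dmarc(record: str) -> list:
    """Return problems/warnings for a DMARC record."""
    tags = parse_tags(record)
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("DMARC record must start with v=DMARC1")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        problems.append("DMARC p= must be none, quarantine or reject")
    elif policy == "none":
        problems.append("warning: p=none only monitors; tighten to quarantine/reject once SPF and DKIM pass")
    return problems


def check_dkim(record: str) -> list:
    """Return problems with a published DKIM public-key record."""
    tags = parse_tags(record)
    problems = []
    if tags.get("v") != "DKIM1":
        problems.append("DKIM record must contain v=DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("DKIM key type must match the generated key (k=rsa)")
    try:
        # validate=True rejects stray quotes/whitespace left over from the key file
        if not base64.b64decode(tags.get("p", ""), validate=True):
            problems.append("DKIM record has an empty public key (p=)")
    except ValueError:
        problems.append("DKIM p= is not valid base64; join the quoted chunks of the key file into one string")
    return problems


def expected_records(fqdn, server_ip, domains, dkim_fragments, selector="mail"):
    """Return (name, type, value) rows like the how-to's table for every hosted
    domain. Raises ValueError if server_ip is not a valid IPv4 address."""
    ipaddress.IPv4Address(server_ip)
    rows = [(fqdn, "A", server_ip)]
    for domain in domains:
        rows += [
            (domain, "MX", f"10 {fqdn}."),
            (domain, "TXT", f"v=spf1 ip4:{server_ip} -all"),
            (f"_dmarc.{domain}", "TXT", "v=DMARC1; p=none"),
            (f"{selector}._domainkey.{domain}", "TXT", flatten_dkim_txt(dkim_fragments[domain])),
        ]
    return rows


def lint_records(rows, server_ip):
    """Run the matching checker over each TXT row; return (name, problem) pairs."""
    findings = []
    for name, rtype, value in rows:
        if rtype != "TXT":
            continue
        if name.startswith("_dmarc."):
            problems = check_dmarc(value)
        elif "._domainkey." in name:
            problems = check_dkim(value)
        else:
            problems = check_spf(value, server_ip)
        findings += [(name, p) for p in problems]
    return findings


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for the real server IP.
    rows = expected_records("mail.martinmyska.cz", "192.0.2.10",
                            ["martinmyska.cz"], {"martinmyska.cz": SAMPLE_DKIM_TXT})
    for row in rows:
        print("%-35s %-4s %s" % row)
    for name, problem in lint_records(rows, "192.0.2.10"):
        print(f"{name}: {problem}")
```

Run it with the real server IP, the FQDN from ''mailserver.fqdn'' and the contents of the generated key file for each domain in ''mailserver.domains''; the printed rows are what to publish, and the findings list is what to fix first (on a fresh setup only the DMARC ''p=none'' warning should remain until SPF and DKIM are confirmed to pass).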