module/stalwart-mail: Init initial version

1 files changed, 477 insertions, 0 deletions

diff --git a/modules/by-name/st/stalwart-mail/settings.nix b/modules/by-name/st/stalwart-mail/settings.nix
new file mode 100644
index 0000000..0f382ee
--- /dev/null
+++ b/modules/by-name/st/stalwart-mail/settings.nix
@@ -0,0 +1,477 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  cfg = config.vhack.stalwart-mail;
+in {
+  config.services.stalwart-mail.settings = lib.mkIf cfg.enable {
+    signature."ed25519" = lib.mkIf (cfg.security != null) {
+      private-key = "%{file:${config.age.secrets.stalwartMailDkim.path}}%";
+      domain = "${cfg.fqdn}";
+      selector = "ed-default";
+      headers = ["From" "To" "Cc" "Date" "Subject" "Message-ID" "Organization" "MIME-Version" "Content-Type" "In-Reply-To" "References" "List-Id" "User-Agent" "Thread-Topic" "Thread-Index"];
+      algorithm = "ed25519-sha256";
+      canonicalization = "relaxed/relaxed"; # TODO: What does this do? <2025-02-07>
+      expire = "50d";
+      report = true;
+    };
+
+    auth = {
+      iprev = {
+        verify = "relaxed";
+      };
+      spf = {
+        verify = {
+          ehlo = "relaxed";
+          mail-from = "relaxed";
+        };
+      };
+      dmarc = {
+        verify = "relaxed";
+      };
+      arc = {
+        seal = lib.mkIf (cfg.security != null) "ed25519";
+        verify = "relaxed";
+      };
+      dkim = {
+        verify = "relaxed";
+
+        # Ignore insecure dkim signed messages (i.e., messages containing both
+        # signed and appended not-signed content.)
+        strict = true;
+
+        sign = lib.mkIf (cfg.security != null) "['ed25519']";
+      };
+    };
+    report = {
+      domain = "${cfg.fqdn}";
+      submitter = "'${cfg.fqdn}'";
+      analysis = {
+        addresses = ["dmarc@*" "abuse@*"];
+        forward = true;
+        store = "30d";
+      };
+      tls.aggregate = {
+        from-name = "'TLS Report'";
+        from-address = "'noreply-tls@${cfg.fqdn}'";
+        org-name = "'Foss Syndicate Mail Handling'";
+        contact-info = "'admin@vhack.eu'";
+        send = "daily";
+        max-size = 26214400; # 25 MiB
+        sign = lib.mkIf (cfg.security != null) "['ed25519']";
+      };
+      dmarc = {
+        aggregate = {
+          from-name = "'DMARC Report'";
+          from-address = "'noreply-dmarc@${cfg.fqdn}'";
+          org-name = "'Foss Syndicate Mail Handling'";
+          contact-info = "'admin@vhack.eu'";
+          send = "weekly";
+          max-size = 26214400; # 25MiB
+          sign = lib.mkIf (cfg.security != null) "['ed25519']";
+        };
+        from-name = "'Report Subsystem'";
+        from-address = "'noreply-dmarc@${cfg.fqdn}'";
+        subject = "'DMARC Authentication Failure Report'";
+        send = "1/1d";
+        sign = lib.mkIf (cfg.security != null) "['ed25519']";
+      };
+      spf = {
+        from-name = "'Report Subsystem'";
+        from-address = "'noreply-spf@${cfg.fqdn}'";
+        subject = "'SPF Authentication Failure Report'";
+        send = "1/1d";
+        sign = lib.mkIf (cfg.security != null) "['ed25519']";
+      };
+      dkim = {
+        from-name = "'Report Subsystem'";
+        from-address = "'noreply-dkim@${cfg.fqdn}'";
+        subject = "'DKIM Authentication Failure Report'";
+        send = "1/1d";
+        sign = lib.mkIf (cfg.security != null) "['ed25519']";
+      };
+      dsn = {
+        from-name = "'Mail Delivery Subsystem'";
+        from-address = "'MAILER-DAEMON@${cfg.fqdn}'";
+        sign = lib.mkIf (cfg.security != null) "['ed25519']";
+      };
+    };
+    queue = {
+      schedule = {
+        retry = "[2m, 5m, 10m, 15m, 30m, 1h, 2h]";
+        notify = "[2h, 7h, 1d, 3d]";
+        expire = "5d";
+      };
+      outbound = {
+        tls = {
+          starttls = "require";
+          allow-invalid-certs = false;
+          ip-strategy = "ipv6_then_ipv4";
+        };
+      };
+    };
+    resolver = {
+      type = "system";
+      preserve-intermediates = true;
+      concurrency = 2;
+      timeout = "5s";
+      attempts = 2;
+      try-tcp-on-error = true;
+      public-suffix = [
+        "file://${pkgs.publicsuffix-list}/share/publicsuffix/public_suffix_list.dat"
+      ];
+    };
+
+    spam-filter = {
+      enable = true;
+      header = {
+        status = {
+          enable = true;
+          name = "X-Spam-Status";
+        };
+        result = {
+          enable = true;
+          name = "X-Spam-Result";
+        };
+      };
+      bayes = {
+        enable = true;
+
+        # Learn from users putting mail into JUNK or taking mail out of it.
+        account = {
+          enable = true;
+        };
+      };
+
+      # Fetch the newest spam-filter rules not from github, but from the nix
+      # package.
+      resource = "file://${cfg.package.passthru.spamfilter}/spam-filter.toml";
+      auto-update = false;
+    };
+
+    webadmin = {
+      # Fetch the newest webadmin bundle not from github, but from the nix
+      # package.
+      resource = "file://${cfg.package.passthru.webadmin}/webadmin.zip";
+      auto-update = false;
+      path = "/var/cache/stalwart-mail";
+    };
+
+    session = {
+      milter = {
+        # TODO: Add this <2025-02-07>
+        # "clamav" = {
+        #   enable = true;
+        #   hostname = "127.0.0.1";
+        #   port = 15112;
+        #   tls = false;
+        #   allow-invalid-certs = false;
+        # };
+      };
+      ehlo = {
+        require = true;
+      };
+      rcpt = {
+        directory = "'in-memory'";
+        catch-all = true;
+        subaddressing = true;
+      };
+      data = {
+        spam-filter = true;
+        add-headers = {
+          received = true;
+          received-spf = true;
+          auth-results = true;
+          message-id = true;
+          date = true;
+          return-path = true;
+          delivered-to = true;
+        };
+        auth = {
+          mechanisms = ["LOGIN" "PLAIN"];
+          directory = "'in-memory'";
+          require = true;
+          must-match-sender = true;
+          errors = {
+            total = 3;
+            wait = "5s";
+          };
+        };
+      };
+      extensions = {
+        pipelining = true;
+        chunking = true;
+        requiretls = true;
+        no-soliciting = "";
+        dsn = [
+          {
+            "if" = "!is_empty(authenticated_as)";
+            "then" = true;
+          }
+          {"else" = false;}
+        ];
+        future-release = [
+          {
+            "if" = "!is_empty(authenticated_as)";
+            "then" = "7d";
+          }
+          {"else" = false;}
+        ];
+        deliver-by = [
+          {
+            "if" = "!is_empty(authenticated_as)";
+            "then" = "15d";
+          }
+          {"else" = false;}
+        ];
+        mt-priority = [
+          {
+            "if" = "!is_empty(authenticated_as)";
+            "then" = "mixer";
+          }
+          {"else" = false;}
+        ];
+        vrfy = [
+          {
+            "if" = "!is_empty(authenticated_as)";
+            "then" = true;
+          }
+          {"else" = false;}
+        ];
+        expn = [
+          {
+            "if" = "!is_empty(authenticated_as)";
+            "then" = true;
+          }
+          {"else" = false;}
+        ];
+      };
+    };
+
+    jmap = {
+      account = {
+        purge.frequency = "0 0 *";
+      };
+      protocol = {
+        changes.max-history = "14d";
+      };
+      email = {
+        # NOTE(@bpeetz): We probably want to enable the auto-deletion of emails in
+        # the "Junk" and "Deleted" items mail folders, but this should be
+        # communicated to the users. <2025-02-07>
+        auto-expunge = false;
+      };
+      mailbox = {
+        max-depth = 50;
+        max-name-length = 255;
+      };
+      folders = let
+        mkFolder = name: {
+          inherit name;
+          create = true;
+          subscribe = true;
+        };
+      in {
+        inbox = mkFolder "inbox";
+        drafts = mkFolder "drafts";
+        sent = mkFolder "sent";
+        trash = mkFolder "trash";
+        archive = mkFolder "archive";
+        junk = mkFolder "junk";
+        shared = {name = "shared";};
+      };
+    };
+    imap = {
+      auth = {
+        # Allow password login over non tls connection
+        allow-plain-text = false;
+      };
+    };
+
+    server = {
+      hostname = cfg.fqdn;
+
+      listener = {
+        # TODO(@bpeetz): Add this <2025-02-08>
+        # # HTTP (used for jmap)
+        # "http" = {
+        #   bind = ["[::]:8080"];
+        #   protocol = "http";
+        #   tls.implicit = true;
+        # };
+
+        # IMAP
+        "imap" = {
+          bind = ["[::]:993"];
+          protocol = "imap";
+          tls.implicit = true;
+        };
+        # SMTP
+        "smtp" = {
+          bind = ["[::]:465"];
+          protocol = "smtp";
+          tls.implicit = true;
+        };
+
+        # # POP3 (should be disabled, unless there is a real reason to use it)
+        # "pop3" = {
+        #   bind = ["[::]:995"];
+        #   protocol = "pop3";
+        #   tls.implicit = true;
+        # };
+
+        # # LMTP
+        # "lmtp" = {
+        #   bind = ["[::]:24"];
+        #   protocol = "lmtp";
+        # };
+
+        # ManageSieve
+        "managesieve" = {
+          bind = ["[::]:4190"];
+          protocol = "managesieve";
+          tls.implicit = true;
+        };
+      };
+
+      tls = {
+        enable = true;
+
+        # Expect the client connection to be encrypted from the start (i.e.,
+        # without STARTTLS)
+        implicit = true;
+
+        certificate = "default";
+      };
+
+      # TODO(@bpeetz): Configure that <2025-02-07>
+      # http = {
+      #   url = "";
+      #   allowed-endpoint = ["404"];
+      # };
+
+      auto-ban = {
+        # Ban if the same IP fails to login 10 times in a day
+        rate = "10/1d";
+
+        # Ban the login for an user account, if different IP-Addresses tried and
+        # failed to login 100 times in single day
+        auth.rate = "100/1d";
+
+        abuse.rate = "35/1d";
+
+        loiter.rate = "150/1d";
+
+        scan.rate = "150/1d";
+      };
+
+      cache = let
+        MiB = 1024 * 1024;
+      in {
+        access-token.size = 10 * MiB;
+        http-auth.size = 1 * MiB;
+        permission.size = 5 * MiB;
+        account.size = 10 * MiB;
+        mailbox.size = 10 * MiB;
+        thread.size = 10 * MiB;
+        bayes.size = 10 * MiB;
+        dns = {
+          txt.size = 5 * MiB;
+          mx.size = 5 * MiB;
+          ptr.size = 1 * MiB;
+          ipv4.size = 5 * MiB;
+          ipv6.size = 5 * MiB;
+          tlsa.size = 1 * MiB;
+          mta-sts.size = 1 * MiB;
+          rbl.size = 5 * MiB;
+        };
+      };
+    };
+
+    tracer = {
+      # NOTE(@bpeetz):
+      # We are using the console logger, because that has nice color output.
+      # Simply using the console should be fine, as systemd pipes that to the journal
+      # either way. <2025-02-08>
+      console = {
+        enable = true;
+        ansi = true;
+        level = "info";
+        type = "console";
+      };
+    };
+
+    store = {
+      "rocksdb-data" = {
+        type = "rocksdb";
+        path = "${cfg.dataDirectory}/storage/data";
+        compression = "lz4";
+
+        # Perform “maintenance” every day at 3 am local time.
+        purge.frequency = "0 3 *";
+      };
+      "rocksdb-full-text-search" = {
+        type = "rocksdb";
+        path = "${cfg.dataDirectory}/storage/full-text-search";
+        compression = "lz4";
+
+        # Perform “maintenance” every day at 2 am local time.
+        purge.frequency = "0 2 *";
+      };
+      "file-system" = {
+        type = "fs";
+        path = "${cfg.dataDirectory}/storage/blobs";
+        depth = 2;
+        compression = "lz4";
+
+        # Perform “maintenance” every day at 5:30 am local time.
+        purge.frequency = "30 5 *";
+      };
+      "redis" = {
+        type = "redis";
+        redis-type = "single";
+        urls = "unix://${config.services.redis.servers."stalwart-mail".unixSocket}";
+        timeout = "10s";
+
+        # Perform “maintenance” every day at 2:30 am local time.
+        purge.frequency = "30 2 *";
+      };
+    };
+    storage = {
+      # PostgreSQL is an option, but this is recommended for single node
+      # configurations.
+      data = "rocksdb-data";
+
+      # We could also re-use the data storage backend for that.
+      blob = "file-system";
+
+      full-text.default-language = "en";
+      fts = "rocksdb-full-text-search";
+
+      directory = "in-memory";
+
+      lookup = "redis";
+
+      # NOTE(@bpeetz): This will encrypt all emails with the users pgp key (if it
+      # can be determined.) This is a wonderful feature, but quite tiresome, if
+      # the user intends to read their email without a their pgp key present (for
+      # example via their smartphone.) <2025-02-07>
+      encryption.enable = false;
+    };
+
+    directory."in-memory" = {
+      type = "memory";
+      inherit (cfg) principals;
+    };
+
+    certificate = {
+      "default" = {
+        cert = "%{file:${config.security.acme.certs.${cfg.fqdn}.directory}/fullchain.pem}%";
+        private-key = "%{file:${config.security.acme.certs.${cfg.fqdn}.directory}/key.pem}%";
+        default = true;
+      };
+    };
+  };
+}