nixos-config/mastus/mail.nix

{ config, pkgs, ... }:

{
  # services.opensmtpd = {
  #   enable = true;
  #   serverConfiguration = ''
  #     listen on 0.0.0.0
  #     filter sa spamassassin "-s accept"
  #     accept for any deliver to lmtp localhost:24
  #   '';
  #   procPackages = [ pkgs.opensmtpd-extras ];
  # };

  services.postfix = {
    enable = true;
    postmasterAlias = "gebner";
    rootAlias = "gebner";
    extraAliases = ''
      ge: gebner
      cutintro: gebner
      gebne: gebner
    '';
    hostname = "mastus.gebner.org";
    sslCert = "/var/lib/acme/gebner.org/fullchain.pem";
    sslKey = "/var/lib/acme/gebner.org/key.pem";

    destination = [ "gebner.org" "gabrielebner.at" "2b7e.org"
      "mastus.gebner.org" "localhost" ];

    extraConfig = ''
      mailbox_command = ${pkgs.procmail}/bin/procmail

      smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
      smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
      smtpd_tls_protocols=!SSLv2,!SSLv3
      smtp_tls_protocols=!SSLv2,!SSLv3

      smtpd_sasl_type = dovecot
      smtpd_sasl_path = private/auth
      smtpd_sasl_auth_enable = yes
      smtpd_tls_auth_only = yes

      # Google sucks, https://serverfault.com/questions/832945/how-to-contact-gmail-team-regarding-block
      smtp_address_preference = ipv4

      message_size_limit = 81920000
      mailbox_size_limit = 81920000

      # Do not send spam bounces
      # http://www.postfix.org/ADDRESS_VERIFICATION_README.html
      smtpd_recipient_restrictions =
        permit_mynetworks permit_sasl_authenticated
        reject_unauth_destination
        reject_unknown_recipient_domain
        reject_unverified_recipient
    '';

    extraMasterConf = ''
      submission inet n - n - - smtpd
    '';
  };

  services.dovecot2 = {
    enable = true;
    enablePop3 = false;
    mailLocation = "maildir:~/mail";
    sslCACert = "/var/lib/acme/gebner.org/fullchain.pem";
    sslServerCert = "/var/lib/acme/gebner.org/fullchain.pem";
    sslServerKey = "/var/lib/acme/gebner.org-dovecot/key.pem";
    extraConfig = ''
      ssl_protocols = !SSLv2 !SSLv3

      service auth {
        unix_listener /var/lib/postfix/queue/private/auth {
          mode = 0660
          user = postfix
          group = postfix
        }
      }
    '';
  };
  systemd.services.dovecotSslKey = rec {
    wantedBy = [ "dovecot2.service" ];
    before = wantedBy;
    after = [ "acme-gebner.org.service" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = "yes";
    };
    script = ''
      cd /var/lib/acme
      mkdir -p gebner.org-dovecot
      cp gebner.org/key.pem gebner.org-dovecot/key.pem
      chown dovecot2 gebner.org-dovecot/key.pem
    '';
  };

  services.spamassassin.enable = true;
  systemd.services.setupSpamassassin = {
    wantedBy = [ "spamd.service" ];
    after = [ "network.target" ];
    path = [ pkgs.spamassassin ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = "yes";
    };
    script = ''
      if [ ! -d /etc/spamassassin ]; then
        cp -rv ${pkgs.spamassassin}/share/spamassassin /etc/
        sa-update
      fi
    '';
  };

  environment.systemPackages = with pkgs; [
    spamassassin
    procmail
    mailutils
  ];
}