Defined in /modules/services/mailserver.nix.
This NixOS module is a service that sets up the NixOS Simple Mailserver project. It integrates the upstream project with the SHB modules like the SSL module, the contract for secrets and the LLDAP module.
It also exposes an XML file which allows some email clients to auto configure themselves.
Setting up a self-hosted email server these days can be quite time-consuming because you need to maintain good IP hygiene to avoid being marked as spam by the big players. To avoid dealing with this, this module provides the means to use an email provider (like Fastmail or ProtonMail) as a mere proxy. If you also set up the email provider with your own custom domain, this combination lets you change email provider without needing to change your clients or notify your correspondents, and keeps a backup of all your emails at the same time. The setup looks like so:
Domain --[ DNS records ]-> Email Provider --[ mbsync ]-> SHB Server
Internet <---------------- Email Provider <-[ postfix ]-- SHB Server
Configuring your domain name to point to your email provider is out of scope here. See the “custom domain” documentation for your email provider, such as Fastmail or ProtonMail.
To use an email provider as a proxy, use the shb.mailserver.imapSync and shb.mailserver.smtpRelay options.
The following snippet assumes a few blocks have already been set up:
the secrets block with SOPS,
the shb.ssl block,
the shb.lldap block.
let
  domain = "example.com";
  username = "me@example.com";
in
{
  imports = [
    selfhostblocks.nixosModules.mailserver
  ];
  shb.mailserver = {
    enable = true;
    inherit domain;
    subdomain = "imap";
    # Look up the certificate by the domain variable, not the literal string "domain".
    ssl = config.shb.certs.certs.letsencrypt.${domain};
    imapSync = {
      syncTimer = "10s";
      accounts.fastmail = {
        host = "imap.fastmail.com";
        port = 993;
        inherit username;
        password.result = config.shb.sops.secret."mailserver/imap/fastmail/password".result;
        mapSpecialJunk = "Spam";
      };
    };
    smtpRelay = {
      host = "smtp.fastmail.com";
      port = 587;
      inherit username;
      password.result = config.shb.sops.secret."mailserver/smtp/fastmail/password".result;
    };
    ldap = {
      enable = true;
      host = "127.0.0.1";
      port = config.shb.lldap.ldapPort;
      dcdomain = config.shb.lldap.dcdomain;
      adminName = "admin";
      adminPassword.result = config.shb.sops.secret."mailserver/ldap_admin_password".result;
      account = "fastmail";
    };
  };
  # Optionally add some mailboxes
  mailserver.mailboxes = {
    Drafts = {
      auto = "subscribe";
      specialUse = "Drafts";
    };
    Junk = {
      auto = "subscribe";
      specialUse = "Junk";
    };
    Sent = {
      auto = "subscribe";
      specialUse = "Sent";
    };
    Trash = {
      auto = "subscribe";
      specialUse = "Trash";
    };
    Archive = {
      auto = "subscribe";
      specialUse = "Archive";
    };
  };
  # Each secret's request (owner, mode, units to restart) comes from the module consuming it.
  shb.sops.secret."mailserver/smtp/fastmail/password".request =
    config.shb.mailserver.smtpRelay.password.request;
  shb.sops.secret."mailserver/imap/fastmail/password".request =
    config.shb.mailserver.imapSync.accounts.fastmail.password.request;
  shb.sops.secret."mailserver/ldap_admin_password" = {
    request = config.shb.mailserver.ldap.adminPassword.request;
    # This reuses the admin password set in the shb.lldap module.
    settings.key = "lldap/user_password";
  };
}
Secrets can be randomly generated with nix run nixpkgs#openssl -- rand -hex 64.
The user LDAP group is created automatically.
The disk layout has been purposely set to use slashes / for subfolders.
From experience, this works better with iOS mail.
Backing up your emails using the Restic block is done like so:
shb.restic.instances."mailserver" = {
  request = config.shb.mailserver.backup;
  settings = {
    enable = true;
  };
};
The name "mailserver" in the instances can be anything.
The config.shb.mailserver.backup option provides the directories to back up.
You can define any number of Restic instances to back up your emails multiple times.
You will then need to configure more options like the repository,
as explained in the restic documentation.
For Let’s Encrypt certificates, add:
let
  domain = "example.com";
in
{
  shb.certs.certs.letsencrypt.${domain}.extraDomains = [
    "${config.shb.mailserver.subdomain}.${config.shb.mailserver.domain}"
  ];
}
To save the data folder in an impermanence setup, add:
{
  shb.zfs.datasets."safe/mailserver/index".path = config.shb.mailserver.impermanence.index;
  shb.zfs.datasets."safe/mailserver/mail".path = config.shb.mailserver.impermanence.mail;
  shb.zfs.datasets."safe/mailserver/sieve".path = config.shb.mailserver.impermanence.sieve;
  shb.zfs.datasets."safe/mailserver/dkim".path = config.shb.mailserver.impermanence.dkim;
}
To add a user USERNAME to the user group, add:
shb.lldap.ensureUsers.USERNAME.groups = [
  config.shb.mailserver.ldap.userGroup
];
Debugging will almost certainly be necessary.
The first issue you will encounter will probably be with mbsync
under the shb.mailserver.imapSync option
with the folder name mapping.
The 3 systemd services set up by this module are:
mbsync.service
dovecot.service
postfix.service
The 4 folders where state is stored are:
config.mailserver.indexDir = /var/lib/dovecot/indices
config.mailserver.mailDirectory = /var/vmail
config.mailserver.sieveDirectory = /var/sieve
config.mailserver.dkimKeyDirectory = /var/dkim
The ports opened by default in this module are:
Submissions: 465
IMAP: 993
You will need to forward those ports on your router if you want to access your emails from the internet.
The complete list can be found in the upstream repository.
Replace $USER and $PASSWORD with those used to connect to your email provider.
Yes, you will need to enter a LOGIN ... and b LIST "" "*" verbatim.
$ nix run nixpkgs#openssl -- s_client -connect imap.fastmail.com:993 -crlf -quiet
a LOGIN $USER $PASSWORD
b LIST "" "*"
Example output will be:
* LIST (\HasNoChildren) "/" INBOX
* LIST (\HasNoChildren \Drafts) "/" Drafts
* LIST (\HasNoChildren \Sent) "/" Sent
* LIST (\Noinferiors \HasNoChildren \Junk) "/" Spam
...
Here you can see the special folder \Junk is actually named Spam.
To handle this, set the .mapSpecial* options:
{
  shb.mailserver.imapSync.accounts.<account> = {
    mapSpecialJunk = "Spam";
  };
}
Check the local folders to make sure the mapping is correct
and all folders are correctly downloaded.
For example, if the mapping above is wrong, you will see both a
Junk and a Spam folder, while if it is correct,
you will only see the Junk folder.
$ sudo doveadm mailbox list -u $USER
Junk
Trash
Drafts
Sent
INBOX
MyCustomFolder
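As an added example (not part of the SHB project), the two checks above can be scripted: the Python below parses the provider's LIST output for special-use attributes, derives the mapSpecial* values that differ from the defaults documented on this page, and flags far-side names that also appear in the doveadm mailbox list output. It assumes LIST responses without IMAP literals and compares names without decoding modified UTF-7; the "Deleted Items" line in the sample is constructed.

```python
import re

# Special-use attributes (RFC 6154) for which this page documents a
# mapSpecial* option, with the documented default far-side name.
SPECIAL_USE = {
    "\\drafts": ("mapSpecialDrafts", "Drafts"),
    "\\junk": ("mapSpecialJunk", "Junk"),
    "\\sent": ("mapSpecialSent", "Sent"),
    "\\trash": ("mapSpecialTrash", "Trash"),
}

# * LIST (<attributes>) <delimiter> <mailbox name>
LIST_LINE = re.compile(
    r'^\* LIST \((?P<attrs>[^)]*)\) (?:"(?:[^"\\]|\\.)*"|NIL) (?P<name>.+)$'
)


def _unquote(token):
    """Strip IMAP quoted-string syntax; atoms are returned unchanged."""
    token = token.strip()
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return re.sub(r"\\(.)", r"\1", token[1:-1])
    return token


def parse_list(response):
    """Return [(lower-cased attribute set, mailbox name)] for each LIST line."""
    boxes = []
    for line in response.splitlines():
        match = LIST_LINE.match(line.strip())
        if match:
            attrs = {a.lower() for a in match.group("attrs").split()}
            boxes.append((attrs, _unquote(match.group("name"))))
    return boxes


def special_overrides(response):
    """Map option name -> far-side folder name, only where it differs from the default."""
    overrides = {}
    for attrs, name in parse_list(response):
        for attr in attrs.intersection(SPECIAL_USE):
            option, default = SPECIAL_USE[attr]
            if name != default:
                overrides[option] = name
    return overrides


def unmapped_duplicates(response, local_folders):
    """Far-side special folders that also exist locally under their far-side name,
    which is the symptom of a missing or wrong mapSpecial* setting."""
    local = set(local_folders)
    return sorted(n for n in special_overrides(response).values() if n in local)


def _nix_string(value):
    for raw, escaped in (("\\", "\\\\"), ('"', '\\"'), ("${", "\\${")):
        value = value.replace(raw, escaped)
    return f'"{value}"'


def render_nix(account, overrides):
    """Render the overrides as the Nix attribute set shown on this page."""
    lines = ["{", f"  shb.mailserver.imapSync.accounts.{account} = {{"]
    lines += [f"    {opt} = {_nix_string(name)};" for opt, name in sorted(overrides.items())]
    lines += ["  };", "}"]
    return "\n".join(lines)


# Constructed sample: the LIST output from this page plus one constructed
# Trash line with a quoted name, and the doveadm folder list from this page.
SAMPLE_LIST = r'''* LIST (\HasNoChildren) "/" INBOX
* LIST (\HasNoChildren \Drafts) "/" Drafts
* LIST (\HasNoChildren \Sent) "/" Sent
* LIST (\Noinferiors \HasNoChildren \Junk) "/" Spam
* LIST (\HasNoChildren \Trash) "/" "Deleted Items"
b OK List completed'''
SAMPLE_LOCAL = ["Junk", "Trash", "Drafts", "Sent", "INBOX", "MyCustomFolder"]

if __name__ == "__main__":
    print(render_nix("fastmail", special_overrides(SAMPLE_LIST)))
    print("unmapped duplicates:", unmapped_duplicates(SAMPLE_LIST, SAMPLE_LOCAL))
```
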
The following command shows the number of messages in a folder:
$ sudo doveadm mailbox status -u $USER messages INBOX
INBOX messages=13591
If any folder does not appear or has 0 messages but should have some, dovecot may not be set up correctly and may assume an incorrect folder layout. If that is the case, check the user config with:
$ sudo doveadm user $USER
field value
uid 5000
gid 5000
home /var/vmail/fastmail/$USER
mail maildir:~/mail:LAYOUT=fs
virtualMail
To test authentication to your dovecot instance, run:
$ nix run nixpkgs#openssl -- s_client -connect $SUBDOMAIN.$DOMAIN:993 -crlf -quiet
. LOGIN $USER $PASSWORD
Here too, you must enter the second line verbatim, replacing the user and password with the real ones.
On success, you will see:
. OK [CAPABILITY IMAP4rev1 ...] Logged in
Otherwise, if the password is wrong or, when using LDAP, if the user is not part of the LDAP group, you will see:
. NO [AUTHENTICATIONFAILED] Authentication failed.
To test the postfix instance, run:
$ swaks \
  --server $SUBDOMAIN.$DOMAIN \
  --port 465 \
  --tls-on-connect \
  --auth LOGIN \
  --auth-user $USER \
  --auth-password '$PASSWORD' \
  --from $USER \
  --to $USER
Try once with a wrong password and once with a correct one. The former should log:
<~* 535 5.7.8 Error: authentication failed: (reason unavailable)
This module was tested with:
the iOS mail mobile app,
Thunderbird on NixOS.
The iOS mail app is pretty finicky. If downloading emails does not work, make sure the certificate used includes the whole chain:
$ openssl s_client -connect $SUBDOMAIN.$DOMAIN:993 -showcerts
Normally, the other options are set up correctly, but if it fails for you, feel free to open an issue.
shb.mailserver.enable
Whether to enable SHB’s nixos-mailserver module.
Type: boolean
Default:
false
Example:
true
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.adminPassword
Admin user password.
Type: null or (submodule)
Default:
null
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.adminPassword.request
Request part of the secret contract.
Options set by the requester module enforcing some properties the secret should have.
Type: submodule
Default: { mode = 0400; owner = services.postfix.user; group = root; restartUnits = [ dovecot.service ]; }
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.adminPassword.request.group
Linux group owning the secret file.
Type: string
Default:
"root"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.adminPassword.request.mode
Mode of the secret file.
Type: string
Default:
"0400"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.adminPassword.request.owner
Linux user owning the secret file.
Type: string
Default: services.postfix.user
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.adminPassword.request.restartUnits
Systemd units to restart after the secret is updated.
Type: list of string
Default:
[
"dovecot.service"
]
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.adminPassword.result
Result part of the secret contract.
Options set by the provider module that indicates where the secret can be found.
Type: submodule
Default:
{
path = "/run/secrets/secret";
}
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.adminPassword.result.path
Path to the file containing the secret generated out of band.
This path will exist after deploying to a target host, it is not available through the nix store.
Type: absolute path
Default:
"/run/secrets/secret"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.adminUsername
Admin username.
postmaster will be made an alias of this user.
Type: null or string
Default:
null
Example:
"admin"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.backup
Backup emails, index and sieve.
Type: submodule
Default:
{ }
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.backup.request
Request part of the backup contract.
Options set by the requester module enforcing how to backup files.
Type: submodule
Default: { user = virtualMail; sourceDirectories = [ config.mailserver.indexDir config.mailserver.mailDirectory config.mailserver.sieveDirectory ] ; excludePatterns = [ ]; hooks.beforeBackup = [ ]; hooks.afterBackup = [ ]; };
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.backup.request.excludePatterns
File patterns to exclude.
Type: list of string
Default:
[ ]
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.backup.request.hooks
Hooks to run around the backup.
Type: submodule
Default:
{ }
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.backup.request.hooks.afterBackup
Hooks to run after backup.
Type: list of string
Default:
[ ]
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.backup.request.hooks.beforeBackup
Hooks to run before backup.
Type: list of string
Default:
[ ]
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.backup.request.sourceDirectories
Directories to backup.
Type: non-empty (list of string)
Default: [ config.mailserver.indexDir config.mailserver.mailDirectory config.mailserver.sieveDirectory ]
Example:
"/var/lib/vaultwarden"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.backup.request.user
Unix user doing the backups.
Type: string
Default:
"virtualMail"
Example:
"vaultwarden"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.backup.result
Result part of the backup contract.
Options set by the provider module that indicates the name of the backup and restore scripts.
Type: submodule
Default:
""
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.backup.result.backupService
Name of service backing up the database.
This script can be run manually to back up the database:
$ systemctl start backup.service
Type: string
Default:
"backup.service"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.backup.result.restoreScript
Name of script that can restore the database. One can then list snapshots with:
$ restore snapshots
And restore the database with:
$ restore restore latest
Type: string
Default:
"restore"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.backupDKIM
Backup dkim directory.
Type: submodule
Default:
{ }
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.backupDKIM.request
Request part of the backup contract.
Options set by the requester module enforcing how to backup files.
Type: submodule
Default: { user = services.rspamd.user; sourceDirectories = [ config.mailserver.dkimKeyDirectory ] ; excludePatterns = [ ]; hooks.beforeBackup = [ ]; hooks.afterBackup = [ ]; };
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.backupDKIM.request.excludePatterns
File patterns to exclude.
Type: list of string
Default:
[ ]
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.backupDKIM.request.hooks
Hooks to run around the backup.
Type: submodule
Default:
{ }
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.backupDKIM.request.hooks.afterBackup
Hooks to run after backup.
Type: list of string
Default:
[ ]
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.backupDKIM.request.hooks.beforeBackup
Hooks to run before backup.
Type: list of string
Default:
[ ]
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.backupDKIM.request.sourceDirectories
Directories to backup.
Type: non-empty (list of string)
Default: [ config.mailserver.dkimKeyDirectory ]
Example:
"/var/lib/vaultwarden"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.backupDKIM.request.user
Unix user doing the backups.
Type: string
Default: services.rspamd.user
Example:
"vaultwarden"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.backupDKIM.result
Result part of the backup contract.
Options set by the provider module that indicates the name of the backup and restore scripts.
Type: submodule
Default:
""
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.backupDKIM.result.backupService
Name of service backing up the database.
This script can be run manually to back up the database:
$ systemctl start backup.service
Type: string
Default:
"backup.service"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.backupDKIM.result.restoreScript
Name of script that can restore the database. One can then list snapshots with:
$ restore snapshots
And restore the database with:
$ restore restore latest
Type: string
Default:
"restore"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.domain
Domain under which imap and smtp functions will be served.
Type: string
Example:
"mydomain.com"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.imapSync
Synchronize one or more email providers through IMAP to your dovecot2 instance.
This allows you to backup that email provider and centralize your accounts in this dovecot2 instance.
Type: null or (submodule)
Default:
null
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.imapSync.accounts
Accounts to sync emails from using IMAP.
Emails will be stored under ${config.mailserver.mailDirectory}/${name}/${username}
Type: attribute set of (submodule)
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.imapSync.accounts.<name>.host
Hostname of the email provider’s IMAP server.
Type: string
Example:
"imap.fastmail.com"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.imapSync.accounts.<name>.mapSpecialDrafts
Drafts special folder name on far side.
You only need to change this if mbsync logs the following error:
Error: ... far side box Drafts cannot be opened
Type: string
Default:
"Drafts"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.imapSync.accounts.<name>.mapSpecialJunk
Junk special folder name on far side.
You only need to change this if mbsync logs the following error:
Error: ... far side box Junk cannot be opened
Type: string
Default:
"Junk"
Example:
"Spam"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.imapSync.accounts.<name>.mapSpecialSent
Sent special folder name on far side.
You only need to change this if mbsync logs the following error:
Error: ... far side box Sent cannot be opened
Type: string
Default:
"Sent"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.imapSync.accounts.<name>.mapSpecialTrash
Trash special folder name on far side.
You only need to change this if mbsync logs the following error:
Error: ... far side box Trash cannot be opened
Type: string
Default:
"Trash"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.imapSync.accounts.<name>.password
Password used to log in to the email provider’s IMAP server.
The password could be an “app password” like for Fastmail.
Type: submodule
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.imapSync.accounts.<name>.password.request
Request part of the secret contract.
Options set by the requester module enforcing some properties the secret should have.
Type: submodule
Default:
""
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.imapSync.accounts.<name>.password.request.group
Linux group owning the secret file.
Type: string
Default:
"root"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.imapSync.accounts.<name>.password.request.mode
Mode of the secret file.
Type: string
Default:
"0400"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.imapSync.accounts.<name>.password.request.owner
Linux user owning the secret file.
Type: string
Default:
"virtualMail"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.imapSync.accounts.<name>.password.request.restartUnits
Systemd units to restart after the secret is updated.
Type: list of string
Default:
[
"mbsync.service"
]
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.imapSync.accounts.<name>.password.result
Result part of the secret contract.
Options set by the provider module that indicates where the secret can be found.
Type: submodule
Default:
{
path = "/run/secrets/secret";
}
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.imapSync.accounts.<name>.password.result.path
Path to the file containing the secret generated out of band.
This path will exist after deploying to a target host, it is not available through the nix store.
Type: absolute path
Default:
"/run/secrets/secret"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.imapSync.accounts.<name>.port
Port of the email provider’s IMAP server.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
993
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.imapSync.accounts.<name>.sslType
Connection security method.
Type: one of “IMAPS”, “STARTTLS”
Default:
"IMAPS"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.imapSync.accounts.<name>.timeout
Connect and data timeout.
Type: signed integer
Default:
120
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.imapSync.accounts.<name>.username
Username used to log in to the email provider’s IMAP server.
Type: string
Example:
"userA@fastmail.com"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.imapSync.debug
Enable verbose mbsync logging.
Type: boolean
Default:
false
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.imapSync.syncTimer
Systemd timer for when the IMAP sync job should happen.
This timer does not schedule the job at regular intervals. After a job finishes, the given amount of time elapses before the next job starts.
The default is deliberately slow so as not to spam you while you set up your mailserver. Once everything works, you will want to reduce it to 10s or something like that.
Type: string
Default:
"5m"
Example:
"10s"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.impermanence
Paths to save when using an impermanence setup.
Type: attribute set of string
Default:
{
  index = config.mailserver.indexDir;
  mail = config.mailserver.mailDirectory;
  sieve = config.mailserver.sieveDirectory;
  dkim = config.mailserver.dkimKeyDirectory;
}
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.ldap
LDAP Integration.
Enabling this app will create a new LDAP configuration or update one that exists with the given host.
Type: null or (submodule)
Default:
{ }
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.ldap.enable
Whether to enable LDAP app…
Type: boolean
Default:
false
Example:
true
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.ldap.account
Select one account from those defined in shb.mailserver.imapSync.accounts
to log in with.
Using LDAP, you can only connect to one account. This limitation could maybe be lifted; feel free to post an issue if you need this.
Type: string
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.ldap.adminName
Admin user of the LDAP server.
Type: string
Default:
"admin"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.ldap.adminPassword
LDAP server admin password.
Type: submodule
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.ldap.adminPassword.request
Request part of the secret contract.
Options set by the requester module enforcing some properties the secret should have.
Type: submodule
Default:
""
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.ldap.adminPassword.request.group
Linux group owning the secret file.
Type: string
Default:
"root"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.ldap.adminPassword.request.mode
Mode of the secret file.
Type: string
Default:
"0400"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.ldap.adminPassword.request.owner
Linux user owning the secret file.
Type: string
Default:
"nextcloud"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.ldap.adminPassword.request.restartUnits
Systemd units to restart after the secret is updated.
Type: list of string
Default:
[
"dovecot.service"
]
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.ldap.adminPassword.result
Result part of the secret contract.
Options set by the provider module that indicates where the secret can be found.
Type: submodule
Default:
{
path = "/run/secrets/secret";
}
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.ldap.adminPassword.result.path
Path to the file containing the secret generated out of band.
This path will exist after deploying to a target host, it is not available through the nix store.
Type: absolute path
Default:
"/run/secrets/secret"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.ldap.dcdomain
dc domain for ldap.
Type: string
Example:
"dc=mydomain,dc=com"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.ldap.host
Host serving the LDAP server.
Type: string
Default:
"127.0.0.1"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.ldap.port
Port of the service serving the LDAP server.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
389
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.ldap.userGroup
Group users must belong to in order to use mail.
Type: string
Default:
"mail_user"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.smtpRelay
Proxy outgoing emails through an email provider.
In short, this can help you avoid having your outgoing emails marked as spam. See the manual for a lengthier explanation.
Type: null or (submodule)
Default:
null
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.smtpRelay.host
Hostname of the email provider’s SMTP server.
Type: string
Example:
"smtp.fastmail.com"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.smtpRelay.password
Password used to log in to the email provider’s IMAP server.
The password could be an “app password” like for Fastmail.
Type: submodule
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.smtpRelay.password.request
Request part of the secret contract.
Options set by the requester module enforcing some properties the secret should have.
Type: submodule
Default: { mode = 0400; owner = services.postfix.user; group = root; restartUnits = [ postfix.service ]; }
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.smtpRelay.password.request.group
Linux group owning the secret file.
Type: string
Default:
"root"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.smtpRelay.password.request.mode
Mode of the secret file.
Type: string
Default:
"0400"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.smtpRelay.password.request.owner
Linux user owning the secret file.
Type: string
Default: services.postfix.user
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.smtpRelay.password.request.restartUnits
Systemd units to restart after the secret is updated.
Type: list of string
Default:
[
"postfix.service"
]
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.smtpRelay.password.result
Result part of the secret contract.
Options set by the provider module that indicates where the secret can be found.
Type: submodule
Default:
{
path = "/run/secrets/secret";
}
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.smtpRelay.password.result.path
Path to the file containing the secret generated out of band.
This path will exist after deploying to a target host, it is not available through the nix store.
Type: absolute path
Default:
"/run/secrets/secret"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.smtpRelay.port
Port of the email provider’s SMTP server.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
587
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.smtpRelay.username
Username used to log in to the email provider’s SMTP server.
Type: string
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.ssl
Path to SSL files.
Type: null or (open submodule of anything)
Default:
null
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.ssl.paths
Paths where the files for the certificate will be located.
This option is the contract output of the shb.certs.certs SSL block.
Type: open submodule of anything
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.ssl.paths.cert
Path to the cert file.
Type: absolute path
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.ssl.paths.key
Path to the key file.
Type: absolute path
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.ssl.systemdService
Systemd oneshot service used to generate the certificate. Ends with the .service suffix.
Use this if downstream services must wait for the certificates to be generated before starting.
Type: string
Example:
"cert-generator.service"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|
shb.mailserver.subdomain
Subdomain under which imap and smtp functions will be served.
Type: string
Default:
"imap"
Declared by:
<selfhostblocks/modules/services/mailserver.nix>
|