Commit Graph

871 Commits

Author SHA1 Message Date
Ryan Gibb 12ae5dd89b support unhashed password files 2026-03-05 11:06:01 +00:00
Martin Weinelt e1afec5b08 tests: wait for rspamd-milter.sock in ldap and internal tests
I've hit more races in these tests recently while running the test suite
on a much faster host system.
2026-03-04 16:02:47 +01:00
Martin Weinelt ff91d3cf68 pre-commit: fix nixfmt-rfc-style name deprecation
> warning: nixfmt-rfc-style is now the same as pkgs.nixfmt which should
> be used instead.
2026-03-04 16:01:52 +01:00
Martin Weinelt 25eae48a09 tests: fix eicar test string escape
This fixes a warning issued by the Lix evaluator:

> warning: \P is an ill-defined escape. You can drop the \ and simply
> write P instead. Use --extra-deprecated-features broken-string-escape
> to silence this warning.
2026-03-04 15:53:30 +01:00
Martin Weinelt ea4dc17f4b Merge branch 'setup-guide-spf-mx' into 'master'
docs: suggest mx to refer to mailserver in spf record

See merge request simple-nixos-mailserver/nixos-mailserver!481
2026-02-26 00:13:36 +00:00
Martin Weinelt bd03afc003 Merge branch 'rspamd-duplicate-systemd' into 'master'
postfix: fix duplicate systemd dependencies on rspamd

See merge request simple-nixos-mailserver/nixos-mailserver!479
2026-02-26 00:10:48 +00:00
Martin Weinelt 034ca15318 docs: suggest mx to refer to mailserver in spf record
Much more foolproof in simple setups, because it allows all servers
mentioned in a domain's MX record to also send out mail, without having to
track them here manually again.
2026-02-26 01:03:53 +01:00
Martin Weinelt 781e833633 Merge branch 'flake-update' into 'master'
flake.lock: Update

See merge request simple-nixos-mailserver/nixos-mailserver!480
2026-02-09 17:51:47 +00:00
Martin Weinelt 9a104e245d flake.lock: Update
Flake lock file updates:

• Updated input 'git-hooks':
    'github:cachix/git-hooks.nix/50b9238891e388c9fdc6a5c49e49c42533a1b5ce' (2025-11-24)
  → 'github:cachix/git-hooks.nix/a8ca480175326551d6c4121498316261cbb5b260' (2026-02-01)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/6a49303095abc094ee77dc243a9e351b642e8e75' (2025-11-28)
  → 'github:NixOS/nixpkgs/fff0554c67696d76a0cdd9cfe14403fbdbf1f378' (2026-02-09)
2026-02-09 18:39:47 +01:00
Martin Weinelt 4345460d30 flake.nix: Update flake-compat repo 2026-01-29 19:14:06 +01:00
teutat3s 9b90a9837a rspamd: fix duplicate systemd dependencies
These are also declared in mail-server/systemd.nix.
2025-12-28 20:40:33 +01:00
Martin Weinelt 7d433bf898 Merge branch 'dovecot-hybrid-curve' into 'master'
dovecot: update TLS requirements

See merge request simple-nixos-mailserver/nixos-mailserver!477
2025-12-21 12:54:46 +00:00
Martin Weinelt 3579eb0001 dovecot: restrict TLS cipher suites 2025-12-19 04:00:47 +01:00
Martin Weinelt 1415623586 dovecot: support X25519MLKEM768 hybrid kex 2025-12-19 03:13:47 +01:00
Martin Weinelt 616a57af55 Merge branch 'certmgmt-next' into 'master'
Switch to NixOS ACME module for certificate management

Closes #256 and #267

See merge request simple-nixos-mailserver/nixos-mailserver!457
2025-12-19 01:58:52 +00:00
Martin Weinelt e437760341 treewide: replace/remove dovecot2 service name
The unit name is now dovecot.service.
2025-12-19 02:52:55 +01:00
Martin Weinelt 4bbe0d7bab Fix option reference in aliasesRegExp option 2025-12-19 02:36:28 +01:00
Martin Weinelt ff9b046f0f Stop recommending bcrypt everywhere
By passing no method to mkpasswd we make it select the strongest cipher
that libxcrypt recommends.

Replaces the example hashes with yescrypt hashes, which is the current
default.
2025-12-19 02:36:28 +01:00
Martin Weinelt 33ba1ff52b Switch to NixOS ACME module for certificate management
Drop most of the existing certificate handling, because we're effectively
duplicating functionality that NixOS offers for free with better
design, testing and maintenance than what we could provide downstream.

The remaining two options are to reference an
existing `security.acme.certs` configuration through
`mailserver.x509.useACMEHost` or to provide existing key material via
`mailserver.x509.certificateFile` and `mailserver.x509.privateKeyFile`.

Support for automatic creation of self-signed certificates has been
removed, because it is undesirable in public mail setups.

The updated setup guide now displays the recommended configuration that
relies on the NixOS ACME module, but requires further customization to
select a suitable challenge.

Co-Authored-By: Emily <git@emilylange.de>
2025-12-19 02:36:28 +01:00
Martin Weinelt 18ee2a44ed docs: extract setup example into .nix file and include
That way we get linting of the code for free.
2025-12-19 02:17:32 +01:00
Martin Weinelt e2a99f33ea docs: allow referencing module options 2025-12-15 16:02:24 +01:00
Martin Weinelt 1ccd57f177 Merge branch 'dkim-ed25519-warn' into 'master'
Warn about ED25519 DKIM usage

See merge request simple-nixos-mailserver/nixos-mailserver!473
2025-12-03 12:02:16 +00:00
Martin Weinelt 0d27ef2912 Merge branch 'master' into 'master'
docs: fix some typos in migrations guide

See merge request simple-nixos-mailserver/nixos-mailserver!472
2025-12-01 22:17:23 +00:00
Martin Weinelt 7d359e3ff5 Warn about ED25519 DKIM usage
There currently seems to be mixed support out there and we need to
support dual-signing first before we can recommend rolling out ED25519
DKIM keys.
2025-12-01 23:16:02 +01:00
yeoldegrove f67ed85b3f docs: fix some typos 2025-12-01 22:16:18 +01:00
Martin Weinelt 76bd7a85e7 Merge branch 'flake-update' into 'master'
flake.lock: Update

See merge request simple-nixos-mailserver/nixos-mailserver!471
2025-11-29 01:50:08 +00:00
Martin Weinelt e04e5b7ea6 assertions: bump mailserver version for release check 2025-11-29 02:43:16 +01:00
Martin Weinelt b8bffc8317 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/798ce8bfd0567bbd12ee633a88e53737969ec7d9' (2025-11-25)
  → 'github:NixOS/nixpkgs/6a49303095abc094ee77dc243a9e351b642e8e75' (2025-11-28)
2025-11-29 02:42:26 +01:00
Martin Weinelt 1d1a590e91 Merge branch 'docs-roundcube' into 'master'
docs: update roundcube example to use implicit TLS

Closes #336

See merge request simple-nixos-mailserver/nixos-mailserver!470
2025-11-29 01:31:35 +00:00
emilylange b47decd71a docs: update roundcube example to use implicit TLS
instead of explicit TLS (STARTTLS).

We disabled STARTTLS for IMAP by default in 54f37811dd
and we will likely do the same for (client) SMTP in the future.
2025-11-28 21:53:41 +01:00
Martin Weinelt 0696fcbe9b migrations: strongly indicate dry runs 2025-11-26 20:21:56 +01:00
Martin Weinelt a38e14460f docs: don't recommend sudo to run the migration script
The migration script tries switching EUID by itself and will error out
with a recommendation to try sudo if it cannot.
2025-11-26 20:18:58 +01:00
Martin Weinelt 039389ee04 docs: recommend wcurl to grab the migration script 2025-11-26 19:57:31 +01:00
Martin Weinelt 9c22ac0154 Merge branch 'flake-update' into 'master'
flake.lock: Update

See merge request simple-nixos-mailserver/nixos-mailserver!469
2025-11-25 13:19:18 +00:00
Martin Weinelt 760c23fb25 flake.lock: Update
Flake lock file updates:

• Updated input 'git-hooks':
    'github:cachix/git-hooks.nix/7275fa67fbbb75891c16d9dee7d88e58aea2d761' (2025-11-16)
  → 'github:cachix/git-hooks.nix/50b9238891e388c9fdc6a5c49e49c42533a1b5ce' (2025-11-24)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/094318ea16502a7a81ce90dd3638697020f030a2' (2025-11-19)
  → 'github:NixOS/nixpkgs/798ce8bfd0567bbd12ee633a88e53737969ec7d9' (2025-11-25)
2025-11-25 14:05:20 +01:00
Martin Weinelt 8d35f004ee Release 25.11 2025-11-25 13:56:52 +01:00
Martin Weinelt 4987d275a9 Merge branch 'flake-update' into 'master'
flake.lock: Update

See merge request simple-nixos-mailserver/nixos-mailserver!468
2025-11-19 15:06:18 +00:00
Martin Weinelt a35a181671 flake.lock: Update
Flake lock file updates:

• Updated input 'git-hooks':
    'github:cachix/git-hooks.nix/8e7576e79b88c16d7ee3bbd112c8d90070832885' (2025-11-06)
  → 'github:cachix/git-hooks.nix/7275fa67fbbb75891c16d9dee7d88e58aea2d761' (2025-11-16)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/e5d07586ec39f74b390308f2e00040c23bdef530' (2025-11-09)
  → 'github:NixOS/nixpkgs/094318ea16502a7a81ce90dd3638697020f030a2' (2025-11-19)
2025-11-19 15:52:23 +01:00
Martin Weinelt cbdf90f639 rspamd: fix DKIM signing for subdomains
With the eSLD normalization feature in rspamd, subdomains actually use the
DKIM key for their parent domain, which simplifies the setup if you serve
multiple subdomains.

We however currently create DKIM key pairs for every given domain
name, no matter if it is a second-level domain or subdomain for one, so
disabling eSLD normalization aligns with the current intent behind our
configuration.

In the future it would be nice if we could reuse the parent domain DKIM
key for all its subdomains, but that requires some thought on how to
achieve that normalization in nixos-mailserver first.

Reapplies 1a3a618a30 to the correct
configuration file.
2025-11-16 19:29:16 +01:00
Martin Weinelt b88e6182f0 Revert "rspamd: fix DKIM signing for subdomains"
This reverts commit 1a3a618a30.

This went into the wrong configuration file, unfortunately.
2025-11-16 19:26:22 +01:00
Martin Weinelt b946f74261 mail-server/common: fix eval
CI has a shitty failure mode where jobs that don't eval get removed and
hydra-cli will still exit cleanly.
2025-11-16 18:41:47 +01:00
Martin Weinelt 345cbc11df Merge branch 'remove-dovecot-service-name-workaround' into 'master'
Remove dovecot service name compat code

See merge request simple-nixos-mailserver/nixos-mailserver!467
2025-11-16 17:29:57 +00:00
Martin Weinelt 1cb4295b74 Remove dovecot service name compat code 2025-11-16 18:18:22 +01:00
Martin Weinelt db66559815 Merge branch 'srs' into 'master'
Add support for sender rewriting for forwards using postsrsd

See merge request simple-nixos-mailserver/nixos-mailserver!431
2025-11-16 14:00:07 +00:00
Martin Weinelt 17c6816f67 Merge branch 'rspamd-dmarc-no-esld' into 'master'
rspamd: fix DKIM signing for subdomains

See merge request simple-nixos-mailserver/nixos-mailserver!465
2025-11-16 13:57:30 +00:00
Martin Weinelt 1a3a618a30 rspamd: fix DKIM signing for subdomains
With the eSLD normalization feature in rspamd, subdomains actually use the
DKIM key for their parent domain, which simplifies the setup if you serve
multiple subdomains.

We however currently create DKIM key pairs for every given domain
name, no matter if it is a second-level domain or subdomain for one, so
disabling eSLD normalization aligns with the current intent behind our
configuration.

In the future it would be nice if we could reuse the parent domain DKIM
key for all its subdomains, but that requires some thought on how to
achieve that normalization in nixos-mailserver first.
2025-11-16 14:55:41 +01:00
Martin Weinelt 61cff94a28 scripts/generate-options: prefer defaultText over default 2025-11-11 13:45:03 +01:00
Martin Weinelt eeda8ba39e Add support for sender rewriting using postsrsd
With SRS we support forwarding of mails without (fully) breaking SPF
alignment.
2025-11-11 13:45:03 +01:00
Martin Weinelt b633223a33 Merge branch 'postfix-warnings' into 'master'
postfix: resolve main/master option deprecation

See merge request simple-nixos-mailserver/nixos-mailserver!464
2025-11-10 02:03:19 +00:00
Martin Weinelt edb7b661e4 postfix: resolve main/master option deprecation 2025-11-10 02:56:51 +01:00