Commit Graph

947 Commits

Author SHA1 Message Date
Martin Weinelt ed6d699eb4 Merge branch 'nuke-sha1' into 'master'
postfix: disable SHA1 for SMTP connections

See merge request simple-nixos-mailserver/nixos-mailserver!420
2025-06-18 16:54:39 +00:00
Martin Weinelt 64aca4f2ce postfix: disable SHA1 for SMTP connections 2025-06-18 06:58:42 +02:00
Martin Weinelt 217ec6008a Merge branch 'fast-tests' into 'master'
📉 Make tests fast

See merge request simple-nixos-mailserver/nixos-mailserver!419
2025-06-18 00:01:53 +00:00
Martin Weinelt 0774c93ae6 tests: make rspamd not block on dns queries
These will never succeed while running the tests in the Nix sandbox, and
skipping them leads to very noticeable (~51%) speedups.

Before:
```
Benchmark 1: nix build .#hydraJobs.x86_64-linux.external-unstable --rebuild
  Time (mean ± σ):     151.737 s ±  1.074 s    [User: 0.310 s, System: 0.289 s]
  Range (min … max):   150.321 s … 153.512 s    10 runs
```

After:
```
Benchmark 1: nix build .#hydraJobs.x86_64-linux.external-unstable --rebuild
  Time (mean ± σ):     74.010 s ±  0.746 s    [User: 0.269 s, System: 0.266 s]
  Range (min … max):   72.814 s … 75.190 s    10 runs
```
2025-06-17 22:04:46 +02:00
Martin Weinelt f08ee8da38 tests: provide a second cpu core
Provides a small (~7.5%) reduction in the test runtime measured for the external
test:

Before:
```
Benchmark 1: nix build .#hydraJobs.x86_64-linux.external-unstable --rebuild
  Time (mean ± σ):     151.737 s ±  1.074 s    [User: 0.310 s, System: 0.289 s]
  Range (min … max):   150.321 s … 153.512 s    10 runs
```

After:
```
Benchmark 1: nix build .#hydraJobs.x86_64-linux.external-unstable --rebuild
  Time (mean ± σ):     140.647 s ±  1.092 s    [User: 0.331 s, System: 0.296 s]
  Range (min … max):   138.536 s … 142.298 s    10 runs
```
2025-06-17 22:04:08 +02:00
Martin Weinelt cf6ef5e9ca Create per service debug logging toggles
Enabling the rspamd debug log drowns out everything else and should be
selected explicitly as needed.

The external test does not require it and removing it makes it much
(~40.5%) faster, since it now does not block on terminal output anymore.

Before:
```
Benchmark 1: nix build .#hydraJobs.x86_64-linux.external-unstable --rebuild
  Time (mean ± σ):     151.737 s ±  1.074 s    [User: 0.310 s, System: 0.289 s]
  Range (min … max):   150.321 s … 153.512 s    10 runs
```

After:
```
Benchmark 1: nix build .#hydraJobs.x86_64-linux.external-unstable --rebuild
  Time (mean ± σ):     90.531 s ±  0.557 s    [User: 0.054 s, System: 0.045 s]
  Range (min … max):   89.579 s … 91.278 s    10 runs
```
2025-06-17 22:02:31 +02:00
Martin Weinelt 7405122dde Merge branch 'postfix-config' into 'master'
postfix: migrate more options to services.postfix.config

See merge request simple-nixos-mailserver/nixos-mailserver!418
2025-06-16 05:34:22 +00:00
Martin Weinelt 6652b57dda postfix: rearrange smtpd_tls_chain_files option 2025-06-16 07:27:03 +02:00
Martin Weinelt c8f809fa76 postfix: migrate more options to services.postfix.config
I'm working on deprecating the top-level options that configure main.cf
upstream in nixpkgs. With this change we stay ahead of the curve.

The `networks_style` option already defaults to `host` since Postfix 3.0,
so I dropped the setting.

```
$ postconf -d | grep networks_style
mynetworks_style = ${{$compatibility_level} <level {2} ? {subnet} : {host}}
```
2025-06-16 07:03:49 +02:00
Martin Weinelt 5c1b9921e6 Merge branch 'suggest-dmarc' into 'master'
Suggest that folks enable DMARC reporting

See merge request simple-nixos-mailserver/nixos-mailserver!377
2025-06-15 23:15:19 +00:00
Martin Weinelt 67b0a7e946 Merge branch 'cleanup' into 'master'
treewide: remove global `with lib` and overly broad `with cfg`

See merge request simple-nixos-mailserver/nixos-mailserver!416
2025-06-15 03:48:33 +00:00
Martin Weinelt a2152f9807 treewide: remove overly broad with cfg
Makes it really hard to follow references and we were being explicit in
most places already anyway.
2025-06-15 05:39:20 +02:00
Martin Weinelt fb56bcf747 treewide: remove global with lib
Instead inherit required functions from lib.
2025-06-15 05:08:47 +02:00
Martin Weinelt b555b3e8dc Merge branch 'cleanup' into 'master'
Format with nixfmt, drop redundant parentheses

See merge request simple-nixos-mailserver/nixos-mailserver!415
2025-06-15 02:45:24 +00:00
Martin Weinelt 1a7f3d718c treewide: reformat with nixfmt-rfc-style 2025-06-15 03:39:44 +02:00
Martin Weinelt 03433d472f flake.nix: enable nixfmt-rfc-style hook and formatter 2025-06-15 03:34:20 +02:00
Martin Weinelt c7497cd5f6 treewide: remove redundant parentheses in nix code 2025-06-15 03:28:48 +02:00
Martin Weinelt 5f592b5960 Merge branch 'crypto-v2' into 'master'
postfix, dovecot: modernize and comment TLS settings

See merge request simple-nixos-mailserver/nixos-mailserver!413
2025-06-14 22:52:29 +00:00
Martin Weinelt 21ce4b4ff8 dovecot: disable Diffie-Hellman support
Recommended in the modern recommendation by Mozilla. Support for elliptic
curves is widespread and they are much faster.
2025-06-15 00:22:58 +02:00
Martin Weinelt efebf59b13 dovecot: configure preferred elliptic curves 2025-06-15 00:22:57 +02:00
Martin Weinelt 4fd9508d41 postfix: drop tls_random_source config
The setting already defaults to /dev/urandom.
2025-06-15 00:22:57 +02:00
Martin Weinelt 3828b00dea postfix: configure preferred curves and disable FFDHE
This aligns with the intermediate configuration recommended by Mozilla.
2025-06-15 00:22:57 +02:00
Martin Weinelt e27326d317 postfix: refactor and prune TLS settings
- Groups settings between server and client
- Uses a range comparator for supported TLS versions
- Prune excluded primitives to what affects the supported TLS versions
2025-06-15 00:22:57 +02:00
Martin Weinelt 23cc9a3996 Merge branch 'postfix-cert-key' into 'master'
postfix: configure cert/key using smtpd_tls_chain_files

Closes #183

See merge request simple-nixos-mailserver/nixos-mailserver!410
2025-06-14 12:47:58 +00:00
Martin Weinelt e0ab4eeb67 docs/setup-guide: bump example stateVersion to 2
If you do a fresh install now you should be able to skip the first
migration step.
2025-06-14 01:20:27 +02:00
Martin Weinelt 8e0074c4e5 Merge branch 'flake-update' into 'master'
flake.lock: Update

See merge request simple-nixos-mailserver/nixos-mailserver!414
2025-06-13 02:13:15 +00:00
Martin Weinelt 3b7cda8cc5 flake.lock: Update
Flake lock file updates:

• Updated input 'git-hooks':
    'github:cachix/git-hooks.nix/dcf5072734cb576d2b0c59b2ac44f5050b5eac82' (2025-03-22)
  → 'github:cachix/git-hooks.nix/623c56286de5a3193aa38891a6991b28f9bab056' (2025-06-11)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/adaa24fbf46737f3f1b5497bf64bae750f82942e' (2025-05-13)
  → 'github:NixOS/nixpkgs/3e3afe5174c561dee0df6f2c2b2236990146329f' (2025-06-07)
• Updated input 'nixpkgs-25_05':
    'github:NixOS/nixpkgs/ca49c4304acf0973078db0a9d200fd2bae75676d' (2025-05-18)
  → 'github:NixOS/nixpkgs/fd487183437963a59ba763c0cc4f27e3447dd6dd' (2025-06-12)
2025-06-13 04:00:52 +02:00
Martin Weinelt 3f1c6960d3 Merge branch 'smptp-smuggling-cleanup' into 'master'
postfix: remove option to toggle SMTP smuggling workaround

See merge request simple-nixos-mailserver/nixos-mailserver!411
2025-06-12 22:57:43 +00:00
Martin Weinelt 54cb3e5784 Merge branch 'crypto' into 'master'
postfix: allow client to select the preferred cipher

See merge request simple-nixos-mailserver/nixos-mailserver!412
2025-06-12 22:48:04 +00:00
Martin Weinelt f1bd4b8215 postfix: remove option to toggle SMTP smuggling workaround
It has been default enabled since Postfix 3.9 and can still be configured
from the NixOS option mentioned in the removal warning.

Removing the option makes our interface leaner.

Information is based on https://www.postfix.org/smtp-smuggling.html#long.
2025-06-13 00:21:16 +02:00
Martin Weinelt e540dc864c postfix: configure cert/key using smtpd_tls_chain_files
The sslCert and sslKey options are going away, because they do too much,
e.g. provision the keypair for client certificate authentication, which
is not at all what we want or need.
2025-06-12 01:05:51 +02:00
Martin Weinelt 8b27add088 Merge branch 'backup_spam_db' into 'master'
docs: mention spam and ham training data in backup guide

See merge request simple-nixos-mailserver/nixos-mailserver!409
2025-06-06 21:16:24 +00:00
Guillaume Girol 49980abd25 mention spam and ham training data in backup guide 2025-06-06 12:00:00 +00:00
Martin Weinelt f9b15192b8 postfix: allow client to select the preferred cipher
As long as all ciphers we support are considered safe we can allow clients
to select one that suits them best.
2025-06-03 00:45:12 +02:00
Martin Weinelt d6d6308ba2 Merge branch 'doc-backup-sieve' into 'master'
docs/backup-guide: add recommendation for sieveDirectory

See merge request simple-nixos-mailserver/nixos-mailserver!405
2025-06-02 14:57:24 +00:00
Tom Herbers c4628a4c04 docs/backup-guide: add recommendation for sieveDirectory
Co-authored-by: Martin Weinelt <martin+gitlab@linuxlounge.net>
2025-06-02 11:27:09 +02:00
Martin Weinelt 8c835feaa7 docs/migrations: Improve title scoping for LDAP home dir migration 2025-06-02 04:31:41 +02:00
Martin Weinelt c9f61e02ae docs/howto-develop: fix stateVersion assertion example 2025-05-31 13:06:29 +02:00
Martin Weinelt 145afc5393 Merge branch 'assertions-guard-reformat' into 'master'
assertions: guard by enable flag and reformat

See merge request simple-nixos-mailserver/nixos-mailserver!407
2025-05-31 10:51:28 +00:00
Martin Weinelt ea1b0f8e2b assertions: guard by enable flag and reformat
None of these should trigger when you've not enabled mailserver.
2025-05-30 18:28:16 +02:00
Martin Weinelt c8bc3e4f1f Merge branch 'ldap-mail-directory-assertion' into 'master'
Fix assertion for ldap mail directory

See merge request simple-nixos-mailserver/nixos-mailserver!406
2025-05-30 13:14:11 +00:00
Charlotte Van Petegem 519a85a801 Fix assertion for ldap mail directory 2025-05-30 12:49:02 +00:00
Martin Weinelt ffd0e6f8f2 Merge branch 'dont-hardcode-ldap-home-base' into 'master'
dovecot: respect the mailDirectory base for LDAP home directories

See merge request simple-nixos-mailserver/nixos-mailserver!400
2025-05-29 21:14:25 +00:00
Martin Weinelt 7cb61e6e3a dovecot: respect the mailDirectory base for LDAP home directories
This change is safe if you have not altered the default value of the
`mailserver.mailDirectory` setting.
2025-05-29 23:10:33 +02:00
Martin Weinelt a1e9276656 Merge branch 'remove-dovecot-module-workaround' into 'master'
dovecot: remove workaround for services.dovecot2.modules removal

See merge request simple-nixos-mailserver/nixos-mailserver!404
2025-05-29 17:41:37 +00:00
Martin Weinelt 233c5e1a70 dovecot: remove workaround for services.dovecot2.modules removal 2025-05-29 14:06:34 +02:00
Martin Weinelt 506c6151d6 Merge branch 'various-things' into 'master'
Cleanup

See merge request simple-nixos-mailserver/nixos-mailserver!403
2025-05-29 06:58:39 +00:00
Martin Weinelt 11bfdbf136 tests: drop dhparam default length configuration
This has been the default value since the option was introduced back in
2018[0].

[0] https://github.com/NixOS/nixpkgs/commit/81fc2c35097f81ecb29a576148486cc1ce5a5bcc
2025-05-29 08:49:37 +02:00
Martin Weinelt 10cccc7706 docs: fix code block syntax in migration init 2025-05-29 08:48:56 +02:00
Martin Weinelt 6a78dc3375 Merge branch 'stateVersion' into 'master'
Introduce stateVersion concept

See merge request simple-nixos-mailserver/nixos-mailserver!401
2025-05-29 06:14:17 +00:00