# nixos-mailserver: a simple mail server # Copyright (C) 2016-2018 Robin Raymond # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see { pkgs, ... }: let sendMail = pkgs.writeTextFile { "name" = "send-mail-to-send-only-account"; "text" = '' EHLO mail.example.com MAIL FROM: none@example.com RCPT TO: send-only@example.com QUIT ''; }; hashPassword = password: pkgs.runCommand "password-${password}-hashed" { buildInputs = [ pkgs.mkpasswd ]; inherit password; } '' mkpasswd -s <<<"$password" > $out ''; hashPasswordWithScheme = password: pkgs.runCommand "password-${password}-hashed-with-scheme" { buildInputs = [ pkgs.dovecot ]; inherit password; } '' printf "$password\n$password\n" | doveadm -O pw -s SSHA256 > $out ''; hashedPasswordFile = hashPassword "my-password"; hashedPasswordFileWithScheme = hashPasswordWithScheme "my-password"; passwordFile = pkgs.writeText "password" "my-password"; in { name = "internal"; nodes = { machine = { pkgs, ... }: { imports = [ ./../default.nix ./lib/config.nix ]; virtualisation.memorySize = 1024; environment.systemPackages = [ (pkgs.writeScriptBin "mail-check" '' ${pkgs.python3}/bin/python ${../scripts/mail-check.py} $@ '') ] ++ (with pkgs; [ curl openssl netcat ]); systemd.tmpfiles.settings."mailserver-test-passwords" = { "/run/passwords/user3" = { f = { argument = "my-password"; mode = "0600"; }; }; }; systemd.services.dovecot.serviceConfig.CacheDirectory = "dovecot"; mailserver = { enable = true; fqdn = "mail.example.com"; domains = [ "example.com" "domain.com" ]; localDnsResolver = false; accounts = { "user1@example.com" = { hashedPasswordFile = hashedPasswordFile; }; "user2@example.com" = { hashedPasswordFile = hashedPasswordFile; aliasesRegexp = [ ''/^user2.*@domain\.com$/'' ]; }; "user3@example.com" = { passwordFile = "/run/passwords/user3"; }; "user4@example.com" = { hashedPasswordFile = hashedPasswordFileWithScheme; }; "send-only@example.com" = { hashedPasswordFile = hashPassword "send-only"; sendOnly = true; }; }; forwards = { # user2@example.com is a local account and its mails are # also forwarded to user1@example.com "user2@example.com" = "user1@example.com"; }; storage = { gid = 5000; group = "vmail"; }; indexDir = "/var/cache/dovecot/fts"; enableImap = false; }; }; }; testScript = { nodes, ... }: # python '' machine.start() machine.wait_for_unit("multi-user.target") machine.wait_for_unit("dovecot.service") machine.wait_for_open_unix_socket("/run/rspamd/rspamd-milter.sock") # Regression test for https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/205 with subtest("mail forwarded can are locally kept"): # A mail sent to user2@example.com via explicit TLS is in the user1@example.com mailbox machine.succeed( " ".join( [ "mail-check send-and-read", "--smtp-port 587", "--smtp-starttls", "--smtp-host localhost", "--imap-host localhost", "--imap-username user1@example.com", "--from-addr user1@example.com", "--to-addr user2@example.com", "--src-password-file ${passwordFile}", "--dst-password-file ${passwordFile}", "--ignore-dkim-spf", ] ) ) # A mail sent to user2@example.com via implicit TLS is in the user2@example.com mailbox machine.succeed( " ".join( [ "mail-check send-and-read", "--smtp-port 465", "--smtp-ssl", "--smtp-host localhost", "--imap-host localhost", "--imap-username user2@example.com", "--from-addr user1@example.com", "--to-addr user2@example.com", "--src-password-file ${passwordFile}", "--dst-password-file ${passwordFile}", "--ignore-dkim-spf", ] ) ) with subtest("regex email alias are received"): # A mail sent to user2-regex-alias@domain.com via explicit TLS is in the user2@example.com mailbox machine.succeed( " ".join( [ "mail-check send-and-read", "--smtp-port 587", "--smtp-starttls", "--smtp-host localhost", "--imap-host localhost", "--imap-username user2@example.com", "--from-addr user1@example.com", "--to-addr user2-regex-alias@domain.com", "--src-password-file ${passwordFile}", "--dst-password-file ${passwordFile}", "--ignore-dkim-spf", ] ) ) with subtest("user can send from regex email alias"): # A mail sent to user1@example.com from user2-regex-alias@domain.com by # user2@example.com via implicit TLS is in the user1@example.com mailbox machine.succeed( " ".join( [ "mail-check send-and-read", "--smtp-port 465", "--smtp-ssl", "--smtp-host localhost", "--imap-host localhost", "--smtp-username user2@example.com", "--from-addr user2-regex-alias@domain.com", "--to-addr user1@example.com", "--src-password-file ${passwordFile}", "--dst-password-file ${passwordFile}", "--ignore-dkim-spf", ] ) ) with subtest("vmail gid is set correctly"): machine.succeed("getent group vmail | grep 5000") with subtest("Check dovecot maildir and index locations"): # If these paths change we need a migration machine.succeed("doveadm user -f home user1@example.com | grep ${nodes.machine.mailserver.storage.path}/example.com/user1") machine.succeed("doveadm user -f mail_path user1@example.com | grep ${nodes.machine.mailserver.storage.path}/example.com/user1/mail") machine.succeed("doveadm user -f mail_index_path user1@example.com | grep ${nodes.machine.mailserver.indexDir}/example.com/user1") with subtest("mail to send only accounts is rejected"): machine.wait_for_open_port(25) # TODO put this blocking into the systemd units machine.wait_until_succeeds( "set +e; timeout 1 nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]" ) machine.succeed( "cat ${sendMail} | nc localhost 25 | grep -q '554 5.5.0 Error'" ) with subtest("rspamd controller serves web ui"): machine.succeed( "set +o pipefail; curl --unix-socket /run/rspamd/worker-controller.sock http://localhost/ | grep -q ''" ) with subtest("user with plaintext password file can send and receive"): machine.succeed( " ".join( [ "mail-check send-and-read", "--smtp-port 587", "--smtp-starttls", "--smtp-host localhost", "--imap-host localhost", "--imap-username user3@example.com", "--from-addr user3@example.com", "--to-addr user3@example.com", "--src-password-file ${passwordFile}", "--dst-password-file ${passwordFile}", "--ignore-dkim-spf", ] ) ) with subtest("user with scheme-prefixed hashedPasswordFile can send and receive"): machine.succeed( " ".join( [ "mail-check send-and-read", "--smtp-port 587", "--smtp-starttls", "--smtp-host localhost", "--imap-host localhost", "--imap-username user4@example.com", "--from-addr user4@example.com", "--to-addr user4@example.com", "--src-password-file ${passwordFile}", "--dst-password-file ${passwordFile}", "--ignore-dkim-spf", ] ) ) with subtest("imap port 143 is closed and imaps is serving SSL"): machine.wait_for_closed_port(143) machine.wait_for_open_port(993) machine.succeed( "echo | openssl s_client -connect localhost:993 | grep 'New, TLS'" ) ''; }