From 7927f6ca963d229f7609a47227d51eb6b3038bcd Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Mon, 11 Nov 2024 00:15:07 +0100 Subject: [PATCH] fix(mail): Got working stalwart mail config --- services/authelia/configuration.yml | 10 ++--- services/outline/default.nix | 6 +-- services/stalwart-mail/default.nix | 65 +++++++++++++++++++++-------- 3 files changed, 56 insertions(+), 25 deletions(-) diff --git a/services/authelia/configuration.yml b/services/authelia/configuration.yml index 3044099..582b9b5 100644 --- a/services/authelia/configuration.yml +++ b/services/authelia/configuration.yml @@ -76,12 +76,12 @@ storage: notifier: disable_startup_check: true smtp: - address: 'smtp://mail.gasdev.fr:25' - username: 'postmaster@gasdev.fr' + address: 'submissions://mail.gasdev.fr:465' + username: 'postmaster' sender: 'Authelia ' - identifier: 'mail.gasdev.fr' - tls: - server_name: 'mail.gasdev.fr' + # identifier: 'mail.gasdev.fr' + # tls: + # server_name: 'mail.gasdev.fr' log: level: 'info' diff --git a/services/outline/default.nix b/services/outline/default.nix index 498ac31..87e9d24 100644 --- a/services/outline/default.nix +++ b/services/outline/default.nix @@ -30,10 +30,10 @@ smtp = { host = "mail.gasdev.fr"; port = 465; - username = "postmaster@gasdev.fr"; + username = "postmaster"; passwordFile = config.sops.secrets."outline/SMTP_PASSWORD".path; - fromEmail = "from.outline@gasdev.fr"; - replyEmail = "reply.outline@gasdev.fr"; + fromEmail = "outline@gasdev.fr"; + replyEmail = "no-reply@gasdev.fr"; }; storage = { diff --git a/services/stalwart-mail/default.nix b/services/stalwart-mail/default.nix index 6563297..cb46db8 100644 --- a/services/stalwart-mail/default.nix +++ b/services/stalwart-mail/default.nix @@ -5,6 +5,11 @@ in { sops.secrets."stalwart-mail/ACME_SECRET".owner = "stalwart-mail"; services.caddy.virtualHosts."mailadmin.${domain}" = { + extraConfig = '' + reverse_proxy http://127.0.01:40312 + ''; + }; + services.caddy.virtualHosts."mail.${domain}" = { extraConfig = '' reverse_proxy http://127.0.01:8080 ''; @@ -12,7 +17,7 @@ in { "mta-sts.${domain}" "autoconfig.${domain}" "autodiscover.${domain}" - "mail.${domain}" + "${domain}" ]; }; networking.firewall.allowedTCPPorts = [25 465 587 993]; @@ -21,7 +26,7 @@ in { enable = true; settings = { server = { - hostname = "mx1.${domain}"; + hostname = "mail.${domain}"; tls = { enable = true; implicit = true; @@ -34,41 +39,36 @@ in { submissions = { bind = "[::]:465"; protocol = "smtp"; + tls.implicit = true; }; imaps = { bind = "[::]:993"; protocol = "imap"; + tls.implicit = true; }; jmap = { bind = "[::]:8080"; - url = "https://mail.${domain}"; - protocol = "jmap"; + protocol = "http"; + tls.implicit = false; }; management = { - bind = ["127.0.0.1:8080"]; + bind = ["127.0.0.1:40312"]; protocol = "http"; }; }; }; lookup.default = { - hostname = "mx1.${domain}"; + hostname = "mail.${domain}"; domain = "${domain}"; }; - acme."letsencrypt" = { + certificate.default = { default = true; - directory = "https://acme-v02.api.letsencrypt.org/directory"; - challenge = "dns-01"; - contact = "postmaster@${domain}"; - domains = ["${domain}" "mx1.${domain}"]; - provider = "cloudflare"; - secret = "%{file:${config.sops.secrets."stalwart-mail/ACME_SECRET".path}}%"; + cert = "%{file:/var/lib/stalwart-mail/cert/mail.${domain}.pem}%"; + private-key = "%{file:/var/lib/stalwart-mail/cert/mail.${domain}.priv.pem}%"; }; session.auth = { - mechanisms = "[plain]"; - directory = "'in-memory'"; + mechanisms = "[plain, login]"; }; - session.rcpt.directory = "'in-memory'"; - queue.outbound.next-hop = "'local'"; directory."imap".lookup.domains = ["${domain}"]; storage = { data = "rocksdb"; @@ -113,4 +113,35 @@ in { StateDirectoryMode = "0740"; }; }; + + systemd.timers."stalwart-mail-update-certs" = { + wantedBy = ["timers.target"]; + timerConfig = { + OnCalendar = "daily"; + Persistent = true; + Unit = "stalwart-mail-update-certs.service"; + }; + }; + + systemd.services."stalwart-mail-update-certs" = { + script = '' + set -eu + + CADDY_CERT_DIR="/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.${domain}" + STALWART_CERT_DIR="/var/lib/stalwart-mail/cert" + + mkdir -p "''\${CADDY_CERT_DIR}" + mkdir -p "''\${STALWART_CERT_DIR}" + + cat "''\${CADDY_CERT_DIR}/mail.${domain}.crt" > "''\${STALWART_CERT_DIR}/mail.${domain}.pem" + cat "''\${CADDY_CERT_DIR}/mail.${domain}.key" > "''\${STALWART_CERT_DIR}/mail.${domain}.priv.pem" + + chown -R stalwart-mail:stalwart-mail "''\${STALWART_CERT_DIR}" + chmod -R 0700 "''\${STALWART_CERT_DIR}" + ''; + serviceConfig = { + Type = "oneshot"; + User = "root"; + }; + }; }