{...}:
/*
NixOS module: mail server settings for bensima.com, simatime.com and bsima.me,
plus Postfix header checks that reject mail mentioning a few blocked domains.

Known issues:
- when the acme cert gets refreshed, you need to manually restart dovecot
- when restarting dovecot, it might hang, in that case do:
    systemctl --job-mode=ignore-dependencies restart dovecot2 postfix

NOTE(review): until that manual restart happens dovecot presumably keeps
serving the previous certificate, so a forgotten restart would surface as TLS
failures in mail clients once the old cert expires. NixOS offers
security.acme.certs.<name>.reloadServices for exactly this; whether it is
needed (or already set) with the mailserver module version in use is not
visible from this file -- confirm.
*/
{
  mailserver = {
    enable = true;
    monitoring = {
      enable = true;
      # Alerts are sent to a mailbox outside the domains hosted here.
      alertAddress = "bsima@icloud.com";
    };
    fqdn = "bensima.com";
    domains = ["bensima.com" "simatime.com" "bsima.me"];
    certificateScheme = "acme-nginx"; # let's encrypt, using named scheme instead of number
    # Both the plain-named and the *Ssl variants of IMAP and POP3 are enabled.
    # NOTE(review): in nixos-mailserver the plain-named options are, as far as
    # I recall, the STARTTLS listeners (143/110) and the *Ssl ones implicit TLS
    # (993/995). If every client already uses the implicit-TLS ports, turning
    # the STARTTLS listeners off removes a downgrade-prone path -- confirm
    # against the module docs and the clients in use before changing.
    enableImap = true;
    enablePop3 = true;
    enableImapSsl = true;
    enablePop3Ssl = true;
    enableManageSieve = true;
    virusScanning = false; # ur on ur own
    localDnsResolver = true;
    # Define proper virtual aliases instead of placeholder
    # NOTE(review): "blocked@bensima.com" is delivered to ben@bensima.com, not
    # rejected; if the name is meant literally, confirm this is the intent.
    extraVirtualAliases = {
      "blocked@bensima.com" = "ben@bensima.com";
      # forward old addresses to new domain
      # (the same two addresses are also listed under the ben@bensima.com
      # account's `aliases` below, so they are declared twice)
      "ben@bsima.me" = "ben@bensima.com";
      "ben@simatime.com" = "ben@bensima.com";
    };
    # NOTE(review): all three accounts point at the same hashedPasswordFile, so
    # they authenticate against the same hash: one disclosed password opens
    # every mailbox, and access cannot be revoked per account. A separate file
    # per account avoids that. The file sits under /home/ben; check that it is
    # not readable by other local users (ownership/mode are not visible here).
    loginAccounts = {
      "ben@bensima.com" = {
        hashedPasswordFile = "/home/ben/hashed-mail-password";
        aliases = [
          # my old emails
          "ben@simatime.com"
          "ben@bsima.me"
          # admin stuff, necessary i think?
          "postmaster@bensima.com"
          "abuse@bensima.com"
        ];
        # Same three domains as `domains` above.
        # NOTE(review): presumably any otherwise-unknown address at these
        # domains lands in this mailbox, which also means mistyped and
        # dictionary-guessed recipients are accepted -- confirm that is wanted.
        catchAll = ["bensima.com" "simatime.com" "bsima.me"];
        quota = "10G";
      };
      "dev@bensima.com" = {
        hashedPasswordFile = "/home/ben/hashed-mail-password";
        aliases = ["dev@simatime.com" "dev@bsima.me"];
        quota = "10G";
      };
      "monica@bensima.com" = {
        hashedPasswordFile = "/home/ben/hashed-mail-password";
        quota = "1G";
      };
    };
  };
  # Configure Postfix to block unwanted domains using the NixOS services.postfix.headerChecks option
  #
  # Each entry pairs a regular expression over one header line with a REJECT
  # action and its reply text. "\\." in the Nix string is a backslash-dot in
  # the resulting pattern, i.e. a literal dot.
  #
  # NOTE(review), applies to every rule below:
  # - The domain is not anchored on either side (".*" before it, nothing after
  #   it), so the pattern also matches longer names that merely contain it,
  #   e.g. a constructed "xperfora.net" or "perfora.network", and any mention
  #   inside a display name. Adding a boundary after the domain would narrow
  #   this; test against real mail before tightening.
  # - These rules look at message headers, which are written by the sending
  #   side. They are a convenience filter, not an authentication control;
  #   rejecting on the envelope sender (Postfix check_sender_access, or the
  #   mailserver module's rejectSender option if the version in use has it)
  #   is the sturdier place for a per-domain block -- confirm availability.
  services.postfix.headerChecks = [
    # Block perfora.net
    # (only Received: and From: are covered here; the two domains below also
    # check Return-Path: and Sender:)
    {
      pattern = "/^Received:.*perfora\\.net/";
      action = "REJECT Domain perfora.net is blocked";
    }
    {
      pattern = "/^From:.*perfora\\.net/";
      action = "REJECT Domain perfora.net is blocked";
    }
    # Block novastells.com.es domain
    {
      pattern = "/^Received:.*novastells\\.com\\.es/";
      action = "REJECT Domain novastells.com.es is blocked";
    }
    {
      pattern = "/^From:.*novastells\\.com\\.es/";
      action = "REJECT Domain novastells.com.es is blocked";
    }
    # NOTE(review): Return-Path: is normally written at final delivery, so a
    # rule on it may rarely match inbound mail at this stage -- confirm.
    {
      pattern = "/^Return-Path:.*novastells\\.com\\.es/";
      action = "REJECT Domain novastells.com.es is blocked";
    }
    {
      pattern = "/^Sender:.*novastells\\.com\\.es/";
      action = "REJECT Domain novastells.com.es is blocked";
    }
    # Block optaltechtld.com domain
    {
      pattern = "/^Received:.*optaltechtld\\.com/";
      action = "REJECT Domain optaltechtld.com is blocked";
    }
    {
      pattern = "/^From:.*optaltechtld\\.com/";
      action = "REJECT Domain optaltechtld.com is blocked";
    }
    {
      pattern = "/^Return-Path:.*optaltechtld\\.com/";
      action = "REJECT Domain optaltechtld.com is blocked";
    }
    {
      pattern = "/^Sender:.*optaltechtld\\.com/";
      action = "REJECT Domain optaltechtld.com is blocked";
    }
  ];
}