From 2492a479db13c7dd146217a2902850ff01d782e0 Mon Sep 17 00:00:00 2001
From: niten <niten@fudo.org>
Date: Fri, 29 Sep 2023 10:19:09 -0700
Subject: [PATCH] Tweaks to dovecot

---
 dovecot.nix      | 77 ++++++++++++++++++++++++++----------------------
 postfix.nix      |  4 +--
 sieves/ham.sieve |  2 +-
 3 files changed, 45 insertions(+), 38 deletions(-)

diff --git a/dovecot.nix b/dovecot.nix
index 18283cf..f206501 100644
--- a/dovecot.nix
+++ b/dovecot.nix
@@ -186,43 +186,50 @@ in {
       tmpfiles.rules = [
         "d ${cfg.state-directory}        0751 ${cfg.mail-user} ${cfg.mail-group} - -"
         "d ${cfg.state-directory}/mail   0750 ${cfg.mail-user} ${cfg.mail-group} - -"
-        "d ${cfg.state-directory}/sieves 0750 ${config.services.dovecot2.user} - - -"
+        "d ${cfg.state-directory}/sieves 0750 ${config.services.dovecot2.user} ${config.services.dovecot2.group} - -"
       ];
 
-      services.dovecot-sieve-generator = let
-        isRegularFile = _: type: type == "regular";
-        sieves = filterAttrs isRegularFile (builtins.readDir ./sieves);
-        headOrNull = lst: if lst == [ ] then null else head lst;
-        stripExt = ext: filename:
-          headOrNull (builtins.match "(.+)[.]${ext}$" filename);
-        compileFile = filename: _:
-          let
-            filePath = ./sieves + "/${filename}";
-            fileBaseName = stripExt "sieve" filename;
-          in ''
-            cp ${filePath} ${sieveDirectory}/${fileBaseName}.sieve
-            sievec ${sieveDirectory}/${fileBaseName}.sieve ${sieveDirectory}/${fileBaseName}.svbin
-          '';
-      in {
-        wantedBy = [ "dovecot2.service" ];
-        before = [ "dovecot2.service" ];
-        path = with pkgs; [ dovecot_pigeonhole ];
-        serviceConfig = {
-          User = config.services.dovecot2.user;
-          ReadWritePaths = [ sieveDirectory ];
-          ExecStart = pkgs.writeShellScript "generate-sieves.sh"
-            (concatStringsSep "\n" (mapAttrsToList compileFile sieves));
-          PrivateDevices = true;
-          PrivateTmp = true;
-          PrivateMounts = true;
-          ProtectControlGroups = true;
-          ProtectKernelTunables = true;
-          ProtectKernelModules = true;
-          ProtectSystem = true;
-          ProtectHome = true;
-          ProtectClock = true;
-          ProtectKernelLogs = true;
-          Type = "oneshot";
+      services = {
+        prometheus-dovecot-exporter = {
+          requires = [ "dovecot2.service" ];
+          after = [ "dovecot2.service" ];
+        };
+
+        dovecot-sieve-generator = let
+          isRegularFile = _: type: type == "regular";
+          sieves = filterAttrs isRegularFile (builtins.readDir ./sieves);
+          headOrNull = lst: if lst == [ ] then null else head lst;
+          stripExt = ext: filename:
+            headOrNull (builtins.match "(.+)[.]${ext}$" filename);
+          compileFile = filename: _:
+            let
+              filePath = ./sieves + "/${filename}";
+              fileBaseName = stripExt "sieve" filename;
+            in ''
+              cp ${filePath} ${sieveDirectory}/${fileBaseName}.sieve
+              sievec ${sieveDirectory}/${fileBaseName}.sieve ${sieveDirectory}/${fileBaseName}.svbin
+            '';
+        in {
+          wantedBy = [ "dovecot2.service" ];
+          after = [ "dovecot2.service" ];
+          path = with pkgs; [ dovecot_pigeonhole ];
+          serviceConfig = {
+            User = config.services.dovecot2.user;
+            ReadWritePaths = [ sieveDirectory "/run/dovecot2" ];
+            ExecStart = pkgs.writeShellScript "generate-sieves.sh"
+              (concatStringsSep "\n" (mapAttrsToList compileFile sieves));
+            PrivateDevices = true;
+            PrivateTmp = true;
+            PrivateMounts = true;
+            ProtectControlGroups = true;
+            ProtectKernelTunables = true;
+            ProtectKernelModules = true;
+            ProtectSystem = true;
+            ProtectHome = true;
+            ProtectClock = true;
+            ProtectKernelLogs = true;
+            Type = "oneshot";
+          };
         };
       };
     };
diff --git a/postfix.nix b/postfix.nix
index 0903a05..41b4b29 100644
--- a/postfix.nix
+++ b/postfix.nix
@@ -244,7 +244,7 @@ in {
 
         relay-restrictions = [
           "reject_unauth_destination"
-          # "reject_unauth_pipelining"
+          "reject_unauth_pipelining"
           "reject_unknown_sender_domain"
           "permit_mynetworks"
           "permit_sasl_authenticated"
@@ -255,7 +255,7 @@ in {
           "check_sender_access ${mappedFile "reject_recipients"}"
           "reject_unknown_sender_domain"
           "reject_unknown_recipient_domain"
-          # "reject_unauth_pipelining"
+          "reject_unauth_pipelining"
           "reject_unauth_destination"
           "reject_invalid_hostname"
           "reject_non_fqdn_hostname"
diff --git a/sieves/ham.sieve b/sieves/ham.sieve
index 9cb43b4..85aaa9e 100644
--- a/sieves/ham.sieve
+++ b/sieves/ham.sieve
@@ -9,7 +9,7 @@ if string "${mailbox}" "Trash" {
 }
 
 if string "${mailbox}" "Junk" {
-  stop
+  stop;
 }
 
 if environment :matches "imap.user" "*" {