Tweaks to dovecot
parent
96aa481ad7
commit
2492a479db
77
dovecot.nix
77
dovecot.nix
|
@ -186,43 +186,50 @@ in {
|
||||||
tmpfiles.rules = [
|
tmpfiles.rules = [
|
||||||
"d ${cfg.state-directory} 0751 ${cfg.mail-user} ${cfg.mail-group} - -"
|
"d ${cfg.state-directory} 0751 ${cfg.mail-user} ${cfg.mail-group} - -"
|
||||||
"d ${cfg.state-directory}/mail 0750 ${cfg.mail-user} ${cfg.mail-group} - -"
|
"d ${cfg.state-directory}/mail 0750 ${cfg.mail-user} ${cfg.mail-group} - -"
|
||||||
"d ${cfg.state-directory}/sieves 0750 ${config.services.dovecot2.user} - - -"
|
"d ${cfg.state-directory}/sieves 0750 ${config.services.dovecot2.user} ${config.services.dovecot2.group} - -"
|
||||||
];
|
];
|
||||||
|
|
||||||
services.dovecot-sieve-generator = let
|
services = {
|
||||||
isRegularFile = _: type: type == "regular";
|
prometheus-dovecot-exporter = {
|
||||||
sieves = filterAttrs isRegularFile (builtins.readDir ./sieves);
|
requires = [ "dovecot2.service" ];
|
||||||
headOrNull = lst: if lst == [ ] then null else head lst;
|
after = [ "dovecot2.service" ];
|
||||||
stripExt = ext: filename:
|
};
|
||||||
headOrNull (builtins.match "(.+)[.]${ext}$" filename);
|
|
||||||
compileFile = filename: _:
|
dovecot-sieve-generator = let
|
||||||
let
|
isRegularFile = _: type: type == "regular";
|
||||||
filePath = ./sieves + "/$(unknown)";
|
sieves = filterAttrs isRegularFile (builtins.readDir ./sieves);
|
||||||
fileBaseName = stripExt "sieve" filename;
|
headOrNull = lst: if lst == [ ] then null else head lst;
|
||||||
in ''
|
stripExt = ext: filename:
|
||||||
cp ${filePath} ${sieveDirectory}/${fileBaseName}.sieve
|
headOrNull (builtins.match "(.+)[.]${ext}$" filename);
|
||||||
sievec ${sieveDirectory}/${fileBaseName}.sieve ${sieveDirectory}/${fileBaseName}.svbin
|
compileFile = filename: _:
|
||||||
'';
|
let
|
||||||
in {
|
filePath = ./sieves + "/$(unknown)";
|
||||||
wantedBy = [ "dovecot2.service" ];
|
fileBaseName = stripExt "sieve" filename;
|
||||||
before = [ "dovecot2.service" ];
|
in ''
|
||||||
path = with pkgs; [ dovecot_pigeonhole ];
|
cp ${filePath} ${sieveDirectory}/${fileBaseName}.sieve
|
||||||
serviceConfig = {
|
sievec ${sieveDirectory}/${fileBaseName}.sieve ${sieveDirectory}/${fileBaseName}.svbin
|
||||||
User = config.services.dovecot2.user;
|
'';
|
||||||
ReadWritePaths = [ sieveDirectory ];
|
in {
|
||||||
ExecStart = pkgs.writeShellScript "generate-sieves.sh"
|
wantedBy = [ "dovecot2.service" ];
|
||||||
(concatStringsSep "\n" (mapAttrsToList compileFile sieves));
|
after = [ "dovecot2.service" ];
|
||||||
PrivateDevices = true;
|
path = with pkgs; [ dovecot_pigeonhole ];
|
||||||
PrivateTmp = true;
|
serviceConfig = {
|
||||||
PrivateMounts = true;
|
User = config.services.dovecot2.user;
|
||||||
ProtectControlGroups = true;
|
ReadWritePaths = [ sieveDirectory "/run/dovecot2" ];
|
||||||
ProtectKernelTunables = true;
|
ExecStart = pkgs.writeShellScript "generate-sieves.sh"
|
||||||
ProtectKernelModules = true;
|
(concatStringsSep "\n" (mapAttrsToList compileFile sieves));
|
||||||
ProtectSystem = true;
|
PrivateDevices = true;
|
||||||
ProtectHome = true;
|
PrivateTmp = true;
|
||||||
ProtectClock = true;
|
PrivateMounts = true;
|
||||||
ProtectKernelLogs = true;
|
ProtectControlGroups = true;
|
||||||
Type = "oneshot";
|
ProtectKernelTunables = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectSystem = true;
|
||||||
|
ProtectHome = true;
|
||||||
|
ProtectClock = true;
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
Type = "oneshot";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -244,7 +244,7 @@ in {
|
||||||
|
|
||||||
relay-restrictions = [
|
relay-restrictions = [
|
||||||
"reject_unauth_destination"
|
"reject_unauth_destination"
|
||||||
# "reject_unauth_pipelining"
|
"reject_unauth_pipelining"
|
||||||
"reject_unknown_sender_domain"
|
"reject_unknown_sender_domain"
|
||||||
"permit_mynetworks"
|
"permit_mynetworks"
|
||||||
"permit_sasl_authenticated"
|
"permit_sasl_authenticated"
|
||||||
|
@ -255,7 +255,7 @@ in {
|
||||||
"check_sender_access ${mappedFile "reject_recipients"}"
|
"check_sender_access ${mappedFile "reject_recipients"}"
|
||||||
"reject_unknown_sender_domain"
|
"reject_unknown_sender_domain"
|
||||||
"reject_unknown_recipient_domain"
|
"reject_unknown_recipient_domain"
|
||||||
# "reject_unauth_pipelining"
|
"reject_unauth_pipelining"
|
||||||
"reject_unauth_destination"
|
"reject_unauth_destination"
|
||||||
"reject_invalid_hostname"
|
"reject_invalid_hostname"
|
||||||
"reject_non_fqdn_hostname"
|
"reject_non_fqdn_hostname"
|
||||||
|
|
|
@ -9,7 +9,7 @@ if string "${mailbox}" "Trash" {
|
||||||
}
|
}
|
||||||
|
|
||||||
if string "${mailbox}" "Junk" {
|
if string "${mailbox}" "Junk" {
|
||||||
stop
|
stop;
|
||||||
}
|
}
|
||||||
|
|
||||||
if environment :matches "imap.user" "*" {
|
if environment :matches "imap.user" "*" {
|
||||||
|
|
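Review bot: `ReadWritePaths = [ sieveDirectory "/run/dovecot2" ];` in the dovecot-sieve-generator serviceConfig has no effect as written, because `ProtectSystem = true;` only makes /usr and /boot read-only, so /run/dovecot2 (and presumably sieveDirectory, which is defined outside the hunk) is writable regardless; if the intent is to confine the generator to those two paths, change it to `ProtectSystem = "strict";`. The switch from `before` to `after` on dovecot2.service also means dovecot now starts before the .svbin files are (re)compiled, so a first start or a changed script serves whatever was previously in sieveDirectory; a comment such as `# runs after dovecot2 so /run/dovecot2 exists` would record the reason if that is why the ordering was flipped. pkgs.writeShellScript does not enable `set -e`, so a sievec failure on one file is masked by the commands after it and the oneshot still reports success; prefixing the generated script, e.g. `(concatStringsSep "\n" ([ "set -eu" ] ++ mapAttrsToList compileFile sieves))`, makes a broken sieve fail the unit instead. Separately, stripExt returns null for any entry in ./sieves that does not end in .sieve, and interpolating that null into the cp line aborts evaluation, so the directory must contain only .sieve files; the `"/$(unknown)"` shown in filePath looks like a rendering artifact of the page rather than the source.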