User defined sieve scripts
This is on the list of future plans in the readme and it's something I want so I'll write about what I've tried. There are several ways to do this but I don't know what's best for this repo.
We need to put a file called `~/.dovecot.sieve` in the user's home directory. We can do this:
- Declaratively using home-manager. This would require creating a home directory for each user and probably setting their shell. At the moment we're doing this: https://github.com/r-raymond/nixos-mailserver/blob/50a3fa9edc226c36cde1c994f2f2cd6965ec754c/mail-server/users.nix#L34 so in `/etc/passwd` each user's home directory is set to `/var/empty` and shell is `nologin`.
  A problem with this approach is that home-manager chokes on this line when the username contains the `@` character: https://github.com/rycee/home-manager/blob/1e0862eab5825f64aa724de57e20e8022af7f29f/nixos/default.nix#L41
  This can be worked around by changing the first argument to `writeScript` to just `activate`, but then systemd will choke when the generated activation unit references a user with an `@` character in their name:
  > Note that restrictions on the user/group name syntax are enforced: the specified name must consist only of the characters a-z, A-Z, 0-9, "_" and "-", except for the first character which must be one of a-z, A-Z or "_" (i.e. numbers and "-" are not permitted as first character). The user/group name must have at least one character, and at most 31. These restrictions are enforced in order to avoid ambiguities and to ensure user/group names and unit files remain portable among Linux systems.
  https://www.freedesktop.org/software/systemd/man/systemd.exec.html
  So if we were going to do that, we wouldn't be able to have users like `user@domain`, we'd have to change it to some other symbol that systemd accepts and figure out how to get dovecot to deliver to that name.
- Declaratively using a bunch of activation scripts, and making our own per-domain passwd and shadow files. I've done this here: https://github.com/eqyiel/deployments/blob/477c1706d2710662aa2849be8139b8069b899973/realms/tsumugi.rkm.id.au/mail-server.nix#L291-L317
  This way, the virtual users don't need to have system accounts and their home directory according to dovecot can just be `${mailDirectory}/domain/user` (where their mail currently sits).
- Imperatively, using the manage-sieve protocol. This would still require either setting a real (`/etc/passwd`) or virtual (`${mailDirectory}/domain/passwd`, as described above) home directory for each user. This requires opening port 4190 (dovecot is already serving it in the current configuration).
I'm leaning towards the second option but it would be good to get some feedback!
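To make the second option concrete, here is an added example (not nixos-mailserver code, and not the linked deployment's script) of the kind of activation step it implies: it reads a constructed list of `user@domain` accounts, writes a dovecot passwd-file per domain with each home set to `${mailDirectory}/domain/user`, and installs that user's sieve script as `.dovecot.sieve` in that home. The input line format, the shared vmail uid/gid and the per-domain `passwd` path are assumptions.

```shell
#!/bin/sh
# Added example, not part of nixos-mailserver: build per-domain dovecot
# passwd files for virtual users and drop each user's sieve script into
# the virtual home $maildir/domain/user. No system accounts are created,
# so the '@' in the login name never reaches systemd or /etc/passwd.
set -eu

# gen_virtual_users MAILDIR USERLIST [UID] [GID]
#   USERLIST lines (assumed format): user@domain:passwordhash:sievefile
#   Appends to MAILDIR/domain/passwd in dovecot passwd-file layout
#   (user:password:uid:gid:gecos:home:shell:extra) and prints the number
#   of users written. UID/GID default to an assumed shared vmail id.
gen_virtual_users() {
  maildir="$1"; userlist="$2"; uid="${3:-5000}"; gid="${4:-5000}"
  count=0
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    addr="${line%%:*}"; rest="${line#*:}"; hash="${rest%%:*}"
    case "$rest" in *:*) sieve="${rest#*:}" ;; *) sieve="" ;; esac
    # Reject anything that is not exactly one local part and one domain,
    # or that could escape the mail directory via the path we build below.
    case "$addr" in
      *@*@*|*/*|*..*|@*|*@) echo "skipping malformed address: $addr" >&2; continue ;;
      *@*) ;;
      *) echo "skipping address without domain: $addr" >&2; continue ;;
    esac
    user="${addr%@*}"; domain="${addr#*@}"
    home="$maildir/$domain/$user"
    mkdir -p "$home"
    # Login name keeps the '@'; gecos, shell and extra fields stay empty.
    printf '%s:%s:%s:%s::%s::\n' "$addr" "$hash" "$uid" "$gid" "$home" \
      >> "$maildir/$domain/passwd"
    # Only the user's own script lands in their home; keep it unreadable to others.
    if [ -n "$sieve" ] && [ -f "$sieve" ]; then
      cp "$sieve" "$home/.dovecot.sieve"
      chmod 0600 "$home/.dovecot.sieve"
    fi
    count=$((count + 1))
  done < "$userlist"
  echo "$count"
}
```

The passwd files it writes are meant to be referenced from dovecot's `passdb`/`userdb` `passwd-file` driver; the script appends, so truncate the files first if you re-run it.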