Commit | Line | Data |
---|---|---|
d8c18af8 AW |
1 | ;;; GNU Guix --- Functional package management for GNU |
2 | ;;; Copyright © 2015 Andy Wingo <wingo@igalia.com> | |
8d9bb4b4 | 3 | ;;; Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org> |
82ccc499 | 4 | ;;; Copyright © 2017 Carlo Zancanaro <carlo@zancanaro.id.au> |
c3f146e7 | 5 | ;;; Copyright © 2017, 2020 Tobias Geerinckx-Rice <me@tobias.gr> |
ace8e269 | 6 | ;;; Copyright © 2019 Kristofer Buffington <kristoferbuffington@gmail.com> |
b4db1136 | 7 | ;;; Copyright © 2020 Jonathan Brielmaier <jonathan.brielmaier@web.de> |
d8c18af8 AW |
8 | ;;; |
9 | ;;; This file is part of GNU Guix. | |
10 | ;;; | |
11 | ;;; GNU Guix is free software; you can redistribute it and/or modify it | |
12 | ;;; under the terms of the GNU General Public License as published by | |
13 | ;;; the Free Software Foundation; either version 3 of the License, or (at | |
14 | ;;; your option) any later version. | |
15 | ;;; | |
16 | ;;; GNU Guix is distributed in the hope that it will be useful, but | |
17 | ;;; WITHOUT ANY WARRANTY; without even the implied warranty of | |
18 | ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
19 | ;;; GNU General Public License for more details. | |
20 | ;;; | |
21 | ;;; You should have received a copy of the GNU General Public License | |
22 | ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. | |
23 | ;;; | |
24 | ;;; Some of the help text was taken from the default dovecot.conf files. | |
25 | ||
26 | (define-module (gnu services mail) | |
27 | #:use-module (gnu services) | |
28 | #:use-module (gnu services base) | |
5305ed20 | 29 | #:use-module (gnu services configuration) |
0190c1c0 | 30 | #:use-module (gnu services shepherd) |
d8c18af8 AW |
31 | #:use-module (gnu system pam) |
32 | #:use-module (gnu system shadow) | |
dd3cf144 | 33 | #:use-module (gnu system setuid) |
d8c18af8 AW |
34 | #:use-module (gnu packages mail) |
35 | #:use-module (gnu packages admin) | |
b4db1136 | 36 | #:use-module (gnu packages dav) |
d8c18af8 AW |
37 | #:use-module (gnu packages tls) |
38 | #:use-module (guix records) | |
39 | #:use-module (guix packages) | |
40 | #:use-module (guix gexp) | |
d8c18af8 | 41 | #:use-module (ice-9 match) |
82ccc499 | 42 | #:use-module (ice-9 format) |
8d17cf1c | 43 | #:use-module (srfi srfi-1) |
5305ed20 | 44 | #:export (dovecot-service |
24e96431 | 45 | dovecot-service-type |
d8c18af8 AW |
46 | dovecot-configuration |
47 | opaque-dovecot-configuration | |
48 | ||
49 | dict-configuration | |
50 | passdb-configuration | |
51 | userdb-configuration | |
52 | unix-listener-configuration | |
53 | fifo-listener-configuration | |
54 | inet-listener-configuration | |
55 | service-configuration | |
56 | protocol-configuration | |
57 | plugin-configuration | |
58 | mailbox-configuration | |
f88371e8 SB |
59 | namespace-configuration |
60 | ||
61 | opensmtpd-configuration | |
62 | opensmtpd-configuration? | |
63 | opensmtpd-service-type | |
82ccc499 CZ |
64 | %default-opensmtpd-config-file |
65 | ||
8d17cf1c CZ |
66 | mail-aliases-service-type |
67 | ||
82ccc499 CZ |
68 | exim-configuration |
69 | exim-configuration? | |
70 | exim-service-type | |
412e6396 SB |
71 | %default-exim-config-file |
72 | ||
73 | imap4d-configuration | |
74 | imap4d-configuration? | |
75 | imap4d-service-type | |
b4db1136 JB |
76 | %default-imap4d-config-file |
77 | ||
78 | radicale-configuration | |
79 | radicale-configuration? | |
80 | radicale-service-type | |
81 | %default-radicale-config-file)) | |
d8c18af8 AW |
82 | |
83 | ;;; Commentary: | |
84 | ;;; | |
85 | ;;; This module provides service definitions for the Dovecot POP3 and IMAP | |
86 | ;;; mail server. | |
87 | ;;; | |
88 | ;;; Code: | |
89 | ||
56aef188 CL |
90 | (define (uglify-field-name field-name) |
91 | (let ((str (symbol->string field-name))) | |
92 | (string-join (string-split (if (string-suffix? "?" str) | |
93 | (substring str 0 (1- (string-length str))) | |
94 | str) | |
95 | #\-) | |
96 | "_"))) | |
97 | ||
98 | (define (serialize-field field-name val) | |
99 | (format #t "~a=~a\n" (uglify-field-name field-name) val)) | |
100 | ||
101 | (define (serialize-string field-name val) | |
102 | (serialize-field field-name val)) | |
103 | ||
104 | (define (space-separated-string-list? val) | |
105 | (and (list? val) | |
106 | (and-map (lambda (x) | |
107 | (and (string? x) (not (string-index x #\space)))) | |
108 | val))) | |
109 | (define (serialize-space-separated-string-list field-name val) | |
a1640091 AA |
110 | (match val |
111 | (() #f) | |
112 | (_ (serialize-field field-name (string-join val " "))))) | |
d8c18af8 AW |
113 | |
114 | (define (comma-separated-string-list? val) | |
115 | (and (list? val) | |
116 | (and-map (lambda (x) | |
117 | (and (string? x) (not (string-index x #\,)))) | |
118 | val))) | |
119 | (define (serialize-comma-separated-string-list field-name val) | |
120 | (serialize-field field-name (string-join val ","))) | |
121 | ||
56aef188 CL |
122 | (define (file-name? val) |
123 | (and (string? val) | |
124 | (string-prefix? "/" val))) | |
125 | (define (serialize-file-name field-name val) | |
126 | (serialize-string field-name val)) | |
127 | ||
d8c18af8 AW |
128 | (define (colon-separated-file-name-list? val) |
129 | (and (list? val) | |
130 | ;; Trailing slashes not needed and not | |
131 | (and-map file-name? val))) | |
132 | (define (serialize-colon-separated-file-name-list field-name val) | |
133 | (serialize-field field-name (string-join val ":"))) | |
134 | ||
56aef188 CL |
135 | (define (serialize-boolean field-name val) |
136 | (serialize-string field-name (if val "yes" "no"))) | |
137 | ||
d8c18af8 AW |
138 | (define (non-negative-integer? val) |
139 | (and (exact-integer? val) (not (negative? val)))) | |
140 | (define (serialize-non-negative-integer field-name val) | |
141 | (serialize-field field-name val)) | |
142 | ||
143 | (define (hours? val) (non-negative-integer? val)) | |
144 | (define (serialize-hours field-name val) | |
145 | (serialize-field field-name (format #f "~a hours" val))) | |
146 | ||
147 | (define (free-form-fields? val) | |
148 | (match val | |
149 | (() #t) | |
ad34409e | 150 | ((((? symbol?) . (? string?)) . val) (free-form-fields? val)) |
d8c18af8 AW |
151 | (_ #f))) |
152 | (define (serialize-free-form-fields field-name val) | |
153 | (for-each (match-lambda ((k . v) (serialize-field k v))) val)) | |
154 | ||
155 | (define (free-form-args? val) | |
156 | (match val | |
157 | (() #t) | |
ad34409e | 158 | ((((? symbol?) . (? string?)) . val) (free-form-args? val)) |
d8c18af8 AW |
159 | (_ #f))) |
160 | (define (serialize-free-form-args field-name val) | |
161 | (serialize-field field-name | |
162 | (string-join | |
5a6e27bf | 163 | (map (match-lambda ((k . v) (format #f "~a=~a" k v))) val) |
d8c18af8 AW |
164 | " "))) |
165 | ||
166 | (define-configuration dict-configuration | |
167 | (entries | |
168 | (free-form-fields '()) | |
169 | "A list of key-value pairs that this dict should hold.")) | |
170 | ||
171 | (define (serialize-dict-configuration field-name val) | |
172 | (format #t "dict {\n") | |
173 | (serialize-configuration val dict-configuration-fields) | |
174 | (format #t "}\n")) | |
175 | ||
176 | (define-configuration passdb-configuration | |
177 | (driver | |
178 | (string "pam") | |
179 | "The driver that the passdb should use. Valid values include | |
180 | @samp{pam}, @samp{passwd}, @samp{shadow}, @samp{bsdauth}, and | |
181 | @samp{static}.") | |
182 | (args | |
deb36188 CL |
183 | (space-separated-string-list '()) |
184 | "Space separated list of arguments to the passdb driver.")) | |
d8c18af8 AW |
185 | |
186 | (define (serialize-passdb-configuration field-name val) | |
187 | (format #t "passdb {\n") | |
188 | (serialize-configuration val passdb-configuration-fields) | |
189 | (format #t "}\n")) | |
190 | (define (passdb-configuration-list? val) | |
191 | (and (list? val) (and-map passdb-configuration? val))) | |
192 | (define (serialize-passdb-configuration-list field-name val) | |
193 | (for-each (lambda (val) (serialize-passdb-configuration field-name val)) val)) | |
194 | ||
195 | (define-configuration userdb-configuration | |
196 | (driver | |
197 | (string "passwd") | |
198 | "The driver that the userdb should use. Valid values include | |
199 | @samp{passwd} and @samp{static}.") | |
200 | (args | |
deb36188 CL |
201 | (space-separated-string-list '()) |
202 | "Space separated list of arguments to the userdb driver.") | |
d8c18af8 AW |
203 | (override-fields |
204 | (free-form-args '()) | |
205 | "Override fields from passwd.")) | |
206 | ||
207 | (define (serialize-userdb-configuration field-name val) | |
208 | (format #t "userdb {\n") | |
209 | (serialize-configuration val userdb-configuration-fields) | |
210 | (format #t "}\n")) | |
211 | (define (userdb-configuration-list? val) | |
212 | (and (list? val) (and-map userdb-configuration? val))) | |
213 | (define (serialize-userdb-configuration-list field-name val) | |
214 | (for-each (lambda (val) (serialize-userdb-configuration field-name val)) val)) | |
215 | ||
216 | (define-configuration unix-listener-configuration | |
217 | (path | |
eba56076 CL |
218 | (string (configuration-missing-field 'unix-listener 'path)) |
219 | "Path to the file, relative to @code{base-dir} field. This is also used as | |
220 | the section name.") | |
d8c18af8 AW |
221 | (mode |
222 | (string "0600") | |
223 | "The access mode for the socket.") | |
224 | (user | |
225 | (string "") | |
226 | "The user to own the the socket.") | |
227 | (group | |
228 | (string "") | |
229 | "The group to own the socket.")) | |
230 | ||
231 | (define (serialize-unix-listener-configuration field-name val) | |
232 | (format #t "unix_listener ~a {\n" (unix-listener-configuration-path val)) | |
233 | (serialize-configuration val (cdr unix-listener-configuration-fields)) | |
234 | (format #t "}\n")) | |
235 | ||
236 | (define-configuration fifo-listener-configuration | |
237 | (path | |
eba56076 CL |
238 | (string (configuration-missing-field 'fifo-listener 'path)) |
239 | "Path to the file, relative to @code{base-dir} field. This is also used as | |
240 | the section name.") | |
d8c18af8 AW |
241 | (mode |
242 | (string "0600") | |
243 | "The access mode for the socket.") | |
244 | (user | |
245 | (string "") | |
246 | "The user to own the the socket.") | |
247 | (group | |
248 | (string "") | |
249 | "The group to own the socket.")) | |
250 | ||
251 | (define (serialize-fifo-listener-configuration field-name val) | |
252 | (format #t "fifo_listener ~a {\n" (fifo-listener-configuration-path val)) | |
253 | (serialize-configuration val (cdr fifo-listener-configuration-fields)) | |
254 | (format #t "}\n")) | |
255 | ||
256 | (define-configuration inet-listener-configuration | |
257 | (protocol | |
5305ed20 | 258 | (string (configuration-missing-field 'inet-listener 'protocol)) |
d8c18af8 AW |
259 | "The protocol to listen for.") |
260 | (address | |
261 | (string "") | |
262 | "The address on which to listen, or empty for all addresses.") | |
263 | (port | |
264 | (non-negative-integer | |
5305ed20 | 265 | (configuration-missing-field 'inet-listener 'port)) |
d8c18af8 AW |
266 | "The port on which to listen.") |
267 | (ssl? | |
268 | (boolean #t) | |
269 | "Whether to use SSL for this service; @samp{yes}, @samp{no}, or | |
270 | @samp{required}.")) | |
271 | ||
272 | (define (serialize-inet-listener-configuration field-name val) | |
273 | (format #t "inet_listener ~a {\n" (inet-listener-configuration-protocol val)) | |
274 | (serialize-configuration val (cdr inet-listener-configuration-fields)) | |
275 | (format #t "}\n")) | |
276 | ||
277 | (define (listener-configuration? val) | |
278 | (or (unix-listener-configuration? val) | |
279 | (fifo-listener-configuration? val) | |
280 | (inet-listener-configuration? val))) | |
281 | (define (serialize-listener-configuration field-name val) | |
282 | (cond | |
283 | ((unix-listener-configuration? val) | |
284 | (serialize-unix-listener-configuration field-name val)) | |
285 | ((fifo-listener-configuration? val) | |
286 | (serialize-fifo-listener-configuration field-name val)) | |
287 | ((inet-listener-configuration? val) | |
288 | (serialize-inet-listener-configuration field-name val)) | |
fb7e6ccb | 289 | (else (configuration-field-error #f field-name val)))) |
d8c18af8 AW |
290 | (define (listener-configuration-list? val) |
291 | (and (list? val) (and-map listener-configuration? val))) | |
292 | (define (serialize-listener-configuration-list field-name val) | |
293 | (for-each (lambda (val) | |
294 | (serialize-listener-configuration field-name val)) | |
295 | val)) | |
296 | ||
297 | (define-configuration service-configuration | |
298 | (kind | |
5305ed20 | 299 | (string (configuration-missing-field 'service 'kind)) |
d8c18af8 AW |
300 | "The service kind. Valid values include @code{director}, |
301 | @code{imap-login}, @code{pop3-login}, @code{lmtp}, @code{imap}, | |
302 | @code{pop3}, @code{auth}, @code{auth-worker}, @code{dict}, | |
303 | @code{tcpwrap}, @code{quota-warning}, or anything else.") | |
304 | (listeners | |
305 | (listener-configuration-list '()) | |
306 | "Listeners for the service. A listener is either an | |
307 | @code{unix-listener-configuration}, a @code{fifo-listener-configuration}, or | |
308 | an @code{inet-listener-configuration}.") | |
8d9bb4b4 CL |
309 | (client-limit |
310 | (non-negative-integer 0) | |
311 | "Maximum number of simultaneous client connections per process. Once this | |
312 | number of connections is received, the next incoming connection will prompt | |
313 | Dovecot to spawn another process. If set to 0, @code{default-client-limit} is | |
314 | used instead.") | |
d8c18af8 AW |
315 | (service-count |
316 | (non-negative-integer 1) | |
317 | "Number of connections to handle before starting a new process. | |
318 | Typically the only useful values are 0 (unlimited) or 1. 1 is more | |
319 | secure, but 0 is faster. <doc/wiki/LoginProcess.txt>.") | |
be8dd4a5 CL |
320 | (process-limit |
321 | (non-negative-integer 0) | |
322 | "Maximum number of processes that can exist for this service. If set to 0, | |
323 | @code{default-process-limit} is used instead.") | |
d8c18af8 AW |
324 | (process-min-avail |
325 | (non-negative-integer 0) | |
326 | "Number of processes to always keep waiting for more connections.") | |
327 | ;; FIXME: Need to be able to take the default for this value from other | |
328 | ;; parts of the config. | |
329 | (vsz-limit | |
330 | (non-negative-integer #e256e6) | |
331 | "If you set @samp{service-count 0}, you probably need to grow | |
332 | this.")) | |
333 | ||
334 | (define (serialize-service-configuration field-name val) | |
335 | (format #t "service ~a {\n" (service-configuration-kind val)) | |
336 | (serialize-configuration val (cdr service-configuration-fields)) | |
337 | (format #t "}\n")) | |
338 | (define (service-configuration-list? val) | |
339 | (and (list? val) (and-map service-configuration? val))) | |
340 | (define (serialize-service-configuration-list field-name val) | |
341 | (for-each (lambda (val) | |
342 | (serialize-service-configuration field-name val)) | |
343 | val)) | |
344 | ||
345 | (define-configuration protocol-configuration | |
346 | (name | |
5305ed20 | 347 | (string (configuration-missing-field 'protocol 'name)) |
d8c18af8 AW |
348 | "The name of the protocol.") |
349 | (auth-socket-path | |
350 | (string "/var/run/dovecot/auth-userdb") | |
351 | "UNIX socket path to master authentication server to find users. | |
352 | This is used by imap (for shared users) and lda.") | |
353 | (mail-plugins | |
354 | (space-separated-string-list '("$mail_plugins")) | |
355 | "Space separated list of plugins to load.") | |
356 | (mail-max-userip-connections | |
357 | (non-negative-integer 10) | |
358 | "Maximum number of IMAP connections allowed for a user from each IP | |
0fd5bdca AA |
359 | address. NOTE: The username is compared case-sensitively.") |
360 | (imap-metadata? | |
361 | (boolean #f) | |
362 | "Whether to enable the @code{IMAP METADATA} extension as defined in | |
363 | @uref{https://tools.ietf.org/html/rfc5464, RFC@tie{}5464}, which provides | |
364 | a means for clients to set and retrieve per-mailbox, per-user metadata | |
365 | and annotations over IMAP. | |
366 | ||
367 | If this is @samp{#t}, you must also specify a dictionary @i{via} the | |
6e05920c AA |
368 | @code{mail-attribute-dict} setting.") |
369 | (managesieve-notify-capability | |
370 | (space-separated-string-list '()) | |
371 | "Which NOTIFY capabilities to report to clients that first connect to | |
372 | the ManageSieve service, before authentication. These may differ from the | |
373 | capabilities offered to authenticated users. If this field is left empty, | |
0d6eb692 AA |
374 | report what the Sieve interpreter supports by default.") |
375 | (managesieve-sieve-capability | |
376 | (space-separated-string-list '()) | |
377 | "Which SIEVE capabilities to report to clients that first connect to | |
378 | the ManageSieve service, before authentication. These may differ from the | |
379 | capabilities offered to authenticated users. If this field is left empty, | |
6e05920c | 380 | report what the Sieve interpreter supports by default.")) |
d8c18af8 AW |
381 | |
382 | (define (serialize-protocol-configuration field-name val) | |
383 | (format #t "protocol ~a {\n" (protocol-configuration-name val)) | |
384 | (serialize-configuration val (cdr protocol-configuration-fields)) | |
385 | (format #t "}\n")) | |
386 | (define (protocol-configuration-list? val) | |
387 | (and (list? val) (and-map protocol-configuration? val))) | |
388 | (define (serialize-protocol-configuration-list field-name val) | |
389 | (serialize-field 'protocols | |
390 | (string-join (map protocol-configuration-name val) " ")) | |
391 | (for-each (lambda (val) | |
392 | (serialize-protocol-configuration field-name val)) | |
393 | val)) | |
394 | ||
395 | (define-configuration plugin-configuration | |
396 | (entries | |
397 | (free-form-fields '()) | |
398 | "A list of key-value pairs that this dict should hold.")) | |
399 | ||
400 | (define (serialize-plugin-configuration field-name val) | |
401 | (format #t "plugin {\n") | |
402 | (serialize-configuration val plugin-configuration-fields) | |
403 | (format #t "}\n")) | |
404 | ||
405 | (define-configuration mailbox-configuration | |
406 | (name | |
407 | (string (error "mailbox name is required")) | |
408 | "Name for this mailbox.") | |
409 | ||
410 | (auto | |
411 | (string "no") | |
412 | "@samp{create} will automatically create this mailbox. | |
413 | @samp{subscribe} will both create and subscribe to the mailbox.") | |
414 | ||
415 | (special-use | |
416 | (space-separated-string-list '()) | |
417 | "List of IMAP @code{SPECIAL-USE} attributes as specified by RFC 6154. | |
418 | Valid values are @code{\\All}, @code{\\Archive}, @code{\\Drafts}, | |
419 | @code{\\Flagged}, @code{\\Junk}, @code{\\Sent}, and @code{\\Trash}.")) | |
420 | ||
421 | (define (serialize-mailbox-configuration field-name val) | |
422 | (format #t "mailbox \"~a\" {\n" (mailbox-configuration-name val)) | |
423 | (serialize-configuration val (cdr mailbox-configuration-fields)) | |
424 | (format #t "}\n")) | |
425 | (define (mailbox-configuration-list? val) | |
426 | (and (list? val) (and-map mailbox-configuration? val))) | |
427 | (define (serialize-mailbox-configuration-list field-name val) | |
428 | (for-each (lambda (val) | |
429 | (serialize-mailbox-configuration field-name val)) | |
430 | val)) | |
431 | ||
432 | (define-configuration namespace-configuration | |
433 | (name | |
434 | (string (error "namespace name is required")) | |
435 | "Name for this namespace.") | |
436 | ||
437 | (type | |
438 | (string "private") | |
439 | "Namespace type: @samp{private}, @samp{shared} or @samp{public}.") | |
440 | ||
441 | (separator | |
442 | (string "") | |
443 | "Hierarchy separator to use. You should use the same separator for | |
444 | all namespaces or some clients get confused. @samp{/} is usually a good | |
445 | one. The default however depends on the underlying mail storage | |
446 | format.") | |
447 | ||
448 | (prefix | |
449 | (string "") | |
450 | "Prefix required to access this namespace. This needs to be | |
451 | different for all namespaces. For example @samp{Public/}.") | |
452 | ||
453 | (location | |
454 | (string "") | |
455 | "Physical location of the mailbox. This is in same format as | |
456 | mail_location, which is also the default for it.") | |
457 | ||
458 | (inbox? | |
459 | (boolean #f) | |
460 | "There can be only one INBOX, and this setting defines which | |
461 | namespace has it.") | |
462 | ||
463 | (hidden? | |
464 | (boolean #f) | |
465 | "If namespace is hidden, it's not advertised to clients via NAMESPACE | |
466 | extension. You'll most likely also want to set @samp{list? #f}. This is mostly | |
467 | useful when converting from another server with different namespaces | |
468 | which you want to deprecate but still keep working. For example you can | |
469 | create hidden namespaces with prefixes @samp{~/mail/}, @samp{~%u/mail/} | |
470 | and @samp{mail/}.") | |
471 | ||
472 | (list? | |
473 | (boolean #t) | |
474 | "Show the mailboxes under this namespace with LIST command. This | |
475 | makes the namespace visible for clients that don't support NAMESPACE | |
476 | extension. The special @code{children} value lists child mailboxes, but | |
477 | hides the namespace prefix.") | |
478 | ||
479 | (subscriptions? | |
480 | (boolean #t) | |
481 | "Namespace handles its own subscriptions. If set to @code{#f}, the | |
482 | parent namespace handles them. The empty prefix should always have this | |
483 | as @code{#t}.)") | |
484 | ||
485 | (mailboxes | |
486 | (mailbox-configuration-list '()) | |
487 | "List of predefined mailboxes in this namespace.")) | |
488 | ||
489 | (define (serialize-namespace-configuration field-name val) | |
490 | (format #t "namespace ~a {\n" (namespace-configuration-name val)) | |
491 | (serialize-configuration val (cdr namespace-configuration-fields)) | |
492 | (format #t "}\n")) | |
493 | (define (list-of-namespace-configuration? val) | |
494 | (and (list? val) (and-map namespace-configuration? val))) | |
495 | (define (serialize-list-of-namespace-configuration field-name val) | |
496 | (for-each (lambda (val) | |
497 | (serialize-namespace-configuration field-name val)) | |
498 | val)) | |
499 | ||
500 | (define-configuration dovecot-configuration | |
501 | (dovecot | |
892f1b72 | 502 | (file-like dovecot) |
d8c18af8 AW |
503 | "The dovecot package.") |
504 | ||
505 | (listen | |
506 | (comma-separated-string-list '("*" "::")) | |
507 | "A list of IPs or hosts where to listen in for connections. @samp{*} | |
508 | listens in all IPv4 interfaces, @samp{::} listens in all IPv6 | |
509 | interfaces. If you want to specify non-default ports or anything more | |
510 | complex, customize the address and port fields of the | |
511 | @samp{inet-listener} of the specific services you are interested in.") | |
512 | ||
d8c18af8 AW |
513 | (dict |
514 | (dict-configuration (dict-configuration)) | |
515 | "Dict configuration, as created by the @code{dict-configuration} | |
516 | constructor.") | |
517 | ||
518 | (passdbs | |
519 | (passdb-configuration-list (list (passdb-configuration (driver "pam")))) | |
520 | "List of passdb configurations, each one created by the | |
521 | @code{passdb-configuration} constructor.") | |
522 | ||
523 | (userdbs | |
524 | (userdb-configuration-list (list (userdb-configuration (driver "passwd")))) | |
525 | "List of userdb configurations, each one created by the | |
526 | @code{userdb-configuration} constructor.") | |
527 | ||
528 | (plugin-configuration | |
529 | (plugin-configuration (plugin-configuration)) | |
530 | "Plug-in configuration, created by the @code{plugin-configuration} | |
531 | constructor.") | |
532 | ||
533 | (namespaces | |
534 | (list-of-namespace-configuration | |
535 | (list | |
536 | (namespace-configuration | |
537 | (name "inbox") | |
538 | (prefix "") | |
539 | (inbox? #t) | |
540 | (mailboxes | |
541 | (list | |
542 | (mailbox-configuration (name "Drafts") (special-use '("\\Drafts"))) | |
543 | (mailbox-configuration (name "Junk") (special-use '("\\Junk"))) | |
544 | (mailbox-configuration (name "Trash") (special-use '("\\Trash"))) | |
545 | (mailbox-configuration (name "Sent") (special-use '("\\Sent"))) | |
546 | (mailbox-configuration (name "Sent Messages") (special-use '("\\Sent"))) | |
547 | (mailbox-configuration (name "Drafts") (special-use '("\\Drafts")))))))) | |
548 | "List of namespaces. Each item in the list is created by the | |
549 | @code{namespace-configuration} constructor.") | |
550 | ||
551 | (base-dir | |
552 | (file-name "/var/run/dovecot/") | |
553 | "Base directory where to store runtime data.") | |
554 | ||
555 | (login-greeting | |
556 | (string "Dovecot ready.") | |
557 | "Greeting message for clients.") | |
558 | ||
559 | (login-trusted-networks | |
560 | (space-separated-string-list '()) | |
561 | "List of trusted network ranges. Connections from these IPs are | |
562 | allowed to override their IP addresses and ports (for logging and for | |
563 | authentication checks). @samp{disable-plaintext-auth} is also ignored | |
564 | for these networks. Typically you'd specify your IMAP proxy servers | |
565 | here.") | |
566 | ||
567 | (login-access-sockets | |
568 | (space-separated-string-list '()) | |
569 | "List of login access check sockets (e.g. tcpwrap).") | |
570 | ||
571 | (verbose-proctitle? | |
572 | (boolean #f) | |
573 | "Show more verbose process titles (in ps). Currently shows user name | |
574 | and IP address. Useful for seeing who are actually using the IMAP | |
575 | processes (e.g. shared mailboxes or if same uid is used for multiple | |
576 | accounts).") | |
577 | ||
578 | (shutdown-clients? | |
579 | (boolean #t) | |
580 | "Should all processes be killed when Dovecot master process shuts down. | |
581 | Setting this to @code{#f} means that Dovecot can be upgraded without | |
582 | forcing existing client connections to close (although that could also | |
583 | be a problem if the upgrade is e.g. because of a security fix).") | |
584 | ||
585 | (doveadm-worker-count | |
586 | (non-negative-integer 0) | |
587 | "If non-zero, run mail commands via this many connections to doveadm | |
588 | server, instead of running them directly in the same process.") | |
589 | ||
590 | (doveadm-socket-path | |
591 | (string "doveadm-server") | |
592 | "UNIX socket or host:port used for connecting to doveadm server.") | |
593 | ||
594 | (import-environment | |
595 | (space-separated-string-list '("TZ")) | |
596 | "List of environment variables that are preserved on Dovecot startup | |
597 | and passed down to all of its child processes. You can also give | |
598 | key=value pairs to always set specific settings.") | |
599 | ||
600 | ;;; Authentication processes | |
601 | ||
602 | (disable-plaintext-auth? | |
603 | (boolean #t) | |
604 | "Disable LOGIN command and all other plaintext authentications unless | |
605 | SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP | |
606 | matches the local IP (i.e. you're connecting from the same computer), | |
607 | the connection is considered secure and plaintext authentication is | |
608 | allowed. See also ssl=required setting.") | |
609 | ||
610 | (auth-cache-size | |
611 | (non-negative-integer 0) | |
612 | "Authentication cache size (e.g. @samp{#e10e6}). 0 means it's disabled. | |
613 | Note that bsdauth, PAM and vpopmail require @samp{cache-key} to be set | |
614 | for caching to be used.") | |
615 | ||
616 | (auth-cache-ttl | |
617 | (string "1 hour") | |
618 | "Time to live for cached data. After TTL expires the cached record | |
619 | is no longer used, *except* if the main database lookup returns internal | |
620 | failure. We also try to handle password changes automatically: If | |
621 | user's previous authentication was successful, but this one wasn't, the | |
622 | cache isn't used. For now this works only with plaintext | |
623 | authentication.") | |
624 | ||
625 | (auth-cache-negative-ttl | |
626 | (string "1 hour") | |
627 | "TTL for negative hits (user not found, password mismatch). | |
628 | 0 disables caching them completely.") | |
629 | ||
630 | (auth-realms | |
631 | (space-separated-string-list '()) | |
632 | "List of realms for SASL authentication mechanisms that need them. | |
633 | You can leave it empty if you don't want to support multiple realms. | |
634 | Many clients simply use the first one listed here, so keep the default | |
635 | realm first.") | |
636 | ||
637 | (auth-default-realm | |
638 | (string "") | |
639 | "Default realm/domain to use if none was specified. This is used for | |
640 | both SASL realms and appending @@domain to username in plaintext | |
641 | logins.") | |
642 | ||
643 | (auth-username-chars | |
644 | (string | |
645 | "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@") | |
646 | "List of allowed characters in username. If the user-given username | |
647 | contains a character not listed in here, the login automatically fails. | |
648 | This is just an extra check to make sure user can't exploit any | |
649 | potential quote escaping vulnerabilities with SQL/LDAP databases. If | |
650 | you want to allow all characters, set this value to empty.") | |
651 | ||
652 | (auth-username-translation | |
653 | (string "") | |
654 | "Username character translations before it's looked up from | |
655 | databases. The value contains series of from -> to characters. For | |
656 | example @samp{#@@/@@} means that @samp{#} and @samp{/} characters are | |
657 | translated to @samp{@@}.") | |
658 | ||
659 | (auth-username-format | |
660 | (string "%Lu") | |
661 | "Username formatting before it's looked up from databases. You can | |
662 | use the standard variables here, e.g. %Lu would lowercase the username, | |
663 | %n would drop away the domain if it was given, or @samp{%n-AT-%d} would | |
664 | change the @samp{@@} into @samp{-AT-}. This translation is done after | |
665 | @samp{auth-username-translation} changes.") | |
666 | ||
667 | (auth-master-user-separator | |
668 | (string "") | |
669 | "If you want to allow master users to log in by specifying the master | |
670 | username within the normal username string (i.e. not using SASL | |
671 | mechanism's support for it), you can specify the separator character | |
672 | here. The format is then <username><separator><master username>. | |
673 | UW-IMAP uses @samp{*} as the separator, so that could be a good | |
674 | choice.") | |
675 | ||
676 | (auth-anonymous-username | |
677 | (string "anonymous") | |
678 | "Username to use for users logging in with ANONYMOUS SASL | |
679 | mechanism.") | |
680 | ||
681 | (auth-worker-max-count | |
682 | (non-negative-integer 30) | |
683 | "Maximum number of dovecot-auth worker processes. They're used to | |
684 | execute blocking passdb and userdb queries (e.g. MySQL and PAM). | |
685 | They're automatically created and destroyed as needed.") | |
686 | ||
687 | (auth-gssapi-hostname | |
688 | (string "") | |
689 | "Host name to use in GSSAPI principal names. The default is to use | |
690 | the name returned by gethostname(). Use @samp{$ALL} (with quotes) to | |
691 | allow all keytab entries.") | |
692 | ||
693 | (auth-krb5-keytab | |
694 | (string "") | |
695 | "Kerberos keytab to use for the GSSAPI mechanism. Will use the | |
696 | system default (usually /etc/krb5.keytab) if not specified. You may | |
697 | need to change the auth service to run as root to be able to read this | |
698 | file.") | |
699 | ||
700 | (auth-use-winbind? | |
701 | (boolean #f) | |
702 | "Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon | |
703 | and @samp{ntlm-auth} helper. | |
704 | <doc/wiki/Authentication/Mechanisms/Winbind.txt>.") | |
705 | ||
706 | (auth-winbind-helper-path | |
707 | (file-name "/usr/bin/ntlm_auth") | |
708 | "Path for Samba's @samp{ntlm-auth} helper binary.") | |
709 | ||
710 | (auth-failure-delay | |
711 | (string "2 secs") | |
712 | "Time to delay before replying to failed authentications.") | |
713 | ||
714 | (auth-ssl-require-client-cert? | |
715 | (boolean #f) | |
716 | "Require a valid SSL client certificate or the authentication | |
717 | fails.") | |
718 | ||
719 | (auth-ssl-username-from-cert? | |
720 | (boolean #f) | |
721 | "Take the username from client's SSL certificate, using | |
722 | @code{X509_NAME_get_text_by_NID()} which returns the subject's DN's | |
723 | CommonName.") | |
724 | ||
725 | (auth-mechanisms | |
726 | (space-separated-string-list '("plain")) | |
727 | "List of wanted authentication mechanisms. Supported mechanisms are: | |
728 | @samp{plain}, @samp{login}, @samp{digest-md5}, @samp{cram-md5}, | |
729 | @samp{ntlm}, @samp{rpa}, @samp{apop}, @samp{anonymous}, @samp{gssapi}, | |
730 | @samp{otp}, @samp{skey}, and @samp{gss-spnego}. NOTE: See also | |
731 | @samp{disable-plaintext-auth} setting.") | |
732 | ||
733 | (director-servers | |
734 | (space-separated-string-list '()) | |
735 | "List of IPs or hostnames to all director servers, including ourself. | |
736 | Ports can be specified as ip:port. The default port is the same as what | |
737 | director service's @samp{inet-listener} is using.") | |
738 | ||
739 | (director-mail-servers | |
740 | (space-separated-string-list '()) | |
741 | "List of IPs or hostnames to all backend mail servers. Ranges are | |
742 | allowed too, like 10.0.0.10-10.0.0.30.") | |
743 | ||
744 | (director-user-expire | |
745 | (string "15 min") | |
746 | "How long to redirect users to a specific server after it no longer | |
747 | has any connections.") | |
748 | ||
d8c18af8 AW |
749 | (director-username-hash |
750 | (string "%Lu") | |
751 | "How the username is translated before being hashed. Useful values | |
752 | include %Ln if user can log in with or without @@domain, %Ld if mailboxes | |
753 | are shared within domain.") | |
754 | ||
755 | ;;; Log destination. | |
756 | ||
757 | (log-path | |
758 | (string "syslog") | |
759 | "Log file to use for error messages. @samp{syslog} logs to syslog, | |
760 | @samp{/dev/stderr} logs to stderr.") | |
761 | ||
762 | (info-log-path | |
763 | (string "") | |
764 | "Log file to use for informational messages. Defaults to | |
765 | @samp{log-path}.") | |
766 | ||
767 | (debug-log-path | |
768 | (string "") | |
769 | "Log file to use for debug messages. Defaults to | |
770 | @samp{info-log-path}.") | |
771 | ||
772 | (syslog-facility | |
773 | (string "mail") | |
774 | "Syslog facility to use if you're logging to syslog. Usually if you | |
775 | don't want to use @samp{mail}, you'll use local0..local7. Also other | |
776 | standard facilities are supported.") | |
777 | ||
778 | (auth-verbose? | |
779 | (boolean #f) | |
780 | "Log unsuccessful authentication attempts and the reasons why they | |
781 | failed.") | |
782 | ||
5b3d3cf7 CB |
783 | (auth-verbose-passwords |
784 | (string "no") | |
d8c18af8 AW |
785 | "In case of password mismatches, log the attempted password. Valid |
786 | values are no, plain and sha1. sha1 can be useful for detecting brute | |
787 | force password attempts vs. user simply trying the same password over | |
788 | and over again. You can also truncate the value to n chars by appending | |
789 | \":n\" (e.g. sha1:6).") | |
790 | ||
791 | (auth-debug? | |
792 | (boolean #f) | |
793 | "Even more verbose logging for debugging purposes. Shows for example | |
794 | SQL queries.") | |
795 | ||
796 | (auth-debug-passwords? | |
797 | (boolean #f) | |
798 | "In case of password mismatches, log the passwords and used scheme so | |
799 | the problem can be debugged. Enabling this also enables | |
800 | @samp{auth-debug}.") | |
801 | ||
802 | (mail-debug? | |
803 | (boolean #f) | |
804 | "Enable mail process debugging. This can help you figure out why | |
805 | Dovecot isn't finding your mails.") | |
806 | ||
807 | (verbose-ssl? | |
808 | (boolean #f) | |
809 | "Show protocol level SSL errors.") | |
810 | ||
811 | (log-timestamp | |
812 | (string "\"%b %d %H:%M:%S \"") | |
813 | "Prefix for each line written to log file. % codes are in | |
814 | strftime(3) format.") | |
815 | ||
816 | (login-log-format-elements | |
817 | (space-separated-string-list | |
818 | '("user=<%u>" "method=%m" "rip=%r" "lip=%l" "mpid=%e" "%c")) | |
819 | "List of elements we want to log. The elements which have a | |
820 | non-empty variable value are joined together to form a comma-separated | |
821 | string.") | |
822 | ||
823 | (login-log-format | |
824 | (string "%$: %s") | |
825 | "Login log format. %s contains @samp{login-log-format-elements} | |
826 | string, %$ contains the data we want to log.") | |
827 | ||
828 | (mail-log-prefix | |
28c03b45 | 829 | (string "\"%s(%u)<%{pid}><%{session}>: \"") |
d8c18af8 AW |
830 | "Log prefix for mail processes. See doc/wiki/Variables.txt for list |
831 | of possible variables you can use.") | |
832 | ||
833 | (deliver-log-format | |
834 | (string "msgid=%m: %$") | |
835 | "Format to use for logging mail deliveries. You can use variables: | |
836 | @table @code | |
837 | @item %$ | |
838 | Delivery status message (e.g. @samp{saved to INBOX}) | |
839 | @item %m | |
840 | Message-ID | |
841 | @item %s | |
842 | Subject | |
843 | @item %f | |
844 | From address | |
845 | @item %p | |
846 | Physical size | |
847 | @item %w | |
848 | Virtual size. | |
849 | @end table") | |
850 | ||
851 | ;;; Mailbox locations and namespaces | |
852 | ||
853 | (mail-location | |
854 | (string "") | |
855 | "Location for users' mailboxes. The default is empty, which means | |
856 | that Dovecot tries to find the mailboxes automatically. This won't work | |
857 | if the user doesn't yet have any mail, so you should explicitly tell | |
858 | Dovecot the full location. | |
859 | ||
860 | If you're using mbox, giving a path to the INBOX | |
861 | file (e.g. /var/mail/%u) isn't enough. You'll also need to tell Dovecot | |
862 | where the other mailboxes are kept. This is called the \"root mail | |
863 | directory\", and it must be the first path given in the | |
864 | @samp{mail-location} setting. | |
865 | ||
866 | There are a few special variables you can use, eg.: | |
867 | ||
868 | @table @samp | |
869 | @item %u | |
870 | username | |
871 | @item %n | |
872 | user part in user@@domain, same as %u if there's no domain | |
873 | @item %d | |
874 | domain part in user@@domain, empty if there's no domain | |
875 | @item %h | |
876 | home director | |
877 | @end table | |
878 | ||
879 | See doc/wiki/Variables.txt for full list. Some examples: | |
880 | @table @samp | |
881 | @item maildir:~/Maildir | |
882 | @item mbox:~/mail:INBOX=/var/mail/%u | |
883 | @item mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/% | |
884 | @end table") | |
885 | ||
886 | (mail-uid | |
887 | (string "") | |
888 | "System user and group used to access mails. If you use multiple, | |
889 | userdb can override these by returning uid or gid fields. You can use | |
890 | either numbers or names. <doc/wiki/UserIds.txt>.") | |
891 | ||
892 | (mail-gid | |
893 | (string "") | |
894 | "") | |
895 | ||
896 | (mail-privileged-group | |
897 | (string "") | |
898 | "Group to enable temporarily for privileged operations. Currently | |
899 | this is used only with INBOX when either its initial creation or | |
900 | dotlocking fails. Typically this is set to \"mail\" to give access to | |
901 | /var/mail.") | |
902 | ||
903 | (mail-access-groups | |
904 | (string "") | |
905 | "Grant access to these supplementary groups for mail processes. | |
906 | Typically these are used to set up access to shared mailboxes. Note | |
907 | that it may be dangerous to set these if users can create | |
908 | symlinks (e.g. if \"mail\" group is set here, ln -s /var/mail ~/mail/var | |
909 | could allow a user to delete others' mailboxes, or ln -s | |
910 | /secret/shared/box ~/mail/mybox would allow reading it).") | |
911 | ||
912 | (mail-full-filesystem-access? | |
913 | (boolean #f) | |
8f65585b | 914 | "Allow full file system access to clients. There's no access checks |
d8c18af8 AW |
915 | other than what the operating system does for the active UID/GID. It |
916 | works with both maildir and mboxes, allowing you to prefix mailboxes | |
917 | names with e.g. /path/ or ~user/.") | |
918 | ||
919 | ;;; Mail processes | |
920 | ||
921 | (mmap-disable? | |
922 | (boolean #f) | |
923 | "Don't use mmap() at all. This is required if you store indexes to | |
8f65585b | 924 | shared file systems (NFS or clustered file system).") |
d8c18af8 AW |
925 | |
926 | (dotlock-use-excl? | |
927 | (boolean #t) | |
928 | "Rely on @samp{O_EXCL} to work when creating dotlock files. NFS | |
929 | supports @samp{O_EXCL} since version 3, so this should be safe to use | |
930 | nowadays by default.") | |
931 | ||
932 | (mail-fsync | |
933 | (string "optimized") | |
934 | "When to use fsync() or fdatasync() calls: | |
935 | @table @code | |
936 | @item optimized | |
937 | Whenever necessary to avoid losing important data | |
938 | @item always | |
939 | Useful with e.g. NFS when write()s are delayed | |
940 | @item never | |
941 | Never use it (best performance, but crashes can lose data). | |
942 | @end table") | |
943 | ||
944 | (mail-nfs-storage? | |
945 | (boolean #f) | |
946 | "Mail storage exists in NFS. Set this to yes to make Dovecot flush | |
947 | NFS caches whenever needed. If you're using only a single mail server | |
948 | this isn't needed.") | |
949 | ||
950 | (mail-nfs-index? | |
951 | (boolean #f) | |
952 | "Mail index files also exist in NFS. Setting this to yes requires | |
953 | @samp{mmap-disable? #t} and @samp{fsync-disable? #f}.") | |
954 | ||
955 | (lock-method | |
956 | (string "fcntl") | |
957 | "Locking method for index files. Alternatives are fcntl, flock and | |
958 | dotlock. Dotlocking uses some tricks which may create more disk I/O | |
959 | than other locking methods. NFS users: flock doesn't work, remember to | |
960 | change @samp{mmap-disable}.") | |
961 | ||
962 | (mail-temp-dir | |
963 | (file-name "/tmp") | |
964 | "Directory in which LDA/LMTP temporarily stores incoming mails >128 | |
965 | kB.") | |
966 | ||
967 | (first-valid-uid | |
968 | (non-negative-integer 500) | |
969 | "Valid UID range for users. This is mostly to make sure that users can't | |
970 | log in as daemons or other system users. Note that denying root logins is | |
971 | hardcoded to dovecot binary and can't be done even if @samp{first-valid-uid} | |
972 | is set to 0.") | |
973 | ||
974 | (last-valid-uid | |
975 | (non-negative-integer 0) | |
976 | "") | |
977 | ||
978 | (first-valid-gid | |
979 | (non-negative-integer 1) | |
980 | "Valid GID range for users. Users having non-valid GID as primary group ID | |
981 | aren't allowed to log in. If user belongs to supplementary groups with | |
982 | non-valid GIDs, those groups are not set.") | |
983 | ||
984 | (last-valid-gid | |
985 | (non-negative-integer 0) | |
986 | "") | |
987 | ||
988 | (mail-max-keyword-length | |
989 | (non-negative-integer 50) | |
990 | "Maximum allowed length for mail keyword name. It's only forced when | |
991 | trying to create new keywords.") | |
992 | ||
993 | (valid-chroot-dirs | |
994 | (colon-separated-file-name-list '()) | |
995 | "List of directories under which chrooting is allowed for mail | |
996 | processes (i.e. /var/mail will allow chrooting to /var/mail/foo/bar | |
997 | too). This setting doesn't affect @samp{login-chroot} | |
998 | @samp{mail-chroot} or auth chroot settings. If this setting is empty, | |
999 | \"/./\" in home dirs are ignored. WARNING: Never add directories here | |
1000 | which local users can modify, that may lead to root exploit. Usually | |
1001 | this should be done only if you don't allow shell access for users. | |
1002 | <doc/wiki/Chrooting.txt>.") | |
1003 | ||
1004 | (mail-chroot | |
1005 | (string "") | |
1006 | "Default chroot directory for mail processes. This can be overridden | |
1007 | for specific users in user database by giving /./ in user's home | |
1008 | directory (e.g. /home/./user chroots into /home). Note that usually | |
1009 | there is no real need to do chrooting, Dovecot doesn't allow users to | |
1010 | access files outside their mail directory anyway. If your home | |
1011 | directories are prefixed with the chroot directory, append \"/.\" to | |
1012 | @samp{mail-chroot}. <doc/wiki/Chrooting.txt>.") | |
1013 | ||
1014 | (auth-socket-path | |
1015 | (file-name "/var/run/dovecot/auth-userdb") | |
1016 | "UNIX socket path to master authentication server to find users. | |
1017 | This is used by imap (for shared users) and lda.") | |
1018 | ||
1019 | (mail-plugin-dir | |
d9d88c2f TGR |
1020 | (file-name "/usr/lib/dovecot") |
1021 | "Directory where to look up mail plugins.") | |
d8c18af8 AW |
1022 | |
1023 | (mail-plugins | |
1024 | (space-separated-string-list '()) | |
1025 | "List of plugins to load for all services. Plugins specific to IMAP, | |
1026 | LDA, etc. are added to this list in their own .conf files.") | |
1027 | ||
1028 | ||
1029 | (mail-cache-min-mail-count | |
1030 | (non-negative-integer 0) | |
1031 | "The minimum number of mails in a mailbox before updates are done to | |
1032 | cache file. This allows optimizing Dovecot's behavior to do less disk | |
1033 | writes at the cost of more disk reads.") | |
1034 | ||
1035 | (mailbox-idle-check-interval | |
1036 | (string "30 secs") | |
1037 | "When IDLE command is running, mailbox is checked once in a while to | |
1038 | see if there are any new mails or other changes. This setting defines | |
1039 | the minimum time to wait between those checks. Dovecot can also use | |
1040 | dnotify, inotify and kqueue to find out immediately when changes | |
1041 | occur.") | |
1042 | ||
1043 | (mail-save-crlf? | |
1044 | (boolean #f) | |
1045 | "Save mails with CR+LF instead of plain LF. This makes sending those | |
1046 | mails take less CPU, especially with sendfile() syscall with Linux and | |
1047 | FreeBSD. But it also creates a bit more disk I/O which may just make it | |
1048 | slower. Also note that if other software reads the mboxes/maildirs, | |
1049 | they may handle the extra CRs wrong and cause problems.") | |
1050 | ||
1051 | (maildir-stat-dirs? | |
1052 | (boolean #f) | |
1053 | "By default LIST command returns all entries in maildir beginning | |
1054 | with a dot. Enabling this option makes Dovecot return only entries | |
1055 | which are directories. This is done by stat()ing each entry, so it | |
1056 | causes more disk I/O. | |
1057 | (For systems setting struct @samp{dirent->d_type} this check is free | |
1058 | and it's done always regardless of this setting).") | |
1059 | ||
1060 | (maildir-copy-with-hardlinks? | |
1061 | (boolean #t) | |
1062 | "When copying a message, do it with hard links whenever possible. | |
1063 | This makes the performance much better, and it's unlikely to have any | |
1064 | side effects.") | |
1065 | ||
1066 | (maildir-very-dirty-syncs? | |
1067 | (boolean #f) | |
1068 | "Assume Dovecot is the only MUA accessing Maildir: Scan cur/ | |
1069 | directory only when its mtime changes unexpectedly or when we can't find | |
1070 | the mail otherwise.") | |
1071 | ||
1072 | (mbox-read-locks | |
1073 | (space-separated-string-list '("fcntl")) | |
1074 | "Which locking methods to use for locking mbox. There are four | |
1075 | available: | |
1076 | ||
1077 | @table @code | |
1078 | @item dotlock | |
1079 | Create <mailbox>.lock file. This is the oldest and most NFS-safe | |
1080 | solution. If you want to use /var/mail/ like directory, the users will | |
1081 | need write access to that directory. | |
1082 | @item dotlock-try | |
1083 | Same as dotlock, but if it fails because of permissions or because there | |
1084 | isn't enough disk space, just skip it. | |
1085 | @item fcntl | |
1086 | Use this if possible. Works with NFS too if lockd is used. | |
1087 | @item flock | |
1088 | May not exist in all systems. Doesn't work with NFS. | |
1089 | @item lockf | |
1090 | May not exist in all systems. Doesn't work with NFS. | |
1091 | @end table | |
1092 | ||
1093 | You can use multiple locking methods; if you do the order they're declared | |
1094 | in is important to avoid deadlocks if other MTAs/MUAs are using multiple | |
1095 | locking methods as well. Some operating systems don't allow using some of | |
1096 | them simultaneously.") | |
1097 | ||
1098 | (mbox-write-locks | |
1099 | (space-separated-string-list '("dotlock" "fcntl")) | |
1100 | "") | |
1101 | ||
1102 | (mbox-lock-timeout | |
1103 | (string "5 mins") | |
1104 | "Maximum time to wait for lock (all of them) before aborting.") | |
1105 | ||
1106 | (mbox-dotlock-change-timeout | |
1107 | (string "2 mins") | |
1108 | "If dotlock exists but the mailbox isn't modified in any way, | |
1109 | override the lock file after this much time.") | |
1110 | ||
1111 | (mbox-dirty-syncs? | |
1112 | (boolean #t) | |
1113 | "When mbox changes unexpectedly we have to fully read it to find out | |
1114 | what changed. If the mbox is large this can take a long time. Since | |
1115 | the change is usually just a newly appended mail, it'd be faster to | |
1116 | simply read the new mails. If this setting is enabled, Dovecot does | |
1117 | this but still safely fallbacks to re-reading the whole mbox file | |
1118 | whenever something in mbox isn't how it's expected to be. The only real | |
1119 | downside to this setting is that if some other MUA changes message | |
1120 | flags, Dovecot doesn't notice it immediately. Note that a full sync is | |
1121 | done with SELECT, EXAMINE, EXPUNGE and CHECK commands.") | |
1122 | ||
1123 | (mbox-very-dirty-syncs? | |
1124 | (boolean #f) | |
1125 | "Like @samp{mbox-dirty-syncs}, but don't do full syncs even with SELECT, | |
1126 | EXAMINE, EXPUNGE or CHECK commands. If this is set, | |
1127 | @samp{mbox-dirty-syncs} is ignored.") | |
1128 | ||
1129 | (mbox-lazy-writes? | |
1130 | (boolean #t) | |
1131 | "Delay writing mbox headers until doing a full write sync (EXPUNGE | |
1132 | and CHECK commands and when closing the mailbox). This is especially | |
1133 | useful for POP3 where clients often delete all mails. The downside is | |
1134 | that our changes aren't immediately visible to other MUAs.") | |
1135 | ||
1136 | (mbox-min-index-size | |
1137 | (non-negative-integer 0) | |
1138 | "If mbox size is smaller than this (e.g. 100k), don't write index | |
1139 | files. If an index file already exists it's still read, just not | |
1140 | updated.") | |
1141 | ||
1142 | (mdbox-rotate-size | |
28c03b45 | 1143 | (non-negative-integer #e10e6) |
d8c18af8 AW |
1144 | "Maximum dbox file size until it's rotated.") |
1145 | ||
1146 | (mdbox-rotate-interval | |
1147 | (string "1d") | |
1148 | "Maximum dbox file age until it's rotated. Typically in days. Day | |
1149 | begins from midnight, so 1d = today, 2d = yesterday, etc. 0 = check | |
1150 | disabled.") | |
1151 | ||
1152 | (mdbox-preallocate-space? | |
1153 | (boolean #f) | |
1154 | "When creating new mdbox files, immediately preallocate their size to | |
1155 | @samp{mdbox-rotate-size}. This setting currently works only in Linux | |
8f65585b | 1156 | with some file systems (ext4, xfs).") |
d8c18af8 | 1157 | |
5b5c5096 AA |
1158 | (mail-attribute-dict |
1159 | (string "") | |
1160 | "The location of a dictionary used to store @code{IMAP METADATA} | |
1161 | as defined by @uref{https://tools.ietf.org/html/rfc5464, RFC@tie{}5464}. | |
1162 | ||
1163 | The IMAP METADATA commands are available only if the ``imap'' | |
1164 | protocol configuration's @code{imap-metadata?} field is @samp{#t}.") | |
1165 | ||
d8c18af8 AW |
1166 | (mail-attachment-dir |
1167 | (string "") | |
1168 | "sdbox and mdbox support saving mail attachments to external files, | |
1169 | which also allows single instance storage for them. Other backends | |
1170 | don't support this for now. | |
1171 | ||
1172 | WARNING: This feature hasn't been tested much yet. Use at your own risk. | |
1173 | ||
1174 | Directory root where to store mail attachments. Disabled, if empty.") | |
1175 | ||
1176 | (mail-attachment-min-size | |
1177 | (non-negative-integer #e128e3) | |
1178 | "Attachments smaller than this aren't saved externally. It's also | |
1179 | possible to write a plugin to disable saving specific attachments | |
1180 | externally.") | |
1181 | ||
1182 | (mail-attachment-fs | |
1183 | (string "sis posix") | |
8f65585b | 1184 | "File system backend to use for saving attachments: |
d8c18af8 AW |
1185 | @table @code |
1186 | @item posix | |
1187 | No SiS done by Dovecot (but this might help FS's own deduplication) | |
1188 | @item sis posix | |
1189 | SiS with immediate byte-by-byte comparison during saving | |
1190 | @item sis-queue posix | |
1191 | SiS with delayed comparison and deduplication. | |
1192 | @end table") | |
1193 | ||
1194 | (mail-attachment-hash | |
1195 | (string "%{sha1}") | |
1196 | "Hash format to use in attachment filenames. You can add any text and | |
1197 | variables: @code{%@{md4@}}, @code{%@{md5@}}, @code{%@{sha1@}}, | |
1198 | @code{%@{sha256@}}, @code{%@{sha512@}}, @code{%@{size@}}. Variables can be | |
1199 | truncated, e.g. @code{%@{sha256:80@}} returns only first 80 bits.") | |
1200 | ||
1201 | (default-process-limit | |
1202 | (non-negative-integer 100) | |
1203 | "") | |
1204 | ||
1205 | (default-client-limit | |
1206 | (non-negative-integer 1000) | |
1207 | "") | |
1208 | ||
1209 | (default-vsz-limit | |
1210 | (non-negative-integer #e256e6) | |
1211 | "Default VSZ (virtual memory size) limit for service processes. | |
1212 | This is mainly intended to catch and kill processes that leak memory | |
1213 | before they eat up everything.") | |
1214 | ||
1215 | (default-login-user | |
1216 | (string "dovenull") | |
1217 | "Login user is internally used by login processes. This is the most | |
1218 | untrusted user in Dovecot system. It shouldn't have access to anything | |
1219 | at all.") | |
1220 | ||
1221 | (default-internal-user | |
1222 | (string "dovecot") | |
1223 | "Internal user is used by unprivileged processes. It should be | |
1224 | separate from login user, so that login processes can't disturb other | |
1225 | processes.") | |
1226 | ||
1227 | (ssl? | |
1228 | (string "required") | |
1229 | "SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>.") | |
1230 | ||
1231 | (ssl-cert | |
1232 | (string "</etc/dovecot/default.pem") | |
1233 | "PEM encoded X.509 SSL/TLS certificate (public key).") | |
1234 | ||
1235 | (ssl-key | |
1236 | (string "</etc/dovecot/private/default.pem") | |
1237 | "PEM encoded SSL/TLS private key. The key is opened before | |
1238 | dropping root privileges, so keep the key file unreadable by anyone but | |
1239 | root.") | |
1240 | ||
1241 | (ssl-key-password | |
1242 | (string "") | |
1243 | "If key file is password protected, give the password here. | |
1244 | Alternatively give it when starting dovecot with -p parameter. Since | |
1245 | this file is often world-readable, you may want to place this setting | |
1246 | instead to a different.") | |
1247 | ||
1248 | (ssl-ca | |
1249 | (string "") | |
1250 | "PEM encoded trusted certificate authority. Set this only if you | |
1251 | intend to use @samp{ssl-verify-client-cert? #t}. The file should | |
1252 | contain the CA certificate(s) followed by the matching | |
1253 | CRL(s). (e.g. @samp{ssl-ca </etc/ssl/certs/ca.pem}).") | |
1254 | (ssl-require-crl? | |
1255 | (boolean #t) | |
1256 | "Require that CRL check succeeds for client certificates.") | |
1257 | (ssl-verify-client-cert? | |
1258 | (boolean #f) | |
1259 | "Request client to send a certificate. If you also want to require | |
1260 | it, set @samp{auth-ssl-require-client-cert? #t} in auth section.") | |
1261 | ||
1262 | (ssl-cert-username-field | |
1263 | (string "commonName") | |
1264 | "Which field from certificate to use for username. commonName and | |
1265 | x500UniqueIdentifier are the usual choices. You'll also need to set | |
1266 | @samp{auth-ssl-username-from-cert? #t}.") | |
1267 | ||
28c03b45 TGR |
1268 | (ssl-min-protocol |
1269 | (string "TLSv1") | |
1270 | "Minimum SSL protocol version to accept.") | |
d8c18af8 AW |
1271 | |
1272 | (ssl-cipher-list | |
28c03b45 | 1273 | (string "ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH") |
d8c18af8 AW |
1274 | "SSL ciphers to use.") |
1275 | ||
1276 | (ssl-crypto-device | |
1277 | (string "") | |
1278 | "SSL crypto device to use, for valid values run \"openssl engine\".") | |
1279 | ||
1280 | (postmaster-address | |
66329c23 | 1281 | (string "postmaster@%d") |
d8c18af8 AW |
1282 | "Address to use when sending rejection mails. |
1283 | Default is postmaster@@<your domain>. %d expands to recipient domain.") | |
1284 | ||
1285 | (hostname | |
1286 | (string "") | |
1287 | "Hostname to use in various parts of sent mails (e.g. in Message-Id) | |
1288 | and in LMTP replies. Default is the system's real hostname@@domain.") | |
1289 | ||
1290 | (quota-full-tempfail? | |
1291 | (boolean #f) | |
1292 | "If user is over quota, return with temporary failure instead of | |
1293 | bouncing the mail.") | |
1294 | ||
1295 | (sendmail-path | |
1296 | (file-name "/usr/sbin/sendmail") | |
1297 | "Binary to use for sending mails.") | |
1298 | ||
1299 | (submission-host | |
1300 | (string "") | |
1301 | "If non-empty, send mails via this SMTP host[:port] instead of | |
1302 | sendmail.") | |
1303 | ||
1304 | (rejection-subject | |
1305 | (string "Rejected: %s") | |
1306 | "Subject: header to use for rejection mails. You can use the same | |
1307 | variables as for @samp{rejection-reason} below.") | |
1308 | ||
1309 | (rejection-reason | |
1310 | (string "Your message to <%t> was automatically rejected:%n%r") | |
1311 | "Human readable error message for rejection mails. You can use | |
1312 | variables: | |
1313 | ||
1314 | @table @code | |
1315 | @item %n | |
1316 | CRLF | |
1317 | @item %r | |
1318 | reason | |
1319 | @item %s | |
1320 | original subject | |
1321 | @item %t | |
1322 | recipient | |
1323 | @end table") | |
1324 | ||
1325 | (recipient-delimiter | |
1326 | (string "+") | |
1327 | "Delimiter character between local-part and detail in email | |
1328 | address.") | |
1329 | ||
1330 | (lda-original-recipient-header | |
1331 | (string "") | |
1332 | "Header where the original recipient address (SMTP's RCPT TO: | |
1333 | address) is taken from if not available elsewhere. With dovecot-lda -a | |
1334 | parameter overrides this. A commonly used header for this is | |
1335 | X-Original-To.") | |
1336 | ||
1337 | (lda-mailbox-autocreate? | |
1338 | (boolean #f) | |
1339 | "Should saving a mail to a nonexistent mailbox automatically create | |
1340 | it?.") | |
1341 | ||
1342 | (lda-mailbox-autosubscribe? | |
1343 | (boolean #f) | |
1344 | "Should automatically created mailboxes be also automatically | |
1345 | subscribed?.") | |
1346 | ||
1347 | ||
1348 | (imap-max-line-length | |
1349 | (non-negative-integer #e64e3) | |
1350 | "Maximum IMAP command line length. Some clients generate very long | |
1351 | command lines with huge mailboxes, so you may need to raise this if you | |
1352 | get \"Too long argument\" or \"IMAP command line too large\" errors | |
1353 | often.") | |
1354 | ||
1355 | (imap-logout-format | |
28c03b45 | 1356 | (string "in=%i out=%o deleted=%{deleted} expunged=%{expunged} trashed=%{trashed} hdr_count=%{fetch_hdr_count} hdr_bytes=%{fetch_hdr_bytes} body_count=%{fetch_body_count} body_bytes=%{fetch_body_bytes}") |
d8c18af8 AW |
1357 | "IMAP logout format string: |
1358 | @table @code | |
1359 | @item %i | |
1360 | total number of bytes read from client | |
1361 | @item %o | |
1362 | total number of bytes sent to client. | |
28c03b45 TGR |
1363 | @end table |
1364 | See @file{doc/wiki/Variables.txt} for a list of all the variables you can use.") | |
d8c18af8 AW |
1365 | |
1366 | (imap-capability | |
1367 | (string "") | |
1368 | "Override the IMAP CAPABILITY response. If the value begins with '+', | |
1369 | add the given capabilities on top of the defaults (e.g. +XFOO XBAR).") | |
1370 | ||
1371 | (imap-idle-notify-interval | |
1372 | (string "2 mins") | |
1373 | "How long to wait between \"OK Still here\" notifications when client | |
1374 | is IDLEing.") | |
1375 | ||
1376 | (imap-id-send | |
1377 | (string "") | |
1378 | "ID field names and values to send to clients. Using * as the value | |
1379 | makes Dovecot use the default value. The following fields have default | |
1380 | values currently: name, version, os, os-version, support-url, | |
1381 | support-email.") | |
1382 | ||
1383 | (imap-id-log | |
1384 | (string "") | |
1385 | "ID fields sent by client to log. * means everything.") | |
1386 | ||
1387 | (imap-client-workarounds | |
1388 | (space-separated-string-list '()) | |
1389 | "Workarounds for various client bugs: | |
1390 | ||
1391 | @table @code | |
1392 | @item delay-newmail | |
1393 | Send EXISTS/RECENT new mail notifications only when replying to NOOP and | |
1394 | CHECK commands. Some clients ignore them otherwise, for example OSX | |
1395 | Mail (<v2.1). Outlook Express breaks more badly though, without this it | |
1396 | may show user \"Message no longer in server\" errors. Note that OE6 | |
1397 | still breaks even with this workaround if synchronization is set to | |
1398 | \"Headers Only\". | |
1399 | ||
1400 | @item tb-extra-mailbox-sep | |
1401 | Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and | |
1402 | adds extra @samp{/} suffixes to mailbox names. This option causes Dovecot to | |
1403 | ignore the extra @samp{/} instead of treating it as invalid mailbox name. | |
1404 | ||
1405 | @item tb-lsub-flags | |
1406 | Show \\Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox). | |
1407 | This makes Thunderbird realize they aren't selectable and show them | |
1408 | greyed out, instead of only later giving \"not selectable\" popup error. | |
1409 | @end table | |
1410 | ") | |
1411 | ||
1412 | (imap-urlauth-host | |
1413 | (string "") | |
22470c88 AA |
1414 | "Host allowed in URLAUTH URLs sent by client. \"*\" allows all.") |
1415 | ||
1416 | (protocols | |
1417 | (protocol-configuration-list | |
1418 | (list (protocol-configuration | |
1419 | (name "imap")))) | |
1420 | "List of protocols we want to serve. Available protocols include | |
1421 | @samp{imap}, @samp{pop3}, and @samp{lmtp}.") | |
1422 | ||
1423 | (services | |
1424 | (service-configuration-list | |
1425 | (list | |
1426 | (service-configuration | |
1427 | (kind "imap-login") | |
1428 | (client-limit 0) | |
1429 | (process-limit 0) | |
1430 | (listeners | |
1431 | (list | |
1432 | (inet-listener-configuration (protocol "imap") (port 143) (ssl? #f)) | |
1433 | (inet-listener-configuration (protocol "imaps") (port 993) (ssl? #t))))) | |
1434 | (service-configuration | |
1435 | (kind "pop3-login") | |
1436 | (listeners | |
1437 | (list | |
1438 | (inet-listener-configuration (protocol "pop3") (port 110) (ssl? #f)) | |
1439 | (inet-listener-configuration (protocol "pop3s") (port 995) (ssl? #t))))) | |
1440 | (service-configuration | |
1441 | (kind "lmtp") | |
1442 | (client-limit 1) | |
1443 | (process-limit 0) | |
1444 | (listeners | |
1445 | (list (unix-listener-configuration (path "lmtp") (mode "0666"))))) | |
1446 | (service-configuration | |
1447 | (kind "imap") | |
1448 | (client-limit 1) | |
1449 | (process-limit 1024)) | |
1450 | (service-configuration | |
1451 | (kind "pop3") | |
1452 | (client-limit 1) | |
1453 | (process-limit 1024)) | |
1454 | (service-configuration | |
1455 | (kind "auth") | |
1456 | (service-count 0) | |
1457 | (client-limit 0) | |
1458 | (process-limit 1) | |
1459 | (listeners | |
1460 | (list (unix-listener-configuration (path "auth-userdb"))))) | |
1461 | (service-configuration | |
1462 | (kind "auth-worker") | |
1463 | (client-limit 1) | |
1464 | (process-limit 0)) | |
1465 | (service-configuration | |
1466 | (kind "dict") | |
1467 | (client-limit 1) | |
1468 | (process-limit 0) | |
1469 | (listeners (list (unix-listener-configuration (path "dict"))))))) | |
1470 | "List of services to enable. Available services include @samp{imap}, | |
1471 | @samp{imap-login}, @samp{pop3}, @samp{pop3-login}, @samp{auth}, and | |
1472 | @samp{lmtp}.")) | |
d8c18af8 AW |
1473 | |
1474 | (define-configuration opaque-dovecot-configuration | |
1475 | (dovecot | |
892f1b72 | 1476 | (file-like dovecot) |
d8c18af8 AW |
1477 | "The dovecot package.") |
1478 | ||
1479 | (string | |
5305ed20 JL |
1480 | (string (configuration-missing-field 'opaque-dovecot-configuration |
1481 | 'string)) | |
d8c18af8 AW |
1482 | "The contents of the @code{dovecot.conf} to use.")) |
1483 | ||
1484 | (define %dovecot-accounts | |
1485 | ;; Account and group for the Dovecot daemon. | |
1486 | (list (user-group (name "dovecot") (system? #t)) | |
1487 | (user-account | |
1488 | (name "dovecot") | |
1489 | (group "dovecot") | |
1490 | (system? #t) | |
1491 | (comment "Dovecot daemon user") | |
1492 | (home-directory "/var/empty") | |
9e41130b | 1493 | (shell (file-append shadow "/sbin/nologin"))) |
d8c18af8 AW |
1494 | |
1495 | (user-group (name "dovenull") (system? #t)) | |
1496 | (user-account | |
1497 | (name "dovenull") | |
1498 | (group "dovenull") | |
1499 | (system? #t) | |
1500 | (comment "Dovecot daemon login user") | |
1501 | (home-directory "/var/empty") | |
9e41130b | 1502 | (shell (file-append shadow "/sbin/nologin"))))) |
d8c18af8 | 1503 | |
6310dff1 | 1504 | (define (%dovecot-activation config) |
d8c18af8 | 1505 | ;; Activation gexp. |
6310dff1 OP |
1506 | (let ((config-str |
1507 | (cond | |
1508 | ((opaque-dovecot-configuration? config) | |
1509 | (opaque-dovecot-configuration-string config)) | |
1510 | (else | |
1511 | (with-output-to-string | |
1512 | (lambda () | |
1513 | (serialize-configuration config | |
1514 | dovecot-configuration-fields))))))) | |
1515 | #~(begin | |
1516 | (use-modules (guix build utils)) | |
1517 | (define (mkdir-p/perms directory owner perms) | |
1518 | (mkdir-p directory) | |
1519 | (chown "/var/run/dovecot" (passwd:uid owner) (passwd:gid owner)) | |
1520 | (chmod directory perms)) | |
1521 | (define (build-subject parameters) | |
1522 | (string-concatenate | |
1523 | (map (lambda (pair) | |
1524 | (let ((k (car pair)) (v (cdr pair))) | |
1525 | (define (escape-char str chr) | |
1526 | (string-join (string-split str chr) (string #\\ chr))) | |
1527 | (string-append "/" k "=" | |
1528 | (escape-char (escape-char v #\=) #\/)))) | |
1529 | (filter (lambda (pair) (cdr pair)) parameters)))) | |
1530 | (define* (create-self-signed-certificate-if-absent | |
1531 | #:key private-key public-key (owner (getpwnam "root")) | |
1532 | (common-name (gethostname)) | |
59e80445 | 1533 | (organization-name "Guix") |
6310dff1 OP |
1534 | (organization-unit-name "Default Self-Signed Certificate") |
1535 | (subject-parameters `(("CN" . ,common-name) | |
1536 | ("O" . ,organization-name) | |
1537 | ("OU" . ,organization-unit-name))) | |
1538 | (subject (build-subject subject-parameters))) | |
1539 | ;; Note that by default, OpenSSL outputs keys in PEM format. This | |
1540 | ;; is what we want. | |
1541 | (unless (file-exists? private-key) | |
1542 | (cond | |
1543 | ((zero? (system* (string-append #$openssl "/bin/openssl") | |
1544 | "genrsa" "-out" private-key "2048")) | |
1545 | (chown private-key (passwd:uid owner) (passwd:gid owner)) | |
1546 | (chmod private-key #o400)) | |
1547 | (else | |
1548 | (format (current-error-port) | |
1549 | "Failed to create private key at ~a.\n" private-key)))) | |
1550 | (unless (file-exists? public-key) | |
1551 | (cond | |
1552 | ((zero? (system* (string-append #$openssl "/bin/openssl") | |
1553 | "req" "-new" "-x509" "-key" private-key | |
1554 | "-out" public-key "-days" "3650" | |
1555 | "-batch" "-subj" subject)) | |
1556 | (chown public-key (passwd:uid owner) (passwd:gid owner)) | |
1557 | (chmod public-key #o444)) | |
1558 | (else | |
1559 | (format (current-error-port) | |
1560 | "Failed to create public key at ~a.\n" public-key))))) | |
d9d88c2f | 1561 | (let ((user (getpwnam "dovecot"))) |
6310dff1 OP |
1562 | (mkdir-p/perms "/var/run/dovecot" user #o755) |
1563 | (mkdir-p/perms "/var/lib/dovecot" user #o755) | |
1564 | (mkdir-p/perms "/etc/dovecot" user #o755) | |
1565 | (copy-file #$(plain-file "dovecot.conf" config-str) | |
1566 | "/etc/dovecot/dovecot.conf") | |
1567 | (mkdir-p/perms "/etc/dovecot/private" user #o700) | |
1568 | (create-self-signed-certificate-if-absent | |
1569 | #:private-key "/etc/dovecot/private/default.pem" | |
1570 | #:public-key "/etc/dovecot/default.pem" | |
1571 | #:owner (getpwnam "root") | |
1572 | #:common-name (format #f "Dovecot service on ~a" (gethostname))))))) | |
d8c18af8 | 1573 | |
d4053c71 AK |
1574 | (define (dovecot-shepherd-service config) |
1575 | "Return a list of <shepherd-service> for CONFIG." | |
6310dff1 OP |
1576 | (let ((dovecot (if (opaque-dovecot-configuration? config) |
1577 | (opaque-dovecot-configuration-dovecot config) | |
1578 | (dovecot-configuration-dovecot config)))) | |
d4053c71 | 1579 | (list (shepherd-service |
d8c18af8 AW |
1580 | (documentation "Run the Dovecot POP3/IMAP mail server.") |
1581 | (provision '(dovecot)) | |
1582 | (requirement '(networking)) | |
1583 | (start #~(make-forkexec-constructor | |
1584 | (list (string-append #$dovecot "/sbin/dovecot") | |
6310dff1 | 1585 | "-F"))) |
b25ecfa2 LC |
1586 | (stop #~(lambda _ |
1587 | (invoke #$(file-append dovecot "/sbin/dovecot") | |
1588 | "stop") | |
1589 | #f)))))) | |
d8c18af8 AW |
1590 | |
1591 | (define %dovecot-pam-services | |
1592 | (list (unix-pam-service "dovecot"))) | |
1593 | ||
1594 | (define dovecot-service-type | |
1595 | (service-type (name 'dovecot) | |
1596 | (extensions | |
d4053c71 AK |
1597 | (list (service-extension shepherd-root-service-type |
1598 | dovecot-shepherd-service) | |
d8c18af8 AW |
1599 | (service-extension account-service-type |
1600 | (const %dovecot-accounts)) | |
1601 | (service-extension pam-root-service-type | |
1602 | (const %dovecot-pam-services)) | |
1603 | (service-extension activation-service-type | |
9d7248cd LC |
1604 | %dovecot-activation))) |
1605 | (description "Run Dovecot, a mail server that can run POP3, | |
1606 | IMAP, and LMTP."))) | |
d8c18af8 AW |
1607 | |
1608 | (define* (dovecot-service #:key (config (dovecot-configuration))) | |
1609 | "Return a service that runs @command{dovecot}, a mail server that can run | |
1610 | POP3, IMAP, and LMTP. @var{config} should be a configuration object created | |
1611 | by @code{dovecot-configuration}. @var{config} may also be created by | |
1612 | @code{opaque-dovecot-configuration}, which allows specification of the | |
1613 | @code{dovecot.conf} as a string." | |
d8c18af8 AW |
1614 | (service dovecot-service-type config)) |
1615 | ||
1616 | ;; A little helper to make it easier to document all those fields. | |
5305ed20 JL |
1617 | (define (generate-dovecot-documentation) |
1618 | (generate-documentation | |
d8c18af8 AW |
1619 | `((dovecot-configuration |
1620 | ,dovecot-configuration-fields | |
1621 | (dict dict-configuration) | |
1622 | (namespaces namespace-configuration) | |
1623 | (plugin plugin-configuration) | |
1624 | (passdbs passdb-configuration) | |
1625 | (userdbs userdb-configuration) | |
1626 | (services service-configuration) | |
1627 | (protocols protocol-configuration)) | |
1628 | (dict-configuration ,dict-configuration-fields) | |
1629 | (plugin-configuration ,plugin-configuration-fields) | |
1630 | (passdb-configuration ,passdb-configuration-fields) | |
1631 | (userdb-configuration ,userdb-configuration-fields) | |
1632 | (unix-listener-configuration ,unix-listener-configuration-fields) | |
1633 | (fifo-listener-configuration ,fifo-listener-configuration-fields) | |
1634 | (inet-listener-configuration ,inet-listener-configuration-fields) | |
1635 | (namespace-configuration | |
1636 | ,namespace-configuration-fields | |
1637 | (mailboxes mailbox-configuration)) | |
1638 | (mailbox-configuration ,mailbox-configuration-fields) | |
1639 | (service-configuration | |
1640 | ,service-configuration-fields | |
1641 | (listeners unix-listener-configuration fifo-listener-configuration | |
1642 | inet-listener-configuration)) | |
5305ed20 JL |
1643 | (protocol-configuration ,protocol-configuration-fields)) |
1644 | 'dovecot-configuration)) | |
f88371e8 SB |
1645 | |
1646 | \f | |
1647 | ;;; | |
1648 | ;;; OpenSMTPD. | |
1649 | ;;; | |
1650 | ||
1651 | (define-record-type* <opensmtpd-configuration> | |
1652 | opensmtpd-configuration make-opensmtpd-configuration | |
1653 | opensmtpd-configuration? | |
1654 | (package opensmtpd-configuration-package | |
1655 | (default opensmtpd)) | |
1656 | (config-file opensmtpd-configuration-config-file | |
dd3cf144 M |
1657 | (default %default-opensmtpd-config-file)) |
1658 | (setgid-commands? opensmtpd-setgid-commands? (default #t))) | |
f88371e8 SB |
1659 | |
1660 | (define %default-opensmtpd-config-file | |
1661 | (plain-file "smtpd.conf" " | |
1662 | listen on lo | |
c3f146e7 TGR |
1663 | |
1664 | action inbound mbox | |
1665 | match for local action inbound | |
1666 | ||
1667 | action outbound relay | |
1668 | match from local for any action outbound | |
f88371e8 SB |
1669 | ")) |
1670 | ||
1671 | (define opensmtpd-shepherd-service | |
1672 | (match-lambda | |
1673 | (($ <opensmtpd-configuration> package config-file) | |
1674 | (list (shepherd-service | |
1675 | (provision '(smtpd)) | |
1676 | (requirement '(loopback)) | |
1677 | (documentation "Run the OpenSMTPD daemon.") | |
1678 | (start (let ((smtpd (file-append package "/sbin/smtpd"))) | |
1679 | #~(make-forkexec-constructor | |
1680 | (list #$smtpd "-f" #$config-file) | |
1681 | #:pid-file "/var/run/smtpd.pid"))) | |
1682 | (stop #~(make-kill-destructor))))))) | |
1683 | ||
1684 | (define %opensmtpd-accounts | |
1685 | (list (user-group | |
1686 | (name "smtpq") | |
1687 | (system? #t)) | |
1688 | (user-account | |
1689 | (name "smtpd") | |
1690 | (group "nogroup") | |
1691 | (system? #t) | |
1692 | (comment "SMTP Daemon") | |
1693 | (home-directory "/var/empty") | |
1694 | (shell (file-append shadow "/sbin/nologin"))) | |
1695 | (user-account | |
1696 | (name "smtpq") | |
1697 | (group "smtpq") | |
1698 | (system? #t) | |
1699 | (comment "SMTPD Queue") | |
1700 | (home-directory "/var/empty") | |
1701 | (shell (file-append shadow "/sbin/nologin"))))) | |
1702 | ||
1703 | (define opensmtpd-activation | |
1704 | (match-lambda | |
1705 | (($ <opensmtpd-configuration> package config-file) | |
1706 | (let ((smtpd (file-append package "/sbin/smtpd"))) | |
1707 | #~(begin | |
e57bd0be | 1708 | (use-modules (guix build utils)) |
f88371e8 SB |
1709 | ;; Create mbox and spool directories. |
1710 | (mkdir-p "/var/mail") | |
1711 | (mkdir-p "/var/spool/smtpd") | |
a37e03d6 LC |
1712 | (chmod "/var/spool/smtpd" #o711) |
1713 | (mkdir-p "/var/spool/mail") | |
1714 | (chmod "/var/spool/mail" #o711)))))) | |
f88371e8 | 1715 | |
ace8e269 KB |
1716 | (define %opensmtpd-pam-services |
1717 | (list (unix-pam-service "smtpd"))) | |
1718 | ||
dd3cf144 M |
1719 | (define opensmtpd-set-gids |
1720 | (match-lambda | |
1721 | (($ <opensmtpd-configuration> package config-file set-gids?) | |
1722 | (if set-gids? | |
1723 | (list | |
1724 | (setuid-program | |
1725 | (program (file-append package "/sbin/smtpctl")) | |
1726 | (setuid? #false) | |
1727 | (setgid? #true) | |
1728 | (group "smtpq")) | |
1729 | (setuid-program | |
1730 | (program (file-append package "/sbin/sendmail")) | |
1731 | (setuid? #false) | |
1732 | (setgid? #true) | |
1733 | (group "smtpq")) | |
1734 | (setuid-program | |
1735 | (program (file-append package "/sbin/send-mail")) | |
1736 | (setuid? #false) | |
1737 | (setgid? #true) | |
1738 | (group "smtpq")) | |
1739 | (setuid-program | |
1740 | (program (file-append package "/sbin/makemap")) | |
1741 | (setuid? #false) | |
1742 | (setgid? #true) | |
1743 | (group "smtpq")) | |
1744 | (setuid-program | |
1745 | (program (file-append package "/sbin/mailq")) | |
1746 | (setuid? #false) | |
1747 | (setgid? #true) | |
1748 | (group "smtpq")) | |
1749 | (setuid-program | |
1750 | (program (file-append package "/sbin/newaliases")) | |
1751 | (setuid? #false) | |
1752 | (setgid? #true) | |
1753 | (group "smtpq"))) | |
1754 | '())))) | |
1755 | ||
f88371e8 SB |
1756 | (define opensmtpd-service-type |
1757 | (service-type | |
1758 | (name 'opensmtpd) | |
1759 | (extensions | |
1760 | (list (service-extension account-service-type | |
1761 | (const %opensmtpd-accounts)) | |
1762 | (service-extension activation-service-type | |
1763 | opensmtpd-activation) | |
ace8e269 KB |
1764 | (service-extension pam-root-service-type |
1765 | (const %opensmtpd-pam-services)) | |
f88371e8 SB |
1766 | (service-extension profile-service-type |
1767 | (compose list opensmtpd-configuration-package)) | |
1768 | (service-extension shepherd-root-service-type | |
dd3cf144 M |
1769 | opensmtpd-shepherd-service) |
1770 | (service-extension setuid-program-service-type | |
1771 | opensmtpd-set-gids))) | |
9d7248cd LC |
1772 | (description "Run the OpenSMTPD, a lightweight @acronym{SMTP, Simple Mail |
1773 | Transfer Protocol} server."))) | |
82ccc499 CZ |
1774 | |
1775 | \f | |
8d17cf1c CZ |
1776 | ;;; |
1777 | ;;; mail aliases. | |
1778 | ;;; | |
1779 | ||
1780 | (define (mail-aliases-etc aliases) | |
1781 | `(("aliases" ,(plain-file "aliases" | |
1782 | ;; Ideally we'd use a format string like | |
1783 | ;; "~:{~a: ~{~a~^,~}\n~}", but it gives a | |
1784 | ;; warning that I can't figure out how to fix, | |
1785 | ;; so we'll just use string-join below instead. | |
1786 | (format #f "~:{~a: ~a\n~}" | |
1787 | (map (match-lambda | |
1788 | ((alias addresses ...) | |
1789 | (list alias (string-join addresses ",")))) | |
1790 | aliases)))))) | |
1791 | ||
1792 | (define mail-aliases-service-type | |
1793 | (service-type | |
1794 | (name 'mail-aliases) | |
1795 | (extensions | |
1796 | (list (service-extension etc-service-type mail-aliases-etc))) | |
1797 | (compose concatenate) | |
9d7248cd LC |
1798 | (extend append) |
1799 | (description "Provide a @file{/etc/aliases} file---an email alias | |
1800 | database---computed from the given alias list."))) | |
8d17cf1c CZ |
1801 | |
1802 | \f | |
82ccc499 CZ |
1803 | ;;; |
1804 | ;;; Exim. | |
1805 | ;;; | |
1806 | ||
1807 | (define-record-type* <exim-configuration> exim-configuration | |
1808 | make-exim-configuration | |
1809 | exim-configuration? | |
892f1b72 | 1810 | (package exim-configuration-package ;file-like |
82ccc499 CZ |
1811 | (default exim)) |
1812 | (config-file exim-configuration-config-file ;file-like | |
b065f78e | 1813 | (default #f))) |
82ccc499 CZ |
1814 | |
1815 | (define %exim-accounts | |
1816 | (list (user-group | |
1817 | (name "exim") | |
1818 | (system? #t)) | |
1819 | (user-account | |
1820 | (name "exim") | |
1821 | (group "exim") | |
1822 | (system? #t) | |
1823 | (comment "Exim Daemon") | |
1824 | (home-directory "/var/empty") | |
1825 | (shell (file-append shadow "/sbin/nologin"))))) | |
1826 | ||
1827 | (define (exim-computed-config-file package config-file) | |
1828 | (computed-file "exim.conf" | |
1829 | #~(call-with-output-file #$output | |
1830 | (lambda (port) | |
1831 | (format port " | |
1832 | exim_user = exim | |
1833 | exim_group = exim | |
1834 | .include ~a" | |
1835 | #$(or config-file | |
1836 | (file-append package "/etc/exim.conf"))))))) | |
1837 | ||
1838 | (define exim-shepherd-service | |
1839 | (match-lambda | |
b065f78e | 1840 | (($ <exim-configuration> package config-file) |
82ccc499 CZ |
1841 | (list (shepherd-service |
1842 | (provision '(exim mta)) | |
1843 | (documentation "Run the exim daemon.") | |
1844 | (requirement '(networking)) | |
1845 | (start #~(make-forkexec-constructor | |
1846 | '(#$(file-append package "/bin/exim") | |
1847 | "-bd" "-v" "-C" | |
1848 | #$(exim-computed-config-file package config-file)))) | |
1849 | (stop #~(make-kill-destructor))))))) | |
1850 | ||
1851 | (define exim-activation | |
1852 | (match-lambda | |
b065f78e | 1853 | (($ <exim-configuration> package config-file) |
82ccc499 CZ |
1854 | (with-imported-modules '((guix build utils)) |
1855 | #~(begin | |
1856 | (use-modules (guix build utils)) | |
1857 | ||
1858 | (let ((uid (passwd:uid (getpw "exim"))) | |
1859 | (gid (group:gid (getgr "exim")))) | |
1860 | (mkdir-p "/var/spool/exim") | |
1861 | (chown "/var/spool/exim" uid gid)) | |
1862 | ||
1863 | (zero? (system* #$(file-append package "/bin/exim") | |
1864 | "-bV" "-C" #$(exim-computed-config-file package config-file)))))))) | |
1865 | ||
82ccc499 CZ |
1866 | (define exim-profile |
1867 | (compose list exim-configuration-package)) | |
1868 | ||
1869 | (define exim-service-type | |
1870 | (service-type | |
1871 | (name 'exim) | |
1872 | (extensions | |
1873 | (list (service-extension shepherd-root-service-type exim-shepherd-service) | |
1874 | (service-extension account-service-type (const %exim-accounts)) | |
1875 | (service-extension activation-service-type exim-activation) | |
1876 | (service-extension profile-service-type exim-profile) | |
9d7248cd LC |
1877 | (service-extension mail-aliases-service-type (const '())))) |
1878 | (description "Run the Exim mail transfer agent (MTA)."))) | |
412e6396 SB |
1879 | |
1880 | \f | |
1881 | ;;; | |
1882 | ;;; GNU Mailutils IMAP4 Daemon. | |
1883 | ;;; | |
1884 | ||
1885 | (define %default-imap4d-config-file | |
1886 | (plain-file "imap4d.conf" "server localhost {};\n")) | |
1887 | ||
1888 | (define-record-type* <imap4d-configuration> | |
1889 | imap4d-configuration make-imap4d-configuration imap4d-configuration? | |
1890 | (package imap4d-configuration-package | |
1891 | (default mailutils)) | |
1892 | (config-file imap4d-configuration-config-file | |
1893 | (default %default-imap4d-config-file))) | |
1894 | ||
1895 | (define imap4d-shepherd-service | |
1896 | (match-lambda | |
1897 | (($ <imap4d-configuration> package config-file) | |
1898 | (list (shepherd-service | |
1899 | (provision '(imap4d)) | |
1900 | (requirement '(networking syslogd)) | |
1901 | (documentation "Run the imap4d daemon.") | |
1902 | (start (let ((imap4d (file-append package "/sbin/imap4d"))) | |
1903 | #~(make-forkexec-constructor | |
1904 | (list #$imap4d "--daemon" "--foreground" | |
1905 | "--config-file" #$config-file)))) | |
1906 | (stop #~(make-kill-destructor))))))) | |
1907 | ||
1908 | (define imap4d-service-type | |
1909 | (service-type | |
1910 | (name 'imap4d) | |
1911 | (description | |
1912 | "Run the GNU @command{imap4d} to serve e-mail messages through IMAP.") | |
1913 | (extensions | |
1914 | (list (service-extension | |
1915 | shepherd-root-service-type imap4d-shepherd-service))) | |
1916 | (default-value (imap4d-configuration)))) | |
b4db1136 JB |
1917 | |
1918 | \f | |
1919 | ;;; | |
1920 | ;;; Radicale. | |
1921 | ;;; | |
1922 | ||
1923 | (define-record-type* <radicale-configuration> | |
1924 | radicale-configuration make-radicale-configuration | |
1925 | radicale-configuration? | |
1926 | (package radicale-configuration-package | |
1927 | (default radicale)) | |
1928 | (config-file radicale-configuration-config-file | |
1929 | (default %default-radicale-config-file))) | |
1930 | ||
1931 | (define %default-radicale-config-file | |
1932 | (plain-file "radicale.conf" " | |
1933 | [auth] | |
1934 | type = htpasswd | |
1935 | htpasswd_filename = /var/lib/radicale/users | |
1936 | htpasswd_encryption = plain | |
1937 | ||
1938 | [server] | |
1939 | hosts = localhost:5232")) | |
1940 | ||
1941 | (define %radicale-accounts | |
1942 | (list (user-group | |
1943 | (name "radicale") | |
1944 | (system? #t)) | |
1945 | (user-account | |
1946 | (name "radicale") | |
1947 | (group "radicale") | |
1948 | (system? #t) | |
1949 | (comment "Radicale Daemon") | |
1950 | (home-directory "/var/empty") | |
1951 | (shell (file-append shadow "/sbin/nologin"))))) | |
1952 | ||
1953 | (define radicale-shepherd-service | |
1954 | (match-lambda | |
1955 | (($ <radicale-configuration> package config-file) | |
1956 | (list (shepherd-service | |
1957 | (provision '(radicale)) | |
1958 | (documentation "Run the radicale daemon.") | |
1959 | (requirement '(networking)) | |
1960 | (start #~(make-forkexec-constructor | |
1961 | (list #$(file-append package "/bin/radicale") | |
1962 | "-C" #$config-file) | |
1963 | #:user "radicale" | |
1964 | #:group "radicale")) | |
1965 | (stop #~(make-kill-destructor))))))) | |
1966 | ||
1967 | (define radicale-activation | |
1968 | (match-lambda | |
1969 | (($ <radicale-configuration> package config-file) | |
1970 | (with-imported-modules '((guix build utils)) | |
1971 | #~(begin | |
1972 | (use-modules (guix build utils)) | |
1973 | (let ((uid (passwd:uid (getpw "radicale"))) | |
1974 | (gid (group:gid (getgr "radicale")))) | |
1975 | (mkdir-p "/var/lib/radicale/collections") | |
1976 | (chown "/var/lib/radicale" uid gid) | |
1977 | (chown "/var/lib/radicale/collections" uid gid) | |
1978 | (chmod "/var/lib/radicale" #o700))))))) | |
1979 | ||
1980 | (define radicale-service-type | |
1981 | (service-type | |
1982 | (name 'radicale) | |
1983 | (description "Run radicale, a small CalDAV and CardDAV server.") | |
1984 | (extensions | |
1985 | (list (service-extension shepherd-root-service-type radicale-shepherd-service) | |
1986 | (service-extension account-service-type (const %radicale-accounts)) | |
1987 | (service-extension activation-service-type radicale-activation))) | |
1988 | (default-value (radicale-configuration)))) |