1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2015 Andy Wingo <wingo@igalia.com>
3 ;;; Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org>
4 ;;; Copyright © 2017 Carlo Zancanaro <carlo@zancanaro.id.au>
5 ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
7 ;;; This file is part of GNU Guix.
9 ;;; GNU Guix is free software; you can redistribute it and/or modify it
10 ;;; under the terms of the GNU General Public License as published by
11 ;;; the Free Software Foundation; either version 3 of the License, or (at
12 ;;; your option) any later version.
14 ;;; GNU Guix is distributed in the hope that it will be useful, but
15 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
16 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 ;;; GNU General Public License for more details.
19 ;;; You should have received a copy of the GNU General Public License
20 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
22 ;;; Some of the help text was taken from the default dovecot.conf files.
24 (define-module (gnu services mail)
25 #:use-module (gnu services)
26 #:use-module (gnu services base)
27 #:use-module (gnu services configuration)
28 #:use-module (gnu services shepherd)
29 #:use-module (gnu system pam)
30 #:use-module (gnu system shadow)
31 #:use-module (gnu packages mail)
32 #:use-module (gnu packages admin)
33 #:use-module (gnu packages tls)
34 #:use-module (guix records)
35 #:use-module (guix packages)
36 #:use-module (guix gexp)
37 #:use-module (ice-9 match)
38 #:use-module (ice-9 format)
39 #:use-module (srfi srfi-1)
40 #:export (dovecot-service
43 opaque-dovecot-configuration
48 unix-listener-configuration
49 fifo-listener-configuration
50 inet-listener-configuration
52 protocol-configuration
55 namespace-configuration
57 opensmtpd-configuration
58 opensmtpd-configuration?
59 opensmtpd-service-type
60 %default-opensmtpd-config-file
62 mail-aliases-service-type
67 %default-exim-config-file))
71 ;;; This module provides service definitions for the Dovecot POP3 and IMAP
76 (define (uglify-field-name field-name)
77 (let ((str (symbol->string field-name)))
78 (string-join (string-split (if (string-suffix? "?" str)
79 (substring str 0 (1- (string-length str)))
84 (define (serialize-field field-name val)
85 (format #t "~a=~a\n" (uglify-field-name field-name) val))
87 (define (serialize-string field-name val)
88 (serialize-field field-name val))
90 (define (space-separated-string-list? val)
93 (and (string? x) (not (string-index x #\space))))
95 (define (serialize-space-separated-string-list field-name val)
96 (serialize-field field-name (string-join val " ")))
98 (define (comma-separated-string-list? val)
101 (and (string? x) (not (string-index x #\,))))
103 (define (serialize-comma-separated-string-list field-name val)
104 (serialize-field field-name (string-join val ",")))
106 (define (file-name? val)
108 (string-prefix? "/" val)))
109 (define (serialize-file-name field-name val)
110 (serialize-string field-name val))
112 (define (colon-separated-file-name-list? val)
114 ;; Trailing slashes not needed and not
115 (and-map file-name? val)))
116 (define (serialize-colon-separated-file-name-list field-name val)
117 (serialize-field field-name (string-join val ":")))
119 (define (serialize-boolean field-name val)
120 (serialize-string field-name (if val "yes" "no")))
122 (define (non-negative-integer? val)
123 (and (exact-integer? val) (not (negative? val))))
124 (define (serialize-non-negative-integer field-name val)
125 (serialize-field field-name val))
127 (define (hours? val) (non-negative-integer? val))
128 (define (serialize-hours field-name val)
129 (serialize-field field-name (format #f "~a hours" val)))
131 (define (free-form-fields? val)
134 ((((? symbol?) . (? string)) . val) (free-form-fields? val))
136 (define (serialize-free-form-fields field-name val)
137 (for-each (match-lambda ((k . v) (serialize-field k v))) val))
139 (define (free-form-args? val)
142 ((((? symbol?) . (? string)) . val) (free-form-args? val))
144 (define (serialize-free-form-args field-name val)
145 (serialize-field field-name
147 (map (match-lambda ((k . v) (format #t "~a=~a" k v))) val)
150 (define-configuration dict-configuration
152 (free-form-fields '())
153 "A list of key-value pairs that this dict should hold."))
155 (define (serialize-dict-configuration field-name val)
156 (format #t "dict {\n")
157 (serialize-configuration val dict-configuration-fields)
160 (define-configuration passdb-configuration
163 "The driver that the passdb should use. Valid values include
164 @samp{pam}, @samp{passwd}, @samp{shadow}, @samp{bsdauth}, and
167 (space-separated-string-list '())
168 "Space separated list of arguments to the passdb driver."))
170 (define (serialize-passdb-configuration field-name val)
171 (format #t "passdb {\n")
172 (serialize-configuration val passdb-configuration-fields)
174 (define (passdb-configuration-list? val)
175 (and (list? val) (and-map passdb-configuration? val)))
176 (define (serialize-passdb-configuration-list field-name val)
177 (for-each (lambda (val) (serialize-passdb-configuration field-name val)) val))
179 (define-configuration userdb-configuration
182 "The driver that the userdb should use. Valid values include
183 @samp{passwd} and @samp{static}.")
185 (space-separated-string-list '())
186 "Space separated list of arguments to the userdb driver.")
189 "Override fields from passwd."))
191 (define (serialize-userdb-configuration field-name val)
192 (format #t "userdb {\n")
193 (serialize-configuration val userdb-configuration-fields)
195 (define (userdb-configuration-list? val)
196 (and (list? val) (and-map userdb-configuration? val)))
197 (define (serialize-userdb-configuration-list field-name val)
198 (for-each (lambda (val) (serialize-userdb-configuration field-name val)) val))
200 (define-configuration unix-listener-configuration
202 (string (configuration-missing-field 'unix-listener 'path))
203 "Path to the file, relative to @code{base-dir} field. This is also used as
207 "The access mode for the socket.")
210 "The user to own the the socket.")
213 "The group to own the socket."))
215 (define (serialize-unix-listener-configuration field-name val)
216 (format #t "unix_listener ~a {\n" (unix-listener-configuration-path val))
217 (serialize-configuration val (cdr unix-listener-configuration-fields))
220 (define-configuration fifo-listener-configuration
222 (string (configuration-missing-field 'fifo-listener 'path))
223 "Path to the file, relative to @code{base-dir} field. This is also used as
227 "The access mode for the socket.")
230 "The user to own the the socket.")
233 "The group to own the socket."))
235 (define (serialize-fifo-listener-configuration field-name val)
236 (format #t "fifo_listener ~a {\n" (fifo-listener-configuration-path val))
237 (serialize-configuration val (cdr fifo-listener-configuration-fields))
240 (define-configuration inet-listener-configuration
242 (string (configuration-missing-field 'inet-listener 'protocol))
243 "The protocol to listen for.")
246 "The address on which to listen, or empty for all addresses.")
248 (non-negative-integer
249 (configuration-missing-field 'inet-listener 'port))
250 "The port on which to listen.")
253 "Whether to use SSL for this service; @samp{yes}, @samp{no}, or
256 (define (serialize-inet-listener-configuration field-name val)
257 (format #t "inet_listener ~a {\n" (inet-listener-configuration-protocol val))
258 (serialize-configuration val (cdr inet-listener-configuration-fields))
261 (define (listener-configuration? val)
262 (or (unix-listener-configuration? val)
263 (fifo-listener-configuration? val)
264 (inet-listener-configuration? val)))
265 (define (serialize-listener-configuration field-name val)
267 ((unix-listener-configuration? val)
268 (serialize-unix-listener-configuration field-name val))
269 ((fifo-listener-configuration? val)
270 (serialize-fifo-listener-configuration field-name val))
271 ((inet-listener-configuration? val)
272 (serialize-inet-listener-configuration field-name val))
273 (else (configuration-field-error field-name val))))
274 (define (listener-configuration-list? val)
275 (and (list? val) (and-map listener-configuration? val)))
276 (define (serialize-listener-configuration-list field-name val)
277 (for-each (lambda (val)
278 (serialize-listener-configuration field-name val))
281 (define-configuration service-configuration
283 (string (configuration-missing-field 'service 'kind))
284 "The service kind. Valid values include @code{director},
285 @code{imap-login}, @code{pop3-login}, @code{lmtp}, @code{imap},
286 @code{pop3}, @code{auth}, @code{auth-worker}, @code{dict},
287 @code{tcpwrap}, @code{quota-warning}, or anything else.")
289 (listener-configuration-list '())
290 "Listeners for the service. A listener is either an
291 @code{unix-listener-configuration}, a @code{fifo-listener-configuration}, or
292 an @code{inet-listener-configuration}.")
294 (non-negative-integer 0)
295 "Maximum number of simultaneous client connections per process. Once this
296 number of connections is received, the next incoming connection will prompt
297 Dovecot to spawn another process. If set to 0, @code{default-client-limit} is
300 (non-negative-integer 1)
301 "Number of connections to handle before starting a new process.
302 Typically the only useful values are 0 (unlimited) or 1. 1 is more
303 secure, but 0 is faster. <doc/wiki/LoginProcess.txt>.")
305 (non-negative-integer 0)
306 "Maximum number of processes that can exist for this service. If set to 0,
307 @code{default-process-limit} is used instead.")
309 (non-negative-integer 0)
310 "Number of processes to always keep waiting for more connections.")
311 ;; FIXME: Need to be able to take the default for this value from other
312 ;; parts of the config.
314 (non-negative-integer #e256e6)
315 "If you set @samp{service-count 0}, you probably need to grow
318 (define (serialize-service-configuration field-name val)
319 (format #t "service ~a {\n" (service-configuration-kind val))
320 (serialize-configuration val (cdr service-configuration-fields))
322 (define (service-configuration-list? val)
323 (and (list? val) (and-map service-configuration? val)))
324 (define (serialize-service-configuration-list field-name val)
325 (for-each (lambda (val)
326 (serialize-service-configuration field-name val))
329 (define-configuration protocol-configuration
331 (string (configuration-missing-field 'protocol 'name))
332 "The name of the protocol.")
334 (string "/var/run/dovecot/auth-userdb")
335 "UNIX socket path to master authentication server to find users.
336 This is used by imap (for shared users) and lda.")
338 (space-separated-string-list '("$mail_plugins"))
339 "Space separated list of plugins to load.")
340 (mail-max-userip-connections
341 (non-negative-integer 10)
342 "Maximum number of IMAP connections allowed for a user from each IP
343 address. NOTE: The username is compared case-sensitively."))
345 (define (serialize-protocol-configuration field-name val)
346 (format #t "protocol ~a {\n" (protocol-configuration-name val))
347 (serialize-configuration val (cdr protocol-configuration-fields))
349 (define (protocol-configuration-list? val)
350 (and (list? val) (and-map protocol-configuration? val)))
351 (define (serialize-protocol-configuration-list field-name val)
352 (serialize-field 'protocols
353 (string-join (map protocol-configuration-name val) " "))
354 (for-each (lambda (val)
355 (serialize-protocol-configuration field-name val))
358 (define-configuration plugin-configuration
360 (free-form-fields '())
361 "A list of key-value pairs that this dict should hold."))
363 (define (serialize-plugin-configuration field-name val)
364 (format #t "plugin {\n")
365 (serialize-configuration val plugin-configuration-fields)
368 (define-configuration mailbox-configuration
370 (string (error "mailbox name is required"))
371 "Name for this mailbox.")
375 "@samp{create} will automatically create this mailbox.
376 @samp{subscribe} will both create and subscribe to the mailbox.")
379 (space-separated-string-list '())
380 "List of IMAP @code{SPECIAL-USE} attributes as specified by RFC 6154.
381 Valid values are @code{\\All}, @code{\\Archive}, @code{\\Drafts},
382 @code{\\Flagged}, @code{\\Junk}, @code{\\Sent}, and @code{\\Trash}."))
384 (define (serialize-mailbox-configuration field-name val)
385 (format #t "mailbox \"~a\" {\n" (mailbox-configuration-name val))
386 (serialize-configuration val (cdr mailbox-configuration-fields))
388 (define (mailbox-configuration-list? val)
389 (and (list? val) (and-map mailbox-configuration? val)))
390 (define (serialize-mailbox-configuration-list field-name val)
391 (for-each (lambda (val)
392 (serialize-mailbox-configuration field-name val))
395 (define-configuration namespace-configuration
397 (string (error "namespace name is required"))
398 "Name for this namespace.")
402 "Namespace type: @samp{private}, @samp{shared} or @samp{public}.")
406 "Hierarchy separator to use. You should use the same separator for
407 all namespaces or some clients get confused. @samp{/} is usually a good
408 one. The default however depends on the underlying mail storage
413 "Prefix required to access this namespace. This needs to be
414 different for all namespaces. For example @samp{Public/}.")
418 "Physical location of the mailbox. This is in same format as
419 mail_location, which is also the default for it.")
423 "There can be only one INBOX, and this setting defines which
428 "If namespace is hidden, it's not advertised to clients via NAMESPACE
429 extension. You'll most likely also want to set @samp{list? #f}. This is mostly
430 useful when converting from another server with different namespaces
431 which you want to deprecate but still keep working. For example you can
432 create hidden namespaces with prefixes @samp{~/mail/}, @samp{~%u/mail/}
437 "Show the mailboxes under this namespace with LIST command. This
438 makes the namespace visible for clients that don't support NAMESPACE
439 extension. The special @code{children} value lists child mailboxes, but
440 hides the namespace prefix.")
444 "Namespace handles its own subscriptions. If set to @code{#f}, the
445 parent namespace handles them. The empty prefix should always have this
449 (mailbox-configuration-list '())
450 "List of predefined mailboxes in this namespace."))
452 (define (serialize-namespace-configuration field-name val)
453 (format #t "namespace ~a {\n" (namespace-configuration-name val))
454 (serialize-configuration val (cdr namespace-configuration-fields))
456 (define (list-of-namespace-configuration? val)
457 (and (list? val) (and-map namespace-configuration? val)))
458 (define (serialize-list-of-namespace-configuration field-name val)
459 (for-each (lambda (val)
460 (serialize-namespace-configuration field-name val))
463 (define-configuration dovecot-configuration
466 "The dovecot package.")
469 (comma-separated-string-list '("*" "::"))
470 "A list of IPs or hosts where to listen in for connections. @samp{*}
471 listens in all IPv4 interfaces, @samp{::} listens in all IPv6
472 interfaces. If you want to specify non-default ports or anything more
473 complex, customize the address and port fields of the
474 @samp{inet-listener} of the specific services you are interested in.")
477 (protocol-configuration-list
478 (list (protocol-configuration
480 "List of protocols we want to serve. Available protocols include
481 @samp{imap}, @samp{pop3}, and @samp{lmtp}.")
484 (service-configuration-list
486 (service-configuration
492 (inet-listener-configuration (protocol "imap") (port 143) (ssl? #f))
493 (inet-listener-configuration (protocol "imaps") (port 993) (ssl? #t)))))
494 (service-configuration
498 (inet-listener-configuration (protocol "pop3") (port 110) (ssl? #f))
499 (inet-listener-configuration (protocol "pop3s") (port 995) (ssl? #t)))))
500 (service-configuration
505 (list (unix-listener-configuration (path "lmtp") (mode "0666")))))
506 (service-configuration
509 (process-limit 1024))
510 (service-configuration
513 (process-limit 1024))
514 (service-configuration (kind "auth")
515 ;; In what could be taken to be a bug, the default value of 1 for
516 ;; service-count makes it so that a PAM auth worker can't fork off
517 ;; subprocesses for making blocking queries. The result is that nobody
518 ;; can log in -- very secure, but not very useful! If we simply omit
519 ;; the service-count, it will default to the value of
520 ;; auth-worker-max-count, which is 30, instead of defaulting to 1, which
521 ;; is the default for all other services. As a hack, bump this value to
527 (list (unix-listener-configuration (path "auth-userdb")))))
528 (service-configuration
532 (service-configuration
536 (listeners (list (unix-listener-configuration (path "dict")))))))
537 "List of services to enable. Available services include @samp{imap},
538 @samp{imap-login}, @samp{pop3}, @samp{pop3-login}, @samp{auth}, and
542 (dict-configuration (dict-configuration))
543 "Dict configuration, as created by the @code{dict-configuration}
547 (passdb-configuration-list (list (passdb-configuration (driver "pam"))))
548 "List of passdb configurations, each one created by the
549 @code{passdb-configuration} constructor.")
552 (userdb-configuration-list (list (userdb-configuration (driver "passwd"))))
553 "List of userdb configurations, each one created by the
554 @code{userdb-configuration} constructor.")
556 (plugin-configuration
557 (plugin-configuration (plugin-configuration))
558 "Plug-in configuration, created by the @code{plugin-configuration}
562 (list-of-namespace-configuration
564 (namespace-configuration
570 (mailbox-configuration (name "Drafts") (special-use '("\\Drafts")))
571 (mailbox-configuration (name "Junk") (special-use '("\\Junk")))
572 (mailbox-configuration (name "Trash") (special-use '("\\Trash")))
573 (mailbox-configuration (name "Sent") (special-use '("\\Sent")))
574 (mailbox-configuration (name "Sent Messages") (special-use '("\\Sent")))
575 (mailbox-configuration (name "Drafts") (special-use '("\\Drafts"))))))))
576 "List of namespaces. Each item in the list is created by the
577 @code{namespace-configuration} constructor.")
580 (file-name "/var/run/dovecot/")
581 "Base directory where to store runtime data.")
584 (string "Dovecot ready.")
585 "Greeting message for clients.")
587 (login-trusted-networks
588 (space-separated-string-list '())
589 "List of trusted network ranges. Connections from these IPs are
590 allowed to override their IP addresses and ports (for logging and for
591 authentication checks). @samp{disable-plaintext-auth} is also ignored
592 for these networks. Typically you'd specify your IMAP proxy servers
595 (login-access-sockets
596 (space-separated-string-list '())
597 "List of login access check sockets (e.g. tcpwrap).")
601 "Show more verbose process titles (in ps). Currently shows user name
602 and IP address. Useful for seeing who are actually using the IMAP
603 processes (e.g. shared mailboxes or if same uid is used for multiple
608 "Should all processes be killed when Dovecot master process shuts down.
609 Setting this to @code{#f} means that Dovecot can be upgraded without
610 forcing existing client connections to close (although that could also
611 be a problem if the upgrade is e.g. because of a security fix).")
613 (doveadm-worker-count
614 (non-negative-integer 0)
615 "If non-zero, run mail commands via this many connections to doveadm
616 server, instead of running them directly in the same process.")
619 (string "doveadm-server")
620 "UNIX socket or host:port used for connecting to doveadm server.")
623 (space-separated-string-list '("TZ"))
624 "List of environment variables that are preserved on Dovecot startup
625 and passed down to all of its child processes. You can also give
626 key=value pairs to always set specific settings.")
628 ;;; Authentication processes
630 (disable-plaintext-auth?
632 "Disable LOGIN command and all other plaintext authentications unless
633 SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
634 matches the local IP (i.e. you're connecting from the same computer),
635 the connection is considered secure and plaintext authentication is
636 allowed. See also ssl=required setting.")
639 (non-negative-integer 0)
640 "Authentication cache size (e.g. @samp{#e10e6}). 0 means it's disabled.
641 Note that bsdauth, PAM and vpopmail require @samp{cache-key} to be set
642 for caching to be used.")
646 "Time to live for cached data. After TTL expires the cached record
647 is no longer used, *except* if the main database lookup returns internal
648 failure. We also try to handle password changes automatically: If
649 user's previous authentication was successful, but this one wasn't, the
650 cache isn't used. For now this works only with plaintext
653 (auth-cache-negative-ttl
655 "TTL for negative hits (user not found, password mismatch).
656 0 disables caching them completely.")
659 (space-separated-string-list '())
660 "List of realms for SASL authentication mechanisms that need them.
661 You can leave it empty if you don't want to support multiple realms.
662 Many clients simply use the first one listed here, so keep the default
667 "Default realm/domain to use if none was specified. This is used for
668 both SASL realms and appending @@domain to username in plaintext
673 "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@")
674 "List of allowed characters in username. If the user-given username
675 contains a character not listed in here, the login automatically fails.
676 This is just an extra check to make sure user can't exploit any
677 potential quote escaping vulnerabilities with SQL/LDAP databases. If
678 you want to allow all characters, set this value to empty.")
680 (auth-username-translation
682 "Username character translations before it's looked up from
683 databases. The value contains series of from -> to characters. For
684 example @samp{#@@/@@} means that @samp{#} and @samp{/} characters are
685 translated to @samp{@@}.")
687 (auth-username-format
689 "Username formatting before it's looked up from databases. You can
690 use the standard variables here, e.g. %Lu would lowercase the username,
691 %n would drop away the domain if it was given, or @samp{%n-AT-%d} would
692 change the @samp{@@} into @samp{-AT-}. This translation is done after
693 @samp{auth-username-translation} changes.")
695 (auth-master-user-separator
697 "If you want to allow master users to log in by specifying the master
698 username within the normal username string (i.e. not using SASL
699 mechanism's support for it), you can specify the separator character
700 here. The format is then <username><separator><master username>.
701 UW-IMAP uses @samp{*} as the separator, so that could be a good
704 (auth-anonymous-username
706 "Username to use for users logging in with ANONYMOUS SASL
709 (auth-worker-max-count
710 (non-negative-integer 30)
711 "Maximum number of dovecot-auth worker processes. They're used to
712 execute blocking passdb and userdb queries (e.g. MySQL and PAM).
713 They're automatically created and destroyed as needed.")
715 (auth-gssapi-hostname
717 "Host name to use in GSSAPI principal names. The default is to use
718 the name returned by gethostname(). Use @samp{$ALL} (with quotes) to
719 allow all keytab entries.")
723 "Kerberos keytab to use for the GSSAPI mechanism. Will use the
724 system default (usually /etc/krb5.keytab) if not specified. You may
725 need to change the auth service to run as root to be able to read this
730 "Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon
731 and @samp{ntlm-auth} helper.
732 <doc/wiki/Authentication/Mechanisms/Winbind.txt>.")
734 (auth-winbind-helper-path
735 (file-name "/usr/bin/ntlm_auth")
736 "Path for Samba's @samp{ntlm-auth} helper binary.")
740 "Time to delay before replying to failed authentications.")
742 (auth-ssl-require-client-cert?
744 "Require a valid SSL client certificate or the authentication
747 (auth-ssl-username-from-cert?
749 "Take the username from client's SSL certificate, using
750 @code{X509_NAME_get_text_by_NID()} which returns the subject's DN's
754 (space-separated-string-list '("plain"))
755 "List of wanted authentication mechanisms. Supported mechanisms are:
756 @samp{plain}, @samp{login}, @samp{digest-md5}, @samp{cram-md5},
757 @samp{ntlm}, @samp{rpa}, @samp{apop}, @samp{anonymous}, @samp{gssapi},
758 @samp{otp}, @samp{skey}, and @samp{gss-spnego}. NOTE: See also
759 @samp{disable-plaintext-auth} setting.")
762 (space-separated-string-list '())
763 "List of IPs or hostnames to all director servers, including ourself.
764 Ports can be specified as ip:port. The default port is the same as what
765 director service's @samp{inet-listener} is using.")
767 (director-mail-servers
768 (space-separated-string-list '())
769 "List of IPs or hostnames to all backend mail servers. Ranges are
770 allowed too, like 10.0.0.10-10.0.0.30.")
772 (director-user-expire
774 "How long to redirect users to a specific server after it no longer
775 has any connections.")
777 (director-username-hash
779 "How the username is translated before being hashed. Useful values
780 include %Ln if user can log in with or without @@domain, %Ld if mailboxes
781 are shared within domain.")
787 "Log file to use for error messages. @samp{syslog} logs to syslog,
788 @samp{/dev/stderr} logs to stderr.")
792 "Log file to use for informational messages. Defaults to
797 "Log file to use for debug messages. Defaults to
798 @samp{info-log-path}.")
802 "Syslog facility to use if you're logging to syslog. Usually if you
803 don't want to use @samp{mail}, you'll use local0..local7. Also other
804 standard facilities are supported.")
808 "Log unsuccessful authentication attempts and the reasons why they
811 (auth-verbose-passwords?
813 "In case of password mismatches, log the attempted password. Valid
814 values are no, plain and sha1. sha1 can be useful for detecting brute
815 force password attempts vs. user simply trying the same password over
816 and over again. You can also truncate the value to n chars by appending
817 \":n\" (e.g. sha1:6).")
821 "Even more verbose logging for debugging purposes. Shows for example
824 (auth-debug-passwords?
826 "In case of password mismatches, log the passwords and used scheme so
827 the problem can be debugged. Enabling this also enables
832 "Enable mail process debugging. This can help you figure out why
833 Dovecot isn't finding your mails.")
837 "Show protocol level SSL errors.")
840 (string "\"%b %d %H:%M:%S \"")
841 "Prefix for each line written to log file. % codes are in
842 strftime(3) format.")
844 (login-log-format-elements
845 (space-separated-string-list
846 '("user=<%u>" "method=%m" "rip=%r" "lip=%l" "mpid=%e" "%c"))
847 "List of elements we want to log. The elements which have a
848 non-empty variable value are joined together to form a comma-separated
853 "Login log format. %s contains @samp{login-log-format-elements}
854 string, %$ contains the data we want to log.")
857 (string "\"%s(%u)<%{pid}><%{session}>: \"")
858 "Log prefix for mail processes. See doc/wiki/Variables.txt for list
859 of possible variables you can use.")
862 (string "msgid=%m: %$")
863 "Format to use for logging mail deliveries. You can use variables:
866 Delivery status message (e.g. @samp{saved to INBOX})
879 ;;; Mailbox locations and namespaces
883 "Location for users' mailboxes. The default is empty, which means
884 that Dovecot tries to find the mailboxes automatically. This won't work
885 if the user doesn't yet have any mail, so you should explicitly tell
886 Dovecot the full location.
888 If you're using mbox, giving a path to the INBOX
889 file (e.g. /var/mail/%u) isn't enough. You'll also need to tell Dovecot
890 where the other mailboxes are kept. This is called the \"root mail
891 directory\", and it must be the first path given in the
892 @samp{mail-location} setting.
894 There are a few special variables you can use, eg.:
900 user part in user@@domain, same as %u if there's no domain
902 domain part in user@@domain, empty if there's no domain
907 See doc/wiki/Variables.txt for full list. Some examples:
909 @item maildir:~/Maildir
910 @item mbox:~/mail:INBOX=/var/mail/%u
911 @item mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%
916 "System user and group used to access mails. If you use multiple,
917 userdb can override these by returning uid or gid fields. You can use
918 either numbers or names. <doc/wiki/UserIds.txt>.")
924 (mail-privileged-group
926 "Group to enable temporarily for privileged operations. Currently
927 this is used only with INBOX when either its initial creation or
928 dotlocking fails. Typically this is set to \"mail\" to give access to
933 "Grant access to these supplementary groups for mail processes.
934 Typically these are used to set up access to shared mailboxes. Note
935 that it may be dangerous to set these if users can create
936 symlinks (e.g. if \"mail\" group is set here, ln -s /var/mail ~/mail/var
937 could allow a user to delete others' mailboxes, or ln -s
938 /secret/shared/box ~/mail/mybox would allow reading it).")
940 (mail-full-filesystem-access?
942 "Allow full file system access to clients. There's no access checks
943 other than what the operating system does for the active UID/GID. It
944 works with both maildir and mboxes, allowing you to prefix mailboxes
945 names with e.g. /path/ or ~user/.")
951 "Don't use mmap() at all. This is required if you store indexes to
952 shared file systems (NFS or clustered file system).")
956 "Rely on @samp{O_EXCL} to work when creating dotlock files. NFS
957 supports @samp{O_EXCL} since version 3, so this should be safe to use
958 nowadays by default.")
962 "When to use fsync() or fdatasync() calls:
965 Whenever necessary to avoid losing important data
967 Useful with e.g. NFS when write()s are delayed
969 Never use it (best performance, but crashes can lose data).
974 "Mail storage exists in NFS. Set this to yes to make Dovecot flush
975 NFS caches whenever needed. If you're using only a single mail server
980 "Mail index files also exist in NFS. Setting this to yes requires
981 @samp{mmap-disable? #t} and @samp{fsync-disable? #f}.")
985 "Locking method for index files. Alternatives are fcntl, flock and
986 dotlock. Dotlocking uses some tricks which may create more disk I/O
987 than other locking methods. NFS users: flock doesn't work, remember to
988 change @samp{mmap-disable}.")
992 "Directory in which LDA/LMTP temporarily stores incoming mails >128
996 (non-negative-integer 500)
997 "Valid UID range for users. This is mostly to make sure that users can't
998 log in as daemons or other system users. Note that denying root logins is
999 hardcoded to dovecot binary and can't be done even if @samp{first-valid-uid}
1003 (non-negative-integer 0)
1007 (non-negative-integer 1)
1008 "Valid GID range for users. Users having non-valid GID as primary group ID
1009 aren't allowed to log in. If user belongs to supplementary groups with
1010 non-valid GIDs, those groups are not set.")
1013 (non-negative-integer 0)
1016 (mail-max-keyword-length
1017 (non-negative-integer 50)
1018 "Maximum allowed length for mail keyword name. It's only forced when
1019 trying to create new keywords.")
1022 (colon-separated-file-name-list '())
1023 "List of directories under which chrooting is allowed for mail
1024 processes (i.e. /var/mail will allow chrooting to /var/mail/foo/bar
1025 too). This setting doesn't affect @samp{login-chroot}
1026 @samp{mail-chroot} or auth chroot settings. If this setting is empty,
1027 \"/./\" in home dirs are ignored. WARNING: Never add directories here
1028 which local users can modify, that may lead to root exploit. Usually
1029 this should be done only if you don't allow shell access for users.
1030 <doc/wiki/Chrooting.txt>.")
1034 "Default chroot directory for mail processes. This can be overridden
1035 for specific users in user database by giving /./ in user's home
1036 directory (e.g. /home/./user chroots into /home). Note that usually
1037 there is no real need to do chrooting, Dovecot doesn't allow users to
1038 access files outside their mail directory anyway. If your home
1039 directories are prefixed with the chroot directory, append \"/.\" to
1040 @samp{mail-chroot}. <doc/wiki/Chrooting.txt>.")
1043 (file-name "/var/run/dovecot/auth-userdb")
1044 "UNIX socket path to master authentication server to find users.
1045 This is used by imap (for shared users) and lda.")
1048 (file-name "/usr/lib/dovecot")
1049 "Directory where to look up mail plugins.")
1052 (space-separated-string-list '())
1053 "List of plugins to load for all services. Plugins specific to IMAP,
1054 LDA, etc. are added to this list in their own .conf files.")
1057 (mail-cache-min-mail-count
1058 (non-negative-integer 0)
1059 "The minimum number of mails in a mailbox before updates are done to
1060 cache file. This allows optimizing Dovecot's behavior to do less disk
1061 writes at the cost of more disk reads.")
1063 (mailbox-idle-check-interval
1065 "When IDLE command is running, mailbox is checked once in a while to
1066 see if there are any new mails or other changes. This setting defines
1067 the minimum time to wait between those checks. Dovecot can also use
1068 dnotify, inotify and kqueue to find out immediately when changes
1073 "Save mails with CR+LF instead of plain LF. This makes sending those
1074 mails take less CPU, especially with sendfile() syscall with Linux and
1075 FreeBSD. But it also creates a bit more disk I/O which may just make it
1076 slower. Also note that if other software reads the mboxes/maildirs,
1077 they may handle the extra CRs wrong and cause problems.")
1081 "By default LIST command returns all entries in maildir beginning
1082 with a dot. Enabling this option makes Dovecot return only entries
1083 which are directories. This is done by stat()ing each entry, so it
1084 causes more disk I/O.
1085 (For systems setting struct @samp{dirent->d_type} this check is free
1086 and it's done always regardless of this setting).")
1088 (maildir-copy-with-hardlinks?
1090 "When copying a message, do it with hard links whenever possible.
1091 This makes the performance much better, and it's unlikely to have any
1094 (maildir-very-dirty-syncs?
1096 "Assume Dovecot is the only MUA accessing Maildir: Scan cur/
1097 directory only when its mtime changes unexpectedly or when we can't find
1098 the mail otherwise.")
1101 (space-separated-string-list '("fcntl"))
1102 "Which locking methods to use for locking mbox. There are four
1107 Create <mailbox>.lock file. This is the oldest and most NFS-safe
1108 solution. If you want to use /var/mail/ like directory, the users will
1109 need write access to that directory.
1111 Same as dotlock, but if it fails because of permissions or because there
1112 isn't enough disk space, just skip it.
1114 Use this if possible. Works with NFS too if lockd is used.
1116 May not exist in all systems. Doesn't work with NFS.
1118 May not exist in all systems. Doesn't work with NFS.
1121 You can use multiple locking methods; if you do the order they're declared
1122 in is important to avoid deadlocks if other MTAs/MUAs are using multiple
1123 locking methods as well. Some operating systems don't allow using some of
1124 them simultaneously.")
1127 (space-separated-string-list '("dotlock" "fcntl"))
1132 "Maximum time to wait for lock (all of them) before aborting.")
1134 (mbox-dotlock-change-timeout
1136 "If dotlock exists but the mailbox isn't modified in any way,
1137 override the lock file after this much time.")
1141 "When mbox changes unexpectedly we have to fully read it to find out
1142 what changed. If the mbox is large this can take a long time. Since
1143 the change is usually just a newly appended mail, it'd be faster to
1144 simply read the new mails. If this setting is enabled, Dovecot does
1145 this but still safely fallbacks to re-reading the whole mbox file
1146 whenever something in mbox isn't how it's expected to be. The only real
1147 downside to this setting is that if some other MUA changes message
1148 flags, Dovecot doesn't notice it immediately. Note that a full sync is
1149 done with SELECT, EXAMINE, EXPUNGE and CHECK commands.")
1151 (mbox-very-dirty-syncs?
1153 "Like @samp{mbox-dirty-syncs}, but don't do full syncs even with SELECT,
1154 EXAMINE, EXPUNGE or CHECK commands. If this is set,
1155 @samp{mbox-dirty-syncs} is ignored.")
1159 "Delay writing mbox headers until doing a full write sync (EXPUNGE
1160 and CHECK commands and when closing the mailbox). This is especially
1161 useful for POP3 where clients often delete all mails. The downside is
1162 that our changes aren't immediately visible to other MUAs.")
1164 (mbox-min-index-size
1165 (non-negative-integer 0)
1166 "If mbox size is smaller than this (e.g. 100k), don't write index
1167 files. If an index file already exists it's still read, just not
1171 (non-negative-integer #e10e6)
1172 "Maximum dbox file size until it's rotated.")
1174 (mdbox-rotate-interval
1176 "Maximum dbox file age until it's rotated. Typically in days. Day
1177 begins from midnight, so 1d = today, 2d = yesterday, etc. 0 = check
1180 (mdbox-preallocate-space?
1182 "When creating new mdbox files, immediately preallocate their size to
1183 @samp{mdbox-rotate-size}. This setting currently works only in Linux
1184 with some file systems (ext4, xfs).")
1186 (mail-attachment-dir
1188 "sdbox and mdbox support saving mail attachments to external files,
1189 which also allows single instance storage for them. Other backends
1190 don't support this for now.
1192 WARNING: This feature hasn't been tested much yet. Use at your own risk.
1194 Directory root where to store mail attachments. Disabled, if empty.")
1196 (mail-attachment-min-size
1197 (non-negative-integer #e128e3)
1198 "Attachments smaller than this aren't saved externally. It's also
1199 possible to write a plugin to disable saving specific attachments
1203 (string "sis posix")
1204 "File system backend to use for saving attachments:
1207 No SiS done by Dovecot (but this might help FS's own deduplication)
1209 SiS with immediate byte-by-byte comparison during saving
1210 @item sis-queue posix
1211 SiS with delayed comparison and deduplication.
1214 (mail-attachment-hash
1216 "Hash format to use in attachment filenames. You can add any text and
1217 variables: @code{%@{md4@}}, @code{%@{md5@}}, @code{%@{sha1@}},
1218 @code{%@{sha256@}}, @code{%@{sha512@}}, @code{%@{size@}}. Variables can be
1219 truncated, e.g. @code{%@{sha256:80@}} returns only first 80 bits.")
1221 (default-process-limit
1222 (non-negative-integer 100)
1225 (default-client-limit
1226 (non-negative-integer 1000)
1230 (non-negative-integer #e256e6)
1231 "Default VSZ (virtual memory size) limit for service processes.
1232 This is mainly intended to catch and kill processes that leak memory
1233 before they eat up everything.")
1237 "Login user is internally used by login processes. This is the most
1238 untrusted user in Dovecot system. It shouldn't have access to anything
1241 (default-internal-user
1243 "Internal user is used by unprivileged processes. It should be
1244 separate from login user, so that login processes can't disturb other
1249 "SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>.")
1252 (string "</etc/dovecot/default.pem")
1253 "PEM encoded X.509 SSL/TLS certificate (public key).")
1256 (string "</etc/dovecot/private/default.pem")
1257 "PEM encoded SSL/TLS private key. The key is opened before
1258 dropping root privileges, so keep the key file unreadable by anyone but
1263 "If key file is password protected, give the password here.
1264 Alternatively give it when starting dovecot with -p parameter. Since
1265 this file is often world-readable, you may want to place this setting
1266 instead to a different.")
1270 "PEM encoded trusted certificate authority. Set this only if you
1271 intend to use @samp{ssl-verify-client-cert? #t}. The file should
1272 contain the CA certificate(s) followed by the matching
1273 CRL(s). (e.g. @samp{ssl-ca </etc/ssl/certs/ca.pem}).")
1276 "Require that CRL check succeeds for client certificates.")
1277 (ssl-verify-client-cert?
1279 "Request client to send a certificate. If you also want to require
1280 it, set @samp{auth-ssl-require-client-cert? #t} in auth section.")
1282 (ssl-cert-username-field
1283 (string "commonName")
1284 "Which field from certificate to use for username. commonName and
1285 x500UniqueIdentifier are the usual choices. You'll also need to set
1286 @samp{auth-ssl-username-from-cert? #t}.")
1290 "Minimum SSL protocol version to accept.")
1293 (string "ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH")
1294 "SSL ciphers to use.")
1298 "SSL crypto device to use, for valid values run \"openssl engine\".")
1301 (string "postmaster@%d")
1302 "Address to use when sending rejection mails.
1303 Default is postmaster@@<your domain>. %d expands to recipient domain.")
1307 "Hostname to use in various parts of sent mails (e.g. in Message-Id)
1308 and in LMTP replies. Default is the system's real hostname@@domain.")
1310 (quota-full-tempfail?
1312 "If user is over quota, return with temporary failure instead of
1313 bouncing the mail.")
1316 (file-name "/usr/sbin/sendmail")
1317 "Binary to use for sending mails.")
1321 "If non-empty, send mails via this SMTP host[:port] instead of
1325 (string "Rejected: %s")
1326 "Subject: header to use for rejection mails. You can use the same
1327 variables as for @samp{rejection-reason} below.")
1330 (string "Your message to <%t> was automatically rejected:%n%r")
1331 "Human readable error message for rejection mails. You can use
1345 (recipient-delimiter
1347 "Delimiter character between local-part and detail in email
1350 (lda-original-recipient-header
1352 "Header where the original recipient address (SMTP's RCPT TO:
1353 address) is taken from if not available elsewhere. With dovecot-lda -a
1354 parameter overrides this. A commonly used header for this is
1357 (lda-mailbox-autocreate?
1359 "Should saving a mail to a nonexistent mailbox automatically create
1362 (lda-mailbox-autosubscribe?
1364 "Should automatically created mailboxes be also automatically
1368 (imap-max-line-length
1369 (non-negative-integer #e64e3)
1370 "Maximum IMAP command line length. Some clients generate very long
1371 command lines with huge mailboxes, so you may need to raise this if you
1372 get \"Too long argument\" or \"IMAP command line too large\" errors
1376 (string "in=%i out=%o deleted=%{deleted} expunged=%{expunged} trashed=%{trashed} hdr_count=%{fetch_hdr_count} hdr_bytes=%{fetch_hdr_bytes} body_count=%{fetch_body_count} body_bytes=%{fetch_body_bytes}")
1377 "IMAP logout format string:
1380 total number of bytes read from client
1382 total number of bytes sent to client.
1384 See @file{doc/wiki/Variables.txt} for a list of all the variables you can use.")
1388 "Override the IMAP CAPABILITY response. If the value begins with '+',
1389 add the given capabilities on top of the defaults (e.g. +XFOO XBAR).")
1391 (imap-idle-notify-interval
1393 "How long to wait between \"OK Still here\" notifications when client
1398 "ID field names and values to send to clients. Using * as the value
1399 makes Dovecot use the default value. The following fields have default
1400 values currently: name, version, os, os-version, support-url,
1405 "ID fields sent by client to log. * means everything.")
1407 (imap-client-workarounds
1408 (space-separated-string-list '())
1409 "Workarounds for various client bugs:
1413 Send EXISTS/RECENT new mail notifications only when replying to NOOP and
1414 CHECK commands. Some clients ignore them otherwise, for example OSX
1415 Mail (<v2.1). Outlook Express breaks more badly though, without this it
1416 may show user \"Message no longer in server\" errors. Note that OE6
1417 still breaks even with this workaround if synchronization is set to
1420 @item tb-extra-mailbox-sep
1421 Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
1422 adds extra @samp{/} suffixes to mailbox names. This option causes Dovecot to
1423 ignore the extra @samp{/} instead of treating it as invalid mailbox name.
1426 Show \\Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
1427 This makes Thunderbird realize they aren't selectable and show them
1428 greyed out, instead of only later giving \"not selectable\" popup error.
1434 "Host allowed in URLAUTH URLs sent by client. \"*\" allows all.") )
1436 (define-configuration opaque-dovecot-configuration
1439 "The dovecot package.")
1442 (string (configuration-missing-field 'opaque-dovecot-configuration
1444 "The contents of the @code{dovecot.conf} to use."))
1446 (define %dovecot-accounts
1447 ;; Account and group for the Dovecot daemon.
1448 (list (user-group (name "dovecot") (system? #t))
1453 (comment "Dovecot daemon user")
1454 (home-directory "/var/empty")
1455 (shell (file-append shadow "/sbin/nologin")))
1457 (user-group (name "dovenull") (system? #t))
1462 (comment "Dovecot daemon login user")
1463 (home-directory "/var/empty")
1464 (shell (file-append shadow "/sbin/nologin")))))
1466 (define (%dovecot-activation config)
1470 ((opaque-dovecot-configuration? config)
1471 (opaque-dovecot-configuration-string config))
1473 (with-output-to-string
1475 (serialize-configuration config
1476 dovecot-configuration-fields)))))))
1478 (use-modules (guix build utils))
1479 (define (mkdir-p/perms directory owner perms)
1481 (chown "/var/run/dovecot" (passwd:uid owner) (passwd:gid owner))
1482 (chmod directory perms))
1483 (define (build-subject parameters)
1486 (let ((k (car pair)) (v (cdr pair)))
1487 (define (escape-char str chr)
1488 (string-join (string-split str chr) (string #\\ chr)))
1489 (string-append "/" k "="
1490 (escape-char (escape-char v #\=) #\/))))
1491 (filter (lambda (pair) (cdr pair)) parameters))))
1492 (define* (create-self-signed-certificate-if-absent
1493 #:key private-key public-key (owner (getpwnam "root"))
1494 (common-name (gethostname))
1495 (organization-name "GuixSD")
1496 (organization-unit-name "Default Self-Signed Certificate")
1497 (subject-parameters `(("CN" . ,common-name)
1498 ("O" . ,organization-name)
1499 ("OU" . ,organization-unit-name)))
1500 (subject (build-subject subject-parameters)))
1501 ;; Note that by default, OpenSSL outputs keys in PEM format. This
1503 (unless (file-exists? private-key)
1505 ((zero? (system* (string-append #$openssl "/bin/openssl")
1506 "genrsa" "-out" private-key "2048"))
1507 (chown private-key (passwd:uid owner) (passwd:gid owner))
1508 (chmod private-key #o400))
1510 (format (current-error-port)
1511 "Failed to create private key at ~a.\n" private-key))))
1512 (unless (file-exists? public-key)
1514 ((zero? (system* (string-append #$openssl "/bin/openssl")
1515 "req" "-new" "-x509" "-key" private-key
1516 "-out" public-key "-days" "3650"
1517 "-batch" "-subj" subject))
1518 (chown public-key (passwd:uid owner) (passwd:gid owner))
1519 (chmod public-key #o444))
1521 (format (current-error-port)
1522 "Failed to create public key at ~a.\n" public-key)))))
1523 (let ((user (getpwnam "dovecot")))
1524 (mkdir-p/perms "/var/run/dovecot" user #o755)
1525 (mkdir-p/perms "/var/lib/dovecot" user #o755)
1526 (mkdir-p/perms "/etc/dovecot" user #o755)
1527 (copy-file #$(plain-file "dovecot.conf" config-str)
1528 "/etc/dovecot/dovecot.conf")
1529 (mkdir-p/perms "/etc/dovecot/private" user #o700)
1530 (create-self-signed-certificate-if-absent
1531 #:private-key "/etc/dovecot/private/default.pem"
1532 #:public-key "/etc/dovecot/default.pem"
1533 #:owner (getpwnam "root")
1534 #:common-name (format #f "Dovecot service on ~a" (gethostname)))))))
1536 (define (dovecot-shepherd-service config)
1537 "Return a list of <shepherd-service> for CONFIG."
1538 (let ((dovecot (if (opaque-dovecot-configuration? config)
1539 (opaque-dovecot-configuration-dovecot config)
1540 (dovecot-configuration-dovecot config))))
1541 (list (shepherd-service
1542 (documentation "Run the Dovecot POP3/IMAP mail server.")
1543 (provision '(dovecot))
1544 (requirement '(networking))
1545 (start #~(make-forkexec-constructor
1546 (list (string-append #$dovecot "/sbin/dovecot")
1548 (stop #~(make-forkexec-constructor
1549 (list (string-append #$dovecot "/sbin/dovecot")
1552 (define %dovecot-pam-services
1553 (list (unix-pam-service "dovecot")))
1555 (define dovecot-service-type
1556 (service-type (name 'dovecot)
1558 (list (service-extension shepherd-root-service-type
1559 dovecot-shepherd-service)
1560 (service-extension account-service-type
1561 (const %dovecot-accounts))
1562 (service-extension pam-root-service-type
1563 (const %dovecot-pam-services))
1564 (service-extension activation-service-type
1565 %dovecot-activation)))))
1567 (define* (dovecot-service #:key (config (dovecot-configuration)))
1568 "Return a service that runs @command{dovecot}, a mail server that can run
1569 POP3, IMAP, and LMTP. @var{config} should be a configuration object created
1570 by @code{dovecot-configuration}. @var{config} may also be created by
1571 @code{opaque-dovecot-configuration}, which allows specification of the
1572 @code{dovecot.conf} as a string."
1573 (validate-configuration config
1574 (if (opaque-dovecot-configuration? config)
1575 opaque-dovecot-configuration-fields
1576 dovecot-configuration-fields))
1577 (service dovecot-service-type config))
1579 ;; A little helper to make it easier to document all those fields.
1580 (define (generate-dovecot-documentation)
1581 (generate-documentation
1582 `((dovecot-configuration
1583 ,dovecot-configuration-fields
1584 (dict dict-configuration)
1585 (namespaces namespace-configuration)
1586 (plugin plugin-configuration)
1587 (passdbs passdb-configuration)
1588 (userdbs userdb-configuration)
1589 (services service-configuration)
1590 (protocols protocol-configuration))
1591 (dict-configuration ,dict-configuration-fields)
1592 (plugin-configuration ,plugin-configuration-fields)
1593 (passdb-configuration ,passdb-configuration-fields)
1594 (userdb-configuration ,userdb-configuration-fields)
1595 (unix-listener-configuration ,unix-listener-configuration-fields)
1596 (fifo-listener-configuration ,fifo-listener-configuration-fields)
1597 (inet-listener-configuration ,inet-listener-configuration-fields)
1598 (namespace-configuration
1599 ,namespace-configuration-fields
1600 (mailboxes mailbox-configuration))
1601 (mailbox-configuration ,mailbox-configuration-fields)
1602 (service-configuration
1603 ,service-configuration-fields
1604 (listeners unix-listener-configuration fifo-listener-configuration
1605 inet-listener-configuration))
1606 (protocol-configuration ,protocol-configuration-fields))
1607 'dovecot-configuration))
1614 (define-record-type* <opensmtpd-configuration>
1615 opensmtpd-configuration make-opensmtpd-configuration
1616 opensmtpd-configuration?
1617 (package opensmtpd-configuration-package
1618 (default opensmtpd))
1619 (config-file opensmtpd-configuration-config-file
1620 (default %default-opensmtpd-config-file)))
1622 (define %default-opensmtpd-config-file
1623 (plain-file "smtpd.conf" "
1625 accept from any for local deliver to mbox
1626 accept from local for any relay
1629 (define opensmtpd-shepherd-service
1631 (($ <opensmtpd-configuration> package config-file)
1632 (list (shepherd-service
1633 (provision '(smtpd))
1634 (requirement '(loopback))
1635 (documentation "Run the OpenSMTPD daemon.")
1636 (start (let ((smtpd (file-append package "/sbin/smtpd")))
1637 #~(make-forkexec-constructor
1638 (list #$smtpd "-f" #$config-file)
1639 #:pid-file "/var/run/smtpd.pid")))
1640 (stop #~(make-kill-destructor)))))))
1642 (define %opensmtpd-accounts
1650 (comment "SMTP Daemon")
1651 (home-directory "/var/empty")
1652 (shell (file-append shadow "/sbin/nologin")))
1657 (comment "SMTPD Queue")
1658 (home-directory "/var/empty")
1659 (shell (file-append shadow "/sbin/nologin")))))
1661 (define opensmtpd-activation
1663 (($ <opensmtpd-configuration> package config-file)
1664 (let ((smtpd (file-append package "/sbin/smtpd")))
1666 (use-modules (guix build utils))
1667 ;; Create mbox and spool directories.
1668 (mkdir-p "/var/mail")
1669 (mkdir-p "/var/spool/smtpd")
1670 (chmod "/var/spool/smtpd" #o711))))))
1672 (define opensmtpd-service-type
1676 (list (service-extension account-service-type
1677 (const %opensmtpd-accounts))
1678 (service-extension activation-service-type
1679 opensmtpd-activation)
1680 (service-extension profile-service-type
1681 (compose list opensmtpd-configuration-package))
1682 (service-extension shepherd-root-service-type
1683 opensmtpd-shepherd-service)))))
1690 (define (mail-aliases-etc aliases)
1691 `(("aliases" ,(plain-file "aliases"
1692 ;; Ideally we'd use a format string like
1693 ;; "~:{~a: ~{~a~^,~}\n~}", but it gives a
1694 ;; warning that I can't figure out how to fix,
1695 ;; so we'll just use string-join below instead.
1696 (format #f "~:{~a: ~a\n~}"
1698 ((alias addresses ...)
1699 (list alias (string-join addresses ","))))
1702 (define mail-aliases-service-type
1704 (name 'mail-aliases)
1706 (list (service-extension etc-service-type mail-aliases-etc)))
1707 (compose concatenate)
1715 (define-record-type* <exim-configuration> exim-configuration
1716 make-exim-configuration
1718 (package exim-configuration-package ;<package>
1720 (config-file exim-configuration-config-file ;file-like
1723 (define %exim-accounts
1731 (comment "Exim Daemon")
1732 (home-directory "/var/empty")
1733 (shell (file-append shadow "/sbin/nologin")))))
1735 (define (exim-computed-config-file package config-file)
1736 (computed-file "exim.conf"
1737 #~(call-with-output-file #$output
1744 (file-append package "/etc/exim.conf")))))))
1746 (define exim-shepherd-service
1748 (($ <exim-configuration> package config-file)
1749 (list (shepherd-service
1750 (provision '(exim mta))
1751 (documentation "Run the exim daemon.")
1752 (requirement '(networking))
1753 (start #~(make-forkexec-constructor
1754 '(#$(file-append package "/bin/exim")
1756 #$(exim-computed-config-file package config-file))))
1757 (stop #~(make-kill-destructor)))))))
1759 (define exim-activation
1761 (($ <exim-configuration> package config-file)
1762 (with-imported-modules '((guix build utils))
1764 (use-modules (guix build utils))
1766 (let ((uid (passwd:uid (getpw "exim")))
1767 (gid (group:gid (getgr "exim"))))
1768 (mkdir-p "/var/spool/exim")
1769 (chown "/var/spool/exim" uid gid))
1771 (zero? (system* #$(file-append package "/bin/exim")
1772 "-bV" "-C" #$(exim-computed-config-file package config-file))))))))
1774 (define exim-profile
1775 (compose list exim-configuration-package))
1777 (define exim-service-type
1781 (list (service-extension shepherd-root-service-type exim-shepherd-service)
1782 (service-extension account-service-type (const %exim-accounts))
1783 (service-extension activation-service-type exim-activation)
1784 (service-extension profile-service-type exim-profile)
1785 (service-extension mail-aliases-service-type (const '()))))))