add full support for tls wrapped mode

5 files changed, 93 insertions, 39 deletions

diff --git a/README.md b/README.md
index 960e8c5..5561bd2 100644
--- a/README.md
+++ b/README.md
@@ -35,12 +35,15 @@ D9FE 4119 F082 6F15 93BD  BD36 6162 DBA5 635E A16A
  * [x] Multiple Domains
  * Postfix MTA
     - [x] smtp on port 25
-    - [x] submission port 587
+    - [x] submission tls on port 465
+    - [x] submission starttls on port 587
     - [x] lmtp with dovecot
  * Dovecot
     - [x] maildir folders
-    - [x] imap starttls on port 143
-    - [x] pop3 starttls on port 110
+    - [x] imap with tls on port 993
+    - [x] pop3 with tls on port 995
+    - [x] imap with starttls on port 143
+    - [x] pop3 with starttls on port 110
  * Certificates
     - [x] manual certificates
     - [x] on the fly creation
diff --git a/default.nix b/default.nix
index 6372574..b5c4799 100644
--- a/default.nix
+++ b/default.nix
@@ -396,21 +396,31 @@ in
       type = types.bool;
       default = true;
       description = ''
-        Whether to enable imap / pop3. Both variants are only supported in the
-        (sane) startTLS configuration. The ports are
-
-        110 - Pop3
-        143 - IMAP
-        587 - SMTP with login
+        Whether to enable IMAP with STARTTLS on port 143.
       '';
     };
 
     enableImapSsl = mkOption {
       type = types.bool;
-      default = false;
+      default = true;
+      description = ''
+        Whether to enable IMAP with TLS in wrapper-mode on port 993.
+      '';
+    };
+
+    enableSubmission = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Whether to enable SMTP with STARTTLS on port 587.
+      '';
+    };
+
+    enableSubmissionSsl = mkOption {
+      type = types.bool;
+      default = true;
       description = ''
-        Whether to enable IMAPS, setting this option to true will open port 993
-        in the firewall.
+        Whether to enable SMTP with TLS in wrapper-mode on port 465.
       '';
     };
 
@@ -418,12 +428,7 @@ in
       type = types.bool;
       default = false;
       description = ''
-        Whether to enable POP3. Both variants are only supported in the (sane)
-        startTLS configuration. The ports are
-
-        110 - Pop3
-        143 - IMAP
-        587 - SMTP with login
+        Whether to enable POP3 with STARTTLS on port on port 110.
       '';
     };
 
@@ -431,8 +436,7 @@ in
       type = types.bool;
       default = false;
       description = ''
-        Whether to enable POP3S, setting this option to true will open port 995
-        in the firewall.
+        Whether to enable POP3 with TLS in wrapper-mode on port 995.
       '';
     };
 
diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix
index fa7a3c8..56cc1ab 100644
--- a/mail-server/dovecot.nix
+++ b/mail-server/dovecot.nix
@@ -84,8 +84,8 @@ in
   config = with cfg; lib.mkIf enable {
     services.dovecot2 = {
       enable = true;
-      enableImap = enableImap;
-      enablePop3 = enablePop3;
+      enableImap = enableImap || enableImapSsl;
+      enablePop3 = enablePop3 || enablePop3Ssl;
       enablePAM = false;
       enableQuota = true;
       mailGroup = vmailGroupName;
@@ -95,7 +95,7 @@ in
       sslServerKey = keyPath;
       enableLmtp = true;
       modules = [ pkgs.dovecot_pigeonhole ];
-      protocols = [ "sieve" ];
+      protocols = lib.optional cfg.enableManageSieve "sieve";
 
       sieveScripts = {
         after = builtins.toFile "spam.sieve" ''
@@ -118,6 +118,45 @@ in
           verbose_ssl = yes
         ''}
 
+        ${lib.optionalString (cfg.enableImap || cfg.enableImapSsl) ''
+          service imap-login {
+            inet_listener imap {
+              ${if cfg.enableImap then ''
+                port = 143
+              '' else ''
+                port = 0
+              ''}
+            }
+            inet_listener imaps {
+              ${if cfg.enableImapSsl then ''
+                port = 993
+                ssl = yes
+              '' else ''
+                port = 0
+              ''}
+            }
+          }
+        ''}
+        ${lib.optionalString (cfg.enablePop3 || cfg.enablePop3Ssl) ''
+          service pop3-login {
+            inet_listener pop3 {
+              ${if cfg.enablePop3 then ''
+                port = 110
+              '' else ''
+                port = 0
+              ''}
+            }
+            inet_listener pop3s {
+              ${if cfg.enablePop3Ssl then ''
+                port = 995
+                ssl = yes
+              '' else ''
+                port = 0
+              ''}
+            }
+          }
+        ''}
+
         protocol imap {
           mail_max_userip_connections = ${toString cfg.maxConnectionsPerUser}
           mail_plugins = $mail_plugins imap_sieve
diff --git a/mail-server/networking.nix b/mail-server/networking.nix
index 056e411..8c8a500 100644
--- a/mail-server/networking.nix
+++ b/mail-server/networking.nix
@@ -23,7 +23,9 @@ in
   config = with cfg; lib.mkIf enable {
 
     networking.firewall = {
-      allowedTCPPorts = [ 25 587 ]
+      allowedTCPPorts = [ 25 ]
+        ++ lib.optional enableSubmission 587
+        ++ lib.optional enableSubmissionSsl 465
         ++ lib.optional enableImap 143
         ++ lib.optional enableImapSsl 993
         ++ lib.optional enablePop3 110
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index 77256df..d5281eb 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -121,6 +121,21 @@ let
   ''));
 
   mappedFile = name: "hash:/var/lib/postfix/conf/${name}";
+
+  submissionOptions =
+    {
+      smtpd_tls_security_level = "encrypt";
+      smtpd_sasl_auth_enable = "yes";
+      smtpd_sasl_type = "dovecot";
+      smtpd_sasl_path = "/run/dovecot2/auth";
+      smtpd_sasl_security_options = "noanonymous";
+      smtpd_sasl_local_domain = "$myhostname";
+      smtpd_client_restrictions = "permit_sasl_authenticated,reject";
+      smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts";
+      smtpd_sender_restrictions = "reject_sender_login_mismatch";
+      smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
+      cleanup_service_name = "submission-header-cleanup";
+    };
 in
 {
   config = with cfg; lib.mkIf enable {
@@ -136,7 +151,8 @@ in
       mapFiles."reject_recipients" = reject_recipients_file;
       sslCert = certificatePath;
       sslKey = keyPath;
-      enableSubmission = true;
+      enableSubmission = cfg.enableSubmission;
+      enableSubmissions = cfg.enableSubmissionSsl;
       virtual =
         (lib.concatStringsSep "\n" (all_valiases_postfix ++ catchAllPostfix ++ forwards));
 
@@ -219,20 +235,10 @@ in
         milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}";
 
       };
-      submissionOptions =
-      {
-        smtpd_tls_security_level = "encrypt";
-        smtpd_sasl_auth_enable = "yes";
-        smtpd_sasl_type = "dovecot";
-        smtpd_sasl_path = "/run/dovecot2/auth";
-        smtpd_sasl_security_options = "noanonymous";
-        smtpd_sasl_local_domain = "$myhostname";
-        smtpd_client_restrictions = "permit_sasl_authenticated,reject";
-        smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts";
-        smtpd_sender_restrictions = "reject_sender_login_mismatch";
-        smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
-        cleanup_service_name = "submission-header-cleanup";
-      };
+
+      submissionOptions = submissionOptions;
+      submissionsOptions = submissionOptions;
+
       masterConfig = {
         "policy-spf" = {
           type = "unix";