Mailserver options

mailserver

mailserver.aliases

  • type: attribute set of ((Login Account) or non-empty (list of (Login Account)))

  • default: { }

  • example:

    {
  "abuse@example.com" = "user1@example.com";
  "multi@example.com" = [
    "user1@example.com"
    "user2@example.com"
  ];
  "postmaster@example.com" = "user1@example.com";
}

Aliases are additional mail addresses routed to one or more existing local accounts.

The target accounts are allowed to use the alias as the sender address.

Note

This feature is limited to local accounts and does not support LDAP or other external accounts.

mailserver.debug.all

  • type: boolean

  • default: false

Whether to enable verbose logging for all mailserver related services. This intended be used for development purposes only, you probably don't want to enable this unless you're hacking on nixos-mailserver.

mailserver.debug.dovecot

  • type: boolean

  • default: config.mailserver.debug.all

Whether to enable verbose logging for Dovecot.

mailserver.debug.rspamd

  • type: boolean

  • default: config.mailserver.debug.all

Whether to enable verbose logging for Rspamd.

mailserver.domains

  • type: list of string

  • default: [ ]

  • example:

    [
  "example.com"
]

The domains that this mail server serves.

mailserver.enable

  • type: boolean

  • default: false

  • example: true

Whether to enable nixos-mailserver.

mailserver.enableImap

  • type: boolean

  • default: false

Whether to enable IMAP with STARTTLS on port 143.

The use of this port is deprecated per RFC 8314 4.1.

mailserver.enableImapSsl

  • type: boolean

  • default: true

Whether to enable IMAP with TLS in wrapper-mode on port 993.

mailserver.enableManageSieve

  • type: boolean

  • default: false

Whether to enable ManageSieve, setting this option to true will open port 4190 in the firewall.

The ManageSieve protocol allows users to manage their Sieve scripts on a remote server with a supported client, including Thunderbird.

mailserver.enableNixpkgsReleaseCheck

  • type: boolean

  • default: true

Whether to check for a release mismatch between NixOS mailserver and Nixpkgs.

Using mismatched versions is likely to cause compatibility issues and may require migrations that make an eventual rollback tricky.

It is therefore highly recommended to use a release of NixOS mailserver that corresponds with your chosen release of Nixpkgs.

mailserver.enablePop3

  • type: boolean

  • default: false

Whether to enable POP3 with STARTTLS on port on port 110.

The use of this port is deprecated per RFC 8314 4.1.

mailserver.enablePop3Ssl

  • type: boolean

  • default: false

Whether to enable POP3 with TLS in wrapper-mode on port 995.

mailserver.enableSubmission

  • type: boolean

  • default: false

Whether to enable SMTP with STARTTLS on port 587.

The use of this port is discouraged per RFC 8314 3.3, see also Appendix A.

mailserver.enableSubmissionSsl

  • type: boolean

  • default: true

Whether to enable SMTP with TLS in wrapper-mode on port 465.

mailserver.forwards

  • type: attribute set of ((list of string) or string)

  • default: { }

  • example:

    {
  "gamenight@example.com" = [
    "bob@example.com"
    "frank@example.org"
    "wendy@example.net"
  ];
  "user@example.com" = "user@example.edu";
}

Forwards route mail from local addresses to one or more local or external addresses.

Unlike mailserver.aliases, the target addresses cannot send mail using the forward address.

mailserver.fqdn

  • type: string

  • example: "mx.example.com"

The fully qualified domain name of the mail server.

mailserver.hierarchySeparator

  • type: string

  • default: "."

The hierarchy separator for mailboxes used by dovecot for the namespace 'inbox'. Dovecot defaults to "." but recommends "/". This affects how mailboxes appear to mail clients and sieve scripts. For instance when using "." then in a sieve script "example.com" would refer to the mailbox "com" in the parent mailbox "example". This does not determine the way your mails are stored on disk. See https://doc.dovecot.org/2.4.4/core/config/namespaces.html#namespaces for details.

mailserver.imapMemoryLimit

  • type: signed integer

  • default: 256

The memory limit for the imap service, in megabytes.

mailserver.indexDir

  • type: null or string

  • default: null

  • example: "/var/lib/dovecot/indices"

Folder to store search indices. If null, indices are stored along with email, which could not necessarily be desirable, especially when mailserver.fullTextSearch.enable is true since indices it creates are voluminous and do not need to be backed up.

Be careful when changing this option value since all indices would be recreated at the new location (and clients would need to resynchronize).

mailserver.lmtpMemoryLimit

  • type: signed integer

  • default: 256

The memory limit for the LMTP service, in megabytes.

mailserver.lmtpSaveToDetailMailbox

  • type: boolean

  • default: true

If an email address is delimited by a "+", should it be filed into a mailbox matching the string after the "+"? For example, user1+test@example.com would be filed into the mailbox "test".

mailserver.localDnsResolver

  • type: boolean

  • default: true

Runs a local DNS resolver (kresd) as recommended when running rspamd. This prevents your log file from filling up with rspamd_monitored_dns_mon entries.

mailserver.mailboxes

  • type: unspecified value

  • default:

    {
  Drafts = {
    auto = "subscribe";
    special_use = "\\Drafts";
  };
  Junk = {
    auto = "subscribe";
    fts_autoindex = false;
    special_use = "\\Junk";
  };
  Sent = {
    auto = "subscribe";
    special_use = "\\Sent";
  };
  Trash = {
    auto = "no";
    fts_autoindex = false;
    special_use = "\\Trash";
  };
}

The default mailboxes for Dovecot maildirs.

The [special_use] option must refer to an RFC6154 2 attribute and lead with an escaped backslash.

Depending on the mail client used it might be necessary to change some mailbox's name.

mailserver.maxConnectionsPerUser

  • type: signed integer

  • default: 100

Maximum number of IMAP/POP3 connections allowed for a user from each IP address. E.g. a value of 50 allows for 50 IMAP and 50 POP3 connections at the same time for a single user.

mailserver.messageSizeLimit

  • type: signed integer

  • default: 20971520

  • example: 52428800

Message size limit enforced by Postfix.

mailserver.openFirewall

  • type: boolean

  • default: true

Automatically open ports in the firewall.

mailserver.recipientDelimiter

  • type: string

  • default: "+"

Configure the recipient delimiter.

mailserver.rejectRecipients

  • type: list of string

  • default: [ ]

  • example:

    [
  "sales@example.com"
  "info@example.com"
]

Reject emails addressed to these local addresses from unauthorized senders. Use if a spammer has found email addresses in a catchall domain but you do not want to disable the catchall.

mailserver.rejectSender

  • type: list of string

  • default: [ ]

  • example:

    [
  "example.com"
  "spammer@example.net"
]

Reject emails from these addresses from unauthorized senders. Use if a spammer is using the same domain or the same sender over and over.

mailserver.rejectSenderMessage

  • type: string

  • default: ""

  • example: "Your e-mail has not been delivered because we have blocked your e-mail address. If you believe that your e-mail address has been blocked by mistake, or if you have any other legitimate concern, please contact <address>."

SMTP message returned to rejected senders. If not set the Postfix default will be used.

The message must be a single line and typically much shorter than 512 characters.

This could for example be used to provide a contact method (postal address, phone or alternative email) so rejected senders can exercise their Art. 21 GDPR right to object.

It is good practice to inform senders in advance that their email addresses may be processed for this purpose in accordance with Art. 13 GDPR. Storing their mail address for this purpose is generally regarded as a legitimate interest.

mailserver.rewriteMessageId

  • type: boolean

  • default: false

Rewrites the Message-ID's hostname-part of outgoing emails to the FQDN. Please be aware that this may cause problems with some mail clients relying on the original Message-ID.

mailserver.sendingFqdn

The fully qualified domain name of the mail server used to identify with remote servers.

If this server's IP serves purposes other than a mail server, it may be desirable for the server to have a name other than that to which the user will connect. For example, the user might connect to mx.example.com, but the server's IP has reverse DNS that resolves to myserver.example.com; in this scenario, some mail servers may reject or penalize the message.

This setting allows the server to identify as myserver.example.com when forwarding mail, independently of mailserver.fqdn (which, for SSL reasons, should generally be the name to which the user connects).

Set this to the name to which the sending IP's reverse DNS resolves.

mailserver.stateVersion

  • type: null or (positive integer, meaning >0)

  • default: null

Tracking stateful version changes as an incrementing number.

When a new release comes out we may require manual migration steps to be completed, before the new version can be put into production.

If your stateVersion is too low one or multiple assertions may trigger to give you instructions on what migrations steps are required to continue. Increase the stateVersion as instructed by the assertion message.

mailserver.systemContact

  • type: string

  • example: "postmaster@example.com"

The email address where the administrative contact for this mail server is reachable.

Currently, this is only required when one of the following features is enabled:

  • SMTP TLS reports (mailserver.tlsrpt.enable)

mailserver.systemDomain

  • type: string

  • default:

    if config.networking.domain != null && lib.elem config.networking.domain cfg.domains then
  config.networking.domain
else
  lib.head cfg.domains

  • example: config.networking.domain

The primary domain used for sending automated reports.

mailserver.systemName

  • type: string

  • default: ${config.mailserver.systemDomain} mail system

  • example: "ACME Corp."

The sender name given in automated reports.

mailserver.useUTF8FolderNames

  • type: boolean

  • default: false

Store mailbox names on disk using UTF-8 instead of modified UTF-7 (mUTF-7).

mailserver.virusScanning

  • type: boolean

  • default: false

Whether to activate virus scanning. Note that virus scanning is very expensive memory wise.

mailserver.accounts

mailserver.accounts

  • type: attribute set of (submodule)

  • default: { }

  • example:

    {
  user1 = {
    # This password hash leaks into the Nix store
    hashedPassword = "$y$j9T$y6eZ1o.IvVNfdGMAsUEvh1$6K/llP52uw2iDh4iSwtAn54/JYy7FzCcoCHmjmx00H5";
  };
  user2 = {
    # Hashed password passed as a file
    hashedPasswordFile = "/run/keys/user2-pw-hash";
  };
  user3 = {
    # Plaintext password file
    passwordFile = "/run/keys/user3-pw";
  };
}

Attribute set of mail accounts.

Each entry defines a mailbox and login credentials, where the attribute name is used as the login username and optionally routed mail address.

Use mkpasswd to generate password hashes.

mailserver.accounts.<name>.aliases

  • type: list of string

  • default: [ ]

  • example:

    [
  "abuse@example.com"
  "postmaster@example.com"
]

List of additional mail addresses (aliases) that get routed to this account.

Catch-all with sending permissions

Configure @example.com to create a catch-all for this domain that also allows sending from all addresses.

mailserver.accounts.<name>.aliasesRegexp

  • type: list of string

  • default: [ ]

  • example:

    [
  "/^tom\\..*@domain\\.com$/"
]

Same as mailserver.accounts.<name>.aliases but using PCRE (Perl compatible regex).

mailserver.accounts.<name>.catchAll

  • type: list of value "example.com" (singular enum)

  • default: [ ]

  • example:

    [
  "example.com"
  "example2.com"
]

For which domains should this account act as a catch all?

Warning

Does not allow sending from all addresses of these domains. Use mailserver.accounts.<name>.aliases if that is required.

mailserver.accounts.<name>.hashedPassword

  • type: null or string

  • default: null

  • example: "$y$j9T$vfGrwkAaXCjCEWtVNMQck1$383uIXQmn2z0hnmVAA8kwFQmjNj78.nYbvWeyNLIaP1"

The hashed login password for this account.

Use mkpasswd to create password hashes:

nix-shell -p mkpasswd --run 'mkpasswd -s'

Note

This is a convenience option, when your threat model allows storing hashed secrets in the world-readable Nix store.

Passing the hash through mailserver.accounts.<name>.hashedPasswordFile allows relying on filesystem discretionary access control as another security boundary.

mailserver.accounts.<name>.hashedPasswordFile

  • type: null or absolute path

  • default: null

  • example: "/run/keys/user1-pw-hash"

The hashed login password for this account read from a file.

Use `mkpasswd to create password hashes:

nix-shell -p mkpasswd --run 'mkpasswd -s'
mailserver.accounts.<name>.passwordFile

  • type: null or path not in the Nix store

  • default: null

  • example: "/run/keys/user1-pw"

The plaintext login password for this account read from a file.

Note

The password is hashed before it is passed on to Dovecot.

mailserver.accounts.<name>.quota

  • type: null or string

  • default: null

  • example: "2G"

The quota limit for this user.

The value is must use a size format like 500M, 2G, 10G.

If unset, will fall back to mailserver.quota.defaults.perUser if set.

mailserver.accounts.<name>.sendOnly

  • type: boolean

  • default: false

Specifies if the account should be a send-only account.

Emails sent to send-only accounts will be rejected with the reason configured in mailserver.accounts.<name>.sendOnlyRejectMessage.

mailserver.accounts.<name>.sendOnlyRejectMessage

  • type: string

  • default: "This account cannot receive emails."

The message returned to the sender for a send-only account.

See mailserver.accounts.<name>.sendOnly.

mailserver.accounts.<name>.sieveScript

  • type: null or strings concatenated with "\n"

  • default: null

  • example:

    ''
  require ["fileinto", "mailbox"];

  if address :is "from" "gitlab@mg.gitlab.com" {
    fileinto :create "GitLab";
    stop;
  }

  # This must be the last rule, it will check if list-id is set, and
  # file the message into the Lists folder for further investigation
  elsif header :matches "list-id" "<?*>" {
    fileinto :create "Lists";
    stop;
  }
''

Per-user sieve script.

mailserver.x509

mailserver.x509.certificateFile

  • type: null or absolute path

  • default: null

  • example: "/var/keys/certs/fullchain.pem"

Path to the signed X509 certificate including intermediate certificates.

This is commonly referred to as fullchain.pem.

Mutually exclusive with mailserver.x509.useACMEHost.

mailserver.x509.privateKeyFile

  • type: null or string

  • default: null

  • example: "/var/keys/certs/privkey.pem"

Path to the X509 private key.

This is commonly referred to as privkey.pem.

Mutually exclusive with mailserver.x509.useACMEHost.

mailserver.x509.useACMEHost

  • type: null or string

  • default: null

  • example: config.mailserver.fqdn

Common name used in the relevant security.acme.certs configuration.

Mutually exclusive with mailserver.x509.certificateFile and mailserver.x509.privateKeyFile.

mailserver.storage

mailserver.storage.directoryLayout

  • type: one of "fs", "Maildir++"

  • default: "Maildir++"

Sets whether dovecot should organize mail in subdirectories:

  • /var/vmail/example.com/user/.folder.subfolder/ (Maildir++ layout)

  • /var/vmail/example.com/user/folder/subfolder/ (FS layout)

See https://doc.dovecot.org/2.4.4/core/config/mailbox_formats/maildir.html#directory-layout for further details.

mailserver.storage.gid

  • type: positive integer, meaning >0

  • default: 5000

The group id of the primary group of the vmail user.

This group owns the mail storage directories. Access can be delegated to other users via group membership.

Warning

If you change this value you also need to manually adjust the ownership of your mailserver.storage.path.

mailserver.storage.group

  • type: string

  • default: "virtualMail"

The primary group name of the user that owns the mailserver.storage.path.

mailserver.storage.owner

  • type: string

  • default: "virtualMail"

The name of the user that owns the mailserver.storage.path.

mailserver.storage.path

  • type: absolute path

  • default: "/var/vmail"

Path on disk where mail home directories are stored.

mailserver.storage.uid

  • type: positive integer, meaning >0

  • default: 5000

The user id assigned to the vmail user.

This user owns the mail storage files and directories and is used by services accessing the mail store.

Warning

If you change this value you also need to manually adjust the ownership of your mailserver.storage.path.

mailserver.dkim

mailserver.dkim.defaults.keyLength

  • type: signed integer

  • default: 2048

The default key length used for generating new DKIM keys.

Only applies for RSA keys, Ed25519 keys use a fixed key length.

Per RFC8301 3.2 the minimum RSA key length should be at least 2048 bit.

This value should most likely not be changed. Once DKIM keys for domain and selector are generated changing this value will not regenerate the keypair. Instead create a new selector and configure mailserver.dkim.domains.<name>.selectors.<name>.keyLength.

mailserver.dkim.defaults.keyType

  • type: one of "rsa", "ed25519"

  • default: "rsa"

The key type used for generating DKIM keys. Ed25519 support was introduced in RFC6376 (2018).

Warning

Ed25519 DKIM keys are currently not recommended for sole use, as various DKIM validators out there lack support and consider the keypair invalid.

This value should most likely not be changed. Once DKIM keys for domain and selector are generated changing this value will not regenerate the keypair. Instead create a new selector and configure mailserver.dkim.domains.<name>.selectors.<name>.keyType.

mailserver.dkim.defaults.selector

  • type: string

  • default: "mail"

The default selector used to reference and lookup DKIM keys.

This value should most likely not be changed. Instead manage mailserver.dkim.domains.<name>.selectors to sign with one or multiple DKIM key pairs and manage migrations.

mailserver.dkim.domains

  • type: attribute set of (submodule)

  • default: { }

  • example:

    {
  "example.com".selectors = {
    "mail" = {
      # inherit defaults from mailserver.dkim.defaults
    };
    "rsa-2026-03".keyFile = "/run/keys/example.com-dkim-rsa-2026-03.key";
  };
};

DKIM configuration per domain.

mailserver.dkim.domains.<name>.selectors

  • type: attribute set of (submodule)

  • default: { }

  • example:

    {
  "mail" = {
    # inherit defaults from mailserver.dkim.defaults
  };
  "rsa-2026-03".keyFile = "/run/keys/example.com-dkim-rsa-2026-03.key";
};

DKIM selectors used for signing outgoing mail for this domain.

When no selector is configured a default selector will be created with settings inherited from mailserver.dkim.defaults.

mailserver.dkim.domains.<name>.selectors.<name>.keyFile

  • type: null or path not in the Nix store

  • default: null

  • example: "/run/keys/example.com-dkim-rsa-2026-03.key"

Path to an existing DKIM private key file.

DKIM keys can be generated using rspamadm dkim_keygen.

This option is mutually exclusive with keyType and keyLength.

mailserver.dkim.domains.<name>.selectors.<name>.keyLength

  • type: null or signed integer

  • default: null

  • example: 2048

The key length used for generating this DKIM key.

Only applies for RSA keys, Ed25519 keys use a fixed key size.

This option is mutually exclusive with keyFile.

mailserver.dkim.domains.<name>.selectors.<name>.keyType

  • type: null or one of "rsa", "ed25519"

  • default: null

  • example: "rsa"

The key type used for generating this DKIM keypair.

Warning

Ed25519 DKIM keys are currently not recommended for sole use, as various DKIM validators out there lack support and consider the keypair invalid.

This option is mutually exclusive with keyFile.

mailserver.dkim.enable

  • type: boolean

  • default: true

  • example: true

Whether to enable DKIM signing.

mailserver.dkim.keyDirectory

  • type: absolute path

  • default: "/var/dkim"

The path where DKIM siging keys are stored.

mailserver.srs

mailserver.srs.domain

  • type: null or string

  • default: config.mailserver.systemDomain

  • example: "srs.example.com"

Mail domain used for ephemeral SRS envelope addresses.

Note

This domain can only support relaxed SPF alignment.

Important

For privacy reasons you should use a dedicated domain when serving multiple unrelated domains.

mailserver.srs.enable

  • type: boolean

  • default: false

  • example: true

Whether to enable Sender Rewrite Scheme.

mailserver.dmarcReporting

mailserver.dmarcReporting.enable

  • type: boolean

  • default: false

Whether to send out aggregated, daily DMARC reports in response to incoming mail, when the sender domain defines a DMARC policy including the RUA tag.

This is helpful for the mail ecosystem, because it allows third parties to get notified about SPF/DKIM violations originating from their sender domains.

See https://rspamd.com/doc/modules/dmarc.html#reporting

mailserver.dmarcReporting.excludeDomains

  • type: list of string

  • default: [ ]

List of domains or eSLDs to be excluded from DMARC reports.

mailserver.tlsrpt

mailserver.tlsrpt.enable

  • type: boolean

  • default: false

  • example: true

Whether to enable delivery of SMTP TLS reports according to RFC 8460.

mailserver.fullTextSearch

mailserver.fullTextSearch.autoIndex

  • type: boolean

  • default: true

Enable automatic indexing of messages as they are received or modified.

Tip

Can be overridden per mailbox by setting fts_autoindex for mailserver.mailboxes. By default the Junk and Trash folders are already excluded.

mailserver.fullTextSearch.enable

  • type: boolean

  • default: false

  • example: true

Whether to enable Full text search indexing with Xapian through the fts_flatcurve plugin. This has significant performance and disk space cost. .

mailserver.fullTextSearch.fallback

  • type: boolean

  • default: true

Whether to fallback to slow non-indexed search, if FTS lookup and indexing have failed.

See https://doc.dovecot.org/2.4.4/core/plugins/fts.html#fts_search_read_fallback.

mailserver.fullTextSearch.filters

  • type: list of string

  • default:

    [
  "normalizer-icu"
  "snowball"
  "stopwords"
]

The list of language filters to apply.

mailserver.fullTextSearch.headerExcludes

  • type: list of string

  • default:

    [
  "Received"
  "DKIM-*"
  "X-*"
  "Comments"
]

The list of headers to exclude while indexing.

See https://doc.dovecot.org/2.4.4/core/plugins/fts.html#fts_header_excludes.

mailserver.fullTextSearch.languages

  • type: non-empty (list of string)

  • default:

    [
  "en"
]

  • example:

    [
  "en"
  "de"
]

A list of languages that the full text search should detect.

At least one language must be specified. The language listed first is the default and is used when language recognition fails.

See https://doc.dovecot.org/2.4.4/core/plugins/fts.html#languages.

mailserver.fullTextSearch.memoryLimit

  • type: null or signed integer

  • default: null

  • example: 1024

Memory limit for the indexer process, in MiB.

When null the [default_vsz_limit] applies while with 0 no limit is applied.

default_vsz_limit

mailserver.fullTextSearch.substringSearch

  • type: boolean

  • default: false

Whether to allows substring searches. By default only prefix searches are supported.

Warning

Enabling this significantly increases storage requirements.

See https://doc.dovecot.org/2.4.4/core/plugins/fts_flatcurve.html#fts_flatcurve_substring_search.

mailserver.quota

mailserver.quota.defaults.perUser

  • type: null or string

  • default: null

  • example: "10G"

Default quota applied to all users.

The value must use a size format like 500M, 2G, 10G.

If set to null, no default per user quota is applied and only explicit per user quotas apply, if set.

mailserver.quota.enable

  • type: boolean

  • default: true

Whether to enable quota support.

When enabled, incoming mail can be rejected if a mailbox exceeds its quota.

mailserver.quotaStatusMemoryLimit

  • type: signed integer

  • default: 256

The memory limit for the quota-status service, in megabytes.

mailserver.redis

mailserver.redis.address

  • type: string

  • default: config.services.redis.servers.rspamd.unixSocket

Path, IP address or hostname that Rspamd should use to contact Redis.

mailserver.redis.configureLocally

  • type: boolean

  • default: true

Whether to provision a local Redis instance.

mailserver.redis.password

  • type: null or string

  • default: config.services.redis.servers.rspamd.requirePass

Password that rspamd should use to contact redis, or null if not required.

mailserver.redis.port

  • type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  • default: null

  • example: config.services.redis.servers.rspamd.port

Port that Rspamd should use to contact Redis.

mailserver.ldap

mailserver.ldap.attributes.mail

  • type: string

  • default: "mail"

  • example: "maildrop"

The attribute name used for looking up accounts by mail address.

Typically this can be the mail attribute from the inetOrgPerson schema, or the maildrop attribute from the unofficial Postfix schema.

mailserver.ldap.attributes.password

  • type: null or string

  • default: null

  • example: "userPassword"

The LDAP attribute referencing the account password used to login with.

The account passwords stored in LDAP must be hashed with a supported Password Scheme in order for Dovecot to understand them.

Typically the userPassword attribute which is part of the inetOrgPerson schema.

If null, Authentication Binds will be used instead.

mailserver.ldap.attributes.username

  • type: string

  • default: "uid"

  • example: "name"

The LDAP attribute referencing the username used to login with.

Typically the uid attribute which is part of the inetOrgPerson schema.

mailserver.ldap.attributes.uuid

  • type: string

  • default: "entryUUID"

  • example: "uuid"

The long-term stable LDAP attribute to reference accounts across username changes. Used to determine a stable Dovecot home and mail directory location.

Typically the entryUUID attribute as defined by RFC4530.

mailserver.ldap.base

  • type: string

  • example: "ou=people,ou=accounts,dc=example,dc=com"

Base DN below which user accounts are searched for.

mailserver.ldap.bind.dn

  • type: string

  • example: "cn=mail,ou=accounts,dc=example,dc=com"

DN used to bind against the LDAP server.

The server uses this account to lookup and filter accounts.

mailserver.ldap.bind.passwordFile

  • type: path not in the Nix store

  • example: "/run/my-secret"

File containing the password required to bind against the LDAP server.

Warning

The password file is read verbatim. Any trailing newline will become part of the password and may cause authentication failures.

mailserver.ldap.caFile

  • type: absolute path

  • default: ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt

Bundle of CA certificates used to authenticate the LDAP server certificate.

mailserver.ldap.dovecot.passFilter

  • type: null or string

  • default:

    with config.mailserver.ldap.attributes; "${username}=%{user}";

  • example: "(&(memberOf=cn=mail_users,ou=groups,dc=example,dc=com)(uid=%{user}))"

LDAP filter used to restrict which users are eligible to authenticate against Dovecot.

See the passdb_ldap_filter reference in the Dovecot manual.

mailserver.ldap.dovecot.userFilter

  • type: string

  • default:

    with config.mailserver.ldap.attributes; "(|(${mail}=%{user})(${username}=%{user}))";

  • example: "(|(mail=%{user})(uid=%{user}))"

LDAP filter used for LMTP delivery from Postfix and post-login information construction, like the home directory.

See the userdb_ldap_filter reference at in the Dovecot manual.

mailserver.ldap.enable

  • type: boolean

  • default: false

  • example: true

Whether to enable LDAP support.

mailserver.ldap.postfix.filter

  • type: string

  • default:

    with config.mailserver.ldap.attributes; "${mail}=%s";

  • example: "(mail=%s)"

LDAP filter used to search for an account by mail, where %s is a substitute for the address in question.

mailserver.ldap.scope

  • type: one of "base", "one", "sub"

  • default: "sub"

Search scope relative to the mailserver.ldap.base.

  • base: Only the exact Base DN

  • one: Immediate child entries of the Base DN, but not the Base DN itself.

  • sub: Base DN and all descendant entries at any depth.

In practice only one or sub are suitable for multiple LDAP users.

mailserver.ldap.startTls

  • type: boolean

  • default: false

Whether to enable StartTLS on ldap:// connections.

mailserver.ldap.uris

  • type: list of string

  • default: [ ]

  • example:

    [
  "ldaps://ldap1.example.com"
  "ldaps://ldap2.example.com"
]

List of LDAP server URIs. Multiple can be specified.

Use ldaps:// for implicit TLS or ldap:// for a plain connection. See also mailserver.ldap.startTls to enable StartTLS on plain connections.

mailserver.workarounds

mailserver.workarounds.all

  • type: boolean

  • default: true

Whether to enable various workarounds for compatibility with other mail servers or clients. This is safe to enable and workarounds come and go. At times, this option may have no effect at all.

mailserver.workarounds.digicertRootDiscontinuation

  • type: boolean

  • default: config.mailserver.workarounds.all

Whether to patch Postfix's CA bundle to continue trusting the discontinued DigiCert Root CA.

This will allow Postfix to deliver mails to mail servers that still serve a certificate signed by this CA. Without this patch connections that enforce DANE or MTA-STS will break.

Microsoft Outlook is known to do this.