Mailserver options

`mailserver`

mailserver.aliases

Aliases are additional mail addresses routed to one or more existing local accounts.

The target accounts are allowed to use the alias as the sender address.

Note

This feature is limited to local accounts and does not support LDAP or other external accounts.

type: attribute set of ((Login Account) or non-empty (list of (Login Account)))
default: { }

example:

{
  "abuse@example.com" = "user1@example.com";
  "multi@example.com" = [
    "user1@example.com"
    "user2@example.com"
  ];
  "postmaster@example.com" = "user1@example.com";
}

mailserver.debug.all

Whether to enable verbose logging for all mailserver related services. This intended be used for development purposes only, you probably don't want to enable this unless you're hacking on nixos-mailserver.

type: boolean
default: false

mailserver.debug.dovecot

Whether to enable verbose logging for Dovecot.

type: boolean
default: config.mailserver.debug.all

mailserver.debug.rspamd

Whether to enable verbose logging for Rspamd.

type: boolean
default: config.mailserver.debug.all

mailserver.domains

The domains that this mail server serves.

type: list of string
default: [ ]
example:
```
[
  "example.com"
]
```

mailserver.enable

Whether to enable nixos-mailserver.

type: boolean
default: false
example: true

mailserver.enableImap

Whether to enable IMAP with STARTTLS on port 143.

The use of this port is deprecated per RFC 8314 4.1.

type: boolean
default: false

mailserver.enableImapSsl

Whether to enable IMAP with TLS in wrapper-mode on port 993.

type: boolean
default: true

mailserver.enableManageSieve

Whether to enable ManageSieve, setting this option to true will open port 4190 in the firewall.

The ManageSieve protocol allows users to manage their Sieve scripts on a remote server with a supported client, including Thunderbird.

type: boolean
default: false

mailserver.enableNixpkgsReleaseCheck

Whether to check for a release mismatch between NixOS mailserver and Nixpkgs.

Using mismatched versions is likely to cause compatibility issues and may require migrations that make an eventual rollback tricky.

It is therefore highly recommended to use a release of NixOS mailserver that corresponds with your chosen release of Nixpkgs.

type: boolean
default: true

mailserver.enablePop3

Whether to enable POP3 with STARTTLS on port on port 110.

The use of this port is deprecated per RFC 8314 4.1.

type: boolean
default: false

mailserver.enablePop3Ssl

Whether to enable POP3 with TLS in wrapper-mode on port 995.

type: boolean
default: false

mailserver.enableSubmission

Whether to enable SMTP with STARTTLS on port 587.

The use of this port is discouraged per RFC 8314 3.3, see also Appendix A.

type: boolean
default: false

mailserver.enableSubmissionSsl

Whether to enable SMTP with TLS in wrapper-mode on port 465.

type: boolean
default: true

mailserver.forwards

Forwards route mail from local addresses to one or more local or external addresses.

Unlike mailserver.aliases, the target addresses cannot send mail using the forward address.

type: attribute set of ((list of string) or string)
default: { }

example:

{
  "gamenight@example.com" = [
    "bob@example.com"
    "frank@example.org"
    "wendy@example.net"
  ];
  "user@example.com" = "user@example.edu";
}

mailserver.fqdn

The fully qualified domain name of the mail server.

type: string
example: "mx.example.com"

mailserver.hierarchySeparator

The hierarchy separator for mailboxes used by dovecot for the namespace 'inbox'. Dovecot defaults to "." but recommends "/". This affects how mailboxes appear to mail clients and sieve scripts. For instance when using "." then in a sieve script "example.com" would refer to the mailbox "com" in the parent mailbox "example". This does not determine the way your mails are stored on disk. See https://doc.dovecot.org/main/core/config/namespaces.html#namespaces for details.

type: string
default: "."

mailserver.imapMemoryLimit

The memory limit for the imap service, in megabytes.

type: signed integer
default: 256

mailserver.indexDir

Folder to store search indices. If null, indices are stored along with email, which could not necessarily be desirable, especially when mailserver.fullTextSearch.enable is true since indices it creates are voluminous and do not need to be backed up.

Be careful when changing this option value since all indices would be recreated at the new location (and clients would need to resynchronize).

Note the some variables can be used in the file path. See https://doc.dovecot.org/2.3/configuration_manual/mail_location/#variables for details.

type: null or string
default: null
example: "/var/lib/dovecot/indices"

mailserver.lmtpMemoryLimit

The memory limit for the LMTP service, in megabytes.

type: signed integer
default: 256

mailserver.lmtpSaveToDetailMailbox

If an email address is delimited by a "+", should it be filed into a mailbox matching the string after the "+"? For example, user1+test@example.com would be filed into the mailbox "test".

type: one of "yes", "no"
default: "yes"

mailserver.localDnsResolver

Runs a local DNS resolver (kresd) as recommended when running rspamd. This prevents your log file from filling up with rspamd_monitored_dns_mon entries.

type: boolean
default: true

mailserver.mailboxes

The mailboxes for dovecot. Depending on the mail client used it might be necessary to change some mailbox's name.

type: unspecified value

default:

{
  Drafts = {
    auto = "subscribe";
    specialUse = "Drafts";
  };
  Junk = {
    auto = "subscribe";
    specialUse = "Junk";
  };
  Sent = {
    auto = "subscribe";
    specialUse = "Sent";
  };
  Trash = {
    auto = "no";
    specialUse = "Trash";
  };
}

mailserver.maxConnectionsPerUser

Maximum number of IMAP/POP3 connections allowed for a user from each IP address. E.g. a value of 50 allows for 50 IMAP and 50 POP3 connections at the same time for a single user.

type: signed integer
default: 100

mailserver.messageSizeLimit

Message size limit enforced by Postfix.

type: signed integer
default: 20971520
example: 52428800

mailserver.openFirewall

Automatically open ports in the firewall.

type: boolean
default: true

mailserver.quotaStatusMemoryLimit

The memory limit for the quota-status service, in megabytes.

type: signed integer
default: 256

mailserver.recipientDelimiter

Configure the recipient delimiter.

type: string
default: "+"

mailserver.rejectRecipients

Reject emails addressed to these local addresses from unauthorized senders. Use if a spammer has found email addresses in a catchall domain but you do not want to disable the catchall.

type: list of string
default: [ ]

example:

[
  "sales@example.com"
  "info@example.com"
]

mailserver.rejectSender

Reject emails from these addresses from unauthorized senders. Use if a spammer is using the same domain or the same sender over and over.

type: list of string
default: [ ]

example:

[
  "example.com"
  "spammer@example.net"
]

mailserver.rejectSenderMessage

SMTP message returned to rejected senders. If not set the Postfix default will be used.

The message must be a single line and typically much shorter than 512 characters.

This could for example be used to provide a contact method (postal address, phone or alternative email) so rejected senders can exercise their Art. 21 GDPR right to object.

It is good practice to inform senders in advance that their email addresses may be processed for this purpose in accordance with Art. 13 GDPR. Storing their mail address for this purpose is generally regarded as a legitimate interest.

type: string
default: ""
example: "Your e-mail has not been delivered because we have blocked your e-mai address. If you believe that your e-mail address has been blocked by mistake, or if you have any other legitimate concern, please contact <address>."

mailserver.rewriteMessageId

Rewrites the Message-ID's hostname-part of outgoing emails to the FQDN. Please be aware that this may cause problems with some mail clients relying on the original Message-ID.

type: boolean
default: false

mailserver.sendingFqdn

The fully qualified domain name of the mail server used to identify with remote servers.

If this server's IP serves purposes other than a mail server, it may be desirable for the server to have a name other than that to which the user will connect. For example, the user might connect to mx.example.com, but the server's IP has reverse DNS that resolves to myserver.example.com; in this scenario, some mail servers may reject or penalize the message.

This setting allows the server to identify as myserver.example.com when forwarding mail, independently of mailserver.fqdn (which, for SSL reasons, should generally be the name to which the user connects).

Set this to the name to which the sending IP's reverse DNS resolves.

type: string
default: mailserver.fqdn
example: "myserver.example.com"

mailserver.sieveDirectory

Where to store the sieve scripts.

type: absolute path
default: "/var/sieve"

mailserver.stateVersion

Tracking stateful version changes as an incrementing number.

When a new release comes out we may require manual migration steps to be completed, before the new version can be put into production.

If your stateVersion is too low one or multiple assertions may trigger to give you instructions on what migrations steps are required to continue. Increase the stateVersion as instructed by the assertion message.

type: null or (positive integer, meaning >0)
default: null

mailserver.systemContact

The email address where the administrative contact for this mail server is reachable.

Currently, this is only required when one of the following features is enabled:

SMTP TLS reports (mailserver.tlsrpt.enable)
type: string
example: "postmaster@example.com"

mailserver.systemDomain

The primary domain used for sending automated reports.

type: string

default:

if config.networking.domain != null && lib.elem config.networking.domain cfg.domains then
  config.networking.domain
else
  lib.head cfg.domains

example: config.networking.domain

mailserver.systemName

The sender name given in automated reports.

type: string
default: ${config.mailserver.systemDomain} mail system
example: "ACME Corp."

mailserver.useUTF8FolderNames

Store mailbox names on disk using UTF-8 instead of modified UTF-7 (mUTF-7).

type: boolean
default: false

mailserver.virusScanning

Whether to activate virus scanning. Note that virus scanning is very expensive memory wise.

type: boolean
default: false

`mailserver.accounts`

mailserver.accounts

Attribute set of mail accounts.

Each entry defines a mailbox and login credentials, where the attribute name is used as the login username and optionally routed mail address.

Use mkpasswd to generate password hashes.

type: attribute set of (submodule)
default: { }

example:

{
  user1 = {
    # This password hash leaks into the Nix store
    hashedPassword = "$y$j9T$y6eZ1o.IvVNfdGMAsUEvh1$6K/llP52uw2iDh4iSwtAn54/JYy7FzCcoCHmjmx00H5";
  };
  user2 = {
    # Hashed password passed as a file
    hashedPasswordFile = "/run/keys/user2-pw-hash";
  };
  user3 = {
    # Plaintext password file
    passwordFile = "/run/keys/user3-pw";
  };
}

mailserver.accounts.<name>.aliases

List of additional mail addresses (aliases) that get routed to this account.

Catch-all with sending permissions

Configure @example.com to create a catch-all for this domain that also allows sending from all addresses.

type: list of string
default: [ ]

example:

[
  "abuse@example.com"
  "postmaster@example.com"
]

mailserver.accounts.<name>.aliasesRegexp

Same as mailserver.accounts.<name>.aliases but using PCRE (Perl compatible regex).

type: list of string
default: [ ]
example:
```
[
  "/^tom\\..*@domain\\.com$/"
]
```

mailserver.accounts.<name>.catchAll

For which domains should this account act as a catch all?

Warning

Does not allow sending from all addresses of these domains. Use mailserver.accounts.<name>.aliases if that is required.

type: list of value "example.com" (singular enum)
default: [ ]
example:
```
[
  "example.com"
  "example2.com"
]
```

mailserver.accounts.<name>.hashedPassword

The hashed login password for this account.

Use mkpasswd to create password hashes:

nix-shell -p mkpasswd --run 'mkpasswd -s'

Note

This is a convenience option, when your threat model allows storing hashed secrets in the world-readable Nix store.

Passing the hash through mailserver.accounts.<name>.hashedPasswordFile allows relying on filesystem discretionary access control as another security boundary.

type: null or string
default: null
example: "$y$j9T$vfGrwkAaXCjCEWtVNMQck1$383uIXQmn2z0hnmVAA8kwFQmjNj78.nYbvWeyNLIaP1"

mailserver.accounts.<name>.hashedPasswordFile

The hashed login password for this account read from a file.

Use `mkpasswd to create password hashes:

nix-shell -p mkpasswd --run 'mkpasswd -s'

type: null or absolute path
default: null
example: "/run/keys/user1-pw-hash"

mailserver.accounts.<name>.passwordFile

The plaintext login password for this account read from a file.

Note

The password is hashed before it is passed on to Dovecot.

type: null or path not in the Nix store
default: null
example: "/run/keys/user1-pw"

mailserver.accounts.<name>.quota

Per user quota rules. Accepted sizes are xx k/M/G/T with the obvious meaning. Leave blank for the standard quota 100G.

type: null or string
default: null
example: "2G"

mailserver.accounts.<name>.sendOnly

Specifies if the account should be a send-only account.

Emails sent to send-only accounts will be rejected with the reason configured in mailserver.accounts.<name>.sendOnlyRejectMessage.

type: boolean
default: false

mailserver.accounts.<name>.sendOnlyRejectMessage

The message returned to the sender for a send-only account.

See mailserver.accounts.<name>.sendOnly.

type: string
default: "This account cannot receive emails."

mailserver.accounts.<name>.sieveScript

Per-user sieve script.

type: null or strings concatenated with "\n"
default: null

example:

''
  require ["fileinto", "mailbox"];

  if address :is "from" "gitlab@mg.gitlab.com" {
    fileinto :create "GitLab";
    stop;
  }

  # This must be the last rule, it will check if list-id is set, and
  # file the message into the Lists folder for further investigation
  elsif header :matches "list-id" "<?*>" {
    fileinto :create "Lists";
    stop;
  }
''

`mailserver.x509`

mailserver.x509.certificateFile

Path to the signed X509 certificate including intermediate certificates.

This is commonly referred to as fullchain.pem.

Mutually exclusive with mailserver.x509.useACMEHost.

type: null or absolute path
default: null
example: "/var/keys/certs/fullchain.pem"

mailserver.x509.privateKeyFile

Path to the X509 private key.

This is commonly referred to as privkey.pem.

Mutually exclusive with mailserver.x509.useACMEHost.

type: null or string
default: null
example: "/var/keys/certs/privkey.pem"

mailserver.x509.useACMEHost

Common name used in the relevant security.acme.certs configuration.

Mutually exclusive with mailserver.x509.certificateFile and mailserver.x509.privateKeyFile.

type: null or string
default: null
example: config.mailserver.fqdn

`mailserver.storage`

mailserver.storage.directoryLayout

Sets whether dovecot should organize mail in subdirectories:

/var/vmail/example.com/user/.folder.subfolder/ (Maildir++ layout)
/var/vmail/example.com/user/folder/subfolder/ (FS layout)

See https://doc.dovecot.org/main/core/config/mailbox_formats/maildir.html#directory-layout for further details.

type: one of "fs", "maildir++"
default: "maildir++"

mailserver.storage.gid

The group id of the primary group of the vmail user.

This group owns the mail storage directories. Access can be delegated to other users via group membership.

Warning

If you change this value you also need to manually adjust the ownership of your mailserver.storage.path.

type: positive integer, meaning >0
default: 5000

mailserver.storage.group

The primary group name of the user that owns the mailserver.storage.path.

type: string
default: "virtualMail"

mailserver.storage.owner

The name of the user that owns the mailserver.storage.path.

type: string
default: "virtualMail"

mailserver.storage.path

Path on disk where mail home directories are stored.

type: absolute path
default: "/var/vmail"

mailserver.storage.uid

The user id assigned to the vmail user.

This user owns the mail storage files and directories and is used by services accessing the mail store.

Warning

If you change this value you also need to manually adjust the ownership of your mailserver.storage.path.

type: positive integer, meaning >0
default: 5000

`mailserver.dkim`

mailserver.dkim.defaults.keyLength

The default key length used for generating new DKIM keys.

Only applies for RSA keys, Ed25519 keys use a fixed key length.

Per RFC8301 3.2 the minimum RSA key length should be at least 2048 bit.

This value should most likely not be changed. Once DKIM keys for domain and selector are generated changing this value will not regenerate the keypair. Instead create a new selector and configure mailserver.dkim.domains.<name>.selectors.<name>.keyLength.

type: signed integer
default: 2048

mailserver.dkim.defaults.keyType

The key type used for generating DKIM keys. Ed25519 support was introduced in RFC6376 (2018).

Warning

Ed25519 DKIM keys are currently not recommended for sole use, as various DKIM validators out there lack support and consider the keypair invalid.

This value should most likely not be changed. Once DKIM keys for domain and selector are generated changing this value will not regenerate the keypair. Instead create a new selector and configure mailserver.dkim.domains.<name>.selectors.<name>.keyType.

type: one of "rsa", "ed25519"
default: "rsa"

mailserver.dkim.defaults.selector

The default selector used to reference and lookup DKIM keys.

This value should most likely not be changed. Instead manage mailserver.dkim.domains.<name>.selectors to sign with one or multiple DKIM key pairs and manage migrations.

type: string
default: "mail"

mailserver.dkim.domains

DKIM configuration per domain.

type: attribute set of (submodule)
default: { }

example:

{
  "example.com".selectors = {
    "mail" = {
      # inherit defaults from mailserver.dkim.defaults
    };
    "rsa-2026-03".keyFile = "/run/keys/example.com-dkim-rsa-2026-03.key";
  };
};

mailserver.dkim.domains.<name>.selectors

DKIM selectors used for signing outgoing mail for this domain.

When no selector is configured a default selector will be created with settings inherited from mailserver.dkim.defaults.

type: attribute set of (submodule)
default: { }

example:

{
  "mail" = {
    # inherit defaults from mailserver.dkim.defaults
  };
  "rsa-2026-03".keyFile = "/run/keys/example.com-dkim-rsa-2026-03.key";
};

mailserver.dkim.domains.<name>.selectors.<name>.keyFile

Path to an existing DKIM private key file.

DKIM keys can be generated using rspamadm dkim_keygen.

This option is mutually exclusive with keyType and keyLength.

type: null or path not in the Nix store
default: null
example: "/run/keys/example.com-dkim-rsa-2026-03.key"

mailserver.dkim.domains.<name>.selectors.<name>.keyLength

The key length used for generating this DKIM key.

Only applies for RSA keys, Ed25519 keys use a fixed key size.

This option is mutually exclusive with keyFile.

type: null or signed integer
default: null
example: 2048

mailserver.dkim.domains.<name>.selectors.<name>.keyType

The key type used for generating this DKIM keypair.

Warning

Ed25519 DKIM keys are currently not recommended for sole use, as various DKIM validators out there lack support and consider the keypair invalid.

This option is mutually exclusive with keyFile.

type: null or one of "rsa", "ed25519"
default: null
example: "rsa"

mailserver.dkim.enable

Whether to enable DKIM signing.

type: boolean
default: true
example: true

mailserver.dkim.keyDirectory

The path where DKIM siging keys are stored.

type: absolute path
default: "/var/dkim"

`mailserver.srs`

mailserver.srs.domain

Mail domain used for ephemeral SRS envelope addresses.

Note

This domain can only support relaxed SPF alignment.

Important

For privacy reasons you should use a dedicated domain when serving multiple unrelated domains.

type: null or string
default: config.mailserver.systemDomain
example: "srs.example.com"

mailserver.srs.enable

Whether to enable Sender Rewrite Scheme.

type: boolean
default: false
example: true

`mailserver.dmarcReporting`

mailserver.dmarcReporting.enable

Whether to send out aggregated, daily DMARC reports in response to incoming mail, when the sender domain defines a DMARC policy including the RUA tag.

This is helpful for the mail ecosystem, because it allows third parties to get notified about SPF/DKIM violations originating from their sender domains.

See https://rspamd.com/doc/modules/dmarc.html#reporting

type: boolean
default: false

mailserver.dmarcReporting.excludeDomains

List of domains or eSLDs to be excluded from DMARC reports.

type: list of string
default: [ ]

`mailserver.tlsrpt`

mailserver.tlsrpt.enable

Whether to enable delivery of SMTP TLS reports according to RFC 8460.

type: boolean
default: false
example: true

`mailserver.fullTextSearch`

mailserver.fullTextSearch.autoIndex

Enable automatic indexing of messages as they are received or modified.

type: boolean
default: true

mailserver.fullTextSearch.autoIndexExclude

Mailboxes to exclude from automatic indexing.

type: list of string
default: [ ]

example:

[
  "\\Trash"
  "SomeFolder"
  "Other/*"
]

mailserver.fullTextSearch.enable

Whether to enable Full text search indexing with Xapian through the fts_flatcurve plugin. This has significant performance and disk space cost. .

type: boolean
default: false
example: true

mailserver.fullTextSearch.enforced

Fail searches when no index is available. If set to body, then only body searches (as opposed to header) are affected. If set to no, searches may fall back to a very slow brute force search.

type: one of "yes", "no", "body"
default: "no"

mailserver.fullTextSearch.filters

The list of filters to apply. https://doc.dovecot.org/main/core/plugins/fts.html#filter-configuration.

type: list of string

default:

[
  "normalizer-icu"
  "snowball"
  "stopwords"
]

mailserver.fullTextSearch.headerExcludes

The list of headers to exclude. See https://doc.dovecot.org/main/core/plugins/fts.html#fts_header_excludes.

type: list of string

default:

[
  "Received"
  "DKIM-*"
  "X-*"
  "Comments"
]

mailserver.fullTextSearch.languages

A list of languages that the full text search should detect. At least one language must be specified. The language listed first is the default and is used when language recognition fails. See https://doc.dovecot.org/main/core/plugins/fts.html#fts_languages.

type: non-empty (list of string)
default:
```
[
  "en"
]
```
example:
```
[
  "en"
  "de"
]
```

mailserver.fullTextSearch.memoryLimit

Memory limit for the indexer process, in MiB. If null, leaves the default (which is rather low), and if 0, no limit.

type: null or signed integer
default: null
example: 2000

mailserver.fullTextSearch.substringSearch

If enabled, allows substring searches. See https://doc.dovecot.org/main/core/plugins/fts_flatcurve.html#fts_flatcurve_substring_search.

Enabling this requires significant additional storage space.

type: boolean
default: false

`mailserver.redis`

mailserver.redis.address

Path, IP address or hostname that Rspamd should use to contact Redis.

type: string
default: config.services.redis.servers.rspamd.unixSocket

mailserver.redis.configureLocally

Whether to provision a local Redis instance.

type: boolean
default: true

mailserver.redis.password

Password that rspamd should use to contact redis, or null if not required.

type: null or string
default: config.services.redis.servers.rspamd.requirePass

mailserver.redis.port

Port that Rspamd should use to contact Redis.

type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)
default: null
example: config.services.redis.servers.rspamd.port

`mailserver.ldap`

mailserver.ldap.attributes.mail

The attribute name used for looking up accounts by mail address.

Typically this can be the mail attribute from the inetOrgPerson schema, or the maildrop attribute from the unofficial Postfix schema.

type: string
default: "mail"
example: "maildrop"

mailserver.ldap.attributes.password

The LDAP attribute referencing the account password used to login with.

Typically the userPassword attribute which is part of the inetOrgPerson schema.

type: string
default: "userPassword"
example: "unix_password"

mailserver.ldap.attributes.username

The LDAP attribute referencing the username used to login with.

Typically the uid attribute which is part of the inetOrgPerson schema.

type: string
default: "uid"
example: "name"

mailserver.ldap.attributes.uuid

The long-term stable LDAP attribute to reference accounts across username changes. Used to determine a stable Dovecot home and mail directory location.

Typically the entryUUID attribute as defined by RFC4530.

type: string
default: "entryUUID"
example: "uuid"

mailserver.ldap.base

Base DN below which user accounts are searched for.

type: string
example: "ou=people,ou=accounts,dc=example,dc=com"

mailserver.ldap.bind.dn

DN used to bind against the LDAP server.

The server uses this account to lookup and filter accounts.

type: string
example: "cn=mail,ou=accounts,dc=example,dc=com"

mailserver.ldap.bind.passwordFile

File containing the password required to bind against the LDAP server.

type: path not in the Nix store
example: "/run/my-secret"

mailserver.ldap.caFile

Bundle of CA certificates used to authenticate the LDAP server certificate.

type: absolute path
default: ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt

mailserver.ldap.dovecot.passFilter

LDAP filter used to restrict which users are eligible to authenticate against Dovecot.

See the pass_filter reference in the Dovecot manual.

type: null or string

default:

with config.mailserver.ldap.attributes; "${username}=%{user}";

example: "(&(memberOf=cn=mail_users,ou=groups,dc=example,dc=com)(uid=%{user}))"

mailserver.ldap.dovecot.userFilter

LDAP filter used for LMTP delivery from Postfix and post-login information construction, like the home directory.

See the user_filter reference at in the Dovecot manual.

type: string

default:

with config.mailserver.ldap.attributes; "(|(${mail}=%{user})(${username}=%{user}))";

example: "(|(mail=%{user})(uid=%{user}))"

mailserver.ldap.enable

Whether to enable LDAP support.

type: boolean
default: false
example: true

mailserver.ldap.postfix.filter

LDAP filter used to search for an account by mail, where %s is a substitute for the address in question.

type: string

default:

with config.mailserver.ldap.attributes; "${mail}=%s";

example: "(mail=%s)"

mailserver.ldap.scope

Search scope relative to the mailserver.ldap.base.

base: Only the exact Base DN
one: Immediate child entries of the Base DN, but not the Base DN itself.
sub: Base DN and all descendant entries at any depth.

In practice only one or sub are suitable for multiple LDAP users.

type: one of "base", "one", "sub"
default: "sub"

mailserver.ldap.startTls

Whether to enable StartTLS on ldap:// connections.

type: boolean
default: false

mailserver.ldap.uris

List of LDAP server URIs. Multiple can be specified.

Use ldaps:// for implicit TLS or ldap:// for a plain connection. See also mailserver.ldap.startTls to enable StartTLS on plain connections.

type: list of string
default: [ ]

example:

[
  "ldaps://ldap1.example.com"
  "ldaps://ldap2.example.com"
]

`mailserver.monitoring`

mailserver.monitoring.alertAddress

The email address to send alerts to.

type: string

mailserver.monitoring.config

The configuration used for monitoring via monit. Use a mail address that you actively check and set it via 'set alert ...'.

type: string
default: see source

mailserver.monitoring.enable

Whether to enable monitoring via monit.

type: boolean
default: false
example: true

`mailserver.backup`

mailserver.backup.cmdPostexec

The command to be executed after each backup operation. This is wrapped in a shell script to be called by rsnapshot.

type: null or string
default: null

mailserver.backup.cmdPreexec

The command to be executed before each backup operation. This is wrapped in a shell script to be called by rsnapshot.

type: null or string
default: null

mailserver.backup.cronIntervals

Periodicity at which intervals should be run by cron. Note that the intervals also have to exist in configuration as retain options.

type: attribute set of string

default:

{
  daily = "30  3  *  *  *";
  hourly = " 0  *  *  *  *";
  weekly = " 0  5  *  *  0";
}

mailserver.backup.enable

Whether to enable backup via rsnapshot.

type: boolean
default: false
example: true

mailserver.backup.retain.daily

How many daily snapshots are retained.

type: signed integer
default: 7

mailserver.backup.retain.hourly

How many hourly snapshots are retained.

type: signed integer
default: 24

mailserver.backup.retain.weekly

How many weekly snapshots are retained.

type: signed integer
default: 54

mailserver.backup.snapshotRoot

The directory where rsnapshot stores the backup.

type: absolute path
default: "/var/rsnapshot"

`mailserver.borgbackup`

mailserver.borgbackup.cmdPostexec

The command to be executed after each backup operation. This is called after borg create completed successfully and in the same script that runs cmdPreexec, borg init and create.

type: null or string
default: null

mailserver.borgbackup.cmdPreexec

The command to be executed before each backup operation. This is called prior to borg init in the same script that runs borg init and create and cmdPostexec.

type: null or string
default: null

example:

''
  export BORG_RSH="ssh -i /path/to/private/key"
''

mailserver.borgbackup.compression.auto

Leaves it to borg to determine whether an individual file should be compressed.

type: boolean
default: false

mailserver.borgbackup.compression.level

Denotes the level of compression used by borg. Most methods accept levels from 0 to 9 but zstd which accepts values from 1 to 22. If null the decision is left up to borg.

type: null or signed integer
default: null

mailserver.borgbackup.compression.method

Leaving this unset allows borg to choose. The default for borg 1.1.4 is lz4.

type: null or one of "none", "lz4", "zstd", "zlib", "lzma"
default: null

mailserver.borgbackup.enable

Whether to enable backup via borgbackup.

type: boolean
default: false
example: true

mailserver.borgbackup.encryption.method

The backup can be encrypted by choosing any other value than 'none'. When using encryption the password/passphrase must be provided in passphraseFile.

type: one of "none", "authenticated", "authenticated-blake2", "repokey", "keyfile", "repokey-blake2", "keyfile-blake2"
default: "none"

mailserver.borgbackup.encryption.passphraseFile

Path to a file containing the encryption password or passphrase.

type: null or absolute path
default: null

mailserver.borgbackup.extraArgumentsForCreate

Additional arguments to add to the borg create command line e.g. '--stats'.

type: list of string
default: [ ]

mailserver.borgbackup.extraArgumentsForInit

Additional arguments to add to the borg init command line.

type: list of string
default:
```
[
  "--critical"
]
```

mailserver.borgbackup.group

The group borg and its launch script is run as.

type: string
default: "virtualMail"

mailserver.borgbackup.locations

The locations that are to be backed up by borg.

type: list of absolute path
default: [ config.mailserver.storage.path ]

mailserver.borgbackup.name

The name of the individual backups as used by borg. Certain placeholders will be replaced by borg.

type: string
default: "{hostname}-{user}-{now}"

mailserver.borgbackup.repoLocation

The location where borg saves the backups. This can be a local path or a remote location such as user@host:/path/to/repo. It is exported and thus available as an environment variable to mailserver.borgbackup.cmdPreexec and mailserver.borgbackup.cmdPostexec.

type: string
default: "/var/borgbackup"

mailserver.borgbackup.startAt

When or how often the backup should run. Must be in the format described in systemd.time 7.

type: string
default: "hourly"

mailserver.borgbackup.user

The user borg and its launch script is run as.

type: string
default: "virtualMail"

Mailserver options

mailserver

mailserver.accounts

mailserver.x509

mailserver.storage

mailserver.dkim

mailserver.srs

mailserver.dmarcReporting

mailserver.tlsrpt

mailserver.fullTextSearch

mailserver.redis

mailserver.ldap

mailserver.monitoring

mailserver.backup

mailserver.borgbackup

`mailserver`

`mailserver.accounts`

`mailserver.x509`

`mailserver.storage`

`mailserver.dkim`

`mailserver.srs`

`mailserver.dmarcReporting`

`mailserver.tlsrpt`

`mailserver.fullTextSearch`

`mailserver.redis`

`mailserver.ldap`

`mailserver.monitoring`

`mailserver.backup`

`mailserver.borgbackup`