Mailserver options

mailserver

mailserver.acmeCertificateName

(mailserver.certificateScheme == acme)

When the acme certificateScheme is selected, you can use this option to override the default certificate name. This is useful if you've generated a wildcard certificate, for example.

  • type: string

  • default: config.mailserver.fqdn

  • example: "example.com"

mailserver.debug.all

Whether to enable verbose logging for all mailserver related services. This intended be used for development purposes only, you probably don't want to enable this unless you're hacking on nixos-mailserver.

  • type: boolean

  • default: false

mailserver.debug.dovecot

Whether to enable verbose logging for Dovecot.

  • type: boolean

  • default: config.mailserver.debug.all

mailserver.debug.rspamd

Whether to enable verbose logging for Rspamd.

  • type: boolean

  • default: config.mailserver.debug.all

mailserver.domains

The domains that this mail server serves.

  • type: list of string

  • default: [ ]

  • example:

    [
  "example.com"
]
mailserver.enable

Whether to enable nixos-mailserver.

  • type: boolean

  • default: false

  • example: true

mailserver.enableImap

Whether to enable IMAP with STARTTLS on port 143.

The use of this port is deprecated per RFC 8314 4.1.

  • type: boolean

  • default: false

mailserver.enableImapSsl

Whether to enable IMAP with TLS in wrapper-mode on port 993.

  • type: boolean

  • default: true

mailserver.enableManageSieve

Whether to enable ManageSieve, setting this option to true will open port 4190 in the firewall.

The ManageSieve protocol allows users to manage their Sieve scripts on a remote server with a supported client, including Thunderbird.

  • type: boolean

  • default: false

mailserver.enableNixpkgsReleaseCheck

Whether to check for a release mismatch between NixOS mailserver and Nixpkgs.

Using mismatched versions is likely to cause compatibility issues and may require migrations that make an eventual rollback tricky.

It is therefore highly recommended to use a release of NixOS mailserver that corresponds with your chosen release of Nixpkgs.

  • type: boolean

  • default: true

mailserver.enablePop3

Whether to enable POP3 with STARTTLS on port on port 110.

The use of this port is deprecated per RFC 8314 4.1.

  • type: boolean

  • default: false

mailserver.enablePop3Ssl

Whether to enable POP3 with TLS in wrapper-mode on port 995.

  • type: boolean

  • default: false

mailserver.enableSubmission

Whether to enable SMTP with STARTTLS on port 587.

The use of this port is discouraged per RFC 8314 3.3, see also Appendix A.

  • type: boolean

  • default: false

mailserver.enableSubmissionSsl

Whether to enable SMTP with TLS in wrapper-mode on port 465.

  • type: boolean

  • default: true

mailserver.extraVirtualAliases

Virtual Aliases. A virtual alias "info@example.com" = "user1@example.com" means that all mail to info@example.com is forwarded to user1@example.com. Note that it is expected that postmaster@example.com and abuse@example.com is forwarded to some valid email address. (Alternatively you can create login accounts for postmaster and (or) abuse). Furthermore, it also allows the user user1@example.com to send emails as info@example.com. It's also possible to create an alias for multiple accounts. In this example all mails for multi@example.com will be forwarded to both user1@example.com and user2@example.com.

  • type: attribute set of ((Login Account) or non-empty (list of (Login Account)))

  • default: { }

  • example:

    {
  "abuse@example.com" = "user1@example.com";
  "info@example.com" = "user1@example.com";
  "multi@example.com" = [
    "user1@example.com"
    "user2@example.com"
  ];
  "postmaster@example.com" = "user1@example.com";
}
mailserver.forwards

To forward mails to an external address. For instance, the value {"user@example.com" = "user@elsewhere.com";} means that mails to user@example.com are forwarded to user@elsewhere.com. The difference with the mailserver.extraVirtualAliases option is that user@elsewhere.com can't send mail as user@example.com. Also, this option allows to forward mails to external addresses.

  • type: attribute set of ((list of string) or string)

  • default: { }

  • example:

    {
  "user@example.com" = "user@elsewhere.com";
}
mailserver.fqdn

The fully qualified domain name of the mail server.

  • type: string

  • example: "mx.example.com"

mailserver.hierarchySeparator

The hierarchy separator for mailboxes used by dovecot for the namespace 'inbox'. Dovecot defaults to "." but recommends "/". This affects how mailboxes appear to mail clients and sieve scripts. For instance when using "." then in a sieve script "example.com" would refer to the mailbox "com" in the parent mailbox "example". This does not determine the way your mails are stored on disk. See https://doc.dovecot.org/main/core/config/namespaces.html#namespaces for details.

  • type: string

  • default: "."

mailserver.imapMemoryLimit

The memory limit for the imap service, in megabytes.

  • type: signed integer

  • default: 256

mailserver.indexDir

Folder to store search indices. If null, indices are stored along with email, which could not necessarily be desirable, especially when mailserver.fullTextSearch.enable is true since indices it creates are voluminous and do not need to be backed up.

Be careful when changing this option value since all indices would be recreated at the new location (and clients would need to resynchronize).

Note the some variables can be used in the file path. See https://doc.dovecot.org/2.3/configuration_manual/mail_location/#variables for details.

  • type: null or string

  • default: null

  • example: "/var/lib/dovecot/indices"

mailserver.keyFile

(mailserver.certificateScheme == manual)

Location of the key file.

  • type: absolute path

  • example: "/root/mail-server.key"

mailserver.lmtpMemoryLimit

The memory limit for the LMTP service, in megabytes.

  • type: signed integer

  • default: 256

mailserver.lmtpSaveToDetailMailbox

If an email address is delimited by a "+", should it be filed into a mailbox matching the string after the "+"? For example, user1+test@example.com would be filed into the mailbox "test".

  • type: one of "yes", "no"

  • default: "yes"

mailserver.localDnsResolver

Runs a local DNS resolver (kresd) as recommended when running rspamd. This prevents your log file from filling up with rspamd_monitored_dns_mon entries.

  • type: boolean

  • default: true

mailserver.mailDirectory

Where to store the mail.

  • type: absolute path

  • default: "/var/vmail"

mailserver.mailboxes

The mailboxes for dovecot. Depending on the mail client used it might be necessary to change some mailbox's name.

  • type: unspecified value

  • default:

    {
  Drafts = {
    auto = "subscribe";
    specialUse = "Drafts";
  };
  Junk = {
    auto = "subscribe";
    specialUse = "Junk";
  };
  Sent = {
    auto = "subscribe";
    specialUse = "Sent";
  };
  Trash = {
    auto = "no";
    specialUse = "Trash";
  };
}
mailserver.maxConnectionsPerUser

Maximum number of IMAP/POP3 connections allowed for a user from each IP address. E.g. a value of 50 allows for 50 IMAP and 50 POP3 connections at the same time for a single user.

  • type: signed integer

  • default: 100

mailserver.messageSizeLimit

Message size limit enforced by Postfix.

  • type: signed integer

  • default: 20971520

  • example: 52428800

mailserver.openFirewall

Automatically open ports in the firewall.

  • type: boolean

  • default: true

mailserver.quotaStatusMemoryLimit

The memory limit for the quota-status service, in megabytes.

  • type: signed integer

  • default: 256

mailserver.recipientDelimiter

Configure the recipient delimiter.

  • type: string

  • default: "+"

mailserver.rejectRecipients

Reject emails addressed to these local addresses from unauthorized senders. Use if a spammer has found email addresses in a catchall domain but you do not want to disable the catchall.

  • type: list of string

  • default: [ ]

  • example:

    [
  "sales@example.com"
  "info@example.com"
]
mailserver.rejectSender

Reject emails from these addresses from unauthorized senders. Use if a spammer is using the same domain or the same sender over and over.

  • type: list of string

  • default: [ ]

  • example:

    [
  "example.com"
  "spammer@example.net"
]
mailserver.rewriteMessageId

Rewrites the Message-ID's hostname-part of outgoing emails to the FQDN. Please be aware that this may cause problems with some mail clients relying on the original Message-ID.

  • type: boolean

  • default: false

mailserver.sendingFqdn

The fully qualified domain name of the mail server used to identify with remote servers.

If this server's IP serves purposes other than a mail server, it may be desirable for the server to have a name other than that to which the user will connect. For example, the user might connect to mx.example.com, but the server's IP has reverse DNS that resolves to myserver.example.com; in this scenario, some mail servers may reject or penalize the message.

This setting allows the server to identify as myserver.example.com when forwarding mail, independently of mailserver.fqdn (which, for SSL reasons, should generally be the name to which the user connects).

Set this to the name to which the sending IP's reverse DNS resolves.

mailserver.sieveDirectory

Where to store the sieve scripts.

  • type: absolute path

  • default: "/var/sieve"

mailserver.stateVersion

Tracking stateful version changes as an incrementing number.

When a new release comes out we may require manual migration steps to be completed, before the new version can be put into production.

If your stateVersion is too low one or multiple assertions may trigger to give you instructions on what migrations steps are required to continue. Increase the stateVersion as instructed by the assertion message.

  • type: null or (positive integer, meaning >0)

  • default: null

mailserver.systemContact

The email address where the administrative contact for this mail server is reachable.

Currently, this is only required when one of the following features is enabled:

  • SMTP TLS reports (mailserver.tlsrpt.enable)

  • type: string

  • example: "postmaster@example.com"

mailserver.systemDomain

The primary domain used for sending automated reports.

  • type: string

  • default:

    if config.networking.domain != null && lib.elem config.networking.domain cfg.domains then
  config.networking.domain
else
  lib.head cfg.domains

  • example: config.networking.domain

mailserver.systemName

The sender name given in automated reports.

  • type: string

  • default: ${config.mailserver.systemDomain} mail system

  • example: "ACME Corp."

mailserver.tlsrpt.enable

Whether to enable delivery of SMTP TLS reports according to RFC 8460.

  • type: boolean

  • default: false

  • example: true

mailserver.useFsLayout

Sets whether dovecot should organize mail in subdirectories:

  • /var/vmail/example.com/user/.folder.subfolder/ (default layout)

  • /var/vmail/example.com/user/folder/subfolder/ (FS layout)

See https://doc.dovecot.org/main/core/config/mailbox_formats/maildir.html#maildir-mailbox-format for details.

  • type: boolean

  • default: false

mailserver.useUTF8FolderNames

Store mailbox names on disk using UTF-8 instead of modified UTF-7 (mUTF-7).

  • type: boolean

  • default: false

mailserver.virusScanning

Whether to activate virus scanning. Note that virus scanning is very expensive memory wise.

  • type: boolean

  • default: false

mailserver.vmailGroupName

The user name and group name of the user that owns the directory where all the mail is stored.

  • type: string

  • default: "virtualMail"

mailserver.vmailUID

The unix UID of the virtual mail user. Be mindful that if this is changed, you will need to manually adjust the permissions of mailDirectory.

  • type: signed integer

  • default: 5000

mailserver.vmailUserName

The user name and group name of the user that owns the directory where all the mail is stored.

  • type: string

  • default: "virtualMail"

mailserver.loginAccounts

mailserver.loginAccounts

The login account of the domain. Every account is mapped to a unix user, e.g. user1@example.com. To generate the passwords use mkpasswd as follows

nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'

  • type: attribute set of (submodule)

  • default: { }

  • example:

    {
  user1 = {
    hashedPassword = "$6$evQJs5CFQyPAW09S$Cn99Y8.QjZ2IBnSu4qf1vBxDRWkaIZWOtmu1Ddsm3.H3CFpeVc0JU4llIq8HQXgeatvYhh5O33eWG3TSpjzu6/";
  };
  user2 = {
    hashedPassword = "$6$oE0ZNv2n7Vk9gOf$9xcZWCCLGdMflIfuA0vR1Q1Xblw6RZqPrP94mEit2/81/7AKj2bqUai5yPyWE.QYPyv6wLMHZvjw3Rlg7yTCD/";
  };
}
mailserver.loginAccounts.<name>.aliases

A list of aliases of this login account. Note: Use list entries like "@example.com" to create a catchAll that allows sending from all email addresses in these domain.

  • type: list of string

  • default: [ ]

  • example:

    [
  "abuse@example.com"
  "postmaster@example.com"
]
mailserver.loginAccounts.<name>.aliasesRegexp

Same as mailserver.aliases but using PCRE (Perl compatible regex).

  • type: list of string

  • default: [ ]

  • example:

    [
  "/^tom\\..*@domain\\.com$/"
]
mailserver.loginAccounts.<name>.catchAll

For which domains should this account act as a catch all? Note: Does not allow sending from all addresses of these domains.

  • type: list of value "example.com" (singular enum)

  • default: [ ]

  • example:

    [
  "example.com"
  "example2.com"
]
mailserver.loginAccounts.<name>.hashedPassword

The user's hashed password. Use mkpasswd as follows

nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'

Warning: this is stored in plaintext in the Nix store! Use mailserver.loginAccounts.<name>.hashedPasswordFile instead.

  • type: null or string

  • default: null

  • example: "$6$evQJs5CFQyPAW09S$Cn99Y8.QjZ2IBnSu4qf1vBxDRWkaIZWOtmu1Ddsm3.H3CFpeVc0JU4llIq8HQXgeatvYhh5O33eWG3TSpjzu6/"

mailserver.loginAccounts.<name>.hashedPasswordFile

A file containing the user's hashed password. Use mkpasswd as follows

nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'

  • type: null or absolute path

  • default: null

  • example: "/run/keys/user1-passwordhash"

mailserver.loginAccounts.<name>.name

Username

  • type: string

  • example: "user1@example.com"

mailserver.loginAccounts.<name>.quota

Per user quota rules. Accepted sizes are xx k/M/G/T with the obvious meaning. Leave blank for the standard quota 100G.

  • type: null or string

  • default: null

  • example: "2G"

mailserver.loginAccounts.<name>.sendOnly

Specifies if the account should be a send-only account. Emails sent to send-only accounts will be rejected from unauthorized senders with the sendOnlyRejectMessage stating the reason.

  • type: boolean

  • default: false

mailserver.loginAccounts.<name>.sendOnlyRejectMessage

The message that will be returned to the sender when an email is sent to a send-only account. Only used if the account is marked as send-only.

  • type: string

  • default: "This account cannot receive emails."

mailserver.loginAccounts.<name>.sieveScript

Per-user sieve script.

  • type: null or strings concatenated with "\n"

  • default: null

  • example:

    ''
  require ["fileinto", "mailbox"];

  if address :is "from" "gitlab@mg.gitlab.com" {
    fileinto :create "GitLab";
    stop;
  }

  # This must be the last rule, it will check if list-id is set, and
  # file the message into the Lists folder for further investigation
  elsif header :matches "list-id" "<?*>" {
    fileinto :create "Lists";
    stop;
  }
''

mailserver.certificate

mailserver.certificateDirectory

(mailserver.certificateScheme == selfsigned)

This is the folder where the self-signed certificate will be created. The name is hardcoded to "cert-DOMAIN.pem" and "key-DOMAIN.pem" and the certificate is valid for 10 years.

  • type: absolute path

  • default: "/var/certs"

mailserver.certificateDomains

(mailserver.certificateScheme == acme-nginx)

Secondary domains and subdomains for which it is necessary to generate a certificate.

  • type: list of string

  • default: [ ]

  • example:

    [
  "imap.example.com"
  "pop3.example.com"
]
mailserver.certificateFile

(mailserver.certificateScheme == manual)

Location of the certificate.

  • type: absolute path

  • example: "/root/mail-server.crt"

mailserver.certificateScheme

The scheme to use for managing TLS certificates:

  1. manual: you specify locations via mailserver.certificateFile and mailserver.keyFile and manually copy certificates there.

  2. selfsigned: you let the server create new (self-signed) certificates on the fly.

  3. acme-nginx: you let the server request certificates from Let's Encrypt via NixOS' ACME module. By default, this will set up a stripped-down Nginx server for mailserver.fqdn and open port 80. For this to work, the FQDN must be properly configured to point to your server (see the setup guide for more information).

  4. acme: you already have an ACME certificate set up (for example, you're already running a TLS-enabled Nginx server on the FQDN). This is better than manual because the appropriate services will be reloaded when the certificate is renewed.

  • type: (one of "manual", "selfsigned", "acme-nginx", "acme") or (one of 1, 2, 3) convertible to it

  • default: "selfsigned"

mailserver.dkim

mailserver.dkimKeyBits

How many bits in generated DKIM keys. RFC8301 suggests a minimum RSA key length of 2048 bit.

If you have already deployed a key with a different number of bits than specified here, then you should use a different selector (mailserver.dkimSelector). In order to get this package to generate a key with the new number of bits, you will either have to change the selector or delete the old key file.

  • type: signed integer

  • default: 2048

mailserver.dkimKeyDirectory

The DKIM directory.

  • type: absolute path

  • default: "/var/dkim"

mailserver.dkimKeyType

The key type used for generating DKIM keys. ED25519 was introduced in RFC6376 (2018).

If you have already deployed a key with a different type than specified here, then you should use a different selector (mailserver.dkimSelector). In order to get this package to generate a key with the new type, you will either have to change the selector or delete the old key file.

  • type: one of "rsa", "ed25519"

  • default: "rsa"

mailserver.dkimSelector

The DKIM selector.

  • type: string

  • default: "mail"

mailserver.dkimSigning

Whether to activate dkim signing.

  • type: boolean

  • default: true

mailserver.srs

mailserver.srs.domain

Mail domain used for ephemeral SRS envelope addresses.

Note

This domain can only support relaxed SPF alignment.

Important

For privacy reasons you should use a dedicated domain when serving multiple unrelated domains.

  • type: null or string

  • default: config.mailserver.systemDomain

  • example: "srs.example.com"

mailserver.srs.enable

Whether to enable Sender Rewrite Scheme.

  • type: boolean

  • default: false

  • example: true

mailserver.dmarcReporting

mailserver.dmarcReporting.enable

Whether to send out aggregated, daily DMARC reports in response to incoming mail, when the sender domain defines a DMARC policy including the RUA tag.

This is helpful for the mail ecosystem, because it allows third parties to get notified about SPF/DKIM violations originating from their sender domains.

See https://rspamd.com/doc/modules/dmarc.html#reporting

  • type: boolean

  • default: false

mailserver.dmarcReporting.excludeDomains

List of domains or eSLDs to be excluded from DMARC reports.

  • type: list of string

  • default: [ ]

mailserver.fullTextSearch

mailserver.fullTextSearch.autoIndex

Enable automatic indexing of messages as they are received or modified.

  • type: boolean

  • default: true

mailserver.fullTextSearch.autoIndexExclude

Mailboxes to exclude from automatic indexing.

  • type: list of string

  • default: [ ]

  • example:

    [
  "\\Trash"
  "SomeFolder"
  "Other/*"
]
mailserver.fullTextSearch.enable

Whether to enable Full text search indexing with Xapian through the fts_flatcurve plugin. This has significant performance and disk space cost. .

  • type: boolean

  • default: false

  • example: true

mailserver.fullTextSearch.enforced

Fail searches when no index is available. If set to body, then only body searches (as opposed to header) are affected. If set to no, searches may fall back to a very slow brute force search.

  • type: one of "yes", "no", "body"

  • default: "no"

mailserver.fullTextSearch.filters

The list of filters to apply. https://doc.dovecot.org/main/core/plugins/fts.html#filter-configuration.

  • type: list of string

  • default:

    [
  "normalizer-icu"
  "snowball"
  "stopwords"
]
mailserver.fullTextSearch.headerExcludes

The list of headers to exclude. See https://doc.dovecot.org/main/core/plugins/fts.html#fts_header_excludes.

  • type: list of string

  • default:

    [
  "Received"
  "DKIM-*"
  "X-*"
  "Comments"
]
mailserver.fullTextSearch.languages

A list of languages that the full text search should detect. At least one language must be specified. The language listed first is the default and is used when language recognition fails. See https://doc.dovecot.org/main/core/plugins/fts.html#fts_languages.

  • type: non-empty (list of string)

  • default:

    [
  "en"
]

  • example:

    [
  "en"
  "de"
]
mailserver.fullTextSearch.memoryLimit

Memory limit for the indexer process, in MiB. If null, leaves the default (which is rather low), and if 0, no limit.

  • type: null or signed integer

  • default: null

  • example: 2000

mailserver.fullTextSearch.substringSearch

If enabled, allows substring searches. See https://doc.dovecot.org/main/core/plugins/fts_flatcurve.html#fts_flatcurve_substring_search.

Enabling this requires significant additional storage space.

  • type: boolean

  • default: false

mailserver.redis

mailserver.redis.address

Path, IP address or hostname that Rspamd should use to contact Redis.

  • type: string

  • default: config.services.redis.servers.rspamd.unixSocket

mailserver.redis.configureLocally

Whether to provision a local Redis instance.

  • type: boolean

  • default: true

mailserver.redis.password

Password that rspamd should use to contact redis, or null if not required.

  • type: null or string

  • default: config.services.redis.servers.rspamd.requirePass

mailserver.redis.port

Port that Rspamd should use to contact Redis.

  • type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  • default: null

  • example: config.services.redis.servers.rspamd.port

mailserver.ldap

mailserver.ldap.bind.dn

Distinguished name used by the mail server to do lookups against the LDAP servers.

  • type: string

  • example: "cn=mail,ou=accounts,dc=example,dc=com"

mailserver.ldap.bind.passwordFile

A file containing the password required to authenticate against the LDAP servers.

  • type: string

  • example: "/run/my-secret"

mailserver.ldap.dovecot.passAttrs

LDAP attributes to be retrieved during passdb lookups.

See the pass_attrs reference at https://doc.dovecot.org/2.3/configuration_manual/authentication/ldap_settings_auth/#pass-attrs in the Dovecot manual.

  • type: string

  • default: "userPassword=password"

mailserver.ldap.dovecot.passFilter

Filter for password lookups in Dovecot.

See the pass_filter reference for https://doc.dovecot.org/2.3/configuration_manual/authentication/ldap_settings_auth/#pass-filter in the Dovecot manual.

  • type: null or string

  • default: "mail=%{user}"

  • example: "(&(objectClass=inetOrgPerson)(mail=%{user}))"

mailserver.ldap.dovecot.userAttrs

LDAP attributes to be retrieved during userdb lookups.

See the users_attrs reference at https://doc.dovecot.org/2.3/configuration_manual/authentication/ldap_settings_auth/#user-attrs in the Dovecot manual.

  • type: null or string

  • default: null

mailserver.ldap.dovecot.userFilter

Filter for user lookups in Dovecot.

See the user_filter reference at https://doc.dovecot.org/2.3/configuration_manual/authentication/ldap_settings_auth/#user-filter in the Dovecot manual.

  • type: string

  • default: "mail=%{user}"

  • example: "(&(objectClass=inetOrgPerson)(mail=%{user}))"

mailserver.ldap.enable

Whether to enable LDAP support.

  • type: boolean

  • default: false

  • example: true

mailserver.ldap.postfix.filter

LDAP filter used to search for an account by mail, where %s is a substitute for the address in question.

  • type: string

  • default: "mail=%s"

  • example: "(&(objectClass=inetOrgPerson)(mail=%s))"

mailserver.ldap.postfix.mailAttribute

The LDAP attribute holding mail addresses for a user.

  • type: string

  • default: "mail"

mailserver.ldap.postfix.uidAttribute

The LDAP attribute referencing the account name for a user.

  • type: string

  • default: "mail"

  • example: "uid"

mailserver.ldap.searchBase

Base DN at below which to search for users accounts.

  • type: string

  • example: "ou=people,ou=accounts,dc=example,dc=com"

mailserver.ldap.searchScope

Search scope below which users accounts are looked for.

  • type: one of "sub", "base", "one"

  • default: "sub"

mailserver.ldap.startTls

Whether to enable StartTLS upon connection to the server.

  • type: boolean

  • default: false

mailserver.ldap.tlsCAFile

Certifificate trust anchors used to verify the LDAP server certificate.

  • type: absolute path

  • default: see source

mailserver.ldap.uris

URIs where your LDAP server can be reached

  • type: list of string

  • example:

    [
  "ldaps://ldap1.example.com"
  "ldaps://ldap2.example.com"
]

mailserver.monitoring

mailserver.monitoring.alertAddress

The email address to send alerts to.

  • type: string

mailserver.monitoring.config

The configuration used for monitoring via monit. Use a mail address that you actively check and set it via 'set alert ...'.

  • type: string

  • default: see source

mailserver.monitoring.enable

Whether to enable monitoring via monit.

  • type: boolean

  • default: false

  • example: true

mailserver.backup

mailserver.backup.cmdPostexec

The command to be executed after each backup operation. This is wrapped in a shell script to be called by rsnapshot.

  • type: null or string

  • default: null

mailserver.backup.cmdPreexec

The command to be executed before each backup operation. This is wrapped in a shell script to be called by rsnapshot.

  • type: null or string

  • default: null

mailserver.backup.cronIntervals

Periodicity at which intervals should be run by cron. Note that the intervals also have to exist in configuration as retain options.

  • type: attribute set of string

  • default:

    {
  daily = "30  3  *  *  *";
  hourly = " 0  *  *  *  *";
  weekly = " 0  5  *  *  0";
}
mailserver.backup.enable

Whether to enable backup via rsnapshot.

  • type: boolean

  • default: false

  • example: true

mailserver.backup.retain.daily

How many daily snapshots are retained.

  • type: signed integer

  • default: 7

mailserver.backup.retain.hourly

How many hourly snapshots are retained.

  • type: signed integer

  • default: 24

mailserver.backup.retain.weekly

How many weekly snapshots are retained.

  • type: signed integer

  • default: 54

mailserver.backup.snapshotRoot

The directory where rsnapshot stores the backup.

  • type: absolute path

  • default: "/var/rsnapshot"

mailserver.borgbackup

mailserver.borgbackup.cmdPostexec

The command to be executed after each backup operation. This is called after borg create completed successfully and in the same script that runs cmdPreexec, borg init and create.

  • type: null or string

  • default: null

mailserver.borgbackup.cmdPreexec

The command to be executed before each backup operation. This is called prior to borg init in the same script that runs borg init and create and cmdPostexec.

  • type: null or string

  • default: null

  • example:

    ''
  export BORG_RSH="ssh -i /path/to/private/key"
''
mailserver.borgbackup.compression.auto

Leaves it to borg to determine whether an individual file should be compressed.

  • type: boolean

  • default: false

mailserver.borgbackup.compression.level

Denotes the level of compression used by borg. Most methods accept levels from 0 to 9 but zstd which accepts values from 1 to 22. If null the decision is left up to borg.

  • type: null or signed integer

  • default: null

mailserver.borgbackup.compression.method

Leaving this unset allows borg to choose. The default for borg 1.1.4 is lz4.

  • type: null or one of "none", "lz4", "zstd", "zlib", "lzma"

  • default: null

mailserver.borgbackup.enable

Whether to enable backup via borgbackup.

  • type: boolean

  • default: false

  • example: true

mailserver.borgbackup.encryption.method

The backup can be encrypted by choosing any other value than 'none'. When using encryption the password/passphrase must be provided in passphraseFile.

  • type: one of "none", "authenticated", "authenticated-blake2", "repokey", "keyfile", "repokey-blake2", "keyfile-blake2"

  • default: "none"

mailserver.borgbackup.encryption.passphraseFile

Path to a file containing the encryption password or passphrase.

  • type: null or absolute path

  • default: null

mailserver.borgbackup.extraArgumentsForCreate

Additional arguments to add to the borg create command line e.g. '--stats'.

  • type: list of string

  • default: [ ]

mailserver.borgbackup.extraArgumentsForInit

Additional arguments to add to the borg init command line.

  • type: list of string

  • default:

    [
  "--critical"
]
mailserver.borgbackup.group

The group borg and its launch script is run as.

  • type: string

  • default: "virtualMail"

mailserver.borgbackup.locations

The locations that are to be backed up by borg.

  • type: list of absolute path

  • default: [ config.mailserver.mailDirectory ]

mailserver.borgbackup.name

The name of the individual backups as used by borg. Certain placeholders will be replaced by borg.

  • type: string

  • default: "{hostname}-{user}-{now}"

mailserver.borgbackup.repoLocation

The location where borg saves the backups. This can be a local path or a remote location such as user@host:/path/to/repo. It is exported and thus available as an environment variable to mailserver.borgbackup.cmdPreexec and mailserver.borgbackup.cmdPostexec.

  • type: string

  • default: "/var/borgbackup"

mailserver.borgbackup.startAt

When or how often the backup should run. Must be in the format described in systemd.time 7.

  • type: string

  • default: "hourly"

mailserver.borgbackup.user

The user borg and its launch script is run as.

  • type: string

  • default: "virtualMail"