Mailserver options

`mailserver`

mailserver.aliases

type: attribute set of ((Login Account) or non-empty (list of (Login Account)))
default: { }

example:

{
  "abuse@example.com" = "user1@example.com";
  "multi@example.com" = [
    "user1@example.com"
    "user2@example.com"
  ];
  "postmaster@example.com" = "user1@example.com";
}

Aliases are additional mail addresses routed to one or more existing local accounts.

The target accounts are allowed to use the alias as the sender address.

Note

This feature is limited to local accounts and does not support LDAP or other external accounts.

mailserver.debug.all

type: boolean
default: false

Whether to enable verbose logging for all mailserver related services. This intended be used for development purposes only, you probably don't want to enable this unless you're hacking on nixos-mailserver.

mailserver.debug.dovecot

type: boolean
default: config.mailserver.debug.all

Whether to enable verbose logging for Dovecot.

mailserver.debug.rspamd

type: boolean
default: config.mailserver.debug.all

Whether to enable verbose logging for Rspamd.

mailserver.domains

type: list of string
default: [ ]
example:
```
[
  "example.com"
]
```

The domains that this mail server serves.

mailserver.enable

type: boolean
default: false
example: true

Whether to enable nixos-mailserver.

mailserver.enableImap

type: boolean
default: false

Whether to enable IMAP with STARTTLS on port 143.

The use of this port is deprecated per RFC 8314 4.1.

mailserver.enableImapSsl

type: boolean
default: true

Whether to enable IMAP with TLS in wrapper-mode on port 993.

mailserver.enableManageSieve

type: boolean
default: false

Whether to enable ManageSieve, setting this option to true will open port 4190 in the firewall.

The ManageSieve protocol allows users to manage their Sieve scripts on a remote server with a supported client, including Thunderbird.

mailserver.enableNixpkgsReleaseCheck

type: boolean
default: true

Whether to check for a release mismatch between NixOS mailserver and Nixpkgs.

Using mismatched versions is likely to cause compatibility issues and may require migrations that make an eventual rollback tricky.

It is therefore highly recommended to use a release of NixOS mailserver that corresponds with your chosen release of Nixpkgs.

mailserver.enablePop3

type: boolean
default: false

Whether to enable POP3 with STARTTLS on port on port 110.

The use of this port is deprecated per RFC 8314 4.1.

mailserver.enablePop3Ssl

type: boolean
default: false

Whether to enable POP3 with TLS in wrapper-mode on port 995.

mailserver.enableSubmission

type: boolean
default: false

Whether to enable SMTP with STARTTLS on port 587.

The use of this port is discouraged per RFC 8314 3.3, see also Appendix A.

mailserver.enableSubmissionSsl

type: boolean
default: true

Whether to enable SMTP with TLS in wrapper-mode on port 465.

mailserver.forwards

type: attribute set of ((list of string) or string)
default: { }

example:

{
  "gamenight@example.com" = [
    "bob@example.com"
    "frank@example.org"
    "wendy@example.net"
  ];
  "user@example.com" = "user@example.edu";
}

Forwards route mail from local addresses to one or more local or external addresses.

Unlike mailserver.aliases, the target addresses cannot send mail using the forward address.

mailserver.fqdn

type: string
example: "mx.example.com"

The fully qualified domain name of the mail server.

mailserver.hierarchySeparator

type: string
default: "."

The hierarchy separator for mailboxes used by dovecot for the namespace 'inbox'. Dovecot defaults to "." but recommends "/". This affects how mailboxes appear to mail clients and sieve scripts. For instance when using "." then in a sieve script "example.com" would refer to the mailbox "com" in the parent mailbox "example". This does not determine the way your mails are stored on disk. See https://doc.dovecot.org/main/core/config/namespaces.html#namespaces for details.

mailserver.imapMemoryLimit

type: signed integer
default: 256

The memory limit for the imap service, in megabytes.

mailserver.indexDir

type: null or string
default: null
example: "/var/lib/dovecot/indices"

Folder to store search indices. If null, indices are stored along with email, which could not necessarily be desirable, especially when mailserver.fullTextSearch.enable is true since indices it creates are voluminous and do not need to be backed up.

Be careful when changing this option value since all indices would be recreated at the new location (and clients would need to resynchronize).

Note the some variables can be used in the file path. See https://doc.dovecot.org/2.3/configuration_manual/mail_location/#variables for details.

mailserver.lmtpMemoryLimit

type: signed integer
default: 256

The memory limit for the LMTP service, in megabytes.

mailserver.lmtpSaveToDetailMailbox

type: boolean
default: true

If an email address is delimited by a "+", should it be filed into a mailbox matching the string after the "+"? For example, user1+test@example.com would be filed into the mailbox "test".

mailserver.localDnsResolver

type: boolean
default: true

Runs a local DNS resolver (kresd) as recommended when running rspamd. This prevents your log file from filling up with rspamd_monitored_dns_mon entries.

mailserver.mailboxes

type: unspecified value

default:

{
  Drafts = {
    auto = "subscribe";
    special_use = "\\Drafts";
  };
  Junk = {
    auto = "subscribe";
    fts_autoindex = false;
    special_use = "\\Junk";
  };
  Sent = {
    auto = "subscribe";
    special_use = "\\Sent";
  };
  Trash = {
    auto = "no";
    fts_autoindex = false;
    special_use = "\\Trash";
  };
}

The default mailboxes for Dovecot maildirs.

The [special_use] option must refer to an RFC6154 2 attribute and lead with an escaped backslash.

Depending on the mail client used it might be necessary to change some mailbox's name.

mailserver.maxConnectionsPerUser

type: signed integer
default: 100

Maximum number of IMAP/POP3 connections allowed for a user from each IP address. E.g. a value of 50 allows for 50 IMAP and 50 POP3 connections at the same time for a single user.

mailserver.messageSizeLimit

type: signed integer
default: 20971520
example: 52428800

Message size limit enforced by Postfix.

mailserver.openFirewall

type: boolean
default: true

Automatically open ports in the firewall.

mailserver.recipientDelimiter

type: string
default: "+"

Configure the recipient delimiter.

mailserver.rejectRecipients

type: list of string
default: [ ]

example:

[
  "sales@example.com"
  "info@example.com"
]

Reject emails addressed to these local addresses from unauthorized senders. Use if a spammer has found email addresses in a catchall domain but you do not want to disable the catchall.

mailserver.rejectSender

type: list of string
default: [ ]

example:

[
  "example.com"
  "spammer@example.net"
]

Reject emails from these addresses from unauthorized senders. Use if a spammer is using the same domain or the same sender over and over.

mailserver.rejectSenderMessage

type: string
default: ""
example: "Your e-mail has not been delivered because we have blocked your e-mail address. If you believe that your e-mail address has been blocked by mistake, or if you have any other legitimate concern, please contact <address>."

SMTP message returned to rejected senders. If not set the Postfix default will be used.

The message must be a single line and typically much shorter than 512 characters.

This could for example be used to provide a contact method (postal address, phone or alternative email) so rejected senders can exercise their Art. 21 GDPR right to object.

It is good practice to inform senders in advance that their email addresses may be processed for this purpose in accordance with Art. 13 GDPR. Storing their mail address for this purpose is generally regarded as a legitimate interest.

mailserver.rewriteMessageId

type: boolean
default: false

Rewrites the Message-ID's hostname-part of outgoing emails to the FQDN. Please be aware that this may cause problems with some mail clients relying on the original Message-ID.

mailserver.sendingFqdn

type: string
default: mailserver.fqdn
example: "myserver.example.com"

The fully qualified domain name of the mail server used to identify with remote servers.

If this server's IP serves purposes other than a mail server, it may be desirable for the server to have a name other than that to which the user will connect. For example, the user might connect to mx.example.com, but the server's IP has reverse DNS that resolves to myserver.example.com; in this scenario, some mail servers may reject or penalize the message.

This setting allows the server to identify as myserver.example.com when forwarding mail, independently of mailserver.fqdn (which, for SSL reasons, should generally be the name to which the user connects).

Set this to the name to which the sending IP's reverse DNS resolves.

mailserver.stateVersion

type: null or (positive integer, meaning >0)
default: null

Tracking stateful version changes as an incrementing number.

When a new release comes out we may require manual migration steps to be completed, before the new version can be put into production.

If your stateVersion is too low one or multiple assertions may trigger to give you instructions on what migrations steps are required to continue. Increase the stateVersion as instructed by the assertion message.

mailserver.systemContact

type: string
example: "postmaster@example.com"

The email address where the administrative contact for this mail server is reachable.

Currently, this is only required when one of the following features is enabled:

SMTP TLS reports (mailserver.tlsrpt.enable)

mailserver.systemDomain

type: string

default:

if config.networking.domain != null && lib.elem config.networking.domain cfg.domains then
  config.networking.domain
else
  lib.head cfg.domains

example: config.networking.domain

The primary domain used for sending automated reports.

mailserver.systemName

type: string
default: ${config.mailserver.systemDomain} mail system
example: "ACME Corp."

The sender name given in automated reports.

mailserver.useUTF8FolderNames

type: boolean
default: false

Store mailbox names on disk using UTF-8 instead of modified UTF-7 (mUTF-7).

mailserver.virusScanning

type: boolean
default: false

Whether to activate virus scanning. Note that virus scanning is very expensive memory wise.

`mailserver.accounts`

mailserver.accounts

type: attribute set of (submodule)
default: { }

example:

{
  user1 = {
    # This password hash leaks into the Nix store
    hashedPassword = "$y$j9T$y6eZ1o.IvVNfdGMAsUEvh1$6K/llP52uw2iDh4iSwtAn54/JYy7FzCcoCHmjmx00H5";
  };
  user2 = {
    # Hashed password passed as a file
    hashedPasswordFile = "/run/keys/user2-pw-hash";
  };
  user3 = {
    # Plaintext password file
    passwordFile = "/run/keys/user3-pw";
  };
}

Attribute set of mail accounts.

Each entry defines a mailbox and login credentials, where the attribute name is used as the login username and optionally routed mail address.

Use mkpasswd to generate password hashes.

mailserver.accounts.<name>.aliases

type: list of string
default: [ ]

example:

[
  "abuse@example.com"
  "postmaster@example.com"
]

List of additional mail addresses (aliases) that get routed to this account.

Catch-all with sending permissions

Configure @example.com to create a catch-all for this domain that also allows sending from all addresses.

mailserver.accounts.<name>.aliasesRegexp

type: list of string
default: [ ]
example:
```
[
  "/^tom\\..*@domain\\.com$/"
]
```

Same as mailserver.accounts.<name>.aliases but using PCRE (Perl compatible regex).

mailserver.accounts.<name>.catchAll

type: list of value "example.com" (singular enum)
default: [ ]
example:
```
[
  "example.com"
  "example2.com"
]
```

For which domains should this account act as a catch all?

Warning

Does not allow sending from all addresses of these domains. Use mailserver.accounts.<name>.aliases if that is required.

mailserver.accounts.<name>.hashedPassword

type: null or string
default: null
example: "$y$j9T$vfGrwkAaXCjCEWtVNMQck1$383uIXQmn2z0hnmVAA8kwFQmjNj78.nYbvWeyNLIaP1"

The hashed login password for this account.

Use mkpasswd to create password hashes:

nix-shell -p mkpasswd --run 'mkpasswd -s'

Note

This is a convenience option, when your threat model allows storing hashed secrets in the world-readable Nix store.

Passing the hash through mailserver.accounts.<name>.hashedPasswordFile allows relying on filesystem discretionary access control as another security boundary.

mailserver.accounts.<name>.hashedPasswordFile

type: null or absolute path
default: null
example: "/run/keys/user1-pw-hash"

The hashed login password for this account read from a file.

Use `mkpasswd to create password hashes:

nix-shell -p mkpasswd --run 'mkpasswd -s'

mailserver.accounts.<name>.passwordFile

type: null or path not in the Nix store
default: null
example: "/run/keys/user1-pw"

The plaintext login password for this account read from a file.

Note

The password is hashed before it is passed on to Dovecot.

mailserver.accounts.<name>.quota

type: null or string
default: null
example: "2G"

The quota limit for this user.

The value is must use a size format like 500M, 2G, 10G.

If unset, will fall back to mailserver.quota.defaults.perUser if set.

mailserver.accounts.<name>.sendOnly

type: boolean
default: false

Specifies if the account should be a send-only account.

Emails sent to send-only accounts will be rejected with the reason configured in mailserver.accounts.<name>.sendOnlyRejectMessage.

mailserver.accounts.<name>.sendOnlyRejectMessage

type: string
default: "This account cannot receive emails."

The message returned to the sender for a send-only account.

See mailserver.accounts.<name>.sendOnly.

mailserver.accounts.<name>.sieveScript

type: null or strings concatenated with "\n"
default: null

example:

''
  require ["fileinto", "mailbox"];

  if address :is "from" "gitlab@mg.gitlab.com" {
    fileinto :create "GitLab";
    stop;
  }

  # This must be the last rule, it will check if list-id is set, and
  # file the message into the Lists folder for further investigation
  elsif header :matches "list-id" "<?*>" {
    fileinto :create "Lists";
    stop;
  }
''

Per-user sieve script.

`mailserver.x509`

mailserver.x509.certificateFile

type: null or absolute path
default: null
example: "/var/keys/certs/fullchain.pem"

Path to the signed X509 certificate including intermediate certificates.

This is commonly referred to as fullchain.pem.

Mutually exclusive with mailserver.x509.useACMEHost.

mailserver.x509.privateKeyFile

type: null or string
default: null
example: "/var/keys/certs/privkey.pem"

Path to the X509 private key.

This is commonly referred to as privkey.pem.

Mutually exclusive with mailserver.x509.useACMEHost.

mailserver.x509.useACMEHost

type: null or string
default: null
example: config.mailserver.fqdn

Common name used in the relevant security.acme.certs configuration.

Mutually exclusive with mailserver.x509.certificateFile and mailserver.x509.privateKeyFile.

`mailserver.storage`

mailserver.storage.directoryLayout

type: one of "fs", "Maildir++"
default: "Maildir++"

Sets whether dovecot should organize mail in subdirectories:

/var/vmail/example.com/user/.folder.subfolder/ (Maildir++ layout)
/var/vmail/example.com/user/folder/subfolder/ (FS layout)

See https://doc.dovecot.org/main/core/config/mailbox_formats/maildir.html#directory-layout for further details.

mailserver.storage.gid

type: positive integer, meaning >0
default: 5000

The group id of the primary group of the vmail user.

This group owns the mail storage directories. Access can be delegated to other users via group membership.

Warning

If you change this value you also need to manually adjust the ownership of your mailserver.storage.path.

mailserver.storage.group

type: string
default: "virtualMail"

The primary group name of the user that owns the mailserver.storage.path.

mailserver.storage.owner

type: string
default: "virtualMail"

The name of the user that owns the mailserver.storage.path.

mailserver.storage.path

type: absolute path
default: "/var/vmail"

Path on disk where mail home directories are stored.

mailserver.storage.uid

type: positive integer, meaning >0
default: 5000

The user id assigned to the vmail user.

This user owns the mail storage files and directories and is used by services accessing the mail store.

Warning

If you change this value you also need to manually adjust the ownership of your mailserver.storage.path.

`mailserver.dkim`

mailserver.dkim.defaults.keyLength

type: signed integer
default: 2048

The default key length used for generating new DKIM keys.

Only applies for RSA keys, Ed25519 keys use a fixed key length.

Per RFC8301 3.2 the minimum RSA key length should be at least 2048 bit.

This value should most likely not be changed. Once DKIM keys for domain and selector are generated changing this value will not regenerate the keypair. Instead create a new selector and configure mailserver.dkim.domains.<name>.selectors.<name>.keyLength.

mailserver.dkim.defaults.keyType

type: one of "rsa", "ed25519"
default: "rsa"

The key type used for generating DKIM keys. Ed25519 support was introduced in RFC6376 (2018).

Warning

Ed25519 DKIM keys are currently not recommended for sole use, as various DKIM validators out there lack support and consider the keypair invalid.

This value should most likely not be changed. Once DKIM keys for domain and selector are generated changing this value will not regenerate the keypair. Instead create a new selector and configure mailserver.dkim.domains.<name>.selectors.<name>.keyType.

mailserver.dkim.defaults.selector

type: string
default: "mail"

The default selector used to reference and lookup DKIM keys.

This value should most likely not be changed. Instead manage mailserver.dkim.domains.<name>.selectors to sign with one or multiple DKIM key pairs and manage migrations.

mailserver.dkim.domains

type: attribute set of (submodule)
default: { }

example:

{
  "example.com".selectors = {
    "mail" = {
      # inherit defaults from mailserver.dkim.defaults
    };
    "rsa-2026-03".keyFile = "/run/keys/example.com-dkim-rsa-2026-03.key";
  };
};

DKIM configuration per domain.

mailserver.dkim.domains.<name>.selectors

type: attribute set of (submodule)
default: { }

example:

{
  "mail" = {
    # inherit defaults from mailserver.dkim.defaults
  };
  "rsa-2026-03".keyFile = "/run/keys/example.com-dkim-rsa-2026-03.key";
};

DKIM selectors used for signing outgoing mail for this domain.

When no selector is configured a default selector will be created with settings inherited from mailserver.dkim.defaults.

mailserver.dkim.domains.<name>.selectors.<name>.keyFile

type: null or path not in the Nix store
default: null
example: "/run/keys/example.com-dkim-rsa-2026-03.key"

Path to an existing DKIM private key file.

DKIM keys can be generated using rspamadm dkim_keygen.

This option is mutually exclusive with keyType and keyLength.

mailserver.dkim.domains.<name>.selectors.<name>.keyLength

type: null or signed integer
default: null
example: 2048

The key length used for generating this DKIM key.

Only applies for RSA keys, Ed25519 keys use a fixed key size.

This option is mutually exclusive with keyFile.

mailserver.dkim.domains.<name>.selectors.<name>.keyType

type: null or one of "rsa", "ed25519"
default: null
example: "rsa"

The key type used for generating this DKIM keypair.

Warning

Ed25519 DKIM keys are currently not recommended for sole use, as various DKIM validators out there lack support and consider the keypair invalid.

This option is mutually exclusive with keyFile.

mailserver.dkim.enable

type: boolean
default: true
example: true

Whether to enable DKIM signing.

mailserver.dkim.keyDirectory

type: absolute path
default: "/var/dkim"

The path where DKIM siging keys are stored.

`mailserver.srs`

mailserver.srs.domain

type: null or string
default: config.mailserver.systemDomain
example: "srs.example.com"

Mail domain used for ephemeral SRS envelope addresses.

Note

This domain can only support relaxed SPF alignment.

Important

For privacy reasons you should use a dedicated domain when serving multiple unrelated domains.

mailserver.srs.enable

type: boolean
default: false
example: true

Whether to enable Sender Rewrite Scheme.

`mailserver.dmarcReporting`

mailserver.dmarcReporting.enable

type: boolean
default: false

Whether to send out aggregated, daily DMARC reports in response to incoming mail, when the sender domain defines a DMARC policy including the RUA tag.

This is helpful for the mail ecosystem, because it allows third parties to get notified about SPF/DKIM violations originating from their sender domains.

See https://rspamd.com/doc/modules/dmarc.html#reporting

mailserver.dmarcReporting.excludeDomains

type: list of string
default: [ ]

List of domains or eSLDs to be excluded from DMARC reports.

`mailserver.tlsrpt`

mailserver.tlsrpt.enable

type: boolean
default: false
example: true

Whether to enable delivery of SMTP TLS reports according to RFC 8460.

`mailserver.fullTextSearch`

mailserver.fullTextSearch.autoIndex

type: boolean
default: true

Enable automatic indexing of messages as they are received or modified.

Tip

Can be overridden per mailbox by setting fts_autoindex for mailserver.mailboxes. By default the Junk and Trash folders are already excluded.

mailserver.fullTextSearch.enable

type: boolean
default: false
example: true

Whether to enable Full text search indexing with Xapian through the fts_flatcurve plugin. This has significant performance and disk space cost. .

mailserver.fullTextSearch.fallback

type: boolean
default: true

Whether to fallback to slow non-indexed search, if FTS lookup and indexing have failed.

See https://doc.dovecot.org/main/core/plugins/fts.html#fts_search_read_fallback.

mailserver.fullTextSearch.filters

type: list of string

default:

[
  "normalizer-icu"
  "snowball"
  "stopwords"
]

The list of language filters to apply.

mailserver.fullTextSearch.headerExcludes

type: list of string

default:

[
  "Received"
  "DKIM-*"
  "X-*"
  "Comments"
]

The list of headers to exclude while indexing.

See https://doc.dovecot.org/main/core/plugins/fts.html#fts_header_excludes.

mailserver.fullTextSearch.languages

type: non-empty (list of string)
default:
```
[
  "en"
]
```
example:
```
[
  "en"
  "de"
]
```

A list of languages that the full text search should detect.

At least one language must be specified. The language listed first is the default and is used when language recognition fails.

See https://doc.dovecot.org/main/core/plugins/fts.html#languages.

mailserver.fullTextSearch.memoryLimit

type: null or signed integer
default: null
example: 1024

Memory limit for the indexer process, in MiB.

When null the default_vsz_limit applies while with 0 no limit is applied.

mailserver.fullTextSearch.substringSearch

type: boolean
default: false

Whether to allows substring searches. By default only prefix searches are supported.

Warning

Enabling this significantly increases storage requirements.

See https://doc.dovecot.org/main/core/plugins/fts_flatcurve.html#fts_flatcurve_substring_search.

`mailserver.quota`

mailserver.quota.defaults.perUser

type: null or string
default: null
example: "10G"

Default quota applied to all users.

The value must use a size format like 500M, 2G, 10G.

If set to null, no default per user quota is applied and only explicit per user quotas apply, if set.

mailserver.quota.enable

type: boolean
default: true

Whether to enable quota support.

When enabled, incoming mail can be rejected if a mailbox exceeds its quota.

mailserver.quotaStatusMemoryLimit

type: signed integer
default: 256

The memory limit for the quota-status service, in megabytes.

`mailserver.redis`

mailserver.redis.address

type: string
default: config.services.redis.servers.rspamd.unixSocket

Path, IP address or hostname that Rspamd should use to contact Redis.

mailserver.redis.configureLocally

type: boolean
default: true

Whether to provision a local Redis instance.

mailserver.redis.password

type: null or string
default: config.services.redis.servers.rspamd.requirePass

Password that rspamd should use to contact redis, or null if not required.

mailserver.redis.port

type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)
default: null
example: config.services.redis.servers.rspamd.port

Port that Rspamd should use to contact Redis.

`mailserver.ldap`

mailserver.ldap.attributes.mail

type: string
default: "mail"
example: "maildrop"

The attribute name used for looking up accounts by mail address.

Typically this can be the mail attribute from the inetOrgPerson schema, or the maildrop attribute from the unofficial Postfix schema.

mailserver.ldap.attributes.password

type: null or string
default: null
example: "userPassword"

The LDAP attribute referencing the account password used to login with.

The account passwords stored in LDAP must be hashed with a supported Password Scheme in order for Dovecot to understand them.

Typically the userPassword attribute which is part of the inetOrgPerson schema.

If null, Authentication Binds will be used instead.

mailserver.ldap.attributes.username

type: string
default: "uid"
example: "name"

The LDAP attribute referencing the username used to login with.

Typically the uid attribute which is part of the inetOrgPerson schema.

mailserver.ldap.attributes.uuid

type: string
default: "entryUUID"
example: "uuid"

The long-term stable LDAP attribute to reference accounts across username changes. Used to determine a stable Dovecot home and mail directory location.

Typically the entryUUID attribute as defined by RFC4530.

mailserver.ldap.base

type: string
example: "ou=people,ou=accounts,dc=example,dc=com"

Base DN below which user accounts are searched for.

mailserver.ldap.bind.dn

type: string
example: "cn=mail,ou=accounts,dc=example,dc=com"

DN used to bind against the LDAP server.

The server uses this account to lookup and filter accounts.

mailserver.ldap.bind.passwordFile

type: path not in the Nix store
example: "/run/my-secret"

File containing the password required to bind against the LDAP server.

Warning

The password file is read verbatim. Any trailing newline will become part of the password and may cause authentication failures.

mailserver.ldap.caFile

type: absolute path
default: ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt

Bundle of CA certificates used to authenticate the LDAP server certificate.

mailserver.ldap.dovecot.passFilter

type: null or string

default:

with config.mailserver.ldap.attributes; "${username}=%{user}";

example: "(&(memberOf=cn=mail_users,ou=groups,dc=example,dc=com)(uid=%{user}))"

LDAP filter used to restrict which users are eligible to authenticate against Dovecot.

See the pass_filter reference in the Dovecot manual.

mailserver.ldap.dovecot.userFilter

type: string

default:

with config.mailserver.ldap.attributes; "(|(${mail}=%{user})(${username}=%{user}))";

example: "(|(mail=%{user})(uid=%{user}))"

LDAP filter used for LMTP delivery from Postfix and post-login information construction, like the home directory.

See the user_filter reference at in the Dovecot manual.

mailserver.ldap.enable

type: boolean
default: false
example: true

Whether to enable LDAP support.

mailserver.ldap.postfix.filter

type: string

default:

with config.mailserver.ldap.attributes; "${mail}=%s";

example: "(mail=%s)"

LDAP filter used to search for an account by mail, where %s is a substitute for the address in question.

mailserver.ldap.scope

type: one of "base", "one", "sub"
default: "sub"

Search scope relative to the mailserver.ldap.base.

base: Only the exact Base DN
one: Immediate child entries of the Base DN, but not the Base DN itself.
sub: Base DN and all descendant entries at any depth.

In practice only one or sub are suitable for multiple LDAP users.

mailserver.ldap.startTls

type: boolean
default: false

Whether to enable StartTLS on ldap:// connections.

mailserver.ldap.uris

type: list of string
default: [ ]

example:

[
  "ldaps://ldap1.example.com"
  "ldaps://ldap2.example.com"
]

List of LDAP server URIs. Multiple can be specified.

Use ldaps:// for implicit TLS or ldap:// for a plain connection. See also mailserver.ldap.startTls to enable StartTLS on plain connections.

`mailserver.workarounds`

mailserver.workarounds.all

type: boolean
default: true

Whether to enable various workarounds for compatibility with other mail servers or clients. This is safe to enable and workarounds come and go. At times, this option may have no effect at all.

mailserver.workarounds.digicertRootDiscontinuation

type: boolean
default: config.mailserver.workarounds.all

Whether to patch Postfix's CA bundle to continue trusting the discontinued DigiCert Root CA.

This will allow Postfix to deliver mails to mail servers that still serve a certificate signed by this CA. Without this patch connections that enforce DANE or MTA-STS will break.

Microsoft Outlook is known to do this.

`mailserver.monitoring`

mailserver.monitoring.alertAddress

type: string

The email address to send alerts to.

mailserver.monitoring.config

type: string
default: see source

The configuration used for monitoring via monit. Use a mail address that you actively check and set it via 'set alert ...'.

mailserver.monitoring.enable

type: boolean
default: false
example: true

Whether to enable monitoring via monit.

`mailserver.backup`

mailserver.backup.cmdPostexec

type: null or string
default: null

The command to be executed after each backup operation. This is wrapped in a shell script to be called by rsnapshot.

mailserver.backup.cmdPreexec

type: null or string
default: null

The command to be executed before each backup operation. This is wrapped in a shell script to be called by rsnapshot.

mailserver.backup.cronIntervals

type: attribute set of string

default:

{
  daily = "30  3  *  *  *";
  hourly = " 0  *  *  *  *";
  weekly = " 0  5  *  *  0";
}

Periodicity at which intervals should be run by cron. Note that the intervals also have to exist in configuration as retain options.

mailserver.backup.enable

type: boolean
default: false
example: true

Whether to enable backup via rsnapshot.

mailserver.backup.retain.daily

type: signed integer
default: 7

How many daily snapshots are retained.

mailserver.backup.retain.hourly

type: signed integer
default: 24

How many hourly snapshots are retained.

mailserver.backup.retain.weekly

type: signed integer
default: 54

How many weekly snapshots are retained.

mailserver.backup.snapshotRoot

type: absolute path
default: "/var/rsnapshot"

The directory where rsnapshot stores the backup.

`mailserver.borgbackup`

mailserver.borgbackup.cmdPostexec

type: null or string
default: null

The command to be executed after each backup operation. This is called after borg create completed successfully and in the same script that runs cmdPreexec, borg init and create.

mailserver.borgbackup.cmdPreexec

type: null or string
default: null

example:

''
  export BORG_RSH="ssh -i /path/to/private/key"
''

The command to be executed before each backup operation. This is called prior to borg init in the same script that runs borg init and create and cmdPostexec.

mailserver.borgbackup.compression.auto

type: boolean
default: false

Leaves it to borg to determine whether an individual file should be compressed.

mailserver.borgbackup.compression.level

type: null or signed integer
default: null

Denotes the level of compression used by borg. Most methods accept levels from 0 to 9 but zstd which accepts values from 1 to 22. If null the decision is left up to borg.

mailserver.borgbackup.compression.method

type: null or one of "none", "lz4", "zstd", "zlib", "lzma"
default: null

Leaving this unset allows borg to choose. The default for borg 1.1.4 is lz4.

mailserver.borgbackup.enable

type: boolean
default: false
example: true

Whether to enable backup via borgbackup.

mailserver.borgbackup.encryption.method

type: one of "none", "authenticated", "authenticated-blake2", "repokey", "keyfile", "repokey-blake2", "keyfile-blake2"
default: "none"

The backup can be encrypted by choosing any other value than 'none'. When using encryption the password/passphrase must be provided in passphraseFile.

mailserver.borgbackup.encryption.passphraseFile

type: null or absolute path
default: null

Path to a file containing the encryption password or passphrase.

mailserver.borgbackup.extraArgumentsForCreate

type: list of string
default: [ ]

Additional arguments to add to the borg create command line e.g. '--stats'.

mailserver.borgbackup.extraArgumentsForInit

type: list of string
default:
```
[
  "--critical"
]
```

Additional arguments to add to the borg init command line.

mailserver.borgbackup.group

type: string
default: "virtualMail"

The group borg and its launch script is run as.

mailserver.borgbackup.locations

type: list of absolute path
default: [ config.mailserver.storage.path ]

The locations that are to be backed up by borg.

mailserver.borgbackup.name

type: string
default: "{hostname}-{user}-{now}"

The name of the individual backups as used by borg. Certain placeholders will be replaced by borg.

mailserver.borgbackup.repoLocation

type: string
default: "/var/borgbackup"

The location where borg saves the backups. This can be a local path or a remote location such as user@host:/path/to/repo. It is exported and thus available as an environment variable to mailserver.borgbackup.cmdPreexec and mailserver.borgbackup.cmdPostexec.

mailserver.borgbackup.startAt

type: string
default: "hourly"

When or how often the backup should run. Must be in the format described in systemd.time 7.

mailserver.borgbackup.user

type: string
default: "virtualMail"

The user borg and its launch script is run as.

Mailserver options

mailserver

mailserver.accounts

mailserver.x509

mailserver.storage

mailserver.dkim

mailserver.srs

mailserver.dmarcReporting

mailserver.tlsrpt

mailserver.fullTextSearch

mailserver.quota

mailserver.redis

mailserver.ldap

mailserver.workarounds

mailserver.monitoring

mailserver.backup

mailserver.borgbackup

`mailserver`

`mailserver.accounts`

`mailserver.x509`

`mailserver.storage`

`mailserver.dkim`

`mailserver.srs`

`mailserver.dmarcReporting`

`mailserver.tlsrpt`

`mailserver.fullTextSearch`

`mailserver.quota`

`mailserver.redis`

`mailserver.ldap`

`mailserver.workarounds`

`mailserver.monitoring`

`mailserver.backup`

`mailserver.borgbackup`