The
NERDBUDE, the
CCH! and the
DFK have been running on the NixOS server for quite some time now and are stable (assuming I don't mess anything up -.-). The last thing that was missing was the emails... and that cost me "some" time. That's why the update is only three months later - but the emails work now.
SNM - Simple NixOS Mailserver
Thanks to NixOS, there is a ready-made implementation of a mail server, namely SNM, the Simple NixOS Mailserver.
The SNM is completely integrated into the
configuration.nix and configured via it.
The entire documentation and configuration is available at
SNM - Simple NixOS Mailserver. There are a few simple steps to set up the server.
The only requirements are a functioning web server with a public IP, a domain and the ability to store an rDNS record.
Let's get started.
1. DNS Record
First, a DNS A entry is created for the mail server. This means that the mail server can also be reached from outside:
NAME: mail.nerdbude.com
TTL: 10800
TYPE: A
VALUE: deine-ip
Once the DNS entry is set up, you can use
ping to test whether the DNS record is set correctly:
TERMINAL
ping mail.nerdbude.com
64 bytes from mail.nerdbude.com (162.55.61.209): icmp_seq=1 ttl=46 time=21.3 ms
...
If that is successful, go to
configuration.nix. This is where you enter the basic settings for the mail server.
2. CONFIGURATION.NIX
Like pretty much everything, the mail server also goes into the central
configuration.nix.
CONFIGURATION.NIX
{ config, pkgs, ... }:
{
imports = [
(builtins.fetchTarball {
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/A-COMMIT-ID/nixos-mailserver-A-COMMIT-ID.tar.gz";
sha256 = "enter_hashvalue_here";
})
];
mailserver = {
enable = true;
fqdn = "mail.nerdbude.com";
domains = [ "nerdbude.com" ];
loginAccounts = {
"post@example.com" = {
hashedPasswordFile = "/path/to/passwordfile";
aliases = ["@example.com"];
};
};
certificateScheme = 3;
};
}
It looks like a lot at first, but it's actually quite manageable. Let's take a look.
In the first block, we first define the source for all the required parts and verify everything with the hash value:
CONFIGURATION.NIX
{ config, pkgs, ... }:
{
imports = [
(builtins.fetchTarball {
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/A-COMMIT-ID/nixos-mailserver-A-COMMIT-ID.tar.gz";
sha256 = "enter_hashvalue_here";
})
];
Then the mail server itself is configured:
CONFIGURATION.NIX
mailserver = {
enable = true;
fqdn = "mail.nerdbude.com";
domains = [ "nerdbude.com" ];
loginAccounts = {
"post@nerdbude.com" = {
hashedPasswordFile = "/path/to/passwordfile";
aliases = ["@nerdbude.com"];
};
};
certificateScheme = 3;
};
}
As a first step, we activate the mail server with
enable = true;. Then the Full Qualified Domain Name, or
FQDN for short, is configured.
This is done using
fqdn = "mail.nerdbude.com";. Here, the subdomain mail.nerdbude.com is defined as the address for the mail server. With
domain we give the server the general domain name.
The next block takes care of the email addresses and aliases with which emails can be sent and received. In addition to the accounts or email addresses, the password file is also defined.
The password file contains a hashed password that is later used to log in to the email address. The file can be generated quite easily with the following command:
TERMINAL
nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt > passwordfile
You will then be asked for a password. The password you enter is then hashed and written to the file "passwordfile". You can put the file anywhere on the server.
The last entry
certificateScheme = 3; regulates the SSL certificate for our mail server. Done.
Not quite. The mail server still needs an entry
security.acme.certs because a contact person or an associated email address is required for the SSL certificate.
CONFIGURATION.NIX
security.acme.certs = {
"mail.nerdbude.com".email = "post@nerdbude.com";
};
Now the
CONFIGURATION.NIX can be rebuilt with
nixos-rebuild switch. The whole thing should run through and build without any problems. At this point, at least on the NixOS Config side, everything is done.
What is still missing now are the last DNS entries so that the mail server can find its place on the Internet.
3. MORE DNS EINTRÄGE
First we set the MX record:
NAME: nerdbude.com
PRIO: 10
TYPE: MX
VALUE: mail.nerdbude.com
The next entry is the SPF record:
NAME: nerdbude.com
TTL: 10800
TYPE: TXT
VALUE: v=spf1 a:mail.nerdbude.com -all
Then there is the DKIM signature and the DMARC record. The DKIM record looks like this:
NAME: mail._domainkey.nerdbude.com
TTL: 10800
TYPE: TXT
VALUE: v=DKIM1; p=key
The key that goes into the value can be found under
/var/dkim/nerdbude.com.mail.txt
Last but not least, the DMARC record:
NAME: _dmarc.nerdbude.com
TTL: 10800
TYPE: TXT
VALUE: v=DMARC; p=none
That would actually be all done and emails should go in and out. Unfortunately, that wasn't the case for me.
4. DEBUGGING
The rebuild runs through and doesn't throw up any errors and of course you want to try straight away whether everything is working.
So the whole thing goes into the mail client of least suspicion and is disappointed. The mail inbox works and
mails come in. But when emails are supposed to go out, there's a problem. They don't go out.
Unfortunately,
journalctl -fu postfix spits out an SPF error, which made me look in that direction first.
But that was the wrong direction, because the SPF failed because there was simply no reverse DNS entry or it was wrongly linked.
So we go to the provider web interface and store an rDNS entry from the IP to the domain.
BOOM! - The emails go out.
5. CONCLUSION
All in all, setting up the mail server is really simple. A few DNS entries and a few lines in the
configuration.nix and your own mail server is up and running.
This provides the basic infrastructure for the
NERDBUDE, podcasts, etc.
Now we move on to planning the backups and other gimmicks. Let's see what else comes of it.
PARTS:
[01] - Intro
[02] - Requirements
[03] - Webserver
[04] - Mailserver