commit 1aed0ca236c714c890e8e0d6d3585840949bc6e2
from: Oliver Lowe <o@olowe.co>
date: Sat Feb 26 11:50:12 2022 UTC

initial commit

commit - /dev/null
commit + 1aed0ca236c714c890e8e0d6d3585840949bc6e2
blob - /dev/null
blob + 67f23bd2b7a7908dd3368f0854e12eef4254a7e5 (mode 644)
--- /dev/null
+++ README
@@ -0,0 +1,54 @@
+First, run install.sh as a privileged user (root).
+
+	doas sh install.sh
+
+It is safe to run more than once.
+install.sh does the following:
+
+- installs packages
+- enables daemons
+- creates directories
+- creates an unprivileged mail delivery system user
+- installs configuration files
+- initialises the accounts database if not present already
+- restarts daemons
+
+Extra steps that need to be run manually follow.
+
+TLS certificate
+------
+
+Renew the certificate every night with an entry in root's crontab:
+
+	0 4 * * * acme-client mail.srcbeat.com && rcctl restart smtpd dovecot
+
+The required httpd and acme-client configuration are installed by install.sh.
+
+Dovecot
+------
+
+Add the user and password database configuration to /etc/dovecot/conf.d/10-auth.conf:
+
+	userdb {
+	        driver = static
+	        args = uid=vmail gid=vmail home=/mail/box/%d/%n
+	}
+	passdb {
+	        driver = sql
+	        args = /etc/dovecot/dovecot-sql.conf.ext
+	}
+
+dovecot-sql.conf.ext is already installed by install.sh.
+
+Add the mail location to /etc/dovecot/conf.d/10-mail.conf:
+
+	mail_location = maildir:/mail/box/%d/%n/Maildir:LAYOUT=fs
+
+With this configuration mail for the account with the username "test@example.com"
+is stored at /mail/box/example.com/test/Maildir.
+
+Configure dovecot to load the TLS keys by adding the following to /etc/dovecot/conf.d/10-ssl.conf:
+
+	ssl = required
+	ssl_cert = </etc/ssl/mail.srcbeat.com.crt
+	ssl_key = </etc/ssl/private/mail.srcbeat.com.key
blob - /dev/null
blob + 68d707dcb9a1b960396164937f6416eb77a2c5a8 (mode 644)
--- /dev/null
+++ accounts.conf
@@ -0,0 +1,4 @@
+dbpath /mail/lib/accounts.db
+query_alias SELECT destination FROM aliases WHERE recipient=?;
+query_credentials SELECT username, password FROM users WHERE username=?;
+query_domain SELECT domain FROM domains WHERE domain=?;
blob - /dev/null
blob + ca72d619c10304ac0ddf5928d5a7cd6466630fc1 (mode 644)
--- /dev/null
+++ acme-client.conf
@@ -0,0 +1,12 @@
+authority letsencrypt {
+        api url "https://acme-v02.api.letsencrypt.org/directory"
+        account key "/etc/ssl/private/my-acme.key"
+}
+
+domain mail.srcbeat.com {
+        alternative names { imap.srcbeat.com smtp.srcbeat.com }
+        domain key "/etc/ssl/private/mail.srcbeat.com.key"
+        domain certificate "/etc/ssl/mail.srcbeat.com.crt"
+        domain full chain certificate "mail.srcbeat.com.fullchain.pem"
+        sign with letsencrypt
+}
blob - /dev/null
blob + 41066eef9490b51e7974d4ca7208c571f9022fe5 (mode 644)
--- /dev/null
+++ dovecot-sql.conf.ext
@@ -0,0 +1,6 @@
+driver = sqlite
+connect = /mail/lib/accounts.db
+default_pass_scheme = BLF-CRYPT
+password_query = SELECT username AS user, password FROM users WHERE username = '%u'
+
+#iterate_query = SELECT username AS user FROM users
blob - /dev/null
blob + 9eaa7143dbfd11ce2710062abdcf81c7bf319987 (mode 644)
--- /dev/null
+++ httpd.conf
@@ -0,0 +1,9 @@
+server "mail.srcbeat.com" {
+        alias "imap.srcbeat.com"
+        alias "smtp.srcbeat.com"
+        listen on egress port http
+        location "/.well-known/acme-challenge/*" {
+                root "/acme"
+                request strip 2
+        }
+}
blob - /dev/null
blob + 5b2fd74c54ac1ee9f3160916521c10fdee29d982 (mode 644)
--- /dev/null
+++ init.sql
@@ -0,0 +1,16 @@
+CREATE TABLE aliases (
+	id INTEGER PRIMARY KEY AUTOINCREMENT,
+	recipient VARCHAR(255) NOT NULL,
+	destination VARCHAR(255) NOT NULL
+);
+
+CREATE TABLE users (
+	id INTEGER PRIMARY KEY AUTOINCREMENT,
+	username VARCHAR(255) NOT NULL,
+	password VARCHAR(255) NOT NULL
+);
+
+CREATE TABLE domains (
+	id INTEGER PRIMARY KEY AUTOINCREMENT,
+	domain VARCHAR(255) NOT NULL
+);
blob - /dev/null
blob + 8178784184d962e19b8f7bb47d7e1990f8526e20 (mode 644)
--- /dev/null
+++ install.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+pkg_add opensmtpd-extras dovecot
+
+rcctl enable httpd smtpd dovecot
+
+mkdir -p /mail/box /mail/lib
+
+useradd -g =uid -c "Virtual Mail" -d /mail/box -s /sbin/nologin vmail
+chown -R vmail:vmail /mail/box
+
+cp smtpd.conf /etc/mail/smtpd.conf
+cp httpd.conf /etc
+cp acme-client.conf /etc
+cp accounts.conf /mail/lib
+cp dovecot-sql.conf.ext /etc/dovecot
+
+if ! test -f /mail/lib/accounts.db
+then
+	sqlite3 /mail/lib/accounts.db < init.sql
+fi
+
+rcctl restart httpd smtpd dovecot
blob - /dev/null
blob + 9ae16c94d3e946d8815b9be4777d8ba98257852b (mode 644)
--- /dev/null
+++ smtpd.conf
@@ -0,0 +1,20 @@
+table domains sqlite:/mail/lib/accounts.conf
+table accounts sqlite:/mail/lib/accounts.conf
+table aliases sqlite:/mail/lib/accounts.conf
+table localaliases file:/etc/mail/aliases
+
+listen on socket
+listen on lo0
+
+# pki mail.example.com cert "/etc/ssl/mail.example.com.fullchain.pem"
+# pki mail.example.com key "/etc/ssl/private/mail.example.com.key"
+# listen on egress tls pki mail.example.com
+# listen on egress smtps pki mail.example.com auth <accounts>
+
+action "local_mail" mbox alias <localaliases>
+action "deliver" maildir "/mail/box/%{dest.domain}/%{dest.user}/Maildir" virtual <aliases>
+
+match from any for domain <domains> action deliver
+# match auth from any for any action { relay }
+
+match from local for local action "local_mail"