95 lines
3 KiB
Diff
95 lines
3 KiB
Diff
diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix
|
|
index 6ebf5cf95742fb..01b9c278c6307d 100644
|
|
--- a/nixos/modules/services/mail/dovecot.nix
|
|
+++ b/nixos/modules/services/mail/dovecot.nix
|
|
@@ -692,67 +692,23 @@ in
|
|
|
|
environment.etc."dovecot/dovecot.conf".source = cfg.configFile;
|
|
|
|
- systemd.services.dovecot = {
|
|
- aliases = [ "dovecot2.service" ];
|
|
+ systemd.services.dovecot2 = {
|
|
description = "Dovecot IMAP/POP3 server";
|
|
- documentation = [
|
|
- "man:dovecot(1)"
|
|
- "https://doc.dovecot.org"
|
|
- ];
|
|
|
|
after = [ "network.target" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
- restartTriggers = [ cfg.configFile ];
|
|
+ restartTriggers = [
|
|
+ cfg.configFile
|
|
+ ];
|
|
|
|
startLimitIntervalSec = 60; # 1 min
|
|
serviceConfig = {
|
|
Type = "notify";
|
|
ExecStart = "${dovecotPkg}/sbin/dovecot -F";
|
|
ExecReload = "${dovecotPkg}/sbin/doveadm reload";
|
|
-
|
|
- CapabilityBoundingSet = [
|
|
- "CAP_CHOWN"
|
|
- "CAP_DAC_OVERRIDE"
|
|
- "CAP_FOWNER"
|
|
- "CAP_NET_BIND_SERVICE"
|
|
- "CAP_SETGID"
|
|
- "CAP_SETUID"
|
|
- "CAP_SYS_CHROOT"
|
|
- "CAP_SYS_RESOURCE"
|
|
- ];
|
|
- LockPersonality = true;
|
|
- MemoryDenyWriteExecute = true;
|
|
- NoNewPrivileges = true;
|
|
- OOMPolicy = "continue";
|
|
- PrivateTmp = true;
|
|
- ProcSubset = "pid";
|
|
- ProtectClock = true;
|
|
- ProtectControlGroups = true;
|
|
- ProtectHome = lib.mkDefault false;
|
|
- ProtectHostname = true;
|
|
- ProtectKernelLogs = true;
|
|
- ProtectKernelModules = true;
|
|
- ProtectKernelTunables = true;
|
|
- ProtectProc = "invisible";
|
|
- ProtectSystem = "full";
|
|
- PrivateDevices = true;
|
|
Restart = "on-failure";
|
|
RestartSec = "1s";
|
|
- RestrictAddressFamilies = [
|
|
- "AF_INET"
|
|
- "AF_INET6"
|
|
- "AF_UNIX"
|
|
- ];
|
|
- RestrictNamespaces = true;
|
|
- RestrictRealtime = true;
|
|
- RestrictSUIDSGID = false; # sets sgid on maildirs
|
|
RuntimeDirectory = [ "dovecot2" ];
|
|
- SystemCallArchitectures = "native";
|
|
- SystemCallFilter = [
|
|
- "@system-service @resources"
|
|
- "~@privileged"
|
|
- "@chown @setuid capset chroot"
|
|
- ];
|
|
};
|
|
|
|
# When copying sieve scripts preserve the original time stamp
|
|
diff --git a/nixos/tests/dovecot.nix b/nixos/tests/dovecot.nix
|
|
index 83b3781c773d6b..3d2b8c45b12c77 100644
|
|
--- a/nixos/tests/dovecot.nix
|
|
+++ b/nixos/tests/dovecot.nix
|
|
@@ -84,13 +84,11 @@
|
|
|
|
testScript = ''
|
|
machine.wait_for_unit("postfix.service")
|
|
- machine.wait_for_unit("dovecot.service")
|
|
+ machine.wait_for_unit("dovecot2.service")
|
|
machine.succeed("send-testmail")
|
|
machine.succeed("send-lda")
|
|
machine.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
|
|
machine.succeed("test-imap")
|
|
machine.succeed("test-pop")
|
|
-
|
|
- machine.log(machine.succeed("systemd-analyze security dovecot.service | grep -v ✓"))
|
|
'';
|
|
}
|