jbranso
/
gnucode.me


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424
							<!DOCTYPE html><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><meta name="keywords" content="GNU, Emacs, Libre Software, Hurd, Guile, Guix" /><meta name="description" content="GNUcode.me is a website focusing on libre software projects, especially the GNU project." /><link type="application/atom+xml" rel="alternate" title="GNUcode.me -- Feed" href="/feed.xml" /><a rel="me" href="https://fosstodon.org/@thegnuguy"></a><link type="text/css" href="css/footer.min.css" rel="stylesheet"></link><link type="text/css" href="css/header.min.css" rel="stylesheet"></link><link type="text/css" href="css/main.min.css" rel="stylesheet"></link><title>Submitting Opensmtpd Service to Guixrus — GNUcode.me</title></head><body><header><nav><ul><li><a href="index.html">GNUcode.me</a></li><li><a href="services.html">Services</a></li><li><a href="about.html">About</a></li><li><a href="business-ideas.html">Business-ideas</a></li></ul></nav></header><h1>Submitting Opensmtpd Service to Guixrus</h1><main><section class="basic-section-padding"><article><h3>by Joshua Branson — December 22, 2022</h3><div><p>EDIT 02-24-2023:  Through this whole process, I have used this guide to set up email.
If you are going to try to set up your own email service, do check it out:
<a href="https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/">https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/</a></p><p>I was recently encouraged by the delightfully friendly raghavgururajan to try to
merge my opensmtpd service project into guixrus, which is a small community
actively working to upstream packages and services into guix proper.  I figured,
why not?  Sounds like fun.  The following post will describe my developmental
workflow, which is probably pretty poor…</p><p>tl;dr</p><p>Soonish, I will clean up the code for a proper ~opensmtpd-service-type~ with
~opensmtpd-records~ for guix system. It may take 6 months to get it in a clean
state. Until it is merged, you may find it here:</p><p><a href="https://git.sr.ht/~whereiseveryone/guixrus/commit/255875f7d86e92bb64006a59be26c64430c0c046">https://git.sr.ht/~whereiseveryone/guixrus/commit/255875f7d86e92bb64006a59be26c64430c0c046</a></p><p>The current documentation is here:</p><p><a href="https://notabug.org/jbranso/linode-guix-system-configuration/src/master/opensmtpd-records-documentation.txt">https://notabug.org/jbranso/linode-guix-system-configuration/src/master/opensmtpd-records-documentation.txt</a></p><p>My server's config is here:</p><p><a href="https://notabug.org/jbranso/linode-guix-system-configuration/src/master/linode-locke-lamora-current-config.scm">https://notabug.org/jbranso/linode-guix-system-configuration/src/master/linode-locke-lamora-current-config.scm</a></p><p>The current task list is here:</p><p><a href="https://notabug.org/jbranso/linode-guix-system-configuration/src/master/opensmtpd.org">https://notabug.org/jbranso/linode-guix-system-configuration/src/master/opensmtpd.org</a></p><p>Added, the guixrus channel to my ~/.config/guix/channels.scm</p><pre><code>cat ~/.config/guix/channels.scm

(cons* (channel  ;; for firefox-wayland
        (name 'nonguix)
        (url &quot;https://gitlab.com/nonguix/nonguix&quot;)
        ;; Enable signature verification:
        (introduction
         (make-channel-introduction
          &quot;897c1a470da759236cc11798f4e0a5f7d4d59fbc&quot;
          (openpgp-fingerprint
           &quot;2A39 3FFF 68F4 EF7A 3D29  12AF 6F51 20A0 22FB B2D5&quot;))))
       (channel  ;; for sway-latest
        (name 'guixrus)
        (url &quot;https://git.sr.ht/~whereiseveryone/guixrus&quot;)
        (introduction
         (make-channel-introduction
          &quot;7c67c3a9f299517bfc4ce8235628657898dd26b2&quot;
          (openpgp-fingerprint
           &quot;CD2D 5EAA A98C CB37 DA91  D6B0 5F58 1664 7F8B E551&quot;))))
       %default-channels)</code></pre><p>Before I submit the patch, I should make sure that the code actually works. To
do that, I logged into my gnucode.me server tried to set up the opensmtpd
server.</p><pre><code>guix pull --url=https://notabug.org/jbranso/guix/src/newOpensmtpdBranch \
    --branch=newOpensmtpdBranch

Updating channel 'guix' from Git repository at 'https://notabug.org/jbranso/guix'...
guix pull: error: Git error: cannot locate remote-tracking branch 'origin/keyring'

guix pull --url=https://notabug.org/jbranso/guix \
    --commit=8abbb6c442d135ae8e7c1cb0e17525478fafe8f0

Updating channel 'guix' from Git repository at 'https://notabug.org/jbranso/guix'...
guix pull: error: Git error: cannot locate remote-tracking branch 'origin/keyring'</code></pre><p>Hmm, well my opensmtpd service is NOT using signed commits.  That’s probably the
problem.  Hmmm…  Well I guess I need to start signing my commits.  Generate an
gpg key.  grrr….</p><p>These three pages are seem promising:</p><p><a href="https://moser-isi.ethz.ch/gpg.html">https://moser-isi.ethz.ch/gpg.html</a></p><p><a href="https://wiki.debian.org/Keysigning">https://wiki.debian.org/Keysigning</a></p><p><a href="https://risanb.com/code/backup-restore-gpg-key/">https://risanb.com/code/backup-restore-gpg-key/</a></p><pre><code>gpg --full-generate-key

gpg: directory '/home/joshua/.gnupg/openpgp-revocs.d' created
h.lgpg: revocation certificate stored as '/home/joshua/.gnupg/openpgp-revocs.d/LOTSOFNUMBERS.rev'</code></pre><p>I copied my Revocation-Certificate into my spare usb:</p><pre><code>sudo cp .gnupg/openpgp-revocs.d/LOTSOFNUMBERS.rev /mnt/gnucode.gpg.rev</code></pre><p>Let’s export my gpg key to the server.</p><pre><code>gpg --auto-key-locate keyserver -a --send-keys 67A42A3CC23F979886F9686C750BCFEF3A579572

gpg -a --export gnucode

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGOSU7sBEAC/8renj2OgTHKJfbqz7CRplPQ0su8aasJXTkunx70IhVpTFBS+
9Bwvjbo7HM2aBYD/NYa6n24J3OXla17uDxFt2i63ojhbl5AVntac3ZOeyn661Y2U
r9szIRM+edTieWZZvY5G49ZFTH5VJ+jZS2leRLpIqsYCst+Ru61MdUUggBNvPgBm
q97HAylBqQs0kf7XfctyqKbkChLsvkuD5cR1X8BQL8KAn/KDXrDSwj4hIO+tSdv5
VmaTC+6/xbdqfq6gpywJMEPkLNUjCArlF+Oz5UqQvLh1lRXWPejzFa0LmXsviqb3
RmQh+9cNvDVge+kYIRWHhCXY5dTau7ABnYsgxnW3zlBkFNbc+I5Sqiz6LDcuInlA
QznFw90GL3l0+1WGzeAD5DhNx6hgpOYvFZV7S3OgbOGeOHvF7bFBixB6Pa3oByMn
euKqol+rOZiUkjcaxo5XUKsglFLgOaxfmZujO7lwoipYXxiyD7jf1+ou1WZ5C3l+
YCOnia2qWE5DRpR/WDBRLQl3ZrCUtDQW7dKNAuweEgDT5T53k2m3Gqu1Z28SrzIS
is+SHZcZhv4dx9Cs6sX6me3WzQ3wgoI9DNW5v8XGitaGQFjIRI33Y8MeGjEBMip3
ZnT6Cl8WJgd0JBXsPQnKw1EO1sh2S5cU5drvHkuCPMA/PaBb8XrNpobSlwARAQAB
tDNKb3NodWEgQWxsZW4gQnJhbnNvbiAoZ251Y29kZSkgPGpicmFuc29AZGlzbWFp
bC5kZT6JAk4EEwEIADgWIQRnpCo8wj+XmIb5aGx1C8/vOleVcgUCY5JTuwIbAwUL
CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRB1C8/vOleVcgwwEACp4ZwBIM/4Udc9
ndZvUJeegSP0W7o86v+9ELXfXdX99ZO0iErr6/XTWxov0mw7AaoDJRdETBTkYeU0
/CDrLcjklW8b7RZe98+Cr0+IB9XSozpqNVhiP7/TogL80lkbu2+Khtk29E/UYupt
8rihR+2tkDKPaWOufGgi+6ftw8A9P9jlFsV1N1Oxo4rA+gbcXHtxbDiZ1dR2UOAS
Ge7TJPpIjgSiG+nm6b9BIoAxLpjf5JrwpNm5wvDXic1YP27GC2Il9Ny7TdGyKpn9
RCZXR1yEMQTVNn4iEiMK6XIcoAFUS1oWAP2JKQ4bCfcxM/VGx31rsGgNL36iW6yj
zLD9yJYhbvm536CiRb2cTco+lAmwS9/iM4Bdpp/H9fZFPp2CxeB02mOd/P0HkC+2
Po2KXpEj6Ettjp0xJcAQye75vRvjDMkHvTvugfY4FQg6V6a6N3jxSbfwuFUp426F
fgfki4Y7OWm47mYa7goI4oDOG2qUdN5YkbhpVA+j2tGGHbbXmUtvj4MES4fnaSkF
vc6+xMZpFTWcFRt8rVTqS1Vu1w8zfT/VUV+FC/J6hdSxIQJ4dg4WsaD2kzGflZzO
miTyxMYPvdQ6I7Nshp/bEyfd9F40sXm/kzL6r+qm9+ly2uR5V+bIo9gu6CfkM0ZJ
DDiIf9wkk+xSb/AGj1YVazQKpKS0wLkCDQRjklO7ARAAzrtyGaOFTtCHlItxxb51
s0Qt5LZwG3sNUjI9P7n3oZrzI35sbPrWxWCX2MMW0gUIx79dlMzQBt1RXQEKiipr
RdSrtuclTytxaMtLRP+VtmcRQkGgKb20ipCvFHX4oA7L+3Y8s2RQBsz+wo9h55Dt
iQRxoONm9biHXBUZ4EJnR4B8z0dp9j+fctTR4ds6OI3jIeKHcd4AALYIpyBnh5ue
5Iictiv0evBjcogfCttHlg/NK3TVZpq8YYOG8x+8XVrvvJ5WKtmXduZuFIL3+Wmv
jBv807a4zGLPLpB6OcD7fj/12Eo9n7d9gHZOV200rPguzt9YMIoRGgtSEEpMsvrJ
5upiFLPULj/14arXePdqZshlU01U0uE6glGJRUt7IVyU+1LbziQ8JqBlVTnRRYrb
uKDFqzmtd3zhLDPAPLkv7xLtEjYUPcFDmrf33dz22FHUGeOB0G5Ur+e9qTedfmj0
r5sHaoCspZzDcVR8sKyuUdAnRAGxJs9eIFUq2GkyxZGgfJoU2A9RMxg+YTfFfdQV
guvvPj6udOF4ugmIW1EnDXza08UyDqOITLIadNu4GqZL407JRIRtYfw48qQgL3Zo
6lqxC/3n7orkuRU/cKvHArqQt1sP7ZYzAy5N/yoY0/m3o2RV9Li7SkF2m5By8EjH
RNvQMPsipdvjWf4I+jLaAM0AEQEAAYkCNgQYAQgAIBYhBGekKjzCP5eYhvlobHUL
z+86V5VyBQJjklO7AhsMAAoJEHULz+86V5Vy6U0QAJtjybCfDAqE5DIcKkiBDbIN
erk+MTU+uOROuVigDCyvqJUuxtGaJPIRWdBQuHcQxnf6Bv1xoAeDk/7hyL7i5+rz
9vWZnSZRr4DB6pY8G5jz/HGdML4luEtuOrE5UMN8Bf5PM/9sj/c1QSuMhpAMw5TL
GoAu+MY/uDCHLb2nzwLIaCPFDTX0q5HgFQA7Do78fdxxPLqPlbg9xeTsAP5P6Egb
/8NUUa1SM4mfygriyL82nLH9SvwtnEbItovAWE+GH4XkE8xSjvWl6MpCk0+H0Xtr
WdbxtKqE7BPzs0lN3NOi+mOJABDt5ozPGfVcUsB/nqz00YiF33CQWu0ote1Q1TKn
NPOCLqFM3F1rG2z7Bf/LP9p6CpmfQGr54XmKpGinYNr8dqRtLEMVERCxGI+BuNhZ
ppQLuqOlHinKPaBO58LCwLA0uMScbmjgTQrJiXolCGHYXorCx3rcqitvMzbAcswr
wMeAXMREYKGM84Pf8fGxv+GZZwfQJHQNbOFrOTpnRITDAZvzKBD97yWkXcLGt6B7
A5iRXOI8sv9CGM3kI78b+MCcgbz8HNGF2RQipGNQZhEgL4ixbhpMaMVUuTo7BrKr
M3IeyVwUMpUBFbk5OqLsMqPbL2VvL6x1zgg4P0LmGQYoikKiwmPl/OyRQW6btWCG
1f7+w1RrcKjUANLQNjXm
=Vl9S
-----END PGP PUBLIC KEY BLOCK-----

gpg -a --export gnucode &gt; gnucode.pub
sudo cp gnucode.pub /mnt/</code></pre><p>Now let’s backup the gpg key.</p><pre><code>  gpg --export-secret-keys --armor gnucode &gt; secret-key-backup.asc
sudo mv secret-key-backup.asc /mnt/</code></pre><p>If I ever need to move that gpg key to another computer, all I have to do is:</p><pre><code>gpg --import /path/to/secret-key-backup.asc</code></pre><p>Let’s try testing a signed commit.</p><pre><code>git config --global commit.gpgsign true</code></pre><p><a href="https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key">https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key</a></p><pre><code>gpg --list-secret-keys --keyid-format=long

# git config --global user.signingkey MYSIGNINGKEY
git config --global alias.logs &quot;log --show-signature&quot;
git commit -m &quot;mail.scm: minor sanitization improvements.&quot;</code></pre><p>Ok well let’s try this to see what the error was:</p><pre><code>GIT_TRACE=1 git commit -m &quot;blah&quot; -S

23:07:37.656401 git.c:460               trace: built-in: git commit -m blah -S
23:07:37.678825 run-command.c:655       trace: run_command: gpg --status-fd=2 -bsau 750BCFEF3A579572
error: gpg failed to sign the data
fatal: failed to write commit object

gpg --status-fd=2 -bsau 750BCFEF3A579572</code></pre><p>As I was running through the above command, I realized that, it is possible that
I did not have pinentry installed:</p><pre><code>guix install pinentry

git logs</code></pre><p>Now I think I will try rebooting and check to see if I can still sign git
commits.</p><p>And after I rebooted, I cannot sign commits with emacs…</p><p>Emacs says “hint: Waiting for your editor to close the file…”
“Waiting for Emacs”</p><p>Well online, I see this as a possible solution</p><pre><code>git config --global core.editor emacs</code></pre><p>Well that didn’t quite work.  I was able to squash two commits, via emacs, but
only after I had the gpg agent had cached my private key password.  That makes
me think that magit is having a hard time querying my for my password.</p><p>Well let me try updating doom emacs.  I doubt that will work, but I’ll try it.
That didn’t work.  :(</p><p>Well I found a possible error here:</p><p><a href="https://github.com/magit/with-editor/issues/69">https://github.com/magit/with-editor/issues/69</a></p><p><a href="https://emacs.stackexchange.com/questions/74097/magit-cannot-commit-emacsclient-on-path-pop-os">https://emacs.stackexchange.com/questions/74097/magit-cannot-commit-emacsclient-on-path-pop-os</a></p><p><a href="https://magit.vc/manual/with-editor/Configuring-With_002dEditor.html">https://magit.vc/manual/with-editor/Configuring-With_002dEditor.html</a></p><p>Then I thought, how about I disable the with-editor elisp package that doom
emacs ships and instead <code>guix install emacs-with-editor</code>.  Let’s try that.</p><pre><code>cat .doom.d/packages.el | grep with-editor

(package! with-editor :disable t)

doom upgrade
doom sync
guix install emacs-with-editor</code></pre><p>Nope.  That didn’t work either.  Hmmm.  I can get emacs to commit the message,
after the gpg agent caches my key’s password.</p><p>Well let’s try running emacs without any configuration:  <code>emacs -q</code>.  Nope.  That
also didn’t work.  :(</p><p>My current theory is that my wayland only session is prohibiting the pinentry
from displaying, which is NOT allowing me to enter in my gpg password.  I shall
try temporarily enabling Xwayland and see if that fixed it.</p><pre><code>cat config | grep xwayland

# disable xwayland.  Just trying it out
xwayland enable</code></pre><p>Yup!  That fixed it.  With the above, I can now sign my commits with emacs!  But
I would rather keep my wayland only session.  Let’s try pinetry-bemenu:</p><pre><code>guix package -i pinentry-bemenu -r pinentry

cat config | grep xwayland

# disable xwayland.
xwayland disable</code></pre><p>Well that didn’t work.  Let’s try pinetry-gnome3.</p><pre><code>guix package -r pinentry-bemenu -i pinentry-gnome3</code></pre><p>Nope.  It’s X only.  Let’s try qt:</p><pre><code>guix package -r pinentry-gnome3 -i pinentry-qt</code></pre><p>Nope.  That also seems to be X only.  grr.  Maybe this bemenu thing works, but I
need to configure it properly.</p><p>Well let’s install pinentry, and temporarily enable xwayland.</p><pre><code>guix package -r pinentry-tty -i pinentry

cat config | grep xwayland

# enable xwayland.
xwayland enable</code></pre><p>Well I should probably try eventually to edit <code>.config/gpg.conf</code> and tell it to
use pinentry-bemu as the pinentry program.</p><p>I think that spending all that time working on getting gpg key signing to work
was probably a big waste of time.  :(   I think instead of keeping my opensmtpd
code in guix-src/gnu/services/mail.scm, I will move it to
guixrus/services/opensmtpd.scm.  Then I can just copy opensmtpd.scm file to my
linode server, and manually load in that code to start my opensmtpd service.</p><p>First I will delete the opensmtpd record stuff in gnu/services/mail.scm.  I
don’t want myself getting confused where I am storing my developmental code.</p><p>Now I will cp my opensmtpd.scm code into my linode service git repo.</p><pre><code>cp opensmtpd.scm ~/prog/gnu/guix/guix-config/linode-guix-system-configuration/guixrus/services/
ls ~/prog/gnu/guix/guix-config/linode-guix-system-configuration/guixrus/services/opensmtpd.scm
cat ~/prog/gnu/guix/guix-config/linode-guix-system-configuration/guixrus/services/opensmtpd.scm | tail

/home/joshua/prog/gnu/guix/guix-config/linode-guix-system-configuration/guixrus/services/opensmtpd.scm
          (service-extension pam-root-service-type
                             (const %opensmtpd-pam-services))
          (service-extension profile-service-type
                             (compose list opensmtpd-configuration-package))
          (service-extension shepherd-root-service-type
                             opensmtpd-shepherd-service)
          (service-extension setuid-program-service-type
                             opensmtpd-set-gids)))
   (description &quot;Run the OpenSMTPD, a lightweight @acronym{SMTP, Simple Mail
Transfer Protocol} server.&quot;)))</code></pre><p>Now I will commit the changes to my linode git repo and push them.</p><pre><code>git add opensmtpd.scm
git commit -m &quot;copying opensmtpd.scm from guixrus.&quot;

[master 7399550] copying opensmtpd.scm from guixrus.
 1 file changed, 7 insertions(+)
 rename opensmtpd.scm =&gt; guixrus/services/opensmtpd.scm (99%)</code></pre><p>Hmmm, was that commit signed?  No idea.</p><p>Now let’s push that commit.</p><pre><code>git push</code></pre><p>Now let's log into the gnucode service and pull that commit.</p><pre><code>git pull
cat opensmtpd.scm | tail

Updating a8d88b9..7399550
Fast-forward
 opensmtpd.scm =&gt; guixrus/services/opensmtpd.scm | 7 +++++++
 1 file changed, 7 insertions(+)
 rename opensmtpd.scm =&gt; guixrus/services/opensmtpd.scm (99%)</code></pre><p>I am realizing that it will probably be easiest to reconfigure my server with my
opensmtpd records, if my server has the same directory structure as my local
machine. Namely my git repos are in the same directories. So I did some changes
on my server to make sure that my server's directory structure matches my local
one. Now my server’s <code>config.scm</code> is no longer at
~/linode-guix-system-configuration/linode-locke-lamora-current-config.scm. Now
it is at:</p><pre><code>find . -name '*current-config.scm'

./prog/gnu/guix/guix-config/linode-guix-system-configuration/linode-locke-lamora-current-config.scm</code></pre><p>I want to make sure that my remote server has a copy of the guixrus source code
with my newest commit committing <code>services/opensmtpd.scm</code>.</p><p>So, I made a guixrus repo on <a href="https://notabug.org/jbranso/guixrus">notabug.org</a>, then I pulled that repo on my server:</p><pre><code>git clone  https://notabug.org/jbranso/guixrus

git show HEAD | head

commit 147a9ce316be2f9f7c9ed25b3e097fd84b8b01eb
Author: Joshua Branson &lt;jbranso@dismail.de&gt;
Date:   Thu Dec 22 09:21:19 2022 -0500

    services (opensmtpd): add opensmtpd records to enhance opensmtpd-configuration.

    Openmstpd-configuration may only be configured by a config-file that
    uses the smtpd.conf syntax.  This patch, enables one to configure
    opensmtpd by using record types.</code></pre><p>It would be nice to test the configuration locally, to see if it will work
before I push it to the server.</p><pre><code>guix system vm linode-locke-lamora-current-config.scm

guix system: error: (cert &quot;/etc/letsencrypt/live/gnucode.me/fullchain.pem&quot;) is invalid.
hint: Try a file.</code></pre><p>The above is actually a good sign.  I do not have that certificate locally, but
it is available on the server.  If that is the only error, then let’s go ahead
and try to reconfigure the server.</p><p>The relevant opensmtpd-service looks like:</p><pre><code>(service opensmtpd-service-type
         (let ([action-receive (opensmtpd-local-delivery
                                (name &quot;receive&quot;)
                                (method (opensmtpd-maildir
                                         (pathname &quot;/home/%{rcpt.user}/Maildir&quot;)
                                         (junk #t)))
                                (virtual (opensmtpd-table
                                          (name &quot;vusers&quot;)
                                          (data '((&quot;joshua@gnucode.me&quot;  . &quot;joshua&quot;)
                                                  (&quot;jbranso@gnucode.me&quot; . &quot;joshua&quot;)
                                                  (&quot;postmaster@gnucode.me&quot; .  &quot;joshua&quot;))))))]
               [pki-gnucode (opensmtpd-pki
                             (domain &quot;smtp.gnucode.me&quot;)
                             (cert &quot;/etc/letsencrypt/live/gnucode.me/fullchain.pem&quot;)
                             (key &quot;/etc/letsencrypt/live/gnucode.me/privkey.pem&quot;))]
               [filter-dkimsign (opensmtpd-filter
                                 (name &quot;dkimsign&quot;)
                                 (exec #t)
                                 (proc (list (file-append opensmtpd-filter-dkimsign &quot;/libexec/opensmtpd/filter-dkimsign&quot;)
                                             &quot; -d gnucode.me -s 2021-09-22 -c relaxed/relaxed -k &quot;
                                             &quot;/etc/dkim/private.key &quot;
                                             &quot;user nobody group nogroup&quot;)))]
               [table-creds (opensmtpd-table
                             (name &quot;creds&quot;)
                             (data
                              (list
                               (cons &quot;joshua&quot;
                                     &quot;$6$Ec4m8FgKjT2F/03Y$k66ABdse9TzCX6qaALB3WBL9GC1rmAWJmaoSjFMpbhzat7DOpFqpnOwpbZ34wwsQYIK8RQlqwM1I/v6vsRq86.&quot;))))])
           (opensmtpd-configuration
            (interfaces
             (list
              ;; this forum help suggests that I listen on 0.0.0.0 and NOT eth0
              ;; https://serverfault.com/questions/726795/opensmtpd-wont-work-at-reboot
              ;; this listens for email from the outside world
              (opensmtpd-interface
               (interface &quot;eth0&quot;)
               (port 25)
               (secure-connection &quot;tls&quot;)
               (pki pki-gnucode))
              ;; this lets local users logged into the system via ssh send email
              (opensmtpd-interface
               (interface &quot;lo&quot;)
               (port 25)
               (secure-connection &quot;tls&quot;)
               (pki pki-gnucode))
              (opensmtpd-interface
               (interface &quot;eth0&quot;)
               (port 465)
               (secure-connection &quot;smtps&quot;)
               (pki pki-gnucode)
               (auth table-creds)
               (filters (list filter-dkimsign)))
              (opensmtpd-interface
               (interface &quot;eth0&quot;)
               (port 587)
               (secure-connection &quot;tls-require&quot;)
               (pki pki-gnucode)
               (auth table-creds)
               (filters (list filter-dkimsign)))))
            (matches (list
                      (opensmtpd-match
                       (action (opensmtpd-relay
                                (name &quot;relay&quot;)))
                       (options
                        (list
                         (opensmtpd-option
                          (option &quot;for any&quot;))
                         (opensmtpd-option
                          (option &quot;from any&quot;))
                         (opensmtpd-option
                          (option &quot;auth&quot;)))))
                      (opensmtpd-match
                       (action action-receive)
                       (options
                        (list
                         (opensmtpd-option
                          (option &quot;from any&quot;))
                         (opensmtpd-option
                          (option &quot;for domain&quot;)
                          (data (opensmtpd-table
                                 (name &quot;vdoms&quot;)
                                 (data (list &quot;gnucode.me&quot;
                                             &quot;gnu-hurd.com&quot;))))))))
                      (opensmtpd-match
                       (action action-receive)
                       (options
                        (list
                         (opensmtpd-option
                          (option &quot;for local&quot;))))))))))</code></pre><p>I was curious to see how outdated my server is.  It’s dated apparently.</p><pre><code>guix system describe

[1mGeneration 118  Aug 14 2022 02:45:18[0m    (current)
  file name: /var/guix/profiles/system-118-link
  canonical file name: /gnu/store/7jkrafkf61bw3fdxlrlzvkrl98ys1icj-system
  label: GNU with Linux-Libre 5.18.16
  bootloader: grub
  root device: /dev/sda
  kernel: /gnu/store/iz6xn1b1dyk6pwaf6dym3jm3vwnh4gz9-linux-libre-5.18.16/bzImage
  channels:
    guix:
      repository URL: https://git.savannah.gnu.org/git/guix.git
      branch: master
      commit: 43decd1f7ea4ebd911199ad10c0ca555d0dffbd6
  configuration file: /gnu/store/rv7rhwn5kd9yxv8kayqlsgxwyhcz55ca-configuration.scm</code></pre><p>Let's try reconfiguring my server with the opensmtpd configuration.</p><pre><code>guix pull
sudo guix system reconfigure linode-locke-lamora-current-config.scm

In srfi/srfi-1.scm:
   586:29 19 (map1 (#&lt;&lt;service&gt; type: #&lt;service-type mingetty 7f8…&gt; …))
   586:29 18 (map1 (#&lt;&lt;service&gt; type: #&lt;service-type mingetty 7f8…&gt; …))
   586:29 17 (map1 (#&lt;&lt;service&gt; type: #&lt;service-type mingetty 7f8…&gt; …))
   586:29 16 (map1 (#&lt;&lt;service&gt; type: #&lt;service-type mingetty 7f8…&gt; …))
   586:29 15 (map1 (#&lt;&lt;service&gt; type: #&lt;service-type mingetty 7f8…&gt; …))
   586:29 14 (map1 (#&lt;&lt;service&gt; type: #&lt;service-type agetty 7f8c1…&gt; …))
   586:29 13 (map1 (#&lt;&lt;service&gt; type: #&lt;service-type syslog 7f8c1…&gt; …))
   586:29 12 (map1 (#&lt;&lt;service&gt; type: #&lt;service-type console-font…&gt; …))
   586:29 11 (map1 (#&lt;&lt;service&gt; type: #&lt;service-type virtual-term…&gt; …))
   586:17 10 (map1 (#&lt;&lt;service&gt; type: #&lt;service-type opensmtpd 7f…&gt; …))
In guixrus/services/opensmtpd.scm:
  2567:27  9 (opensmtpd-shepherd-service #&lt;&lt;opensmtpd-configuration&gt;…&gt;)
  2541:19  8 (opensmtpd-configuration-&gt;mixed-text-file #&lt;&lt;opensmtpd-…&gt;)
   2496:3  7 (opensmtpd-configuration-&gt;string #&lt;&lt;opensmtpd-configura…&gt;)
   2421:9  6 (opensmtpd-configuration-fieldname-&gt;string #&lt;&lt;opensmtp…&gt; …)
  2430:10  5 (list-of-records-&gt;string (#&lt;&lt;opensmtpd-interface&gt; i…&gt; …) …)
  2434:17  4 (loop (#&lt;&lt;opensmtpd-interface&gt; interface: &quot;eth0&quot; fam…&gt; …))
   1848:5  3 (opensmtpd-interface-&gt;string #&lt;&lt;opensmtpd-interface&gt; in…&gt;)
In unknown file:
           2 (string-append &quot;&quot; &quot;&quot; &quot;&quot; &quot;&quot; &quot;&quot; &quot;tls &quot; #&lt;unspecified&gt; &quot;p…&quot; …)
In ice-9/boot-9.scm:
  1685:16  1 (raise-exception _ #:continuable? _)
  1685:16  0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1685:16: In procedure raise-exception:
In procedure string-append: Wrong type (expecting string): #&lt;unspecified&gt;</code></pre><p>Ahh, I know what that problem is!  Let’s fix that.  So now I have make a local
commit.  Push it to my notabug.org/guixrus, ssh into lamora, run <code>git pull</code> on
the guixrus repo, then try to reconfigure.  This seems like a very odd/poor way
to test changes.  By making a commit locally, pushing it, pulling it, and then
wondering if the reconfigure will work.  I should really set up guix deploy.</p><pre><code>sudo guix system reconfigure linode-locke-lamora-current-config.scm

 module-import-compiled  1.0MiB                                         1.6MiB/s 00:01 [##################] 100.0%
building /gnu/store/mw8x4pbl11a5pdgxqcw2vvczdccpmicf-switch-to-system.scm.drv...
making '/gnu/store/0v5sbvlx9r151gjlc906lxyhps7xx1h8-system' the current system...
setting up setuid programs in '/run/setuid-programs'...
populating /etc from /gnu/store/1n0l349b03h7dclwai9l0kxglb8kwyv0-etc...
checking syntax of /gnu/store/51hahfmqlkj9jfxa2cqbm6dd05qrzxzd-smtpd.conf
/gnu/store/51hahfmqlkj9jfxa2cqbm6dd05qrzxzd-smtpd.conf:14: syntax error
/gnu/store/51hahfmqlkj9jfxa2cqbm6dd05qrzxzd-smtpd.conf:21: no such dispatcher: relay</code></pre><p>Ok, so I have a configuration error.  Let’s take a look at the generated
configuration file:</p><ul><li><p>The first error is this:</p><pre><code>cat /gnu/store/51hahfmqlkj9jfxa2cqbm6dd05qrzxzd-smtpd.conf | grep '&lt;&quot;&lt;&quot;'

listen on eth0 filter &quot;dkimsign&quot; smtps port 465 pki smtp.gnucode.me auth &lt;&quot;&lt;&quot;creds&quot;&gt;&quot;&gt;
listen on eth0 filter &quot;dkimsign&quot; tls-require port 587 pki smtp.gnucode.me auth &lt;&quot;&lt;&quot;creds&quot;&gt;&quot;&gt;</code></pre><p>It should be &lt;“creds”&gt;.</p></li><li><p>Another error is this:</p><pre><code>cat /gnu/store/51hahfmqlkj9jfxa2cqbm6dd05qrzxzd-smtpd.conf  | grep match

match !for any !from any !auth action &quot;relay&quot;
match !from any !for domain &lt;&quot;vdoms&quot;&gt; action &quot;receive&quot;
match !for local action &quot;receive&quot;</code></pre></li></ul><p>These match options should NOT be false. Let's quickly fix those issues
reconfigure again:</p><pre><code>sudo guix system reconfigure linode-locke-lamora-current-config.scm

checking syntax of /gnu/store/a69a5vn2r94glh58wlfq41ygfl38ikgn-smtpd.conf
configuration OK</code></pre><p>That’s a good sign!</p><p>Let’s reboot and see what happens!</p><p>Well when I reboot, smtpd refused to start.  Let’s look at the config file.</p><pre><code>cat /gnu/store/a69a5vn2r94glh58wlfq41ygfl38ikgn-smtpd.conf

filter &quot;dkimsign&quot; proc-exec &quot;/gnu/store/n2f5waxzdzcsdvh0xydhnc174n3kingw-opensmtpd-filter-dkimsign-0.6/libexec/opensmtpd/filter-dkimsign -d gnucode.me -s 2021-09-22 -c relaxed/relaxed -k /etc/dkim/private.key user nobody group nogroup&quot;

mta max-deferred 100

table &quot;creds&quot; { &quot;joshua&quot; = &quot;$6$Ec4m8FgKjT2F/03Y$k66ABdse9TzCX6qaALB3WBL9GC1rmAWJmaoSjFMpbhzat7DOpFqpnOwpbZ34wwsQYIK8RQlqwM1I/v6vsRq86.&quot; }
table &quot;vusers&quot; { &quot;joshua@gnucode.me&quot; = &quot;joshua&quot;, &quot;jbranso@gnucode.me&quot; = &quot;joshua&quot;, &quot;postmaster@gnucode.me&quot; = &quot;joshua&quot; }
table &quot;vdoms&quot; { &quot;gnucode.me&quot;, &quot;gnu-hurd.com&quot; }

pki smtp.gnucode.me cert &quot;/etc/letsencrypt/live/gnucode.me/fullchain.pem&quot;
pki smtp.gnucode.me key &quot;/etc/letsencrypt/live/gnucode.me/privkey.pem&quot;

listen on eth0 tls port 25 pki smtp.gnucode.me
listen on lo tls port 25 pki smtp.gnucode.me
listen on eth0 filter &quot;dkimsign&quot; smtps port 465 pki smtp.gnucode.me auth &lt;&quot;creds&quot;&gt;
listen on eth0 filter &quot;dkimsign&quot; tls-require port 587 pki smtp.gnucode.me auth &lt;&quot;creds&quot;&gt;

action &quot;relay&quot; relay

action &quot;receive&quot; maildir &quot;/home/%{rcpt.user}/Maildir&quot; junk virtual &lt;&quot;vusers&quot;&gt;

match for any from any auth action &quot;relay&quot;
match from any for domain &lt;&quot;vdoms&quot;&gt; action &quot;receive&quot;
match for local action &quot;receive&quot;</code></pre><p>It seems to be just fine...hmmm.  What does the error log say?</p><pre><code>cat /var/log/maillog | tail

Dec 22 10:05:41 localhost smtpd[19325]: warn: lost processor: dkimsign exited abnormally
Dec 22 10:05:41 localhost smtpd[19328]: dkimsign: Can't open key file (/etc/dkim/private.key): No such file or directory
Dec 22 10:05:41 localhost smtpd[19330]: warn: invalid envelope a565cee5a763bf31: unknown dispatcher
Dec 22 10:05:41 localhost smtpd[19325]: Exiting
Dec 22 11:22:18 localhost smtpd[268]: info: OpenSMTPD 6.8.0p2 starting
Dec 22 11:22:18 localhost smtpd[269]: warn: lost processor: dkimsign exited abnormally
Dec 22 11:22:18 localhost smtpd[272]: dkimsign: Can't open key file (/etc/dkim/private.key): No such file or directory
Dec 22 11:22:18 localhost smtpd[274]: warn: invalid envelope a565cee5a763bf31: unknown dispatcher
Dec 22 11:22:18 localhost smtpd[269]: Exiting</code></pre><p>Ok, well I think I found the problem. haha.  Let’s see, ah, looks like that key
is here:</p><pre><code>find . -name '*key'

/etc/opensmtpd/dkimsign/2021-09-22-rsa1024-gnucode.me.key</code></pre><p>Let’s commit my current-config locally, push it upstream, pull it from my server
and reconfigure.</p><pre><code>sudo guix system reconfigure linode-locke-lamora-current-config.scm

checking syntax of /gnu/store/42q90z8n03zi9rx29gwdnms4sdr2g2p9-smtpd.conf
configuration OK</code></pre><p>After I rebooted, smtpd still was not starting.  Let’s try to find out why:</p><pre><code>cat /var/log/maillog | tail

Dec 22 11:38:03 localhost smtpd[498]: warn: invalid envelope a565cee5a763bf31: unknown dispatcher
Dec 22 11:38:03 localhost smtpd[493]: warn: lost processor: dkimsign exited abnormally
Dec 22 11:38:03 localhost smtpd[496]: dkimsign: Can't open key file (/etc/opensmtpd/dkimsign/2021-09-22-rsa1024-gnucode.me.key): Permission denied
Dec 22 11:38:03 localhost smtpd[493]: Exiting
Dec 22 11:40:02 localhost dovecot: master: Dovecot v2.3.19.1 (9b53102964) starting up for imap (core dumps disabled)
Dec 22 11:42:41 localhost smtpd[258]: info: OpenSMTPD 6.8.0p2 starting
Dec 22 11:42:41 localhost smtpd[259]: warn: lost processor: dkimsign exited abnormally
Dec 22 11:42:41 localhost smtpd[262]: dkimsign: Can't open key file (/etc/opensmtpd/dkimsign/2021-09-22-rsa1024-gnucode.me.key): Permission denied
Dec 22 11:42:41 localhost smtpd[264]: warn: invalid envelope a565cee5a763bf31: unknown dispatcher
Dec 22 11:42:41 localhost smtpd[259]: Exiting</code></pre><p>Ok, this is just a permissions error.  That’s an easy fix!  I changed a
<code>sudo chown -R smtpd /etc/opensmtpd</code>.  Then I got this beauty:</p><pre><code>sudo herd start smtpd

Service smtpd has been started.</code></pre><p>Woo hoo!  Now let’s try to send an email and see if it works!</p><p>I sent an email to gmail, and if you select an email in gmail, you can click on
view original.  It showed me that I did pass dkimsigning!  That’s awesome!  And
my email was in my gmail inbox.  That’s a really good sign!  Now I am off to
submit a patch to guixrus!</p><p>I did get a tip from someone on irc that mentioned that I should verify my
dkimsigning and SPF via https://dkimvalidator.com/ And when I used that tool, I
discovered that my SPF was failing, so I will need to fix that.</p></div></article></section></main><footer><p>© 2020 Joshua Branson.  The text on this site is free culture under the Creative Commons Attribution Share-Alike 4.0 International license.</p><p>This website is build with Haunt, a static site generator written in Guile Scheme.  Source code is <a href="https://notabug.org/jbranso/gnucode.me">available.</a></p><p>The color theme of this website is based off of the famous <a href="#3f3f3f" target="_blank">zenburn</a> theme.</p></footer></body>