<!DOCTYPE html><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><meta name="keywords" content="GNU, Emacs, Libre Software, Hurd, Guile, Guix" /><meta name="description" content="GNUcode.me is a website focusing on libre software projects, especially the GNU project." /><link type="application/atom+xml" rel="alternate" title="GNUcode.me -- Feed" href="/feed.xml" /><a rel="me" href="https://fosstodon.org/@thegnuguy"></a><link type="text/css" href="css/footer.min.css" rel="stylesheet"></link><link type="text/css" href="css/header.min.css" rel="stylesheet"></link><link type="text/css" href="css/main.min.css" rel="stylesheet"></link><title>Submitting Opensmtpd Service to Guixrus — GNUcode.me</title></head><body><header><nav><ul><li><a href="index.html">GNUcode.me</a></li><li><a href="services.html">Services</a></li><li><a href="about.html">About</a></li><li><a href="business-ideas.html">Business-ideas</a></li></ul></nav></header><h1>Submitting Opensmtpd Service to Guixrus</h1><main><section class="basic-section-padding"><article><h3>by Joshua Branson — December 22, 2022</h3><div><p>EDIT 02-24-2023: Through this whole process, I have used this guide to set up email.
If you are going to try to set up your own email service, do check it out:
<a href="https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/">https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/</a></p><p>I was recently encouraged by the delightfully friendly raghavgururajan to try to
merge my opensmtpd service project into guixrus, which is a small community
actively working to upstream packages and services into guix proper. I figured,
why not? Sounds like fun. The following post will describe my developmental
workflow, which is probably pretty poor…</p><p>tl;dr</p><p>Soonish, I will clean up the code for a proper <code>opensmtpd-service-type</code> with
<code>opensmtpd-records</code> for guix system. It may take 6 months to get it in a clean
state. Until it is merged, you may find it here:</p><p><a href="https://git.sr.ht/~whereiseveryone/guixrus/commit/255875f7d86e92bb64006a59be26c64430c0c046">https://git.sr.ht/~whereiseveryone/guixrus/commit/255875f7d86e92bb64006a59be26c64430c0c046</a></p><p>The current documentation is here:</p><p><a href="https://notabug.org/jbranso/linode-guix-system-configuration/src/master/opensmtpd-records-documentation.txt">https://notabug.org/jbranso/linode-guix-system-configuration/src/master/opensmtpd-records-documentation.txt</a></p><p>My server's config is here:</p><p><a href="https://notabug.org/jbranso/linode-guix-system-configuration/src/master/linode-locke-lamora-current-config.scm">https://notabug.org/jbranso/linode-guix-system-configuration/src/master/linode-locke-lamora-current-config.scm</a></p><p>The current task list is here:</p><p><a href="https://notabug.org/jbranso/linode-guix-system-configuration/src/master/opensmtpd.org">https://notabug.org/jbranso/linode-guix-system-configuration/src/master/opensmtpd.org</a></p><p>I added the guixrus channel to my <code>~/.config/guix/channels.scm</code>:</p><pre><code>cat ~/.config/guix/channels.scm
(cons* (channel ;; for firefox-wayland
        (name 'nonguix)
        (url "https://gitlab.com/nonguix/nonguix")
        ;; Enable signature verification:
        (introduction
         (make-channel-introduction
          "897c1a470da759236cc11798f4e0a5f7d4d59fbc"
          (openpgp-fingerprint
           "2A39 3FFF 68F4 EF7A 3D29 12AF 6F51 20A0 22FB B2D5"))))
       (channel ;; for sway-latest
        (name 'guixrus)
        (url "https://git.sr.ht/~whereiseveryone/guixrus")
        (introduction
         (make-channel-introduction
          "7c67c3a9f299517bfc4ce8235628657898dd26b2"
          (openpgp-fingerprint
           "CD2D 5EAA A98C CB37 DA91 D6B0 5F58 1664 7F8B E551"))))
       %default-channels)</code></pre><p>Before I submit the patch, I should make sure that the code actually works. To
do that, I logged into my gnucode.me server and tried to set up the opensmtpd
server.</p><pre><code>guix pull --url=https://notabug.org/jbranso/guix/src/newOpensmtpdBranch \
--branch=newOpensmtpdBranch
Updating channel 'guix' from Git repository at 'https://notabug.org/jbranso/guix'...
guix pull: error: Git error: cannot locate remote-tracking branch 'origin/keyring'
guix pull --url=https://notabug.org/jbranso/guix \
--commit=8abbb6c442d135ae8e7c1cb0e17525478fafe8f0
Updating channel 'guix' from Git repository at 'https://notabug.org/jbranso/guix'...
guix pull: error: Git error: cannot locate remote-tracking branch 'origin/keyring'</code></pre><p>Hmm, well my opensmtpd service is NOT using signed commits. That’s probably the
problem. Hmmm… Well I guess I need to start signing my commits. Generate a
gpg key. grrr….</p><p>These three pages seem promising:</p><p><a href="https://moser-isi.ethz.ch/gpg.html">https://moser-isi.ethz.ch/gpg.html</a></p><p><a href="https://wiki.debian.org/Keysigning">https://wiki.debian.org/Keysigning</a></p><p><a href="https://risanb.com/code/backup-restore-gpg-key/">https://risanb.com/code/backup-restore-gpg-key/</a></p><pre><code>gpg --full-generate-key
gpg: directory '/home/joshua/.gnupg/openpgp-revocs.d' created
h.lgpg: revocation certificate stored as '/home/joshua/.gnupg/openpgp-revocs.d/LOTSOFNUMBERS.rev'</code></pre><p>I copied my revocation certificate onto my spare USB stick:</p><pre><code>sudo cp .gnupg/openpgp-revocs.d/LOTSOFNUMBERS.rev /mnt/gnucode.gpg.rev</code></pre><p>Let’s export my gpg key to the server.</p><pre><code>gpg --auto-key-locate keyserver -a --send-keys 67A42A3CC23F979886F9686C750BCFEF3A579572
gpg -a --export gnucode
gpg -a --export gnucode > gnucode.pub
sudo cp gnucode.pub /mnt/</code></pre><p>Now let’s back up the gpg key.</p><pre><code>gpg --export-secret-keys --armor gnucode > secret-key-backup.asc
sudo mv secret-key-backup.asc /mnt/</code></pre><p>If I ever need to move that gpg key to another computer, all I have to do is:</p><pre><code>gpg --import /path/to/secret-key-backup.asc</code></pre><p>Let’s try testing a signed commit.</p><pre><code>git config --global commit.gpgsign true</code></pre><p><a href="https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key">https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key</a></p><pre><code>gpg --list-secret-keys --keyid-format=long
# git config --global user.signingkey MYSIGNINGKEY
git config --global alias.logs "log --show-signature"
git commit -m "mail.scm: minor sanitization improvements."</code></pre><p>Ok well let’s try this to see what the error was:</p><pre><code>GIT_TRACE=1 git commit -m "blah" -S
23:07:37.656401 git.c:460 trace: built-in: git commit -m blah -S
23:07:37.678825 run-command.c:655 trace: run_command: gpg --status-fd=2 -bsau 750BCFEF3A579572
error: gpg failed to sign the data
fatal: failed to write commit object
gpg --status-fd=2 -bsau 750BCFEF3A579572</code></pre><p>As I was running through the above command, I realized that it is possible that
I did not have pinentry installed:</p><pre><code>guix install pinentry
git logs</code></pre><p>Now I think I will try rebooting and check to see if I can still sign git
commits.</p><p>And after I rebooted, I cannot sign commits with emacs…</p><p>Emacs says “hint: Waiting for your editor to close the file…”
“Waiting for Emacs”</p><p>Well online, I see this as a possible solution:</p><pre><code>git config --global core.editor emacs</code></pre><p>Well that didn’t quite work. I was able to squash two commits, via emacs, but
only after the gpg agent had cached my private key password. That makes
me think that magit is having a hard time querying me for my password.</p><p>Well let me try updating doom emacs. I doubt that will work, but I’ll try it.
That didn’t work. :(</p><p>Well I found a possible error here:</p><p><a href="https://github.com/magit/with-editor/issues/69">https://github.com/magit/with-editor/issues/69</a></p><p><a href="https://emacs.stackexchange.com/questions/74097/magit-cannot-commit-emacsclient-on-path-pop-os">https://emacs.stackexchange.com/questions/74097/magit-cannot-commit-emacsclient-on-path-pop-os</a></p><p><a href="https://magit.vc/manual/with-editor/Configuring-With_002dEditor.html">https://magit.vc/manual/with-editor/Configuring-With_002dEditor.html</a></p><p>Then I thought, how about I disable the with-editor elisp package that doom
emacs ships and instead <code>guix install emacs-with-editor</code>. Let’s try that.</p><pre><code>cat .doom.d/packages.el | grep with-editor
(package! with-editor :disable t)
doom upgrade
doom sync
guix install emacs-with-editor</code></pre><p>Nope. That didn’t work either. Hmmm. I can get emacs to commit the message,
after the gpg agent caches my key’s password.</p><p>Well let’s try running emacs without any configuration: <code>emacs -q</code>. Nope. That
also didn’t work. :(</p><p>My current theory is that my wayland only session is prohibiting the pinentry
from displaying, which is NOT allowing me to enter in my gpg password. I shall
try temporarily enabling Xwayland and see if that fixes it.</p><pre><code>cat config | grep xwayland
# disable xwayland. Just trying it out
xwayland enable</code></pre><p>Yup! That fixed it. With the above, I can now sign my commits with emacs! But
I would rather keep my wayland only session. Let’s try pinentry-bemenu:</p><pre><code>guix package -i pinentry-bemenu -r pinentry
cat config | grep xwayland
# disable xwayland.
xwayland disable</code></pre><p>Well that didn’t work. Let’s try pinentry-gnome3.</p><pre><code>guix package -r pinentry-bemenu -i pinentry-gnome3</code></pre><p>Nope. It’s X only. Let’s try qt:</p><pre><code>guix package -r pinentry-gnome3 -i pinentry-qt</code></pre><p>Nope. That also seems to be X only. grr. Maybe this bemenu thing works, but I
need to configure it properly.</p><p>Well let’s install pinentry, and temporarily enable xwayland.</p><pre><code>guix package -r pinentry-tty -i pinentry
cat config | grep xwayland
# enable xwayland.
xwayland enable</code></pre><p>Well I should probably try eventually to edit <code>.config/gpg.conf</code> and tell it to
use pinentry-bemenu as the pinentry program.</p><p>I think that spending all that time working on getting gpg key signing to work
was probably a big waste of time. :( I think instead of keeping my opensmtpd
code in guix-src/gnu/services/mail.scm, I will move it to
guixrus/services/opensmtpd.scm. Then I can just copy the opensmtpd.scm file to my
linode server, and manually load in that code to start my opensmtpd service.</p><p>First I will delete the opensmtpd record stuff in gnu/services/mail.scm. I
don’t want to confuse myself about where I am storing my developmental code.</p><p>Now I will cp my opensmtpd.scm code into my linode service git repo.</p><pre><code>cp opensmtpd.scm ~/prog/gnu/guix/guix-config/linode-guix-system-configuration/guixrus/services/
ls ~/prog/gnu/guix/guix-config/linode-guix-system-configuration/guixrus/services/opensmtpd.scm
cat ~/prog/gnu/guix/guix-config/linode-guix-system-configuration/guixrus/services/opensmtpd.scm | tail
/home/joshua/prog/gnu/guix/guix-config/linode-guix-system-configuration/guixrus/services/opensmtpd.scm
        (service-extension pam-root-service-type
                           (const %opensmtpd-pam-services))
        (service-extension profile-service-type
                           (compose list opensmtpd-configuration-package))
        (service-extension shepherd-root-service-type
                           opensmtpd-shepherd-service)
        (service-extension setuid-program-service-type
                           opensmtpd-set-gids)))
   (description "Run the OpenSMTPD, a lightweight @acronym{SMTP, Simple Mail
Transfer Protocol} server.")))</code></pre><p>Now I will commit the changes to my linode git repo and push them.</p><pre><code>git add opensmtpd.scm
git commit -m "copying opensmtpd.scm from guixrus."
[master 7399550] copying opensmtpd.scm from guixrus.
1 file changed, 7 insertions(+)
rename opensmtpd.scm => guixrus/services/opensmtpd.scm (99%)</code></pre><p>Hmmm, was that commit signed? No idea.</p><p>Now let’s push that commit.</p><pre><code>git push</code></pre><p>Now let's log into the gnucode service and pull that commit.</p><pre><code>git pull
cat opensmtpd.scm | tail
Updating a8d88b9..7399550
Fast-forward
opensmtpd.scm => guixrus/services/opensmtpd.scm | 7 +++++++
1 file changed, 7 insertions(+)
rename opensmtpd.scm => guixrus/services/opensmtpd.scm (99%)</code></pre><p>I am realizing that it will probably be easiest to reconfigure my server with my
opensmtpd records if my server has the same directory structure as my local
machine, namely if my git repos are in the same directories. So I did some changes
on my server to make sure that my server's directory structure matches my local
one. Now my server’s <code>config.scm</code> is no longer at
~/linode-guix-system-configuration/linode-locke-lamora-current-config.scm. Now
it is at:</p><pre><code>find . -name '*current-config.scm'
./prog/gnu/guix/guix-config/linode-guix-system-configuration/linode-locke-lamora-current-config.scm</code></pre><p>I want to make sure that my remote server has a copy of the guixrus source code
with my newest commit committing <code>services/opensmtpd.scm</code>.</p><p>So, I made a guixrus repo on <a href="https://notabug.org/jbranso/guixrus">notabug.org</a>, then I pulled that repo on my server:</p><pre><code>git clone https://notabug.org/jbranso/guixrus
git show HEAD | head
commit 147a9ce316be2f9f7c9ed25b3e097fd84b8b01eb
Author: Joshua Branson <jbranso@dismail.de>
Date:   Thu Dec 22 09:21:19 2022 -0500

    services (opensmtpd): add opensmtpd records to enhance opensmtpd-configuration.

    Opensmtpd-configuration may only be configured by a config-file that
    uses the smtpd.conf syntax. This patch enables one to configure
    opensmtpd by using record types.</code></pre><p>It would be nice to test the configuration locally, to see if it will work
before I push it to the server.</p><pre><code>guix system vm linode-locke-lamora-current-config.scm
guix system: error: (cert "/etc/letsencrypt/live/gnucode.me/fullchain.pem") is invalid.
hint: Try a file.</code></pre><p>The above is actually a good sign. I do not have that certificate locally, but
it is available on the server. If that is the only error, then let’s go ahead
and try to reconfigure the server.</p><p>The relevant opensmtpd-service looks like:</p><pre><code>(service opensmtpd-service-type
  (let ([action-receive (opensmtpd-local-delivery
                         (name "receive")
                         (method (opensmtpd-maildir
                                  (pathname "/home/%{rcpt.user}/Maildir")
                                  (junk #t)))
                         (virtual (opensmtpd-table
                                   (name "vusers")
                                   (data '(("joshua@gnucode.me" . "joshua")
                                           ("jbranso@gnucode.me" . "joshua")
                                           ("postmaster@gnucode.me" . "joshua"))))))]
        [pki-gnucode (opensmtpd-pki
                      (domain "smtp.gnucode.me")
                      (cert "/etc/letsencrypt/live/gnucode.me/fullchain.pem")
                      (key "/etc/letsencrypt/live/gnucode.me/privkey.pem"))]
        [filter-dkimsign (opensmtpd-filter
                          (name "dkimsign")
                          (exec #t)
                          (proc (list (file-append opensmtpd-filter-dkimsign "/libexec/opensmtpd/filter-dkimsign")
                                      " -d gnucode.me -s 2021-09-22 -c relaxed/relaxed -k "
                                      "/etc/dkim/private.key "
                                      "user nobody group nogroup")))]
        [table-creds (opensmtpd-table
                      (name "creds")
                      (data
                       (list
                        (cons "joshua"
                              "$6$Ec4m8FgKjT2F/03Y$k66ABdse9TzCX6qaALB3WBL9GC1rmAWJmaoSjFMpbhzat7DOpFqpnOwpbZ34wwsQYIK8RQlqwM1I/v6vsRq86."))))])
    (opensmtpd-configuration
     (interfaces
      (list
       ;; this forum help suggests that I listen on 0.0.0.0 and NOT eth0
       ;; https://serverfault.com/questions/726795/opensmtpd-wont-work-at-reboot
       ;; this listens for email from the outside world
       (opensmtpd-interface
        (interface "eth0")
        (port 25)
        (secure-connection "tls")
        (pki pki-gnucode))
       ;; this lets local users logged into the system via ssh send email
       (opensmtpd-interface
        (interface "lo")
        (port 25)
        (secure-connection "tls")
        (pki pki-gnucode))
       (opensmtpd-interface
        (interface "eth0")
        (port 465)
        (secure-connection "smtps")
        (pki pki-gnucode)
        (auth table-creds)
        (filters (list filter-dkimsign)))
       (opensmtpd-interface
        (interface "eth0")
        (port 587)
        (secure-connection "tls-require")
        (pki pki-gnucode)
        (auth table-creds)
        (filters (list filter-dkimsign)))))
     (matches (list
               (opensmtpd-match
                (action (opensmtpd-relay
                         (name "relay")))
                (options
                 (list
                  (opensmtpd-option
                   (option "for any"))
                  (opensmtpd-option
                   (option "from any"))
                  (opensmtpd-option
                   (option "auth")))))
               (opensmtpd-match
                (action action-receive)
                (options
                 (list
                  (opensmtpd-option
                   (option "from any"))
                  (opensmtpd-option
                   (option "for domain")
                   (data (opensmtpd-table
                          (name "vdoms")
                          (data (list "gnucode.me"
                                      "gnu-hurd.com"))))))))
               (opensmtpd-match
                (action action-receive)
                (options
                 (list
                  (opensmtpd-option
                   (option "for local"))))))))))</code></pre><p>I was curious to see how outdated my server is. It’s dated apparently.</p><pre><code>guix system describe
Generation 118	Aug 14 2022 02:45:18	(current)
  file name: /var/guix/profiles/system-118-link
  canonical file name: /gnu/store/7jkrafkf61bw3fdxlrlzvkrl98ys1icj-system
  label: GNU with Linux-Libre 5.18.16
  bootloader: grub
  root device: /dev/sda
  kernel: /gnu/store/iz6xn1b1dyk6pwaf6dym3jm3vwnh4gz9-linux-libre-5.18.16/bzImage
  channels:
    guix:
      repository URL: https://git.savannah.gnu.org/git/guix.git
      branch: master
      commit: 43decd1f7ea4ebd911199ad10c0ca555d0dffbd6
  configuration file: /gnu/store/rv7rhwn5kd9yxv8kayqlsgxwyhcz55ca-configuration.scm</code></pre><p>Let's try reconfiguring my server with the opensmtpd configuration.</p><pre><code>guix pull
sudo guix system reconfigure linode-locke-lamora-current-config.scm
In srfi/srfi-1.scm:
    586:29 19 (map1 (#<<service> type: #<service-type mingetty 7f8…> …))
    586:29 18 (map1 (#<<service> type: #<service-type mingetty 7f8…> …))
    586:29 17 (map1 (#<<service> type: #<service-type mingetty 7f8…> …))
    586:29 16 (map1 (#<<service> type: #<service-type mingetty 7f8…> …))
    586:29 15 (map1 (#<<service> type: #<service-type mingetty 7f8…> …))
    586:29 14 (map1 (#<<service> type: #<service-type agetty 7f8c1…> …))
    586:29 13 (map1 (#<<service> type: #<service-type syslog 7f8c1…> …))
    586:29 12 (map1 (#<<service> type: #<service-type console-font…> …))
    586:29 11 (map1 (#<<service> type: #<service-type virtual-term…> …))
    586:17 10 (map1 (#<<service> type: #<service-type opensmtpd 7f…> …))
In guixrus/services/opensmtpd.scm:
   2567:27  9 (opensmtpd-shepherd-service #<<opensmtpd-configuration>…>)
   2541:19  8 (opensmtpd-configuration->mixed-text-file #<<opensmtpd-…>)
   2496:3   7 (opensmtpd-configuration->string #<<opensmtpd-configura…>)
   2421:9   6 (opensmtpd-configuration-fieldname->string #<<opensmtp…> …)
   2430:10  5 (list-of-records->string (#<<opensmtpd-interface> i…> …) …)
   2434:17  4 (loop (#<<opensmtpd-interface> interface: "eth0" fam…> …))
   1848:5   3 (opensmtpd-interface->string #<<opensmtpd-interface> in…>)
In unknown file:
            2 (string-append "" "" "" "" "" "tls " #<unspecified> "p…" …)
In ice-9/boot-9.scm:
   1685:16  1 (raise-exception _ #:continuable? _)
   1685:16  0 (raise-exception _ #:continuable? _)
ice-9/boot-9.scm:1685:16: In procedure raise-exception:
In procedure string-append: Wrong type (expecting string): #<unspecified></code></pre><p>Ahh, I know what that problem is! Let’s fix that. So now I have to make a local
commit, push it to my notabug.org/guixrus, ssh into lamora, run <code>git pull</code> on
the guixrus repo, then try to reconfigure. This seems like a very odd/poor way
to test changes: making a commit locally, pushing it, pulling it, and then
wondering if the reconfigure will work. I should really set up guix deploy.</p><pre><code>sudo guix system reconfigure linode-locke-lamora-current-config.scm
module-import-compiled 1.0MiB 1.6MiB/s 00:01 [##################] 100.0%
building /gnu/store/mw8x4pbl11a5pdgxqcw2vvczdccpmicf-switch-to-system.scm.drv...
making '/gnu/store/0v5sbvlx9r151gjlc906lxyhps7xx1h8-system' the current system...
setting up setuid programs in '/run/setuid-programs'...
populating /etc from /gnu/store/1n0l349b03h7dclwai9l0kxglb8kwyv0-etc...
checking syntax of /gnu/store/51hahfmqlkj9jfxa2cqbm6dd05qrzxzd-smtpd.conf
/gnu/store/51hahfmqlkj9jfxa2cqbm6dd05qrzxzd-smtpd.conf:14: syntax error
/gnu/store/51hahfmqlkj9jfxa2cqbm6dd05qrzxzd-smtpd.conf:21: no such dispatcher: relay</code></pre><p>Ok, so I have a configuration error. Let’s take a look at the generated
configuration file:</p><ul><li><p>The first error is this:</p><pre><code>cat /gnu/store/51hahfmqlkj9jfxa2cqbm6dd05qrzxzd-smtpd.conf | grep '<"<"'
listen on eth0 filter "dkimsign" smtps port 465 pki smtp.gnucode.me auth <"<"creds">">
listen on eth0 filter "dkimsign" tls-require port 587 pki smtp.gnucode.me auth <"<"creds">"></code></pre><p>It should be <code>&lt;"creds"&gt;</code>.</p></li><li><p>Another error is this:</p><pre><code>cat /gnu/store/51hahfmqlkj9jfxa2cqbm6dd05qrzxzd-smtpd.conf | grep match
match !for any !from any !auth action "relay"
match !from any !for domain <"vdoms"> action "receive"
match !for local action "receive"</code></pre></li></ul><p>These match options should NOT be false. Let's quickly fix those issues and
reconfigure again:</p><pre><code>sudo guix system reconfigure linode-locke-lamora-current-config.scm
checking syntax of /gnu/store/a69a5vn2r94glh58wlfq41ygfl38ikgn-smtpd.conf
configuration OK</code></pre><p>That’s a good sign!</p><p>Let’s reboot and see what happens!</p><p>Well when I reboot, smtpd refused to start. Let’s look at the config file.</p><pre><code>cat /gnu/store/a69a5vn2r94glh58wlfq41ygfl38ikgn-smtpd.conf
filter "dkimsign" proc-exec "/gnu/store/n2f5waxzdzcsdvh0xydhnc174n3kingw-opensmtpd-filter-dkimsign-0.6/libexec/opensmtpd/filter-dkimsign -d gnucode.me -s 2021-09-22 -c relaxed/relaxed -k /etc/dkim/private.key user nobody group nogroup"
mta max-deferred 100
table "creds" { "joshua" = "$6$Ec4m8FgKjT2F/03Y$k66ABdse9TzCX6qaALB3WBL9GC1rmAWJmaoSjFMpbhzat7DOpFqpnOwpbZ34wwsQYIK8RQlqwM1I/v6vsRq86." }
table "vusers" { "joshua@gnucode.me" = "joshua", "jbranso@gnucode.me" = "joshua", "postmaster@gnucode.me" = "joshua" }
table "vdoms" { "gnucode.me", "gnu-hurd.com" }
pki smtp.gnucode.me cert "/etc/letsencrypt/live/gnucode.me/fullchain.pem"
pki smtp.gnucode.me key "/etc/letsencrypt/live/gnucode.me/privkey.pem"
listen on eth0 tls port 25 pki smtp.gnucode.me
listen on lo tls port 25 pki smtp.gnucode.me
listen on eth0 filter "dkimsign" smtps port 465 pki smtp.gnucode.me auth <"creds">
listen on eth0 filter "dkimsign" tls-require port 587 pki smtp.gnucode.me auth <"creds">
action "relay" relay
action "receive" maildir "/home/%{rcpt.user}/Maildir" junk virtual <"vusers">
match for any from any auth action "relay"
match from any for domain <"vdoms"> action "receive"
match for local action "receive"</code></pre><p>It seems to be just fine...hmmm. What does the error log say?</p><pre><code>cat /var/log/maillog | tail
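</code></pre>
<p>The two renderings of smtpd.conf shown above differ in exactly the ways a check run before <code>guix system reconfigure</code> should catch: a mangled table reference (<code>&lt;"&lt;"creds"&gt;"&gt;</code>), criteria such as <code>!for any</code> that can never match, and, because a leading <code>!</code> negates a match criterion in smtpd.conf, a relay rule that would have applied to unauthenticated sessions instead of authenticated ones. The following is an added example, not part of the post or of the guixrus service, that lints constructed copies of both renderings; the keyword list it understands is an assumption covering only the subset of the smtpd.conf grammar the post uses.</p>

```python
import re

# Constructed sample (abridged from the post): the first rendering, with the
# mangled <"<"creds">"> references and every match criterion negated.
BROKEN_CONF = """\
listen on eth0 filter "dkimsign" smtps port 465 pki smtp.gnucode.me auth <"<"creds">">
listen on eth0 filter "dkimsign" tls-require port 587 pki smtp.gnucode.me auth <"<"creds">">
action "relay" relay
action "receive" maildir "/home/%{rcpt.user}/Maildir" junk virtual <"vusers">
match !for any !from any !auth action "relay"
match !from any !for domain <"vdoms"> action "receive"
match !for local action "receive"
"""

# Constructed sample (abridged from the post): the rendering that passed the syntax check.
FIXED_CONF = """\
listen on eth0 tls port 25 pki smtp.gnucode.me
listen on eth0 filter "dkimsign" smtps port 465 pki smtp.gnucode.me auth <"creds">
listen on eth0 filter "dkimsign" tls-require port 587 pki smtp.gnucode.me auth <"creds">
action "relay" relay
action "receive" maildir "/home/%{rcpt.user}/Maildir" junk virtual <"vusers">
match for any from any auth action "relay"
match from any for domain <"vdoms"> action "receive"
match for local action "receive"
"""

TABLE_REF = re.compile(r'<"[^"<>]+">')   # a well-formed <"name"> table reference
TLS_REQUIRED = {"smtps", "tls-require"}   # listener modes that refuse cleartext sessions
SUBMISSION_PORTS = {465, 587}
# Match criteria this check understands (assumption: a subset of smtpd.conf(5)).
MATCH_KEYWORDS = {"for", "from", "auth", "tag", "tls", "helo", "mail-from", "rcpt-to"}


def parse_criteria(words):
    """Words between 'match' and 'action' -> (negated, keyword, argument) triples."""
    crit, i = [], 0
    while i < len(words):
        negated, kw, arg = words[i].startswith("!"), words[i].lstrip("!"), ""
        if kw in ("for", "from") and i + 1 < len(words):   # for/from take one argument
            arg, i = words[i + 1], i + 1
        if kw in MATCH_KEYWORDS:
            crit.append((negated, kw, arg))
        i += 1
    return crit


def check_listen(n, words):
    """Credentials must only be accepted on listeners that force TLS."""
    port = int(words[words.index("port") + 1]) if "port" in words else 25
    mode = next((w for w in words if w in ("tls", "tls-require", "smtps")), None)
    authed = "auth" in words
    out = []
    if authed and mode not in TLS_REQUIRED:
        out.append(f"line {n}: auth accepted on port {port} without requiring TLS")
    if port in SUBMISSION_PORTS and not (authed and mode in TLS_REQUIRED):
        out.append(f"line {n}: submission port {port} should require TLS and auth")
    return out


def check_match(n, words, relay_actions):
    """A negated 'any' never matches; a relay rule needs 'auth' or 'from local'."""
    if "action" not in words:
        return [f"line {n}: match rule without an action"]
    a = words.index("action")
    crit = parse_criteria(words[1:a])
    action = words[a + 1].strip('"') if a + 1 < len(words) else ""
    out = [f"line {n}: '!{kw} any' can never match" for neg, kw, arg in crit if neg and arg == "any"]
    if action in relay_actions:
        authed = any(kw == "auth" and not neg for neg, kw, _ in crit)
        local = any(kw == "from" and arg == "local" and not neg for neg, kw, arg in crit)
        if not (authed or local):
            out.append(f"line {n}: relay action {action!r} reachable without auth (open relay)")
    return out


def lint(conf):
    """Return one finding per problem; an empty list means every check passed."""
    findings, relay_actions = [], set()
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        # Strip well-formed <"name"> references; any '<"' or '">' left over is mangled.
        leftover = TABLE_REF.sub("", line)
        if '<"' in leftover or '">' in leftover:
            findings.append(f"line {n}: malformed table reference: {line}")
        if words[0] == "action" and len(words) > 2 and words[2] == "relay":
            relay_actions.add(words[1].strip('"'))
        elif words[0] == "listen":
            findings += check_listen(n, words)
        elif words[0] == "match":
            findings += check_match(n, words, relay_actions)
    return findings
```

<pre><code>cat /var/log/maillog | tail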
Dec 22 10:05:41 localhost smtpd[19325]: warn: lost processor: dkimsign exited abnormally
Dec 22 10:05:41 localhost smtpd[19328]: dkimsign: Can't open key file (/etc/dkim/private.key): No such file or directory
Dec 22 10:05:41 localhost smtpd[19330]: warn: invalid envelope a565cee5a763bf31: unknown dispatcher
Dec 22 10:05:41 localhost smtpd[19325]: Exiting
Dec 22 11:22:18 localhost smtpd[268]: info: OpenSMTPD 6.8.0p2 starting
Dec 22 11:22:18 localhost smtpd[269]: warn: lost processor: dkimsign exited abnormally
Dec 22 11:22:18 localhost smtpd[272]: dkimsign: Can't open key file (/etc/dkim/private.key): No such file or directory
Dec 22 11:22:18 localhost smtpd[274]: warn: invalid envelope a565cee5a763bf31: unknown dispatcher
Dec 22 11:22:18 localhost smtpd[269]: Exiting</code></pre><p>Ok, well I think I found the problem. haha. Let’s see, ah, looks like that key
is here:</p><pre><code>find . -name '*key'
/etc/opensmtpd/dkimsign/2021-09-22-rsa1024-gnucode.me.key</code></pre><p>Let’s commit my current-config locally, push it upstream, pull it from my server
and reconfigure.</p><pre><code>sudo guix system reconfigure linode-locke-lamora-current-config.scm
checking syntax of /gnu/store/42q90z8n03zi9rx29gwdnms4sdr2g2p9-smtpd.conf
configuration OK</code></pre><p>After I rebooted, smtpd still was not starting. Let’s try to find out why:</p><pre><code>cat /var/log/maillog | tail
Dec 22 11:38:03 localhost smtpd[498]: warn: invalid envelope a565cee5a763bf31: unknown dispatcher
Dec 22 11:38:03 localhost smtpd[493]: warn: lost processor: dkimsign exited abnormally
Dec 22 11:38:03 localhost smtpd[496]: dkimsign: Can't open key file (/etc/opensmtpd/dkimsign/2021-09-22-rsa1024-gnucode.me.key): Permission denied
Dec 22 11:38:03 localhost smtpd[493]: Exiting
Dec 22 11:40:02 localhost dovecot: master: Dovecot v2.3.19.1 (9b53102964) starting up for imap (core dumps disabled)
Dec 22 11:42:41 localhost smtpd[258]: info: OpenSMTPD 6.8.0p2 starting
Dec 22 11:42:41 localhost smtpd[259]: warn: lost processor: dkimsign exited abnormally
Dec 22 11:42:41 localhost smtpd[262]: dkimsign: Can't open key file (/etc/opensmtpd/dkimsign/2021-09-22-rsa1024-gnucode.me.key): Permission denied
Dec 22 11:42:41 localhost smtpd[264]: warn: invalid envelope a565cee5a763bf31: unknown dispatcher
Dec 22 11:42:41 localhost smtpd[259]: Exiting</code></pre><p>Ok, this is just a permissions error. That’s an easy fix! I ran
<code>sudo chown -R smtpd /etc/opensmtpd</code>. Then I got this beauty:</p><pre><code>sudo herd start smtpd
Service smtpd has been started.</code></pre><p>Woo hoo! Now let’s try to send an email and see if it works!</p><p>I sent an email to gmail, and if you select an email in gmail, you can click on
view original. It showed me that I did pass dkimsigning! That’s awesome! And
my email was in my gmail inbox. That’s a really good sign! Now I am off to
submit a patch to guixrus!</p><p>I did get a tip from someone on irc that mentioned that I should verify my
dkimsigning and SPF via <a href="https://dkimvalidator.com/">https://dkimvalidator.com/</a>. And when I used that tool, I
discovered that my SPF was failing, so I will need to fix that.</p></div></article></section></main><footer><p>© 2020 Joshua Branson. The text on this site is free culture under the Creative Commons Attribution Share-Alike 4.0 International license.</p><p>This website is built with Haunt, a static site generator written in Guile Scheme. Source code is <a href="https://notabug.org/jbranso/gnucode.me">available.</a></p><p>The color theme of this website is based off of the famous <a href="#3f3f3f" target="_blank">zenburn</a> theme.</p></footer></body>