opensmtpd.scm 5.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131
  1. (define-module (opensmtpd)
  2. #:use-module (guix gexp)
  3. #:use-module (guix records)
  4. #:use-module (gnu packages mail) ;;for finding location of filter-dkimsign
  5. #:export (
  6. %smtpd.conf
  7. ))
  8. ;; to create credentials for now, I need to do the following:
  9. ;; find /gnu/store -name '*encrypt*' | grep opensmtpd
  10. ;; /gnu/store/blah/opensmtpd/encrypt
  11. (define creds
  12. (plain-file "creds"
  13. ;; this is my joshua's password for server. This can be found on dobby's /home/joshua/.authinfo/
  14. "joshua $6$Ec4m8FgKjT2F/03Y$k66ABdse9TzCX6qaALB3WBL9GC1rmAWJmaoSjFMpbhzat7DOpFqpnOwpbZ34wwsQYIK8RQlqwM1I/v6vsRq86."))
  15. (define vdoms
  16. (plain-file
  17. "vdoms"
  18. "gnucode.me
  19. gnu-hurd.com"))
  20. (define vusers
  21. (plain-file
  22. "vusers"
  23. "joshua@gnucode.me joshua
  24. jbranso@gnucode.me joshua
  25. postmaster@gnucode.me joshua"))
  26. (define path-to-filter-dkimsign
  27. (file-append opensmtpd-filter-dkimsign "/libexec/opensmtpd/filter-dkimsign"))
  28. (define path-to-dkimsign-key (string-append (getcwd) "/email-dkim-ssh-keys/2021-09-22-rsa1024-gnucode.me.key"))
  29. (define etc-dkimsign-key-file "/etc/opensmtpd/dkimsign/2021-09-22-rsa1024-gnucode.me.key")
  30. ;; FIXME: This should become a derivation. Currently it just runs when I evaluate
  31. ;; %smtpd.conf. For example it should look like this?
  32. ;; (define build-exp
  33. ;; #~(begin
  34. ;; (mkdir #$output)
  35. ;; (chdir #$output)
  36. ;; (symlink (string-append #$coreutils "/bin/ls")
  37. ;; "list-files")))
  38. ;; I will need to extend the opensmtpd service, to create a directory
  39. ;; in etc. This line needs to be added to etc-service.
  40. ;; (service-extension etc-service-type opensmtpd-etc-service)
  41. ;; I'll then need to create a opensmtpd-etc-service procedure. ganeti has
  42. ;; a good example.
  43. ;; It should also use the /etc service, which is a service for creating
  44. ;; directories and files in /etc ?
  45. (define (create-etc-dkimsign-key-file)
  46. #~(let ([UID-nobody (passwd:uid (getpw "nobody"))]
  47. [GID-root (group:gid (getgr "root"))]
  48. [GID-nogroup (group:gid (getgr "nogroup"))])
  49. ;; #o550 user root can read/open the directory
  50. ;; and the group "root" can read/open the directory.
  51. ;; change these two lines to (mkdir-p) ?
  52. (unless (file-exists? "/etc/opensmtpd")
  53. (mkdir "/etc/opensmtpd" #o550))
  54. ;; root can read/write/execute on directory dkimsign
  55. ;; group "root" can read and execute
  56. (unless (file-exists? "/etc/opensmtpd/dkimsign")
  57. (mkdir "/etc/opensmtpd/dkimsign" #o750))
  58. (copy-file path-to-dkimsign-key etc-dkimsign-key-file)
  59. ;; ;; ;; make the etc-dkimsign-key-file to owned by nobody and group nogroup.
  60. (chown "/etc/opensmtpd" UID-nobody GID-root)
  61. (chown "/etc/opensmtpd/dkimsign" UID-nobody GID-root)
  62. (chown etc-dkimsign-key-file UID-nobody GID-nogroup)
  63. etc-dkimsign-key-file))
  64. (define %smtpd.conf
  65. (mixed-text-file "smtpd.conf"
  66. "
  67. # This is the smtpd server system-wide configuration file.
  68. # See smtpd.conf(5) for more information.
  69. # borrowed from the archlinux guix
  70. # https://wiki.archlinux.org/index.php/OpenSMTPD#Simple_OpenSMTPD/mbox_configuration
  71. # My TLS certificate and key
  72. table aliases file:/etc/aliases
  73. pki smtp.gnucode.me cert \"/etc/letsencrypt/live/gnucode.me/fullchain.pem\"
  74. pki smtp.gnucode.me key \"/etc/letsencrypt/live/gnucode.me/privkey.pem\"
  75. # for now I am NOT using the virtual credentials
  76. # table creds { joshua = $6$Ec4m8FgKjT2F/03Y$k66ABdse9TzCX6qaALB3WBL9GC1rmAWJmaoSjFMpbhzat7DOpFqpnOwpbZ34wwsQYIK8RQlqwM1I/v6vsRq86. }
  77. table creds \"" creds "\"
  78. table vdoms \"" vdoms "\"
  79. # table vdoms { gnucode.me, gnu-hurd.com }
  80. # table vusers { joshua@gnucode.me = joshua, jbranso@gnucode.me = joshua, postmaster@gnucode.me = joshua }
  81. table vusers \"" vusers "\"
  82. # this totally works! run this as user nobody!
  83. # info about dkimsign ...ing
  84. # https://openports.pl/path/mail/opensmtpd-filters/dkimsign
  85. # sudo -u nobody /gnu/store/g17vdv4l03bacn7qbdpb5v8l8vgdxcld-opensmtpd-filter-dkimsign-0.5/libexec/opensmtpd/filter-dkimsign -d gnucode.me -s 2020 -c relaxed/relaxed -k etc-dkimsign-key-file /home/joshua/linode-guix-system-configuration/email-dkim-ssh-keys/20201004-gnucode.me.key user nobody group nogroup
  86. filter \"dkimsign\" \
  87. proc-exec \"" path-to-filter-dkimsign " -d gnucode.me -s 2021-09-22 -c relaxed/relaxed -k " etc-dkimsign-key-file ;;(create-etc-dkimsign-key-file)
  88. " \" \
  89. user nobody group nogroup
  90. # port 25 is used only for receiving from external servers, and they may start a
  91. # TLS session if the want.
  92. listen on eth0 port 25 tls pki smtp.gnucode.me
  93. # For sending messages from outside of this server, you need to authenticate and use
  94. # TLS
  95. listen on eth0 port 465 smtps pki smtp.gnucode.me auth <creds> filter \"dkimsign\"
  96. listen on eth0 port 587 tls-require pki smtp.gnucode.me auth <creds> filter \"dkimsign\"
  97. # users logged-in/ssh-ed into the system can send email
  98. listen on lo port 25 tls pki smtp.gnucode.me
  99. # receive email action
  100. action \"receive\" maildir \"/home/%{rcpt.user}/Maildir\" junk virtual <vusers>
  101. # action send the email to the world
  102. action \"send\" relay
  103. # We accept to send email from any mail from authenticated users
  104. match for any from any auth action \"send\"
  105. #finally we receive any incoming email
  106. # maybe the next \"from any\" should be changed to \"for rdns\".
  107. match from any for domain <vdoms> action \"receive\"
  108. match for local action \"receive\""))