#:use-module (ice-9 textual-ports)

(define public-dkim

  (apply

    string-append

    (string-split

      (call-with-input-file "/etc/mail/dkim/public.key" get-string-all)

      #\newline)))

  ("@"          ""  "IN"  "SPF"   "v=spf1 mx a ~all")

  ("dkim._domainkey" "" "IN" "TXT" (string-append "v=DKIM1; p=" public-dkim "; s=email; t=s")))

            (serial 2019072401)))))

  #:use-module (services mail)

listen on " interface " port 587 tls-require pki lepiller.eu mask-source auth <passwd>

listen on lo port 25 tls pki lepiller.eu mask-source auth <passwd>

listen on lo port 587 tls pki lepiller.eu mask-source auth <passwd>

listen on lo port 10028 tag DKIM_OUT # DKIMproxy

# Maybe it'll work better if we connect to gmail only with v4?

limit mta for domain gmail.com inet4

accept for any authenticated relay via smtp://127.0.0.1:10027

accept tagged DKIM_OUT for any relay

(define (dkimproxy-conf domain)

  (mixed-text-file "dkimproxy.out.conf" "

# specify what address/port DKIMproxy should listen on

listen    127.0.0.1:10027

# specify what address/port DKIMproxy forwards mail to

relay     127.0.0.1:10028

# specify what domains DKIMproxy can sign for (comma-separated, no spaces)

domain    " domain "

# specify what signatures to add

signature dkim(c=relaxed)

signature domainkeys(c=nofws)

# specify location of the private key

keyfile   /etc/mail/dkim/private.key

# specify the selector (i.e. the name of the key record put in DNS)

selector  dkim

"))

             (mail-location "maildir:~/Maildir")

             (ssl-cert (string-append

                         "</etc/letsencrypt/live/" domain "/fullchain.pem"))

             (ssl-key  (string-append

                         "</etc/letsencrypt/live/" domain "/privkey.pem")))))

           (opensmtpd-configuration

             (config-file (opensmtpd-conf interface domain)))))

(define (lepiller-dkim-service domain)

  (service dkimproxy-out-service-type

           (dkimproxy-out-configuration

             (config-file (dkimproxy-conf domain)))))

    (lepiller-imap-service domain)

    (lepiller-dkim-service domain)))

;;; GNU Guix --- Functional package management for GNU

;;; Copyright ?? 2019 Julien Lepiller <julien@lepiller.eu>

;;;

;;; This file is part of GNU Guix.

;;;

;;; GNU Guix is free software; you can redistribute it and/or modify it

;;; under the terms of the GNU General Public License as published by

;;; the Free Software Foundation; either version 3 of the License, or (at

;;; your option) any later version.

;;;

;;; GNU Guix is distributed in the hope that it will be useful, but

;;; WITHOUT ANY WARRANTY; without even the implied warranty of

;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

;;; GNU General Public License for more details.

;;;

;;; You should have received a copy of the GNU General Public License

;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (packages perl)

  #:use-module ((guix licenses) #:prefix license:)

  #:use-module (gnu packages)

  #:use-module (guix packages)

  #:use-module (guix download)

  #:use-module (guix utils)

  #:use-module (guix build-system gnu)

  #:use-module (guix build-system perl)

  #:use-module (gnu packages networking)

  #:use-module (gnu packages perl)

  #:use-module (gnu packages perl-check)

  #:use-module (gnu packages tls)

  #:use-module (gnu packages web))

(define-public perl-mail-authenticationresults

  (package

    (name "perl-mail-authenticationresults")

    (version "1.20180923")

    (source (origin

              (method url-fetch)

              (uri (string-append

                     "mirror://cpan/authors/id/M/MB/MBRADSHAW/"

                     "Mail-AuthenticationResults-" version ".tar.gz"))

              (sha256

               (base32

                "1g1wym9vcbhldwvi4w5pl0fhd4jh2icj975awf4wr5xmkli9mxbz"))))

    (build-system perl-build-system)

    (native-inputs

     `(("perl-test-exception" ,perl-test-exception)))

    (home-page "https://metacpan.org/release/Mail-AuthenticationResults")

    (synopsis "Object Oriented Authentication-Results Headers")

    (description "Mail::AuthenticationResults parses the message header field

that indicates the message authentication status as per RFC7601.  This module

is not fully compliant with the RFC but it tries to implement most styles of

Authentication-Results header seen in the wild.")

    (license license:perl-license)))

(define-public perl-net-dns-resolver-mock

  (package

    (name "perl-net-dns-resolver-mock")

    (version "1.20171219")

    (source (origin

              (method url-fetch)

              (uri (string-append

                     "mirror://cpan/authors/id/M/MB/MBRADSHAW/"

                     "Net-DNS-Resolver-Mock-" version ".tar.gz"))

              (sha256

               (base32

                "0m3rxpkv1b9121srvbqkrgzg4m8mnydiydqv34in1i1ixwrl6jn9"))))

    (build-system perl-build-system)

    (propagated-inputs

     `(("perl-net-dns" ,perl-net-dns)))

    (home-page "https://metacpan.org/release/Net-DNS-Resolver-Mock")

    (synopsis "Mock a DNS Resolver object for testing")

    (description "Net::DNS::Resolver::Mock is a a subclass of

@code{Net::DNS::Resolver} which parses a zonefile for it's data source.  It is

primarily for use in testing.")

    (license license:perl-license)))

(define-public perl-mail-dkim

  (package

    (name "perl-mail-dkim")

    (version "0.55")

    (source (origin

              (method url-fetch)

              (uri (string-append

                     "mirror://cpan/authors/id/M/MB/MBRADSHAW/Mail-DKIM-"

                     version

                     ".tar.gz"))

              (sha256

               (base32

                "18nsh1ff6fkns4xk3y2ixmzmadgggydj11qkzj6nlnq2hzqxsafz"))))

    (build-system perl-build-system)

    (propagated-inputs

     `(("perl-crypt-openssl-rsa" ,perl-crypt-openssl-rsa)

       ("perl-mail-authenticationresults" ,perl-mail-authenticationresults)

       ("perl-mailtools" ,perl-mailtools)

       ("perl-net-dns" ,perl-net-dns)

       ("perl-net-dns-resolver-mock" ,perl-net-dns-resolver-mock)

       ("perl-test-requiresinternet" ,perl-test-requiresinternet)

       ("perl-yaml-libyaml" ,perl-yaml-libyaml)))

    (home-page "https://metacpan.org/release/Mail-DKIM")

    (synopsis "Signs/verifies Internet mail with DKIM/DomainKey signatures")

    (description "Mail::DKIM is a Perl module that implements the new Domain

Keys Identified Mail (DKIM) standard, and the older Yahoo! DomainKeys standard,

both of which sign and verify emails using digital signatures and DNS records.

Mail-DKIM can be used by any Perl program that wants to provide support for

DKIM and/or DomainKeys.")

    (license license:gpl3+)))

(define-public dkimproxy

  (package

    (name "dkimproxy")

    (version "1.4.1")

    (source (origin

              (method url-fetch)

              (uri (string-append

                     "mirror://sourceforge/dkimproxy/dkimproxy/"

                     version "/dkimproxy-" version ".tar.gz"))

              (sha256

               (base32

                "1gc5c7lg2qrlck7b0lvjfqr824ch6jkrzkpsn0gjvlzg7hfmld75"))))

    (build-system gnu-build-system)

    (arguments

     `(#:phases

       (modify-phases %standard-phases

         (add-after 'install 'make-wrapper

           (lambda* (#:key inputs outputs #:allow-other-keys)

             (let ((out (assoc-ref outputs "out")))

               (for-each

                 (lambda (prog)

                   (wrap-program (string-append out "/bin/" prog)

                     `("PERL5LIB" ":" prefix

                       (,(string-append (assoc-ref inputs "perl-mail-dkim")

                                        "/lib/perl5/site_perl")

                        ,(string-append (assoc-ref inputs "perl-mailtools")

                                        "/lib/perl5/site_perl")

                        ,(string-append (assoc-ref inputs "perl-crypt-openssl-rsa")

                                        "/lib/perl5/site_perl")

                        ,(string-append (assoc-ref inputs "perl-net-dns")

                                        "/lib/perl5/site_perl")

                        ,(string-append (assoc-ref inputs "perl-net-server")

                                        "/lib/perl5/site_perl")))))

                 '("dkimproxy.in" "dkimproxy.out")))

             #t)))))

    (inputs

     `(("perl" ,perl)

       ("perl-crypt-openssl-rsa" ,perl-crypt-openssl-rsa)

       ("perl-mailtools" ,perl-mailtools)

       ("perl-mail-dkim" ,perl-mail-dkim)

       ("perl-net-dns" ,perl-net-dns)

       ("perl-net-server" ,perl-net-server)))

    (home-page "http://dkimproxy.sourceforge.net/")

    (synopsis "SMTP-proxy for DKIM signing and verifying")

    (description "DKIMproxy is an SMTP-proxy that signs and/or verifies emails,

using the @code{Mail::DKIM} module.  It is designed for Postfix, but should

work with any mail server.  It comprises two separate proxies, an outbound

proxy for signing outgoing email, and an inbound proxy for verifying signatures

of incoming email.  With Postfix, the proxies can operate as either

@code{Before-Queue} or @code{After-Queue} content filters.")

    (license license:gpl3+)))

;;; GNU Guix --- Functional package management for GNU

;;; Copyright ?? 2019 Julien Lepiller <julien@lepiller.eu>

;;;

;;; This file is part of GNU Guix.

;;;

;;; GNU Guix is free software; you can redistribute it and/or modify it

;;; under the terms of the GNU General Public License as published by

;;; the Free Software Foundation; either version 3 of the License, or (at

;;; your option) any later version.

;;;

;;; GNU Guix is distributed in the hope that it will be useful, but

;;; WITHOUT ANY WARRANTY; without even the implied warranty of

;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

;;; GNU General Public License for more details.

;;;

;;; You should have received a copy of the GNU General Public License

;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

;;;

;;; Some of the help text was taken from the default dovecot.conf files.

(define-module (services mail)

  #:use-module (gnu services)

  #:use-module (gnu services base)

  #:use-module (gnu services configuration)

  #:use-module (gnu services shepherd)

  #:use-module (gnu system pam)

  #:use-module (gnu system shadow)

  #:use-module (gnu packages admin)

  #:use-module (guix gexp)

  #:use-module (guix records)

  #:use-module (ice-9 match)

  #:use-module (packages perl)

  #:export (dkimproxy-out-service-type

            dkimproxy-out-configuration

            dkimproxy-out-configuration-package

            dkimproxy-out-configuration-config-file))

(define-record-type* <dkimproxy-out-configuration>

  dkimproxy-out-configuration make-dkimproxy-out-configuration

  dkimproxy-out-configuration?

  (package     dkimproxy-out-configuration-package

               (default dkimproxy))

  (config-file dkimproxy-out-configuration-config-file

               (default %default-dkimproxy-out-configuration-config-file)))

(define %default-dkimproxy-out-configuration-config-file

  (plain-file "dkimproxy_out.conf" "

# specify what address/port DKIMproxy should listen on

listen    127.0.0.1:10027

# specify what address/port DKIMproxy forwards mail to

relay     127.0.0.1:10028

# specify what domains DKIMproxy can sign for (comma-separated, no spaces)

domain    mail.example.com 

# specify what signatures to add

signature dkim(c=relaxed)

signature domainkeys(c=nofws)

# specify location of the private key

# It can be generated with for instance:

# mkdir /etc/mail/dkim

# openssl genrsa -out /etc/mail/dkim/private.key 1024

# openssl rsa -in /etc/mail/dkim/private.key -pubout -out /etc/mail/dkim/public.key

keyfile   /etc/mail/dkim/private.key

# specify the selector (i.e. the name of the key record put in DNS)

selector  selector1

"))

(define dkimproxy-out-shepherd-service

  (match-lambda

    (($ <dkimproxy-out-configuration> package config-file)

     (list (shepherd-service

             (provision '(dkimproxy-out))

             (requirement '(loopback))

             (documentation "Outbound DKIM proxy.")

             (start (let ((proxy (file-append package "/bin/dkimproxy.out")))

                      #~(make-forkexec-constructor

                          (list #$proxy (string-append "--conf_file=" #$config-file)

                                "--pidfile=/var/run/dkimproxy.out.pid"

                                "--user=dkimproxy" "--group=dkimproxy")

                          #:pid-file "/var/run/dkimproxy.out.pid")))

             (stop #~(make-kill-destructor)))))))

(define %dkimproxy-accounts

  (list (user-group

          (name "dkimproxy")

          (system? #t))

        (user-account

          (name "dkimproxy")

          (group "dkimproxy")

          (system? #t)

          (comment "Dkimproxy user")

          (home-directory "/var/empty")

          (shell (file-append shadow "/sbin/nologin")))))

(define dkimproxy-out-service-type

  (service-type

    (name 'dkimproxy-out)

    (extensions

      (list (service-extension account-service-type

                               (const %dkimproxy-accounts))

            (service-extension shepherd-root-service-type

                               dkimproxy-out-shepherd-service)))))

;; NOTE: this config contains out-of band files.

;; To (re-)generate /etc/mail/dkim/private.key, run:

;; openssl genrsa -out /etc/mail/dkim/private.key 2048

;; openssl rsa -in /etc/mail/dkim/private.key -pubout -out /etc/mail/dkim/public.key

;; chmod 440 /etc/mail/dkim/private.key

;;

;; To (re-)generate /etc/knot/secrets.conf, run:

;; keymgt -t lepiller-key > /etc/knot/secrets.conf