;;; Tyreunom's system administration and configuration tools.
;;;
;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu>
;;;
;;; This program is free software: you can redistribute it and/or modify
;;; it under the terms of the GNU General Public License as published by
;;; the Free Software Foundation, either version 3 of the License, or
;;; (at your option) any later version.
;;;
;;; This program is distributed in the hope that it will be useful,
;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with this program.  If not, see <http://www.gnu.org/licenses/>.

;;
;; Email configuration
;;

(define-module (config mail)
  #:use-module (data dns)
  #:use-module (gnu services)
  #:use-module (gnu services mail)
  #:use-module (guix gexp)
  #:use-module (services mail)
  #:export (lepiller-mail-services))

(define aliases-file
  (plain-file "aliases" "postmaster root

@ tyreunom
"))

(define relays-file
  (plain-file "other-relays"
    (string-append ene-ip4 "\n" hermes-ip4 "\n" hermes-ip6 "\n" )))

(define blacklist-file
  (plain-file "blacklist" "
@yahoo.com.cn
@qq.com
@fnac.com"))

(define (opensmtpd-conf interface domain)
  (mixed-text-file "smtpd.conf" "
# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

# My TLS certificate and key
pki lepiller.eu certificate \"/etc/letsencrypt/live/" domain "/fullchain.pem\"
pki lepiller.eu key \"/etc/letsencrypt/live/" domain "/privkey.pem\"

# Edit this file to add more virtual users (passwords are read in that file
# instead of /etc/passwd.
table passwd file:/etc/mail/passwd

# port 25 is used only for receiving from external servers, and they may start a
# TLS session if the want.
listen on " interface " port 25 tls pki lepiller.eu
# For sending messages from outside of this server, you need to authenticate and
# use TLS.
listen on " interface " port 587 tls-require pki lepiller.eu mask-source auth <passwd>
# On this server, you only need to authenticate on one of the available ports,
# and you may use TLS.
listen on lo port 25 tls pki lepiller.eu mask-source auth <passwd>
listen on lo port 587 tls pki lepiller.eu mask-source auth <passwd>
listen on lo port 10028 tag DKIM_OUT # DKIMproxy

# Maybe it'll work better if we connect to gmail only with v4?
limit mta for domain gmail.com inet4

# TODO: manage these files directly in the configuration?
# If you edit the file, you have to run \"smtpctl update table aliases\"
table aliases file:" aliases-file "

table other-relays file:" relays-file "
table blacklist file:" blacklist-file "

# We accept to relay any mail from authenticated users
accept for any authenticated relay via smtp://127.0.0.1:10027
accept tagged DKIM_OUT for any relay

# Then, we reject on some other conditions:

# If the mail tries to impersonate us
reject from ! source <other-relays> sender \"@lepiller.eu\" for any
# If it comes from someone on the blacklist
reject from any sender <blacklist> for any

# Finaly, if we accept incoming messages
accept from any for domain \"lepiller.eu\" virtual <aliases> deliver to maildir
accept for local alias <aliases> deliver to maildir
"))

(define (lepiller-imap-service domain)
  (service dovecot-service-type
           (dovecot-configuration
             (mail-location "maildir:~/Maildir")
             (ssl-cert (string-append
                         "</etc/letsencrypt/live/" domain "/fullchain.pem"))
             (ssl-key  (string-append
                         "</etc/letsencrypt/live/" domain "/privkey.pem")))))

(define (lepiller-smtp-service interface domain)
  (service opensmtpd-service-type
           (opensmtpd-configuration
             (config-file (opensmtpd-conf interface domain)))))

(define (lepiller-dkim-service domain)
  (service dkimproxy-out-service-type
           (dkimproxy-out-configuration
             (listen "127.0.0.1:10027")
             (relay "127.0.0.1:10028")
             (sender-map
               `((,domain
                  (,(dkimproxy-out-signature-configuration
                      (type 'dkim)
                      (key "/etc/mail/dkim/private.key")
                      (method "relaxed")
                      (selector "dkim"))
                   ,(dkimproxy-out-signature-configuration
                      (type 'domainkeys)
                      (method "nofws")))))))))

(define* (lepiller-mail-services #:key interface domain)
  (list
    (lepiller-smtp-service interface domain)
    (lepiller-imap-service domain)
    (lepiller-dkim-service domain)))