;;; Tyreunom's system administration and configuration tools.
;;;
;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu>
;;;
;;; This program is free software: you can redistribute it and/or modify
;;; it under the terms of the GNU General Public License as published by
;;; the Free Software Foundation, either version 3 of the License, or
;;; (at your option) any later version.
;;;
;;; This program is distributed in the hope that it will be useful,
;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with this program.  If not, see <http://www.gnu.org/licenses/>.

;;
;; Email configuration
;;

(define-module (config mail)
  #:use-module (data dns)
  #:use-module (gnu packages mail)
  #:use-module (gnu services)
  #:use-module (gnu services mail)
  #:use-module (guix gexp)
  #:use-module (services mail)
  #:export (lepiller-mail-services))

(define aliases-file
  (plain-file "aliases" "postmaster root

@ tyreunom
"))

(define relays-file
  (plain-file "other-relays"
    (string-append ene-rennes-ip4 "\n" ene-toulouse-ip4 "\n" ene-toulouse-ip6 "\n"
                   hermes-ip4 "\n" hermes-ip6 "\n" )))

(define blacklist-file
  (plain-file "blacklist" "
@yahoo.com.cn
@qq.com
@just-aero.us
@elitetorrent1.com
@officedepot.com
@isaemailmarketing.co
@email.etsy.com
@online-discounter.net
@turing.com
@napptive.com
opendmarc@box.euandre.org
opendmark@mail.arctype.co"))

(define (opensmtpd-conf interface domain)
  (mixed-text-file "smtpd.conf" "
# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

# My TLS certificate and key
pki lepiller.eu cert \"/etc/letsencrypt/live/" domain "/fullchain.pem\"
pki lepiller.eu key \"/etc/letsencrypt/live/" domain "/privkey.pem\"

# Edit this file to add more virtual users (passwords are read in that file
# instead of /etc/passwd.
table passwd file:/etc/mail/passwd

table other-relays file:" relays-file "
table blacklist file:" blacklist-file "

# A simple spam filter
filter spam-filter phase mail-from match mail-from <blacklist> reject \"555 Your spam level is over NINE THOUSAND!\"

# port 25 is used only for receiving from external servers, and they may start a
# TLS session if the want.
listen on " interface " port 25 tls pki lepiller.eu filter spam-filter
# For sending messages from outside of this server, you need to authenticate and
# use TLS.
listen on " interface " port 587 tls-require pki lepiller.eu mask-src auth <passwd>
# Localhost is used by the .onion, so we use the same configuration for
# local connections.
listen on lo port 25 tls pki lepiller.eu filter spam-filter
# Since incoming connection uses tor, we don't need tls, but still require
# authentication; we're not a relay
listen on lo port 587 tls pki lepiller.eu mask-src auth <passwd>

# DKIMproxy
listen on lo port 10028 tag DKIM_OUT

# The socket is considered an internal connection
listen on socket mask-src

# Maybe it'll work better if we connect to gmail only with v4?
#limit mta for domain gmail.com inet4

# TODO: manage these files directly in the configuration?
# If you edit the file, you have to run \"smtpctl update table aliases\"
table aliases file:" aliases-file "

# We define some actions
action receive maildir virtual <aliases>
action outbound relay
action godkim relay host smtp://127.0.0.1:10027

# We accept to relay any mail from authenticated users
match for any from any auth action godkim
match tag DKIM_OUT for any action outbound

# Then, we reject on some other conditions:

# If the mail tries to impersonate us
match !from src <other-relays> mail-from \"@lepiller.eu\" for any reject
# If it comes from someone on the blacklist
match from any mail-from <blacklist> reject

# Finaly, if we accept incoming messages
match from any for domain \"lepiller.eu\" action receive
match for local action receive
"))

(define (lepiller-imap-service domain)
  (service dovecot-service-type
           (dovecot-configuration
             (mail-location "maildir:~/Maildir")
             (ssl-cert (string-append
                         "</etc/letsencrypt/live/" domain "/fullchain.pem"))
             (ssl-key  (string-append
                         "</etc/letsencrypt/live/" domain "/privkey.pem")))))

(define (lepiller-smtp-service interface domain)
  (service opensmtpd-service-type
           (opensmtpd-configuration
             (config-file (opensmtpd-conf interface domain)))))

(define (lepiller-dkim-service domain)
  (service dkimproxy-out-service-type
           (dkimproxy-out-configuration
             (listen "127.0.0.1:10027")
             (relay "127.0.0.1:10028")
             (sender-map
               `((,domain
                  (,(dkimproxy-out-signature-configuration
                      (type 'dkim)
                      (key "/etc/mail/dkim/private.key")
                      (algorithm "rsa-sha256")
                      (method "relaxed")
                      (selector "dkim"))
                   ,(dkimproxy-out-signature-configuration
                      (type 'domainkeys)
                      (method "nofws")))))))))

(define* (lepiller-mail-services #:key interface domain)
  (list
    (lepiller-smtp-service interface domain)
    (lepiller-imap-service domain)
    (lepiller-dkim-service domain)))