;;; Tyreunom's system administration and configuration tools.
;;;
;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu>
;;;
;;; This program is free software: you can redistribute it and/or modify
;;; it under the terms of the GNU General Public License as published by
;;; the Free Software Foundation, either version 3 of the License, or
;;; (at your option) any later version.
;;;
;;; This program is distributed in the hope that it will be useful,
;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with this program.  If not, see <http://www.gnu.org/licenses/>.

;;
;; Email configuration
;;
;; Module (config mail): assembles the mail-related Guix services for this
;; host (OpenSMTPD, Dovecot IMAP, dkimproxy.out).  Only
;; lepiller-mail-services is exported; every other definition below is a
;; private helper of this module.
(define-module (config mail)
  #:use-module (data dns)          ; presumably provides ene-ip4, hermes-ip4, hermes-ip6 (used by relays-file)
  #:use-module (gnu services)
  #:use-module (gnu services mail) ; opensmtpd / dovecot service types
  #:use-module (guix gexp)         ; plain-file, mixed-text-file
  #:use-module (services mail)     ; local module; presumably the dkimproxy-out service type
  #:export (lepiller-mail-services))
;; Alias table consumed by OpenSMTPD ("table aliases" in opensmtpd-conf).
;; "postmaster root" forwards postmaster@ to root; the bare "@" key is the
;; catch-all entry of an OpenSMTPD virtual table, so every other address of
;; the domain lands in the tyreunom account.  Content is built piecewise
;; but is byte-identical to the former literal (including the blank line).
(define aliases-file
  (plain-file "aliases"
              (string-append "postmaster root\n"
                             "\n"
                             "@ tyreunom\n")))
;; Source addresses of the other hosts that are allowed to emit mail with a
;; sender in our domain.  opensmtpd-conf references it as <other-relays> in
;; the anti-spoofing "reject from ! source <other-relays> ..." rule, so any
;; address missing here will have its @-domain mail rejected.  The three
;; bindings are defined outside this module.  One address per line with a
;; trailing newline, exactly as the former string-append produced.
(define relays-file
  (plain-file "other-relays"
              (string-join (list ene-ip4 hermes-ip4 hermes-ip6)
                           "\n"
                           'suffix)))
;; Sender-domain blocklist used by the "reject from any sender <blacklist>"
;; rule in opensmtpd-conf.  This only matches the envelope sender, which a
;; remote peer chooses freely, so it is a convenience filter rather than a
;; security control.  The content keeps the historical shape: a leading
;; newline and no trailing one.
(define blacklist-file
  (plain-file "blacklist"
              (string-append "\n"
                             (string-join (list "@yahoo.com.cn"
                                                "@qq.com"
                                                "@fnac.com")
                                          "\n"))))
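(define (opensmtpd-conf interface domain)
  "Return the smtpd.conf file object for OpenSMTPD.

INTERFACE is the network interface exposed to the outside world (ports 25
and 587).  DOMAIN is the mail domain: it names the Let's Encrypt lineage
under /etc/letsencrypt/live/, the pki entry (OpenSMTPD also matches the
pki name against SNI, so it should be the certificate's name), the sender
domain protected by the anti-spoofing rule, and the domain whose mail is
delivered locally.  Previously only the certificate paths followed DOMAIN
while the pki name, the protected sender and the delivery domain were
hard-coded to \"lepiller.eu\"; they now all follow DOMAIN, which is what
the DKIM sender map in lepiller-dkim-service already does.  For
DOMAIN = \"lepiller.eu\" the generated file is unchanged.

Listeners: port 25 on INTERFACE offers opportunistic TLS (inbound MX
traffic); port 587 on INTERFACE requires TLS and authentication against
/etc/mail/passwd; the loopback listeners accept authentication with
optional TLS.  The listener on lo:10028 (tag DKIM_OUT) is unauthenticated
and mail carrying that tag is accepted for relay to any destination, so
nothing other than dkimproxy on this host must be able to reach it.

The alias, other-relays and blacklist tables are file objects built in this
module (aliases-file, relays-file, blacklist-file)."
  (mixed-text-file "smtpd.conf" "
# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

# My TLS certificate and key
pki " domain " certificate \"/etc/letsencrypt/live/" domain "/fullchain.pem\"
pki " domain " key \"/etc/letsencrypt/live/" domain "/privkey.pem\"

# Edit this file to add more virtual users (passwords are read in that file
# instead of /etc/passwd.
table passwd file:/etc/mail/passwd

# port 25 is used only for receiving from external servers, and they may start a
# TLS session if the want.
listen on " interface " port 25 tls pki " domain "
# For sending messages from outside of this server, you need to authenticate and
# use TLS.
listen on " interface " port 587 tls-require pki " domain " mask-source auth <passwd>
# On this server, you only need to authenticate on one of the available ports,
# and you may use TLS.
listen on lo port 25 tls pki " domain " mask-source auth <passwd>
listen on lo port 587 tls pki " domain " mask-source auth <passwd>
listen on lo port 10028 tag DKIM_OUT # DKIMproxy

# Maybe it'll work better if we connect to gmail only with v4?
limit mta for domain gmail.com inet4

# TODO: manage these files directly in the configuration?
# If you edit the file, you have to run \"smtpctl update table aliases\"
table aliases file:" aliases-file "

table other-relays file:" relays-file "
table blacklist file:" blacklist-file "

# We accept to relay any mail from authenticated users
accept for any authenticated relay via smtp://127.0.0.1:10027
accept tagged DKIM_OUT for any relay

# Then, we reject on some other conditions:

# If the mail tries to impersonate us
reject from ! source <other-relays> sender \"@" domain "\" for any
# If it comes from someone on the blacklist
reject from any sender <blacklist> for any

# Finaly, if we accept incoming messages
accept from any for domain \"" domain "\" virtual <aliases> deliver to maildir
accept for local alias <aliases> deliver to maildir
"))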
(define (lepiller-imap-service domain)
  "Dovecot IMAP service for DOMAIN.  Mail is read from each user's
~/Maildir, which is where opensmtpd-conf delivers it.  The certificate and
key come from the Let's Encrypt lineage named DOMAIN; the leading \"<\" in
the ssl-cert/ssl-key values is Dovecot's syntax for reading the PEM from
that path instead of treating the value as inline data."
  (let ((lineage (string-append "/etc/letsencrypt/live/" domain)))
    (service dovecot-service-type
             (dovecot-configuration
               (mail-location "maildir:~/Maildir")
               (ssl-cert (string-append "<" lineage "/fullchain.pem"))
               (ssl-key  (string-append "<" lineage "/privkey.pem"))))))
(define (lepiller-smtp-service interface domain)
  "OpenSMTPD service whose configuration file is generated by
opensmtpd-conf for INTERFACE and DOMAIN."
  (let ((conf (opensmtpd-conf interface domain)))
    (service opensmtpd-service-type
             (opensmtpd-configuration
               (config-file conf)))))
(define (lepiller-dkim-service domain)
  "dkimproxy.out service signing outgoing mail for DOMAIN.  It listens on
127.0.0.1:10027, where opensmtpd-conf relays authenticated submissions,
and hands each signed message back to OpenSMTPD on 127.0.0.1:10028, whose
listener tags it DKIM_OUT.  Mail from DOMAIN receives two signatures: a
DKIM signature (relaxed canonicalisation, selector \"dkim\", private key
/etc/mail/dkim/private.key) and a legacy DomainKeys signature (nofws).
NOTE(review): the private key file must stay readable only by the
dkimproxy user — verify its mode on the host."
  (let ((dkim-signature
         (dkimproxy-out-signature-configuration
           (type 'dkim)
           (key "/etc/mail/dkim/private.key")
           (method "relaxed")
           (selector "dkim")))
        (domainkeys-signature
         (dkimproxy-out-signature-configuration
           (type 'domainkeys)
           (method "nofws"))))
    (service dkimproxy-out-service-type
             (dkimproxy-out-configuration
               (listen "127.0.0.1:10027")
               (relay "127.0.0.1:10028")
               (sender-map
                 (list (list domain
                             (list dkim-signature domainkeys-signature))))))))
(define* (lepiller-mail-services #:key interface domain)
  "Return the list of mail services for this host: OpenSMTPD listening on
INTERFACE, Dovecot IMAP and dkimproxy.out, all configured for the mail
domain DOMAIN.  Both keyword arguments are expected; an omitted one is #f."
  (let ((smtp (lepiller-smtp-service interface domain))
        (imap (lepiller-imap-service domain))
        (dkim (lepiller-dkim-service domain)))
    (list smtp imap dkim)))