;;; Tyreunom's system administration and configuration tools.

;;;

;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu>

;;;

;;; This program is free software: you can redistribute it and/or modify

;;; it under the terms of the GNU General Public License as published by

;;; the Free Software Foundation, either version 3 of the License, or

;;; (at your option) any later version.

;;;

;;; This program is distributed in the hope that it will be useful,

;;; but WITHOUT ANY WARRANTY; without even the implied warranty of

;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

;;; GNU General Public License for more details.

;;;

;;; You should have received a copy of the GNU General Public License

;;; along with this program.  If not, see <http://www.gnu.org/licenses/>.

;;

;; Email configuration

;;

(define-module (config mail)

  #:use-module (data dns)

  #:use-module (gnu packages mail)

  #:use-module (gnu services)

  #:use-module (gnu services mail)

  #:use-module (guix gexp)

  #:use-module (services mail)

  #:export (lepiller-mail-services))

(define aliases-file

  (plain-file "aliases" "postmaster root

@ tyreunom

"))

(define relays-file

  (plain-file "other-relays"

    (string-append ene-rennes-ip4 "\n" ene-toulouse-ip4 "\n" ene-toulouse-ip6 "\n"

                   hermes-ip4 "\n" hermes-ip6 "\n" )))

(define blacklist-file

  (plain-file "blacklist" "

@yahoo.com.cn

@qq.com

@just-aero.us

@elitetorrent1.com

@officedepot.com

@isaemailmarketing.co

@email.etsy.com

@online-discounter.net

@turing.com

@napptive.com

opendmarc@box.euandre.org

opendmark@mail.arctype.co"))

(define (opensmtpd-conf interface domain)

  (mixed-text-file "smtpd.conf" "

# This is the smtpd server system-wide configuration file.

# See smtpd.conf(5) for more information.

# My TLS certificate and key

pki lepiller.eu cert \"/etc/letsencrypt/live/" domain "/fullchain.pem\"

pki lepiller.eu key \"/etc/letsencrypt/live/" domain "/privkey.pem\"

# Edit this file to add more virtual users (passwords are read in that file

# instead of /etc/passwd.

table passwd file:/etc/mail/passwd

table other-relays file:" relays-file "

table blacklist file:" blacklist-file "

# A simple spam filter

filter check-rdns phase connect match !rdns disconnect \"550 no rDNS\"

filter spam-filter phase mail-from match mail-from <blacklist> reject \"555 Your spam level is over NINE THOUSAND!\"

filter rspamd proc-exec \"" opensmtpd-filter-rspamd "/libexec/opensmtpd/filter-rspamd\"

# port 25 is used only for receiving from external servers, and they may start a

# TLS session if the want.

listen on " interface " port 25 tls pki lepiller.eu filter { check-rdns, spam-filter, rspamd }

# For sending messages from outside of this server, you need to authenticate and

# use TLS.

listen on " interface " port 587 tls-require pki lepiller.eu mask-src auth <passwd>

# Localhost is used by the .onion, so we use the same configuration for

# local connections.

listen on lo port 25 tls pki lepiller.eu filter { check-rdns, spam-filter, rspamd }

# Since incoming connection uses tor, we don't need tls, but still require

# authentication; we're not a relay

listen on lo port 587 tls pki lepiller.eu mask-src auth <passwd>

# DKIMproxy

listen on lo port 10028 tag DKIM_OUT

# The socket is considered an internal connection

listen on socket mask-src

# Maybe it'll work better if we connect to gmail only with v4?

#limit mta for domain gmail.com inet4

# TODO: manage these files directly in the configuration?

# If you edit the file, you have to run \"smtpctl update table aliases\"

table aliases file:" aliases-file "

# We define some actions

action receive maildir virtual <aliases>

action outbound relay

action godkim relay host smtp://127.0.0.1:10027

# We accept to relay any mail from authenticated users

match for any from any auth action godkim

match tag DKIM_OUT for any action outbound

# Then, we reject on some other conditions:

# If the mail tries to impersonate us

match !from src <other-relays> mail-from \"@lepiller.eu\" for any reject

# If it comes from someone on the blacklist

match from any mail-from <blacklist> reject

# Finaly, if we accept incoming messages

match from any for domain \"lepiller.eu\" action receive

match for local action receive

"))

(define (lepiller-imap-service domain)

  (service dovecot-service-type

           (dovecot-configuration

             (mail-location "maildir:~/Maildir")

             (ssl-cert (string-append

                         "</etc/letsencrypt/live/" domain "/fullchain.pem"))

             (ssl-key  (string-append

                         "</etc/letsencrypt/live/" domain "/privkey.pem")))))

(define (lepiller-smtp-service interface domain)

  (service opensmtpd-service-type

           (opensmtpd-configuration

             (config-file (opensmtpd-conf interface domain)))))

(define (lepiller-dkim-service domain)

  (service dkimproxy-out-service-type

           (dkimproxy-out-configuration

             (listen "127.0.0.1:10027")

             (relay "127.0.0.1:10028")

             (sender-map

               `((,domain

                  (,(dkimproxy-out-signature-configuration

                      (type 'dkim)

                      (key "/etc/mail/dkim/private.key")

                      (algorithm "rsa-sha256")

                      (method "relaxed")

                      (selector "dkim"))

                   ,(dkimproxy-out-signature-configuration

                      (type 'domainkeys)

                      (method "nofws")))))))))

(define (lepiller-rspamd-service)

  (service rspamd-service-type))

(define* (lepiller-mail-services #:key interface domain)

  (list

    (lepiller-smtp-service interface domain)

    (lepiller-imap-service domain)

    (lepiller-dkim-service domain)

    (lepiller-rspamd-service)))