authorMarek Paśnikowski <marek@marekpasnikowski.pl>2026-05-08 09:30:20 +0200
committerMarek Paśnikowski <marek@marekpasnikowski.pl>2026-05-08 10:15:27 +0200
commitd3fa00c3b5e763aafd287c881cf7d73bcc21705f (patch)
tree8a982631c618620cb24c216cfe1794f5350e4937 /deployment
parenta6a711061730bdb0bbe3c8e92f7a07595e8f792e (diff)
move SMTP configuration to a dedicated moduleHEADtestmaster
Diffstat (limited to 'deployment')
-rw-r--r--deployment/services/mail.scm110
-rw-r--r--deployment/system.scm8
2 files changed, 115 insertions, 3 deletions
diff --git a/deployment/services/mail.scm b/deployment/services/mail.scm
new file mode 100644
index 0000000..b6d5982
--- /dev/null
+++ b/deployment/services/mail.scm
@@ -0,0 +1,110 @@
+(define-module (deployment services mail)
+ #:export (smtp-service-aisaka)
+ #:use-module (gnu services)
+ #:use-module (gnu services mail)
+ #:use-module (guix gexp)
+ #:use-module ((gnu packages mail)
+ #:prefix gnu:packages:mail:))
+
+(define aliases-file
+ (mixed-text-file "aliases"
+ "@ vmail\n"))
+
+(define blacklist-file
+ (mixed-text-file "blacklist"
+ "@yahoo.com.cn\n"
+ "@qq.com\n"
+ "@fnac.com\n"
+ "@just-aero.us\n"
+ "@elitetorrent1.com\n"))
+
+(define relays-file
+ (mixed-text-file "other-relays"
+ "mx1.forwardemail.net\n"
+ "mx2.forwardemail.net\n"))
+
+(define smtpd-keys "/secrets/smtpd")
+
+(define (smtpd-conf interface domain)
+ (mixed-text-file "smtpd.conf"
+ "# This is the smtpd server system-wide configuration file.\n"
+ "# See smtpd.conf(5) for more information.\n"
+ "\n"
+ "# My TLS certificate and key\n"
+ "pki marekpasnikowski.pl cert \"/etc/letsencrypt/live/" domain "/fullchain.pem\"\n"
+ "pki marekpasnikowski.pl key \"/etc/letsencrypt/live/" domain "/privkey.pem\"\n"
+ "\n"
+ "# Edit this file to add add more virtual users (passwords are read in that file\n"
+ "# instead of /etc/passwd\n"
+ "table passwd file:" smtpd-keys "\n"
+ "\n"
+ "# table other-relays file:" relays-file "\n"
+ "table blacklist file:" blacklist-file "\n"
+ "\n"
+ "# A simple spam filter\n"
+ "# filter spam-filter phase mail-from match mail-from <blacklist> reject \"555\"\n"
+ "\n"
+ "# port 25 is used only for receiving from external servers, and they may start\n"
+ "# a TLS session if they want.\n"
+ "listen on " interface " port 25 # tls pki marekpasnikowski.pl filter spam-filter\n"
+ "\n"
+ "# For sending messages from outside of this server, you need to authenticate and\n"
+ "# use TLS.\n"
+ "listen on " interface " port 465 smtps pki marekpasnikowski.pl mask-src auth <passwd>\n"
+ "\n"
+ "# Localhost is used by the .onion, so we use the same configuration for \n"
+ "# local connections."
+ "listen on lo port 25 tls pki marekpasnikowski.pl filter spam-filter\n"
+ "# Since incoming connection uses tor, we don't need tls, but still require\n"
+ "# authentication; we're not a relay\n"
+ "# listen on lo port 587 tls pki marekpasnikowski.pl mask-src auth <passwd>\n"
+ "\n"
+ "# DKIMproxy\n"
+ "listen on lo port 10028 tag DKIM_OUT\n"
+ "\n"
+ "# The socket is considered an internal connection\n"
+ "listen on socket mask-src\n"
+ "\n"
+ "# Maybe it'll work better if we connect to gmail only with v4?\n"
+ "# limit mta for domain gmail.com inet4\n"
+ "\n"
+ "# TODO: manage these files directly in the configuration?\n"
+ "# If you edit the file, you have to run \"smtpctl update table aliases\"\n"
+ "table aliases file:" aliases-file "\n"
+ "\n"
+ "# We define some actions\n"
+ "action receive lmtp \"/var/run/dovecot/lmtp\" rcpt-to virtual <aliases>\n"
+ "action godkim relay host smtp://localhost:10027\n"
+ "action outbound relay src \"192.168.1.2\" helo " domain "\n"
+ "\n"
+ "# We accept to relay any mail from authenticated users\n"
+ "match for any from any auth action godkim\n"
+ "match tag DKIM_OUT for any action outbound\n"
+ "\n"
+ "# Then, we reject on some other conditions:\n"
+ "\n"
+ "# If the mail tries to impersonate us\n"
+ "# match !from src <other-relays> mail-from \"@marekpasnikowski.pl\" for any reject\n"
+ "\n"
+ "# If it comes from someone on the blacklist\n"
+ "match from any mail-from <blacklist> reject\n"
+ "\n"
+ "# Finally, if we accept incoming messages\n"
+ "match from any for domain \"marekpasnikowski.pl\" action receive\n"
+ "match for local action receive\n" ))
+
+(define opensmtpd-configuration-aisaka
+ (opensmtpd-configuration
+ (package gnu:packages:mail:opensmtpd)
+ (shepherd-requirement (list 'dkimproxy-out
+ 'networking))
+ (config-file (smtpd-conf "enp2s0"
+ "marekpasnikowski.pl"))
+ (log-file "/val/log/mail.log")
+ (setgid-commands? #t)))
+
+(define smtp-service-aisaka
+ (service opensmtpd-service-type
+ opensmtpd-configuration-aisaka))
+
+;;; EOF
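Review bot: The string `"# local connections."` in smtpd-conf has no trailing `\n`, so the `listen on lo port 25 tls pki marekpasnikowski.pl filter spam-filter` directive that follows is concatenated onto the comment line and is silently dropped from the generated smtpd.conf; note that the `filter spam-filter` definition it references is itself commented out a few lines earlier, so after adding the newline the file will not parse until that filter is defined or the `filter spam-filter` clause is removed. `(log-file "/val/log/mail.log")` in opensmtpd-configuration-aisaka looks like a typo for `"/var/log/mail.log"`. The comment above the `listen on " interface " port 25` line says external servers may start a TLS session, but the `tls pki` clause on that line is inside the `#` comment, so inbound mail on the external interface is accepted in plaintext only; either move `tls pki marekpasnikowski.pl` before the `#` or correct the comment so the policy is explicit. The `other-relays` table and the impersonation `match` rule are both commented out, leaving `relays-file` unused, and `"192.168.1.2"` in the outbound action is hard-coded while the interface and domain are parameters.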
diff --git a/deployment/system.scm b/deployment/system.scm
index 2ed8d4f..686b0c2 100644
--- a/deployment/system.scm
+++ b/deployment/system.scm
@@ -7,10 +7,12 @@
#:prefix deployment:services:databases:)
#:use-module ((deployment services dns)
#:prefix deployment:services:dns:)
- #:use-module ((deployment services web)
- #:prefix deployment:services:web:)
+ #:use-module ((deployment services mail)
+ #:prefix deployment:services:mail:)
#:use-module ((deployment services matrix)
#:prefix deployment:services:matrix:)
+ #:use-module ((deployment services web)
+ #:prefix deployment:services:web:)
#:use-module ((deployment system aisaka)
#:prefix deployment:system:aisaka:)
#:use-module ((deployment system akashi)
@@ -111,7 +113,7 @@
deployment:system:aisaka:offload-rakan
deployment:services:databases:matrix-postgresql-service
deployment:system:aisaka:radicale
- users:id1000:smtp-service
+ deployment:services:mail:smtp-service-aisaka
deployment:system:aisaka:static-networking
deployment:system:aisaka:%sovereign-services*))
(pam-services (gnu:system:pam:base-pam-services))