From 37da36721325e8fa94c0efb668edc5d8f98ec538 Mon Sep 17 00:00:00 2001
From: Marek Paśnikowski
Date: Wed, 11 Sep 2024 12:46:47 +0200
Subject: refactor(id1000): implement opensmtpd in user module
---
 systems/izumi/izumi.org | 97 +------------------------------
 systems/izumi/system-configuration.scm | 97 +------------------------------
 users/id1000.scm | 102 +++++++++++++++++++++++++++++++++
 3 files changed, 106 insertions(+), 190 deletions(-)
diff --git a/systems/izumi/izumi.org b/systems/izumi/izumi.org
index 5048634..602b621 100644
--- a/systems/izumi/izumi.org
+++ b/systems/izumi/izumi.org
@@ -11,7 +11,6 @@ (define-module (systems izumi system-configuration) #:use-module (suweren commons sudoers)) - (define smtpd-keys "/secrets/smtpd") (define radicale-keys "/secrets/radicale/keys") (define dovecot-keys "/secrets/dovecot") 
@@ -286,93 +285,6 @@ shepherd-root-service-type dkimproxy-out-shepherd-service ) ) ) ) ) - ( define aliases-file - ( mixed-text-file "aliases" "@ vmail\n" ) ) - - ( define relays-file - ( mixed-text-file - "other-relays" - "mx1.forwardemail.net\n" - "mx2.forwardemail.net\n" ) ) - - ( define blacklist-file - ( mixed-text-file - "blacklist" - "@yahoo.com.cn\n" - "@qq.com\n" - "@fnac.com\n" - "@just-aero.us\n" - "@elitetorrent1.com\n" ) ) - - ( define ( opensmtpd-conf interface domain ) - ( mixed-text-file - "smtpd.conf" - "# This is the smtpd server system-wide configuration file.\n" - "# See smtpd.conf(5) for more information.\n" - "\n" - "# My TLS certificate and key\n" - "pki marekpasnikowski.pl cert \"/etc/letsencrypt/live/" domain "/fullchain.pem\"\n" - "pki marekpasnikowski.pl key \"/etc/letsencrypt/live/" domain "/privkey.pem\"\n" - "\n" - "# Edit this file to add add more virtual users (passwords are read in that file\n" - "# instead of /etc/passwd\n" - "table passwd file:" smtpd-keys "\n" - "\n" - "table other-relays file:" relays-file "\n" - "table blacklist file:" blacklist-file "\n" - "\n" - "# A simple spam filter\n" - "# filter spam-filter phase mail-from match mail-from reject \"555\"\n" - "\n" - "# port 25 is used only for receiving from external servers, and they may start\n" - "# a TLS session if they want.\n" - "listen on " interface " port 25 # tls pki marekpasnikowski.pl filter spam-filter\n" - "\n" - "# For sending messages from outside of this server, you need to authenticate and\n" - "# use TLS.\n" - "listen on " interface " port 465 smtps pki marekpasnikowski.pl mask-src auth \n" - "\n" - "# Localhost is used by the .onion, so we use the same configuration for \n" - "# local connections." 
- "listen on lo port 25 tls pki marekpasnikowski.pl filter spam-filter\n" - "# Since incoming connection uses tor, we don't need tls, but still require\n" - "# authentication; we're not a relay\n" - "# listen on lo port 587 tls pki marekpasnikowski.pl mask-src auth \n" - "\n" - "# DKIMproxy\n" - "listen on lo port 10028 tag DKIM_OUT\n" - "\n" - "# The socket is considered an internal connection\n" - "listen on socket mask-src\n" - "\n" - "# Maybe it'll work better if we connect to gmail only with v4?\n" - "# limit mta for domain gmail.com inet4\n" - "\n" - "# TODO: manage these files directly in the configuration?\n" - "# If you edit the file, you have to run \"smtpctl update table aliases\"\n" - "table aliases file:" aliases-file "\n" - "\n" - "# We define some actions\n" - "action receive lmtp \"/var/run/dovecot/lmtp\" rcpt-to virtual \n" - "action outbound relay helo \"" domain "\"\n" - "action godkim relay host smtp://127.0.0.1:10027\n" - "\n" - "# We accept to relay any mail from authenticated users\n" - "match for any from any auth action godkim\n" - "match tag DKIM_OUT for any action outbound\n" - "\n" - "# Then, we reject on some other conditions:\n" - "\n" - "# If the mail tries to impersonate us\n" - "# match !from src mail-from \"@marekpasnikowski.pl\" for any reject\n" - "\n" - "# If it comes from someone on the blacklist\n" - "match from any mail-from reject\n" - "\n" - "# Finally, if we accept incoming messages\n" - "match from any for domain \"marekpasnikowski.pl\" action receive\n" - "match for local action receive\n" ) ) - ( define ( wip-dkim-service domain ) ( service dkimproxy-out-service-type ( dkimproxy-out-configuration 
@@ -390,15 +302,9 @@ ( method "mofws" ) ( type 'domainkeys ) ) ) ) ) ) ) ) ) - ( define ( wip-smtp-service interface domain ) - ( service opensmtpd-service-type - ( opensmtpd-configuration - ( config-file ( opensmtpd-conf interface domain ) ) ) ) ) - ( define* ( wip-mail-services #:key interface domain ) ( list - ( wip-dkim-service domain ) - ( wip-smtp-service interface domain ) ) ) + ( wip-dkim-service domain ) ) ) ( operating-system ( bootloader @@ -483,6 +389,7 @@ #:domain "marekpasnikowski.pl" ) ( list (@ (users id1000) dovecot-service) + (@ (users id1000) smtp-service) (service (service-type (inherit certbot-service-type) (extensions (map (lambda (extension) (if (eq? (service-extension-target extension) diff --git a/systems/izumi/system-configuration.scm b/systems/izumi/system-configuration.scm index 8388bf4..f8dfd8f 100644 --- a/systems/izumi/system-configuration.scm +++ b/systems/izumi/system-configuration.scm @@ -1,7 +1,6 @@ (define-module (systems izumi system-configuration) #:use-module (suweren commons sudoers)) -(define smtpd-keys "/secrets/smtpd") (define radicale-keys "/secrets/radicale/keys") (define dovecot-keys "/secrets/dovecot") 
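Review bot: With `wip-smtp-service` removed, the `interface` keyword of `wip-mail-services` is dead: the new side keeps `( define* ( wip-mail-services #:key interface domain )` while the body now only evaluates `( wip-dkim-service domain )`. Either drop the keyword, `( define* ( wip-mail-services #:key domain )`, together with the `#:interface` argument at the call site (that call starts above the `#:domain "marekpasnikowski.pl"` context line, outside the hunk, so check whether it still passes `#:interface`), or leave a one-line comment stating that the argument is intentionally kept for the smtp-service refactor. The same dead keyword survives in the parallel hunk `@@ -380,15 +292,9 @@` of systems/izumi/system-configuration.scm.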
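Review bot: `(@ (users id1000) smtp-service)` resolves a public binding, so `smtp-service` has to be defined and exported by (users id1000), and none of the visible hunks of users/id1000.scm adds either the definition or an export for it; presumably it lives further down that file, outside this chunk, but it is worth confirming because the reference only fails when the operating-system declaration is evaluated, not when the module is loaded. The identical line is added in the parallel hunk `@@ -473,6 +379,7 @@` of systems/izumi/system-configuration.scm, so both depend on that export.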
@@ -276,93 +275,6 @@ shepherd-root-service-type dkimproxy-out-shepherd-service ) ) ) ) ) -( define aliases-file - ( mixed-text-file "aliases" "@ vmail\n" ) ) - -( define relays-file - ( mixed-text-file - "other-relays" - "mx1.forwardemail.net\n" - "mx2.forwardemail.net\n" ) ) - -( define blacklist-file - ( mixed-text-file - "blacklist" - "@yahoo.com.cn\n" - "@qq.com\n" - "@fnac.com\n" - "@just-aero.us\n" - "@elitetorrent1.com\n" ) ) - -( define ( opensmtpd-conf interface domain ) - ( mixed-text-file - "smtpd.conf" - "# This is the smtpd server system-wide configuration file.\n" - "# See smtpd.conf(5) for more information.\n" - "\n" - "# My TLS certificate and key\n" - "pki marekpasnikowski.pl cert \"/etc/letsencrypt/live/" domain "/fullchain.pem\"\n" - "pki marekpasnikowski.pl key \"/etc/letsencrypt/live/" domain "/privkey.pem\"\n" - "\n" - "# Edit this file to add add more virtual users (passwords are read in that file\n" - "# instead of /etc/passwd\n" - "table passwd file:" smtpd-keys "\n" - "\n" - "table other-relays file:" relays-file "\n" - "table blacklist file:" blacklist-file "\n" - "\n" - "# A simple spam filter\n" - "# filter spam-filter phase mail-from match mail-from reject \"555\"\n" - "\n" - "# port 25 is used only for receiving from external servers, and they may start\n" - "# a TLS session if they want.\n" - "listen on " interface " port 25 # tls pki marekpasnikowski.pl filter spam-filter\n" - "\n" - "# For sending messages from outside of this server, you need to authenticate and\n" - "# use TLS.\n" - "listen on " interface " port 465 smtps pki marekpasnikowski.pl mask-src auth \n" - "\n" - "# Localhost is used by the .onion, so we use the same configuration for \n" - "# local connections." 
- "listen on lo port 25 tls pki marekpasnikowski.pl filter spam-filter\n" - "# Since incoming connection uses tor, we don't need tls, but still require\n" - "# authentication; we're not a relay\n" - "# listen on lo port 587 tls pki marekpasnikowski.pl mask-src auth \n" - "\n" - "# DKIMproxy\n" - "listen on lo port 10028 tag DKIM_OUT\n" - "\n" - "# The socket is considered an internal connection\n" - "listen on socket mask-src\n" - "\n" - "# Maybe it'll work better if we connect to gmail only with v4?\n" - "# limit mta for domain gmail.com inet4\n" - "\n" - "# TODO: manage these files directly in the configuration?\n" - "# If you edit the file, you have to run \"smtpctl update table aliases\"\n" - "table aliases file:" aliases-file "\n" - "\n" - "# We define some actions\n" - "action receive lmtp \"/var/run/dovecot/lmtp\" rcpt-to virtual \n" - "action outbound relay helo \"" domain "\"\n" - "action godkim relay host smtp://127.0.0.1:10027\n" - "\n" - "# We accept to relay any mail from authenticated users\n" - "match for any from any auth action godkim\n" - "match tag DKIM_OUT for any action outbound\n" - "\n" - "# Then, we reject on some other conditions:\n" - "\n" - "# If the mail tries to impersonate us\n" - "# match !from src mail-from \"@marekpasnikowski.pl\" for any reject\n" - "\n" - "# If it comes from someone on the blacklist\n" - "match from any mail-from reject\n" - "\n" - "# Finally, if we accept incoming messages\n" - "match from any for domain \"marekpasnikowski.pl\" action receive\n" - "match for local action receive\n" ) ) - ( define ( wip-dkim-service domain ) ( service dkimproxy-out-service-type ( dkimproxy-out-configuration 
@@ -380,15 +292,9 @@ ( method "mofws" ) ( type 'domainkeys ) ) ) ) ) ) ) ) ) -( define ( wip-smtp-service interface domain ) - ( service opensmtpd-service-type - ( opensmtpd-configuration - ( config-file ( opensmtpd-conf interface domain ) ) ) ) ) - ( define* ( wip-mail-services #:key interface domain ) ( list - ( wip-dkim-service domain ) - ( wip-smtp-service interface domain ) ) ) + ( wip-dkim-service domain ) ) ) ( operating-system ( bootloader @@ -473,6 +379,7 @@ #:domain "marekpasnikowski.pl" ) ( list (@ (users id1000) dovecot-service) + (@ (users id1000) smtp-service) (service (service-type (inherit certbot-service-type) (extensions (map (lambda (extension) (if (eq? (service-extension-target extension) diff --git a/users/id1000.scm b/users/id1000.scm index 3bc7d00..0253061 100644 --- a/users/id1000.scm +++ b/users/id1000.scm @@ -31,6 +31,20 @@ ;; %suweren-home-services #:use-module (suweren home)) +(define aliases-file + ((@ (guix gexp) mixed-text-file) + "aliases" + "@ vmail\n")) + +(define blacklist-file + ((@ (guix gexp) mixed-text-file) + "blacklist" + "@yahoo.com.cn\n" + "@qq.com\n" + "@fnac.com\n" + "@just-aero.us\n" + "@elitetorrent1.com\n")) + (define dovecot-imap-login-inet-configuration ((@ (gnu services mail) inet-listener-configuration) (address "192.168.10.2") @@ -80,6 +94,15 @@ (auto "subscribe") (special-use (list "\\Trash")))) +(define relays-file + ((@ (guix gexp) mixed-text-file) + "other-relays" + "mx1.forwardemail.net\n" + "mx2.forwardemail.net\n")) + +(define smtpd-keys + "/secrets/smtpd") + ;;; (define dovecot-imap 
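Review bot: `smtpd-keys` is the only definition in the `@@ -80,6 +94,15 @@` hunk that names a path outside the store, and nothing records why; the neighbouring `relays-file`, `aliases-file` and `blacklist-file` are `mixed-text-file` store items, which are world-readable, so a credentials table must not be built the same way. A comment on the definition keeps a later clean-up from moving it into the store: `;; Credentials table referenced by "table passwd" in smtpd.conf; kept outside /gnu/store on purpose, store items are world-readable.` The value is consumed by `opensmtpd-config` in the `@@ -124,6 +147,76 @@` hunk below, which is itself defined entirely in the new code.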
@@ -124,6 +147,76 @@ "uid=vmail")) (driver "static"))) +(define (opensmtpd-config interface + domain) + ((@ (guix gexp) mixed-text-file) + "smtpd.conf" + "# This is the smtpd server system-wide configuration file.\n" + "# See smtpd.conf(5) for more information.\n" + "\n" + "# My TLS certificate and key\n" + "pki marekpasnikowski.pl cert \"/etc/letsencrypt/live/" domain "/fullchain.pem\"\n" + "pki marekpasnikowski.pl key \"/etc/letsencrypt/live/" domain "/privkey.pem\"\n" + "\n" + "# Edit this file to add add more virtual users (passwords are read in that file\n" + "# instead of /etc/passwd\n" + "table passwd file:" smtpd-keys "\n" + "\n" + "table other-relays file:" relays-file "\n" + "table blacklist file:" blacklist-file "\n" + "\n" + "# A simple spam filter\n" + "# filter spam-filter phase mail-from match mail-from reject \"555\"\n" + "\n" + "# port 25 is used only for receiving from external servers, and they may start\n" + "# a TLS session if they want.\n" + "listen on " interface " port 25 # tls pki marekpasnikowski.pl filter spam-filter\n" + "\n" + "# For sending messages from outside of this server, you need to authenticate and\n" + "# use TLS.\n" + "listen on " interface " port 465 smtps pki marekpasnikowski.pl mask-src auth \n" + "\n" + "# Localhost is used by the .onion, so we use the same configuration for \n" + "# local connections." 
+ "listen on lo port 25 tls pki marekpasnikowski.pl filter spam-filter\n" + "# Since incoming connection uses tor, we don't need tls, but still require\n" + "# authentication; we're not a relay\n" + "# listen on lo port 587 tls pki marekpasnikowski.pl mask-src auth \n" + "\n" + "# DKIMproxy\n" + "listen on lo port 10028 tag DKIM_OUT\n" + "\n" + "# The socket is considered an internal connection\n" + "listen on socket mask-src\n" + "\n" + "# Maybe it'll work better if we connect to gmail only with v4?\n" + "# limit mta for domain gmail.com inet4\n" + "\n" + "# TODO: manage these files directly in the configuration?\n" + "# If you edit the file, you have to run \"smtpctl update table aliases\"\n" + "table aliases file:" aliases-file "\n" + "\n" + "# We define some actions\n" + "action receive lmtp \"/var/run/dovecot/lmtp\" rcpt-to virtual \n" + "action outbound relay helo \"" domain "\"\n" + "action godkim relay host smtp://127.0.0.1:10027\n" + "\n" + "# We accept to relay any mail from authenticated users\n" + "match for any from any auth action godkim\n" + "match tag DKIM_OUT for any action outbound\n" + "\n" + "# Then, we reject on some other conditions:\n" + "\n" + "# If the mail tries to impersonate us\n" + "# match !from src mail-from \"@marekpasnikowski.pl\" for any reject\n" + "\n" + "# If it comes from someone on the blacklist\n" + "match from any mail-from reject\n" + "\n" + "# Finally, if we accept incoming messages\n" + "match from any for domain \"marekpasnikowski.pl\" action receive\n" + "match for local action receive\n" )) + (define ssl-cert-path (string-append "