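;;; SPDX-License-Identifier: GPL-3.0-or-later
;;; SPDX-FileCopyrightText: 2026 Marek Paśnikowski
;;; COPYRIGHT NOTICE
;;;
;;; Copyright 2026, Marek Paśnikowski
;;; LICENSE NOTICE
;;;
;;; This library is free software: you can redistribute it and/or modify it under the terms of
;;; the GNU General Public License as published by the Free Software Foundation,
;;; either version 3 of the License, or (at your option) any later version.
;;;
;;; This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
;;; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
;;; See the GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License along with this library.
;;; If not, see <https://www.gnu.org/licenses/>.

;;; Commentary:
;;;
;;; Mail services for the host "aisaka":
;;;
;;;   * `dkimproxy-out-service'  -- dkimproxy.out, signing outbound mail for
;;;     marekpasnikowski.pl on the loopback interface;
;;;   * `smtp-service-aisaka'    -- OpenSMTPD, receiving mail for the domain,
;;;     relaying authenticated submissions through the DKIM signer and
;;;     delivering locally over Dovecot's LMTP socket.
;;;
;;; Outbound path: authenticated client -> smtpd (465) -> lo:10027 (dkimproxy)
;;; -> lo:10028 (smtpd, tagged DKIM_OUT) -> Internet.
;;;
;;; Code:

(define-module (deployment services mail)
  #:export (dkimproxy-out-service
            smtp-service-aisaka)
  #:use-module (gnu services)
  #:use-module (gnu services mail)
  #:use-module (guix gexp)
  #:use-module (sovereign services mail)
  #:use-module ((gnu packages mail) #:prefix gnu:packages:mail:))


;;;
;;; dkimproxy.out
;;;

;; DKIM signature: RSA-SHA256, relaxed canonicalization, selector "dkim".
;; The private key is referenced by path only; it must stay outside the
;; store, since everything under /gnu/store is world-readable.
(define dkimproxy-out-signature-configuration-marekpasnikowski.pl-dkim
  (dkimproxy-out-signature-configuration
   (algorithm "rsa-sha256")
   (key "/etc/mail/dkim/marekpasnikowski.pl.key")
   (method "relaxed")
   (selector "dkim")
   (type 'dkim)))

;; Legacy DomainKeys signature emitted next to the DKIM one.  No key or
;; selector is given here; presumably the serializer in (sovereign
;; services mail) falls back to defaults -- TODO confirm.
(define dkimproxy-out-signature-configuration-marekpasnikowski.pl-domainkeys
  (dkimproxy-out-signature-configuration
   (method "mofws")
   (type 'domainkeys)))

;; Both signatures are applied to every message from the domain.
(define dkimproxy-out-signature-configurations-marekpasnikowski.pl
  (list dkimproxy-out-signature-configuration-marekpasnikowski.pl-dkim
        dkimproxy-out-signature-configuration-marekpasnikowski.pl-domainkeys))

;; One sender-map entry: (DOMAIN SIGNATURES).
(define dkimproxy-out-configuration-sender-map-marekpasnikowski.pl
  (list "marekpasnikowski.pl"
        dkimproxy-out-signature-configurations-marekpasnikowski.pl))

;; Listen for unsigned mail from smtpd on 10027 and hand the signed copy
;; back to smtpd on 10028.  Both ends are loopback-only: smtpd tags what
;; arrives on 10028 as DKIM_OUT and relays it *without authentication*, so
;; neither port may ever be bound to a non-loopback address.
(define dkimproxy-out-configuration-marekpasnikowski.pl
  (dkimproxy-out-configuration
   (listen "127.0.0.1:10027")
   (relay "127.0.0.1:10028")
   (sender-map
    (list dkimproxy-out-configuration-sender-map-marekpasnikowski.pl))))

(define dkimproxy-out-service
  (service dkimproxy-out-service-type
           dkimproxy-out-configuration-marekpasnikowski.pl))


;;;
;;; OpenSMTPD
;;;

;; Virtual-alias table: catch-all for the domain, delivered to "vmail".
(define aliases-file
  (mixed-text-file "aliases"
                   "@ vmail\n"))

;; Sender domains rejected at MAIL FROM (see the `mail-from <blacklist>'
;; rule in smtpd.conf below).
(define blacklist-file
  (mixed-text-file "blacklist"
                   "@yahoo.com.cn\n"
                   "@qq.com\n"
                   "@fnac.com\n"
                   "@just-aero.us\n"
                   "@elitetorrent1.com\n"))

;; Trusted forwarders.  Only referenced from commented-out lines of
;; smtpd.conf at the moment.
(define relays-file
  (mixed-text-file "other-relays"
                   "mx1.forwardemail.net\n"
                   "mx2.forwardemail.net\n"))

;; Credentials table for submission (`auth <passwd>').  Deliberately a
;; plain path rather than a file-like object: it holds password hashes and
;; must not land in the world-readable store.  Keep it root-owned, mode
;; 0600 -- smtpd reads tables as root.
(define smtpd-keys "/secrets/smtpd")

;; Build smtpd.conf for INTERFACE (the public NIC) and DOMAIN (the mail
;; domain, also the name of the Let's Encrypt lineage and of the pki
;; entry).
;;
;; Table references use OpenSMTPD's <name> syntax; `auth', `virtual',
;; `src' and `mail-from' each require their table operand, otherwise
;; smtpd refuses the file.
;;
;; Listener summary:
;;   INTERFACE:25   inbound MX, STARTTLS offered, no auth, no relaying;
;;   INTERFACE:465  submission over implicit TLS, auth against <passwd>;
;;   lo:25          same role as INTERFACE:25, for the .onion forwarder;
;;   lo:10028       return path from dkimproxy, tagged DKIM_OUT;
;;   socket         local submission via smtpctl/sendmail.
;; The `spam-filter' filter is not defined, so every reference to it is
;; kept commented out; enabling a listener with `filter spam-filter'
;; without first defining the filter is a parse error.
(define (smtpd-conf interface domain)
  (mixed-text-file
   "smtpd.conf"
   "# This is the smtpd server system-wide configuration file.\n"
   "# See smtpd.conf(5) for more information.\n"
   "\n"
   "# My TLS certificate and key\n"
   "pki " domain " cert \"/etc/letsencrypt/live/" domain "/fullchain.pem\"\n"
   "pki " domain " key \"/etc/letsencrypt/live/" domain "/privkey.pem\"\n"
   "\n"
   "# Edit this file to add add more virtual users (passwords are read in that file\n"
   "# instead of /etc/passwd\n"
   "table passwd file:" smtpd-keys "\n"
   "\n"
   "# table other-relays file:" relays-file "\n"
   "table blacklist file:" blacklist-file "\n"
   "\n"
   "# A simple spam filter\n"
   "# filter spam-filter phase mail-from match mail-from <blacklist> reject \"555\"\n"
   "\n"
   "# port 25 is used only for receiving from external servers, and they may start\n"
   "# a TLS session if they want.\n"
   ;; `tls pki' is what actually advertises STARTTLS to peer MTAs; without
   ;; it the comment above is false and inbound mail arrives in cleartext.
   "listen on " interface " port 25 tls pki " domain " # filter spam-filter\n"
   "\n"
   "# For sending messages from outside of this server, you need to authenticate and\n"
   "# use TLS.\n"
   ;; mask-src keeps the submitting client's address out of Received headers.
   "listen on " interface " port 465 smtps pki " domain " mask-src auth <passwd>\n"
   "\n"
   "# Localhost is used by the .onion, so we use the same configuration for \n"
   "# local connections.\n"
   ;; This line must be terminated with "\n" before the listener, or the
   ;; listener is swallowed into the comment and nothing listens on lo:25.
   "listen on lo port 25 tls pki " domain " # filter spam-filter\n"
   "# Since incoming connection uses tor, we don't need tls, but still require\n"
   "# authentication; we're not a relay\n"
   "# listen on lo port 587 tls pki " domain " mask-src auth <passwd>\n"
   "\n"
   "# DKIMproxy\n"
   "listen on lo port 10028 tag DKIM_OUT\n"
   "\n"
   "# The socket is considered an internal connection\n"
   "listen on socket mask-src\n"
   "\n"
   "# Maybe it'll work better if we connect to gmail only with v4?\n"
   "# limit mta for domain gmail.com inet4\n"
   "\n"
   "# TODO: manage these files directly in the configuration?\n"
   "# If you edit the file, you have to run \"smtpctl update table aliases\"\n"
   "table aliases file:" aliases-file "\n"
   "\n"
   "# We define some actions\n"
   "action receive lmtp \"/var/run/dovecot/lmtp\" rcpt-to virtual <aliases>\n"
   "action godkim relay host smtp://localhost:10027\n"
   "action outbound relay src \"192.168.1.2\" helo " domain "\n"
   "\n"
   "# We accept to relay any mail from authenticated users\n"
   ;; Only authenticated sessions may relay; socket submissions are local
   ;; but not authenticated, so they never reach godkim and fall through
   ;; to local delivery or rejection.
   "match for any from any auth action godkim\n"
   ;; Mail returning from dkimproxy on lo:10028 is relayed unauthenticated:
   ;; the loopback binding above is the only thing keeping this from being
   ;; an open relay.
   "match tag DKIM_OUT for any action outbound\n"
   "\n"
   "# Then, we reject on some other conditions:\n"
   "\n"
   "# If the mail tries to impersonate us\n"
   "# match !from src <other-relays> mail-from \"@" domain "\" for any reject\n"
   "\n"
   "# If it comes from someone on the blacklist\n"
   "match from any mail-from <blacklist> reject\n"
   "\n"
   "# Finally, if we accept incoming messages\n"
   "match from any for domain \"" domain "\" action receive\n"
   "match for local action receive\n"))

;; OpenSMTPD for aisaka: public NIC enp2s0, domain marekpasnikowski.pl.
(define opensmtpd-configuration-aisaka
  (opensmtpd-configuration
   (package gnu:packages:mail:opensmtpd)
   ;; dkimproxy must be up first, otherwise the godkim relay to
   ;; 127.0.0.1:10027 has nothing to connect to.
   (shepherd-requirement (list 'dkimproxy-out 'networking))
   (config-file (smtpd-conf "enp2s0" "marekpasnikowski.pl"))
   ;; "/var", not "/val": the latter directory does not exist.
   (log-file "/var/log/mail.log")
   (setgid-commands? #t)))

(define smtp-service-aisaka
  (service opensmtpd-service-type
           opensmtpd-configuration-aisaka))

;;; EOF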