;;; SPDX-License-Identifier: GPL-3.0-or-later
;;; SPDX-FileCopyrightText: 2026 Marek Paśnikowski <marek@marekpasnikowski.pl>

;;; COPYRIGHT NOTICE
;;;
;;; Copyright 2026, Marek Paśnikowski <marek@marekpasnikowski.pl>

;;; LICENSE NOTICE
;;;
;;; This library is free software: you can redistribute it and/or modify it under the terms of
;;; the GNU General Public License as published by the Free Software Foundation,
;;; either version 3 of the License, or (at your option) any later version.
;;;
;;; This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
;;; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
;;; See the GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License along with this library.
;;; If not, see <https://www.gnu.org/licenses/>.

;;; Mail stack for one deployed host (the "aisaka" suffix on the exported
;;; service suggests the host name): an OpenSMTPD instance whose outbound
;;; path is routed through dkimproxy.out, both expressed as Guix services.
(define-module (deployment services mail)
  #:use-module (gnu services)
  #:use-module (gnu services mail)
  #:use-module (guix gexp)
  #:use-module (sovereign services mail)
  #:use-module ((gnu packages mail)
                #:prefix gnu:packages:mail:)
  #:export (dkimproxy-out-service
            smtp-service-aisaka))

;; DKIM signature for marekpasnikowski.pl: RSA-SHA256, relaxed canonicalisation,
;; DNS selector "dkim".  The private key is given as a plain path string, so it
;; is read from /etc/mail/dkim/ at run time rather than copied into the store.
(define dkimproxy-out-signature-configuration-marekpasnikowski.pl-dkim
  (dkimproxy-out-signature-configuration
   (type      'dkim)
   (selector  "dkim")
   (algorithm "rsa-sha256")
   (method    "relaxed")
   (key       "/etc/mail/dkim/marekpasnikowski.pl.key")))

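;; Legacy DomainKeys signature (RFC 4870, historic; superseded by DKIM).  It is
;; kept alongside the DKIM signature above for verifiers that still check it.
;;
;; DomainKeys defines exactly two canonicalisation methods, "simple" and
;; "nofws"; the previous value "mofws" was a typo for the latter and is not a
;; valid method name.
(define dkimproxy-out-signature-configuration-marekpasnikowski.pl-domainkeys
  (dkimproxy-out-signature-configuration
   (type   'domainkeys)
   (method "nofws")))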

;; Every signature dkimproxy.out applies to marekpasnikowski.pl mail:
;; the DKIM signature first, then the DomainKeys one.
(define dkimproxy-out-signature-configurations-marekpasnikowski.pl
  `(,dkimproxy-out-signature-configuration-marekpasnikowski.pl-dkim
    ,dkimproxy-out-signature-configuration-marekpasnikowski.pl-domainkeys))

;; One sender-map entry for dkimproxy.out: the sender domain followed by the
;; list of signature configurations to apply to mail from that domain.
(define dkimproxy-out-configuration-sender-map-marekpasnikowski.pl
  (cons "marekpasnikowski.pl"
        (list dkimproxy-out-signature-configurations-marekpasnikowski.pl)))

;; dkimproxy.out sits between two loopback ports of smtpd: it accepts mail on
;; 127.0.0.1:10027 (the target of smtpd's `godkim' relay action), signs it, and
;; hands it back on 127.0.0.1:10028, where smtpd tags it DKIM_OUT and relays
;; it outbound.  Both endpoints are loopback-only, so nothing outside the host
;; can inject mail into the signing path.
(define dkimproxy-out-configuration-marekpasnikowski.pl
  (let ((map-entries (list dkimproxy-out-configuration-sender-map-marekpasnikowski.pl)))
    (dkimproxy-out-configuration
     (sender-map map-entries)
     (relay      "127.0.0.1:10028")
     (listen     "127.0.0.1:10027"))))

;; Exported dkimproxy.out service instance.  `opensmtpd-configuration-aisaka'
;; below lists 'dkimproxy-out in its shepherd requirements, so smtpd starts
;; only once this proxy is up and its relay target on :10027 exists.
(define dkimproxy-out-service
  (service dkimproxy-out-service-type
           dkimproxy-out-configuration-marekpasnikowski.pl))

;; Virtual-alias table consumed via `rcpt-to virtual <aliases>' in smtpd.conf.
;; The single catch-all entry "@ vmail" maps every recipient of an accepted
;; domain onto the virtual user "vmail" (delivered through Dovecot LMTP).
(define aliases-file
  (let ((catch-all "@ vmail"))
    (mixed-text-file "aliases"
                     (string-append catch-all "\n"))))

;; Sender domains rejected outright; smtpd.conf matches this table against the
;; envelope MAIL FROM (`match from any mail-from <blacklist> reject').
;; One "@domain" entry per line.
(define blacklist-file
  (apply mixed-text-file "blacklist"
         (map (lambda (sender-domain)
                (string-append sender-domain "\n"))
              '("@yahoo.com.cn"
                "@qq.com"
                "@fnac.com"
                "@just-aero.us"
                "@elitetorrent1.com"))))

;; Upstream relay hosts meant for the <other-relays> table.  The `table
;; other-relays' line in smtpd.conf is currently commented out, so this file is
;; still built as a dependency of the configuration but not consulted by smtpd.
(define relays-file
  (apply mixed-text-file "other-relays"
         (map (lambda (host)
                (string-append host "\n"))
              '("mx1.forwardemail.net"
                "mx2.forwardemail.net"))))

;; Path of the smtpd `passwd' table (virtual users and their password hashes),
;; referenced by the `auth <passwd>' listener in smtpd.conf.  A plain path, not
;; a file-like object: the secrets stay outside the (world-readable) store.
(define smtpd-keys "/secrets/smtpd")

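;; Generate the OpenSMTPD configuration file for this host.
;;
;; INTERFACE is the network interface the public listeners bind to (e.g.
;; "enp2s0").  DOMAIN names the Let's Encrypt certificate directory under
;; /etc/letsencrypt/live/ and is used as the outbound HELO name.  Returns a
;; file-like object (a `mixed-text-file') for `opensmtpd-configuration'.
;;
;; Note that the pki label and the accepted recipient domain remain hard-coded
;; to "marekpasnikowski.pl" in the text below; DOMAIN only drives the
;; certificate path and the HELO name.
;;
;; Listener summary (all `listen' lines are visible below):
;;   INTERFACE:25  - inbound MX traffic; the `tls pki' option sits inside the
;;                   trailing comment, so this listener offers no STARTTLS.
;;   INTERFACE:465 - submission, implicit TLS, authenticated against <passwd>.
;;   lo:25         - same role as INTERFACE:25 for local/.onion connections.
;;   lo:10028      - return path from dkimproxy.out, tagged DKIM_OUT and
;;                   relayed outbound without authentication; it is safe only
;;                   because it is bound to loopback.
;;   socket        - local submissions via the smtpd socket.
(define (smtpd-conf interface domain)
  (mixed-text-file "smtpd.conf"
                   "# This is the smtpd server system-wide configuration file.\n"
                   "# See smtpd.conf(5) for more information.\n"
                   "\n"
                   "# My TLS certificate and key\n"
                   "pki marekpasnikowski.pl cert \"/etc/letsencrypt/live/" domain "/fullchain.pem\"\n"
                   "pki marekpasnikowski.pl key \"/etc/letsencrypt/live/" domain "/privkey.pem\"\n"
                   "\n"
                   "# Edit this file to add add more virtual users (passwords are read in that file\n"
                   "# instead of /etc/passwd\n"
                   "table passwd file:" smtpd-keys "\n"
                   "\n"
                   "# table other-relays file:" relays-file "\n"
                   "table blacklist file:" blacklist-file "\n"
                   "\n"
                   ;; `spam-filter' is only defined in this commented-out line, so no
                   ;; active `listen' directive may reference it.
                   "# A simple spam filter\n"
                   "# filter spam-filter phase mail-from match mail-from <blacklist> reject \"555\"\n"
                   "\n"
                   "# port 25 is used only for receiving from external servers, and they may start\n"
                   "# a TLS session if they want.\n"
                   "listen on " interface " port 25 # tls pki marekpasnikowski.pl filter spam-filter\n"
                   "\n"
                   "# For sending messages from outside of this server, you need to authenticate and\n"
                   "# use TLS.\n"
                   "listen on " interface " port 465 smtps pki marekpasnikowski.pl mask-src auth <passwd>\n"
                   "\n"
                   "# Localhost is used by the .onion, so we use the same configuration for \n"
                   ;; The "\n" here used to be missing, which glued the following `listen'
                   ;; directive onto this comment line and silently disabled the loopback
                   ;; listener.  The filter reference is kept as a trailing comment, as on
                   ;; the port-25 line above, because `spam-filter' is not defined.
                   "# local connections.\n"
                   "listen on lo port 25 tls pki marekpasnikowski.pl # filter spam-filter\n"
                   "# Since incoming connection uses tor, we don't need tls, but still require\n"
                   "# authentication; we're not a relay\n"
                   "# listen on lo port 587 tls pki marekpasnikowski.pl mask-src auth <passwd>\n"
                   "\n"
                   "# DKIMproxy\n"
                   "listen on lo port 10028 tag DKIM_OUT\n"
                   "\n"
                   "# The socket is considered an internal connection\n"
                   "listen on socket mask-src\n"
                   "\n"
                   "# Maybe it'll work better if we connect to gmail only with v4?\n"
                   "# limit mta for domain gmail.com inet4\n"
                   "\n"
                   "# TODO: manage these files directly in the configuration?\n"
                   "# If you edit the file, you have to run \"smtpctl update table aliases\"\n"
                   "table aliases file:" aliases-file "\n"
                   "\n"
                   "# We define some actions\n"
                   "action receive lmtp \"/var/run/dovecot/lmtp\" rcpt-to virtual <aliases>\n"
                   "action godkim relay host smtp://localhost:10027\n"
                   ;; Outbound source address is hard-coded; it must match the host's
                   ;; actual address or outbound relaying fails to bind.
                   "action outbound relay src \"192.168.1.2\" helo " domain "\n"
                   "\n"
                   "# We accept to relay any mail from authenticated users\n"
                   "match for any from any auth action godkim\n"
                   "match tag DKIM_OUT for any action outbound\n"
                   "\n"
                   "# Then, we reject on some other conditions:\n"
                   "\n"
                   "# If the mail tries to impersonate us\n"
                   "# match !from src <other-relays> mail-from \"@marekpasnikowski.pl\" for any reject\n"
                   "\n"
                   "# If it comes from someone on the blacklist\n"
                   "match from any mail-from <blacklist> reject\n"
                   "\n"
                   "# Finally, if we accept incoming messages\n"
                   "match from any for domain \"marekpasnikowski.pl\" action receive\n"
                   "match for local action receive\n" ))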

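;; OpenSMTPD instance for this host.  It is ordered after dkimproxy.out (the
;; target of the `godkim' relay action on 127.0.0.1:10027) and after
;; networking, since smtpd.conf binds listeners on enp2s0.
(define opensmtpd-configuration-aisaka
  (opensmtpd-configuration
   (package              gnu:packages:mail:opensmtpd)
   (shepherd-requirement (list 'dkimproxy-out 'networking))
   (config-file          (smtpd-conf "enp2s0" "marekpasnikowski.pl"))
   ;; Was "/val/log/mail.log": a typo for the conventional /var/log location,
   ;; which would have sent the mail log under a non-standard /val directory.
   (log-file             "/var/log/mail.log")
   ;; NOTE(review): presumably installs smtpd's setgid helper commands; the
   ;; exact semantics live in the service definition, not in this file.
   (setgid-commands?     #t)))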

;; Exported OpenSMTPD service instance for this host; pair it with
;; `dkimproxy-out-service' in the operating-system services list, since the
;; configuration's shepherd requirements depend on it.
(define smtp-service-aisaka
  (service opensmtpd-service-type
	         opensmtpd-configuration-aisaka))

;;; EOF