enable dkim signing
parent
7d4809038f
commit
8551dcffff
4 changed files with 45 additions and 17 deletions
|
@ -105,7 +105,7 @@ let
|
||||||
# This is the folder where the certificate will be created. The name is
|
# This is the folder where the certificate will be created. The name is
|
||||||
# hardcoded to "cert-${domain}.pem" and "key-${domain}.pem" and the
|
# hardcoded to "cert-${domain}.pem" and "key-${domain}.pem" and the
|
||||||
# certificate is valid for 10 years.
|
# certificate is valid for 10 years.
|
||||||
cert_dir = "/root/certs";
|
cert_dir = "/var/certs";
|
||||||
|
|
||||||
#
|
#
|
||||||
# Whether to enable imap / pop3. Both variants are only supported in the
|
# Whether to enable imap / pop3. Both variants are only supported in the
|
||||||
|
@ -124,7 +124,7 @@ let
|
||||||
# Whether to activate virus scanning. Note that virus scanning is _very_
|
# Whether to activate virus scanning. Note that virus scanning is _very_
|
||||||
# expensive memory wise.
|
# expensive memory wise.
|
||||||
#
|
#
|
||||||
virus_scanning = true;
|
virus_scanning = false;
|
||||||
|
|
||||||
#
|
#
|
||||||
# Whether to activate dkim signing.
|
# Whether to activate dkim signing.
|
||||||
|
@ -132,12 +132,14 @@ let
|
||||||
# TODO: Implement
|
# TODO: Implement
|
||||||
#
|
#
|
||||||
dkim_signing = true;
|
dkim_signing = true;
|
||||||
|
dkim_selector = "mail";
|
||||||
|
dkim_dir = "/var/dkim";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services = import ./mail-server/services.nix {
|
services = import ./mail-server/services.nix {
|
||||||
inherit mail_dir vmail_user_name vmail_group_name valiases domain
|
inherit mail_dir vmail_user_name vmail_group_name valiases domain
|
||||||
enable_imap enable_pop3 virus_scanning dkim_signing
|
enable_imap enable_pop3 virus_scanning dkim_signing dkim_selector
|
||||||
certificate_scheme cert_file key_file cert_dir;
|
dkim_dir certificate_scheme cert_file key_file cert_dir;
|
||||||
};
|
};
|
||||||
|
|
||||||
environment = import ./mail-server/environment.nix {
|
environment = import ./mail-server/environment.nix {
|
||||||
|
@ -150,7 +152,7 @@ in
|
||||||
|
|
||||||
systemd = import ./mail-server/systemd.nix {
|
systemd = import ./mail-server/systemd.nix {
|
||||||
inherit mail_dir vmail_group_name certificate_scheme cert_dir host_prefix
|
inherit mail_dir vmail_group_name certificate_scheme cert_dir host_prefix
|
||||||
domain pkgs;
|
domain pkgs dkim_selector dkim_dir;
|
||||||
};
|
};
|
||||||
|
|
||||||
users = import ./mail-server/users.nix {
|
users = import ./mail-server/users.nix {
|
||||||
|
|
|
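Review bot: The `# TODO: Implement` comment above `dkim_signing = true;` in the `@ -132,12 +132,14` hunk is now stale, since this commit wires `dkim_selector` and `dkim_dir` through to the services and systemd modules; replace it with a line that says what the two new settings are, e.g. `# dkim_selector is the label the DKIM TXT record is published under; dkim_dir holds the generated key.` The other two hunks in this section flip `cert_dir` between `/root/certs` and `/var/certs` and `virus_scanning` between `true` and `false`; the page carries no old/new marker, but neither change is related to DKIM and each deserves its own commit or at least a line in the description. This file's name is not shown on the page; from its `import ./mail-server/...` lines it appears to be the top-level module.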
@ -14,7 +14,7 @@
|
||||||
# You should have received a copy of the GNU General Public License
|
# You should have received a copy of the GNU General Public License
|
||||||
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||||
|
|
||||||
{ domain, virus_scanning, dkim_signing }:
|
{ domain, virus_scanning, dkim_signing, dkim_dir, dkim_selector }:
|
||||||
|
|
||||||
let
|
let
|
||||||
clamav = if virus_scanning
|
clamav = if virus_scanning
|
||||||
|
@ -30,9 +30,9 @@ let
|
||||||
''
|
''
|
||||||
dkim {
|
dkim {
|
||||||
domain {
|
domain {
|
||||||
key = /etc/nixos/dkim/${domain}.pem;
|
key = "${dkim_dir}";
|
||||||
domain = "${domain}";
|
domain = "*";
|
||||||
selector = "dkim";
|
selector = "${dkim_selector}";
|
||||||
};
|
};
|
||||||
sign_alg = sha256;
|
sign_alg = sha256;
|
||||||
auth_only = yes;
|
auth_only = yes;
|
||||||
|
|
|
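Review bot: `key = "${dkim_dir}";` in the `@ -30,9 +30,9` hunk points rmilter at the key directory rather than at the private key; the systemd module in this same commit generates the key as `${dkim_dir}/${dkim_selector}.private`, so the setting should read `key = "${dkim_dir}/${dkim_selector}.private";` (assuming I have read the old/new sides correctly). Replacing `domain = "${domain}";` with `domain = "*";` also makes rmilter sign mail for every sender domain with this one key, while the key is generated with `-d ${domain}` and its TXT record will presumably be published only under `${domain}`; unless wildcard signing is intended, `domain = "${domain}";` is the safer setting, and the choice deserves a comment either way. The `''` string that holds this block opens and closes outside the hunk.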
@ -15,8 +15,8 @@
|
||||||
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||||
|
|
||||||
{ mail_dir, vmail_user_name, vmail_group_name, valiases, domain, enable_imap,
|
{ mail_dir, vmail_user_name, vmail_group_name, valiases, domain, enable_imap,
|
||||||
enable_pop3, virus_scanning, dkim_signing, certificate_scheme, cert_file,
|
enable_pop3, virus_scanning, dkim_signing, dkim_selector, dkim_dir,
|
||||||
key_file, cert_dir }:
|
certificate_scheme, cert_file, key_file, cert_dir }:
|
||||||
|
|
||||||
let
|
let
|
||||||
# cert :: PATH
|
# cert :: PATH
|
||||||
|
@ -39,8 +39,12 @@ in
|
||||||
enable = true;
|
enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
opendkim = import ./opendkim.nix {
|
||||||
|
inherit dkim_signing dkim_dir dkim_selector domain;
|
||||||
|
};
|
||||||
|
|
||||||
rmilter = import ./rmilter.nix {
|
rmilter = import ./rmilter.nix {
|
||||||
inherit domain virus_scanning dkim_signing;
|
inherit domain virus_scanning dkim_signing dkim_selector dkim_dir;
|
||||||
};
|
};
|
||||||
|
|
||||||
postfix = import ./postfix.nix {
|
postfix = import ./postfix.nix {
|
||||||
|
|
|
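Review bot: The new `opendkim = import ./opendkim.nix { ... }` block in the `@ -39,8 +39,12` hunk imports a file that none of the four file sections of this commit adds, so unless `./opendkim.nix` already exists in the tree the module fails to evaluate; either add that file in this commit or leave the import out until it lands. The section's file name is not shown, but its sibling imports (`./rmilter.nix`, `./postfix.nix`) suggest it is services.nix. The `let` block and the attribute set this hunk belongs to both begin outside the hunk.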
@ -15,7 +15,7 @@
|
||||||
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||||
|
|
||||||
{ pkgs, mail_dir, vmail_group_name, certificate_scheme, cert_dir, host_prefix,
|
{ pkgs, mail_dir, vmail_group_name, certificate_scheme, cert_dir, host_prefix,
|
||||||
domain }:
|
domain, dkim_selector, dkim_dir}:
|
||||||
|
|
||||||
let
|
let
|
||||||
create_certificate = if certificate_scheme == 2 then
|
create_certificate = if certificate_scheme == 2 then
|
||||||
|
@ -36,6 +36,24 @@ let
|
||||||
fi
|
fi
|
||||||
''
|
''
|
||||||
else "";
|
else "";
|
||||||
|
|
||||||
|
dkim_key = "${dkim_dir}/${dkim_selector}.private";
|
||||||
|
dkim_txt = "${dkim_dir}/${dkim_selector}.txt";
|
||||||
|
create_dkim_cert =
|
||||||
|
''
|
||||||
|
# Create dkim dir
|
||||||
|
mkdir -p "${dkim_dir}"
|
||||||
|
chown opendkim:rmilter "${dkim_dir}"
|
||||||
|
|
||||||
|
if [ ! -f "${dkim_key}" ] || [ ! -f "${dkim_txt}" ]
|
||||||
|
then
|
||||||
|
|
||||||
|
${pkgs.opendkim}/bin/opendkim-genkey -s "${dkim_selector}" \
|
||||||
|
-d ${domain} \
|
||||||
|
--directory="${dkim_dir}"
|
||||||
|
chown opendkim:rmilter "${dkim_key}"
|
||||||
|
fi
|
||||||
|
'';
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
# Set the correct permissions for dovecot vmail folder. See
|
# Set the correct permissions for dovecot vmail folder. See
|
||||||
|
@ -54,8 +72,12 @@ in
|
||||||
|
|
||||||
# Check for certificate before both postfix and dovecot to make sure it
|
# Check for certificate before both postfix and dovecot to make sure it
|
||||||
# exists.
|
# exists.
|
||||||
services.postfix.preStart =
|
services.postfix.after = ["dovecot2.service"];
|
||||||
|
services.opendkim = {
|
||||||
|
after = ["dovecot2.service"];
|
||||||
|
preStart =
|
||||||
''
|
''
|
||||||
${create_certificate}
|
${create_dkim_cert}
|
||||||
'';
|
'';
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
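Review bot: In the `@ -54,8 +72,12` hunk the `${create_certificate}` step moves from `services.postfix.preStart` into `services.opendkim.preStart`, which is ordered `after = ["dovecot2.service"]`, so dovecot can now start before the certificate exists, and the comment kept above it, `# Check for certificate before both postfix and dovecot to make sure it exists.`, no longer describes what happens; keep `services.postfix.preStart = create_certificate` for the certificate and leave only `${create_dkim_cert}` in the opendkim unit. In the `@ -36,6 +36,24` hunk `create_dkim_cert` runs `opendkim-genkey` unconditionally, although `dkim_signing` is not even passed into this file, so the key is generated on hosts that never sign. `chown opendkim:rmilter "${dkim_key}"` sets ownership but no mode; if `opendkim-genkey` writes the key 0600 (its usual default, to be confirmed for this package) the rmilter group still cannot read it, so add an explicit `chmod 0640 "${dkim_key}"` after the chown and quote `-d ${domain}` like the other arguments. The `let` block that defines `create_dkim_cert` begins outside the hunk.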