enable dkim signing

This commit is contained in:
Robin Raymond 2017-08-23 17:22:44 +02:00
parent 7d4809038f
commit 8551dcffff
4 changed files with 45 additions and 17 deletions

View file

@ -105,7 +105,7 @@ let
# This is the folder where the certificate will be created. The name is # This is the folder where the certificate will be created. The name is
# hardcoded to "cert-${domain}.pem" and "key-${domain}.pem" and the # hardcoded to "cert-${domain}.pem" and "key-${domain}.pem" and the
# certificate is valid for 10 years. # certificate is valid for 10 years.
cert_dir = "/root/certs"; cert_dir = "/var/certs";
# #
# Whether to enable imap / pop3. Both variants are only supported in the # Whether to enable imap / pop3. Both variants are only supported in the
@ -124,7 +124,7 @@ let
# Whether to activate virus scanning. Note that virus scanning is _very_ # Whether to activate virus scanning. Note that virus scanning is _very_
# expensive memory wise. # expensive memory wise.
# #
virus_scanning = true; virus_scanning = false;
# #
# Whether to activate dkim signing. # Whether to activate dkim signing.
@ -132,12 +132,14 @@ let
# TODO: Implement # TODO: Implement
# #
dkim_signing = true; dkim_signing = true;
dkim_selector = "mail";
dkim_dir = "/var/dkim";
in in
{ {
services = import ./mail-server/services.nix { services = import ./mail-server/services.nix {
inherit mail_dir vmail_user_name vmail_group_name valiases domain inherit mail_dir vmail_user_name vmail_group_name valiases domain
enable_imap enable_pop3 virus_scanning dkim_signing enable_imap enable_pop3 virus_scanning dkim_signing dkim_selector
certificate_scheme cert_file key_file cert_dir; dkim_dir certificate_scheme cert_file key_file cert_dir;
}; };
environment = import ./mail-server/environment.nix { environment = import ./mail-server/environment.nix {
@ -150,7 +152,7 @@ in
systemd = import ./mail-server/systemd.nix { systemd = import ./mail-server/systemd.nix {
inherit mail_dir vmail_group_name certificate_scheme cert_dir host_prefix inherit mail_dir vmail_group_name certificate_scheme cert_dir host_prefix
domain pkgs; domain pkgs dkim_selector dkim_dir;
}; };
users = import ./mail-server/users.nix { users = import ./mail-server/users.nix {

View file

@ -14,7 +14,7 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/> # along with this program. If not, see <http://www.gnu.org/licenses/>
{ domain, virus_scanning, dkim_signing }: { domain, virus_scanning, dkim_signing, dkim_dir, dkim_selector }:
let let
clamav = if virus_scanning clamav = if virus_scanning
@ -30,9 +30,9 @@ let
'' ''
dkim { dkim {
domain { domain {
key = /etc/nixos/dkim/${domain}.pem; key = "${dkim_dir}";
domain = "${domain}"; domain = "*";
selector = "dkim"; selector = "${dkim_selector}";
}; };
sign_alg = sha256; sign_alg = sha256;
auth_only = yes; auth_only = yes;

View file

@ -15,8 +15,8 @@
# along with this program. If not, see <http://www.gnu.org/licenses/> # along with this program. If not, see <http://www.gnu.org/licenses/>
{ mail_dir, vmail_user_name, vmail_group_name, valiases, domain, enable_imap, { mail_dir, vmail_user_name, vmail_group_name, valiases, domain, enable_imap,
enable_pop3, virus_scanning, dkim_signing, certificate_scheme, cert_file, enable_pop3, virus_scanning, dkim_signing, dkim_selector, dkim_dir,
key_file, cert_dir }: certificate_scheme, cert_file, key_file, cert_dir }:
let let
# cert :: PATH # cert :: PATH
@ -39,8 +39,12 @@ in
enable = true; enable = true;
}; };
opendkim = import ./opendkim.nix {
inherit dkim_signing dkim_dir dkim_selector domain;
};
rmilter = import ./rmilter.nix { rmilter = import ./rmilter.nix {
inherit domain virus_scanning dkim_signing; inherit domain virus_scanning dkim_signing dkim_selector dkim_dir;
}; };
postfix = import ./postfix.nix { postfix = import ./postfix.nix {

View file

@ -15,7 +15,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/> # along with this program. If not, see <http://www.gnu.org/licenses/>
{ pkgs, mail_dir, vmail_group_name, certificate_scheme, cert_dir, host_prefix, { pkgs, mail_dir, vmail_group_name, certificate_scheme, cert_dir, host_prefix,
domain }: domain, dkim_selector, dkim_dir}:
let let
create_certificate = if certificate_scheme == 2 then create_certificate = if certificate_scheme == 2 then
@ -36,6 +36,24 @@ let
fi fi
'' ''
else ""; else "";
dkim_key = "${dkim_dir}/${dkim_selector}.private";
dkim_txt = "${dkim_dir}/${dkim_selector}.txt";
create_dkim_cert =
''
# Create dkim dir
mkdir -p "${dkim_dir}"
chown opendkim:rmilter "${dkim_dir}"
if [ ! -f "${dkim_key}" ] || [ ! -f "${dkim_txt}" ]
then
${pkgs.opendkim}/bin/opendkim-genkey -s "${dkim_selector}" \
-d ${domain} \
--directory="${dkim_dir}"
chown opendkim:rmilter "${dkim_key}"
fi
'';
in in
{ {
# Set the correct permissions for dovecot vmail folder. See # Set the correct permissions for dovecot vmail folder. See
@ -54,8 +72,12 @@ in
# Check for certificate before both postfix and dovecot to make sure it # Check for certificate before both postfix and dovecot to make sure it
# exists. # exists.
services.postfix.preStart = services.postfix.after = ["dovecot2.service"];
'' services.opendkim = {
${create_certificate} after = ["dovecot2.service"];
''; preStart =
''
${create_dkim_cert}
'';
};
} }