enable dkim signing
This commit is contained in:
parent
7d4809038f
commit
8551dcffff
4 changed files with 45 additions and 17 deletions
|
@ -105,7 +105,7 @@ let
|
|||
# This is the folder where the certificate will be created. The name is
|
||||
# hardcoded to "cert-${domain}.pem" and "key-${domain}.pem" and the
|
||||
# certificate is valid for 10 years.
|
||||
cert_dir = "/root/certs";
|
||||
cert_dir = "/var/certs";
|
||||
|
||||
#
|
||||
# Whether to enable imap / pop3. Both variants are only supported in the
|
||||
|
@ -124,7 +124,7 @@ let
|
|||
# Whether to activate virus scanning. Note that virus scanning is _very_
|
||||
# expensive memory wise.
|
||||
#
|
||||
virus_scanning = true;
|
||||
virus_scanning = false;
|
||||
|
||||
#
|
||||
# Whether to activate dkim signing.
|
||||
|
@ -132,12 +132,14 @@ let
|
|||
# TODO: Implement
|
||||
#
|
||||
dkim_signing = true;
|
||||
dkim_selector = "mail";
|
||||
dkim_dir = "/var/dkim";
|
||||
in
|
||||
{
|
||||
services = import ./mail-server/services.nix {
|
||||
inherit mail_dir vmail_user_name vmail_group_name valiases domain
|
||||
enable_imap enable_pop3 virus_scanning dkim_signing
|
||||
certificate_scheme cert_file key_file cert_dir;
|
||||
enable_imap enable_pop3 virus_scanning dkim_signing dkim_selector
|
||||
dkim_dir certificate_scheme cert_file key_file cert_dir;
|
||||
};
|
||||
|
||||
environment = import ./mail-server/environment.nix {
|
||||
|
@ -150,7 +152,7 @@ in
|
|||
|
||||
systemd = import ./mail-server/systemd.nix {
|
||||
inherit mail_dir vmail_group_name certificate_scheme cert_dir host_prefix
|
||||
domain pkgs;
|
||||
domain pkgs dkim_selector dkim_dir;
|
||||
};
|
||||
|
||||
users = import ./mail-server/users.nix {
|
||||
|
|
|
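Review bot: The `# TODO: Implement` comment above `dkim_signing = true;` is now stale, because this commit wires `dkim_selector` and `dkim_dir` through to rmilter.nix and systemd.nix, and those two new options are the only ones in this `let` block without a `#` description. Whether the TODO line is old or new cannot be told from the rendered page; either way it no longer matches the code. Drop the TODO and describe the new options, e.g. `# DKIM selector; used for the DNS record name and the key file name.` and `# Directory in which the DKIM key pair is generated and stored.`.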
@ -14,7 +14,7 @@
|
|||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||
|
||||
{ domain, virus_scanning, dkim_signing }:
|
||||
{ domain, virus_scanning, dkim_signing, dkim_dir, dkim_selector }:
|
||||
|
||||
let
|
||||
clamav = if virus_scanning
|
||||
|
@ -30,9 +30,9 @@ let
|
|||
''
|
||||
dkim {
|
||||
domain {
|
||||
key = /etc/nixos/dkim/${domain}.pem;
|
||||
domain = "${domain}";
|
||||
selector = "dkim";
|
||||
key = "${dkim_dir}";
|
||||
domain = "*";
|
||||
selector = "${dkim_selector}";
|
||||
};
|
||||
sign_alg = sha256;
|
||||
auth_only = yes;
|
||||
|
|
|
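Review bot: `domain = "*";` widens signing from the configured `${domain}` to every sender domain, so rmilter would sign any message that passes `auth_only = yes` with this one key; unless multi-domain signing is intended, keeping `domain = "${domain}";` is the narrower and safer scope. Separately, `key = "${dkim_dir}";` names the directory, while the systemd.nix hunk generates `${dkim_dir}/${dkim_selector}.private`; if rmilter does not look for exactly that file name under a wildcard domain entry, the key will not be found. Passing the full path, `key = "${dkim_dir}/${dkim_selector}.private";`, makes the two files agree.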
@ -15,8 +15,8 @@
|
|||
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||
|
||||
{ mail_dir, vmail_user_name, vmail_group_name, valiases, domain, enable_imap,
|
||||
enable_pop3, virus_scanning, dkim_signing, certificate_scheme, cert_file,
|
||||
key_file, cert_dir }:
|
||||
enable_pop3, virus_scanning, dkim_signing, dkim_selector, dkim_dir,
|
||||
certificate_scheme, cert_file, key_file, cert_dir }:
|
||||
|
||||
let
|
||||
# cert :: PATH
|
||||
|
@ -39,8 +39,12 @@ in
|
|||
enable = true;
|
||||
};
|
||||
|
||||
opendkim = import ./opendkim.nix {
|
||||
inherit dkim_signing dkim_dir dkim_selector domain;
|
||||
};
|
||||
|
||||
rmilter = import ./rmilter.nix {
|
||||
inherit domain virus_scanning dkim_signing;
|
||||
inherit domain virus_scanning dkim_signing dkim_selector dkim_dir;
|
||||
};
|
||||
|
||||
postfix = import ./postfix.nix {
|
||||
|
|
|
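Review bot: `opendkim = import ./opendkim.nix { inherit dkim_signing dkim_dir dkim_selector domain; };` refers to a file that is not among the four files changed by this commit; if ./opendkim.nix is new it is missing from the commit, and if it already exists its argument set should be checked against these four names. The module body that consumes the `opendkim` attribute lies outside the hunk.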
@ -15,7 +15,7 @@
|
|||
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||
|
||||
{ pkgs, mail_dir, vmail_group_name, certificate_scheme, cert_dir, host_prefix,
|
||||
domain }:
|
||||
domain, dkim_selector, dkim_dir}:
|
||||
|
||||
let
|
||||
create_certificate = if certificate_scheme == 2 then
|
||||
|
@ -36,6 +36,24 @@ let
|
|||
fi
|
||||
''
|
||||
else "";
|
||||
|
||||
dkim_key = "${dkim_dir}/${dkim_selector}.private";
|
||||
dkim_txt = "${dkim_dir}/${dkim_selector}.txt";
|
||||
create_dkim_cert =
|
||||
''
|
||||
# Create dkim dir
|
||||
mkdir -p "${dkim_dir}"
|
||||
chown opendkim:rmilter "${dkim_dir}"
|
||||
|
||||
if [ ! -f "${dkim_key}" ] || [ ! -f "${dkim_txt}" ]
|
||||
then
|
||||
|
||||
${pkgs.opendkim}/bin/opendkim-genkey -s "${dkim_selector}" \
|
||||
-d ${domain} \
|
||||
--directory="${dkim_dir}"
|
||||
chown opendkim:rmilter "${dkim_key}"
|
||||
fi
|
||||
'';
|
||||
in
|
||||
{
|
||||
# Set the correct permissions for dovecot vmail folder. See
|
||||
|
@ -54,8 +72,12 @@ in
|
|||
|
||||
# Check for certificate before both postfix and dovecot to make sure it
|
||||
# exists.
|
||||
services.postfix.preStart =
|
||||
''
|
||||
${create_certificate}
|
||||
'';
|
||||
services.postfix.after = ["dovecot2.service"];
|
||||
services.opendkim = {
|
||||
after = ["dovecot2.service"];
|
||||
preStart =
|
||||
''
|
||||
${create_dkim_cert}
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
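Review bot: The guard `if [ ! -f "${dkim_key}" ] || [ ! -f "${dkim_txt}" ]` regenerates the private key whenever only the `.txt` file is missing, which silently rotates the signing key and breaks verification until the DNS record is republished; keying the check on the private key alone, `if [ ! -f "${dkim_key}" ]`, avoids that. The key is chowned `opendkim:rmilter` but no mode is set; if opendkim-genkey creates the file 0600 (as I believe it does by default), the rmilter group cannot read it, so an explicit `chmod 0640 "${dkim_key}"` after the chown would make the intended access clear. The directory created by `mkdir -p "${dkim_dir}"` likewise gets no mode, so its permissions depend on the umask at preStart time, and `-d ${domain}` is the only unquoted expansion in the script.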