X-Git-Url: https://git.immae.eu/?p=perso%2FImmae%2FConfig%2FNix.git;a=blobdiff_plain;f=modules%2Fprivate%2Fmail%2Fmilters.nix;h=5de03cf12dcb04152579f01ffa5e7a4c7823fbe5;hp=123af4ab650b554730fa2fe5b0cc6c0e8aea7a29;hb=45730653020eb8b23090a731fc9e687efab850a5;hpb=8415083eb6acc343dfa404dbbc12fa0171a48a20
diff --git a/modules/private/mail/milters.nix b/modules/private/mail/milters.nix
index 123af4a..5de03cf 100644
--- a/modules/private/mail/milters.nix
+++ b/modules/private/mail/milters.nix
@@ -1,4 +1,4 @@
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
 {
 options.myServices.mail.milters.sockets = lib.mkOption {
 type = lib.types.attrsOf lib.types.path;
@@ -12,14 +12,14 @@
 milters sockets
 '';
 };
- config = lib.mkIf config.myServices.mail.enable {
+ config = lib.mkIf (config.myServices.mail.enable || config.myServices.mailBackup.enable) {
 secrets.keys = [
 {
 dest = "opendkim/eldiron.private";
 user = config.services.opendkim.user;
 group = config.services.opendkim.group;
 permissions = "0400";
- text = myconfig.env.mail.dkim.eldiron.private;
+ text = config.myEnv.mail.dkim.eldiron.private;
 }
 {
 dest = "opendkim/eldiron.txt";
@@ -27,14 +27,21 @@
 group = config.services.opendkim.group;
 permissions = "0444";
 text = ''
- eldiron._domainkey IN TXT ${myconfig.env.mail.dkim.eldiron.public}'';
+ eldiron._domainkey IN TXT ${config.myEnv.mail.dkim.eldiron.public}'';
 }
 {
 dest = "opendmarc/ignore.hosts";
 user = config.services.opendmarc.user;
 group = config.services.opendmarc.group;
 permissions = "0400";
- text = myconfig.env.mail.dmarc.ignore_hosts;
+ text = let
+ mxes = lib.attrsets.filterAttrs
+ (n: v: v.mx.enable)
+ config.myEnv.servers;
+ in
+ builtins.concatStringsSep "\n" ([
+ config.myEnv.mail.dmarc.ignore_hosts
+ ] ++ lib.mapAttrsToList (n: v: v.fqdn) mxes);
 }
 ];
 users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
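Review bot: Gating the whole block on `config.myServices.mailBackup.enable` as well now installs the DKIM signing key (`opendkim/eldiron.private`, the first `secrets.keys` entry) on the backup host too. If the backup MX only queues and relays inbound mail it has no need for the signing key, and keeping it on fewer hosts shrinks the exposure of that secret; consider wrapping that entry in `lib.optional config.myServices.mail.enable { … }` so only the primary signer carries it. Which role the backup host actually plays is not visible here, so this is worth confirming rather than assuming. The enclosing `config` attribute set continues outside the hunk.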
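Review bot: `(n: v: v.mx.enable)` in the new `mxes` filter raises an evaluation error for any entry of `config.myEnv.servers` that lacks an `mx` attribute; `(n: v: v.mx.enable or false)` keeps the filter total without changing the result for well-formed entries. The helper spellings are also mixed in one expression (`lib.attrsets.filterAttrs`, `builtins.concatStringsSep`, `lib.mapAttrsToList`); `lib.filterAttrs` and `lib.concatStringsSep` would read consistently. Since the generated file is OpenDMARC's `IgnoreHosts` list, a one-line comment above `text = let`, e.g. `# Own MX hosts are appended so mail relayed between them is not DMARC-evaluated twice`, would record why every enabled MX fqdn is exempted.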
@@ -46,13 +53,14 @@
 (e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}")
 (zone.withEmail or [])
 )
- myconfig.env.dns.masterZones
+ config.myEnv.dns.masterZones
 ));
 keyPath = "${config.secrets.location}/opendkim";
 selector = "eldiron";
 configFile = pkgs.writeText "opendkim.conf" ''
- SubDomains yes
- UMask 002
+ SubDomains yes
+ UMask 002
+ AlwaysAddARHeader yes
 '';
 group = config.services.postfix.group;
 };
@@ -74,14 +82,14 @@
 configFile = pkgs.writeText "opendmarc.conf" ''
 AuthservID HOSTNAME
 FailureReports false
- FailureReportsBcc postmaster@localhost.immae.eu
+ FailureReportsBcc postmaster@immae.eu
 FailureReportsOnNone true
 FailureReportsSentBy postmaster@immae.eu
 IgnoreAuthenticatedClients true
 IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
 SoftwareHeader true
+ SPFIgnoreResults true
 SPFSelfValidate true
- TrustedAuthservIDs HOSTNAME, immae.eu, nef2.ens.fr
 UMask 002
 '';
 group = config.services.postfix.group;
@@ -121,5 +129,19 @@
 config.secrets.fullPaths."opendkim/eldiron.private"
 ];
 };
+
+ systemd.services.milter_verify_from = {
+ description = "Verify from milter";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ User = "postfix";
+ Group = "postfix";
+ ExecStart = let python = pkgs.python3.withPackages (p: [ p.pymilter ]);
+ in "${python}/bin/python ${./verify_from.py} -s /run/milter_verify_from/verify_from.sock";
+ RuntimeDirectory = "milter_verify_from";
+ };
+ };
 };
 }
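Review bot: The new `AlwaysAddARHeader yes` line in opendkim.conf has no comment saying why it is wanted; a line such as `# Emit an Authentication-Results header even for unsigned mail, so the OpenDMARC milter below sees an explicit dkim result instead of none` above `configFile` would make the coupling with the OpenDMARC configuration later in this file explicit. The re-indentation of `SubDomains yes` and `UMask 002` is only a whitespace change inside the `''` string (Nix strips the common leading indentation), so it carries no behavioural change but does make the hunk noisier than the one-line addition it contains. The surrounding `services.opendkim` attribute set starts outside the hunk.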
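Review bot: Removing `TrustedAuthservIDs HOSTNAME, immae.eu, nef2.ens.fr` leaves OpenDMARC trusting only Authentication-Results headers whose authserv-id equals its own `AuthservID HOSTNAME`, so the OpenDKIM instance configured earlier in this file must label its verdicts with that same host name or its dkim results are silently ignored and DMARC is evaluated on SPF alone; presumably both fall back to the local hostname, but that is worth confirming on the running host. The added `SPFIgnoreResults true` next to `SPFSelfValidate true` means upstream SPF verdicts are disregarded and OpenDMARC re-checks SPF itself, which is a sound default against forged Authentication-Results headers on inbound mail; a one-line comment such as `# Never trust an inbound SPF verdict; OpenDMARC re-validates SPF locally` above `configFile` would preserve that intent. The enclosing `services.opendmarc` attribute set starts outside the hunk.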
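Review bot: The new `milter_verify_from` unit runs an interpreter as the `postfix` user with no sandboxing and no `Restart` policy, unlike the NixOS-managed opendkim/opendmarc units, so a crash of the script leaves postfix's milter connection dangling (whether mail is then deferred or passed depends on `milter_default_action`, which is not visible here) and a bug in `verify_from.py` runs with full access to postfix's spool. `after = [ "network.target" ]` also orders nothing useful for a unix-socket milter; `before = [ "postfix.service" ]` is the dependency that guarantees the socket exists when postfix accepts its first connection. The rewritten unit below keeps `User`/`Group`/`ExecStart`/`RuntimeDirectory` as committed and adds the ordering, restart and hardening directives; `RuntimeDirectory` stays writable under `ProtectSystem = "strict"`. Registering the socket path in `myServices.mail.milters.sockets` may already happen outside this hunk, but this hunk does not do it.
```nix
  systemd.services.milter_verify_from = {
    description = "Verify from milter";
    before = [ "postfix.service" ];
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      # … unchanged: User, Group, ExecStart, RuntimeDirectory …
      Restart = "on-failure";
      NoNewPrivileges = true;
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
    };
  };
```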