From e068e8d629fe7cf55425117d7f627f9f89d5949d Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Fri, 24 Jun 2016 20:14:18 +0200
Subject: dkim on ymir
---
 ymir.nix | 31 +++++++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)
diff --git a/ymir.nix b/ymir.nix
index faed3c30..4f7dbb5c 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -13,6 +13,12 @@ let
 cert = "/var/lib/acme/yggdrasil.li/fullchain.pem";
 };
 };
+ myDomains = ["dirty-haskell.org" "www.dirty-haskell.org" "lists.dirty-haskell.org" "l.dirty-haskell.org"
+ "files.141.li" "f.141.li" "ymir.141.li" "141.li" "www.141.li" "lists.141.li" "l.141.li"
+ "ymir.xmpp.li" "xmpp.li" "www.xmpp.li" "lists.xmpp.li" "l.xmpp.li"
+ "files.yggdrasil.li" "f.yggdrasil.li" "ymir.yggdrasil.li" "git.yggdrasil.li" "www.yggdrasil.li" "yggdrasil.li" "lists.yggdrasil.li" "l.yggdrasil.li"
+ "files.praseodym.org" "f.praseodym.org" "ymir.praseodym.org" "praseodym.org" "www.praseodym.org" "lists.praseodym.org" "l.praseodym.org"
+ ];
 in rec {
 imports = [
@@ -406,7 +412,7 @@ in rec {
 reject_non_fqdn_recipient,
 reject_unknown_recipient_domain,
 check_recipient_access hash:/srv/mail/recipient_access,
- check_policy_service unix:policy,
+ check_policy_service unix:private/policy-quota,
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_unauth_destination,
@@ -421,6 +427,11 @@ in rec {
 policy-spf_time_limit = 3600s
 propagate_unmatched_extensions = virtual
+ milter_default_action = accept
+ milter_protocol = 2
+ smtpd_milters = local:private/dkim
+ non_smtpd_milters = local:private/dkim
+
 alias_maps = hash:/etc/postfix/aliases texthash:/srv/mail/spm
 '';
 extraMasterConf = ''
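Review bot: `milter_default_action = accept` in the third hunk fails open: when the opendkim socket behind `local:private/dkim` is unreachable, Postfix keeps accepting and relaying mail, so outbound messages leave unsigned and the only trace is a log line. For a signing milter the safer value is `milter_default_action = tempfail`, which makes submitting clients retry until opendkim is back rather than silently degrading the domain's DKIM coverage. `milter_protocol = 2` also pins an older milter protocol version; current Postfix defaults to 6, so this looks like a leftover from older guides and is worth confirming before keeping. The extraConfig string these lines sit in starts and ends outside the hunk.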
@@ -451,6 +462,19 @@ in rec {
 };
 };
+ services.opendkim = {
+ enable = true;
+ user = "postfix"; group = "postfix";
+ socket = "local:/var/lib/postfix/queue/private/dkim";
+ domains = ''csl:${pkgs.lib.concatStringsSep "," myDomains}'';
+ keyFile = /var/lib/dkim/ymir.private;
+ selector = "ymir";
+ configFile = builtins.toFile "opendkim.conf" ''
+ Syslog true
+ MTACommand /var/setuid-wrappers/sendmail
+ '';
+ };
+
 services.dovecot2 = {
 enable = true;
 enableImap = true;
@@ -489,7 +513,7 @@ in rec {
 service quota-status {
 executable = quota-status -p postfix
- unix_listener /var/lib/postfix/queue/policy {
+ unix_listener /var/lib/postfix/queue/private/policy-quota {
 mode = 0660
 user = postfix
 group = postfix
@@ -522,8 +546,7 @@ in rec {
 group = "ssl";
 webroot = "/srv/www/acme/yggdrasil.li";
 email = "phikeebaogobaegh@141.li";
- extraDomains = builtins.listToAttrs (builtins.map (name: { inherit name; value = "/srv/www/acme/${name}"; })
- ["dirty-haskell.org" "www.dirty-haskell.org" "lists.dirty-haskell.org" "l.dirty-haskell.org" "files.141.li" "f.141.li" "ymir.141.li" "141.li" "www.141.li" "lists.141.li" "l.141.li" "ymir.xmpp.li" "xmpp.li" "www.xmpp.li" "lists.xmpp.li" "l.xmpp.li" "files.yggdrasil.li" "f.yggdrasil.li" "ymir.yggdrasil.li" "git.yggdrasil.li" "www.yggdrasil.li" "yggdrasil.li" "lists.yggdrasil.li" "l.yggdrasil.li" "files.praseodym.org" "f.praseodym.org" "ymir.praseodym.org" "praseodym.org" "www.praseodym.org" "lists.praseodym.org" "l.praseodym.org"]);
+ extraDomains = builtins.listToAttrs (builtins.map (name: { inherit name; value = "/srv/www/acme/${name}"; }) myDomains);
 postRun = ''
 systemctl reload nginx.service
 prosodyctl reload
-- 
cgit v1.2.3
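Review bot: `keyFile = /var/lib/dkim/ymir.private;` in the services.opendkim hunk is a Nix path literal, and a path literal is copied into the world-readable Nix store the moment the module coerces it to a string (for example when assembling the opendkim command line or config file); if the module does that, the DKIM private key lands in /nix/store. Writing it as the string `keyFile = "/var/lib/dkim/ymir.private";` avoids the copy and matches how the other absolute paths in this file, such as `cert`, are written. Running the daemon as `user = "postfix"; group = "postfix";` also means the key must be readable by the Postfix user, so a compromise of Postfix yields the signing key; a dedicated opendkim user with postfix added to its group for socket access keeps the key out of Postfix's reach. The `socket` value does line up with the `local:private/dkim` setting added to the Postfix config earlier in the commit.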