diff --git a/modules/mailserver.nix b/modules/mailserver.nix
index 395d9ed..159efcd 100644
--- a/modules/mailserver.nix
+++ b/modules/mailserver.nix
@@ -87,6 +87,14 @@ in
 spam = {
 enable = (lib.mkEnableOption "spam filtering") // { default = true; };
 };
+ dkim = {
+ enable = (lib.mkEnableOption "DKIM signing") // { default = true; };
+ selector = lib.mkOption {
+ type = str;
+ description = "DKIM Selector to use";
+ default = "mail";
+ };
+ };
 };
 config = lib.mkIf cfg.enable {
@@ -244,6 +252,9 @@ in
 tls_preempt_cipherlist = "no";
 smtpd_tls_dh1024_param_file = config.security.dhparams.params.postfix.path;
+
+ smtpd_milters = lib.mkIf cfg.dkim.enable (lib.singleton "unix:/run/opendkim/opendkim.sock");
+ non_smtpd_milters = lib.mkIf cfg.dkim.enable (lib.singleton "unix:/run/opendkim/opendkim.sock");
 };
 submissionOptions = {
@@ -410,5 +421,37 @@ in
 port = 6379;
 };
 };
+
+ # DKIM
+ services.opendkim = lib.mkIf cfg.dkim.enable {
+ enable = true;
+ selector = cfg.dkim.selector;
+ domains = "csl:${lib.concatStringsSep "," cfg.domains}";
+ configFile = pkgs.writeText "opendkim.conf" ''
+ UMask 0002
+ '';
+ };
+ systemd.services.opendkim = lib.mkIf cfg.dkim.enable {
+ # changed to use larger key size
+ preStart =
+ let
+ inherit (config.services.opendkim) keyPath selector;
+ in
+ lib.mkForce ''
+ cd "${keyPath}"
+ if ! test -f ${selector}.private; then
+ ${pkgs.opendkim}/bin/opendkim-genkey \
+ -s ${selector} \
+ -d all-domains-generic-key \
+ -b 4096
+ echo "Generated OpenDKIM key! Please update your DNS settings:\n"
+ echo "-------------------------------------------------------------"
+ cat ${selector}.txt
+ echo "-------------------------------------------------------------"
+ fi
+ '';
+ };
+
+ users.users.postfix.extraGroups = lib.mkIf cfg.dkim.enable (lib.singleton config.users.users.opendkim.group);
 };
 }
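Review bot: `type = str;` in the new dkim.selector option uses a bare `str`, while every other library reference in this hunk is qualified (`lib.mkEnableOption`, `lib.mkOption`); unless `str` is brought into scope further up the file, outside this hunk, evaluation fails with an undefined-variable error. Use `type = lib.types.str;` to match the surrounding style. The description could also tell the operator what the value is used for, e.g. `description = "DKIM selector; the public key must be published at <selector>._domainkey.<domain>";`. The enclosing options attrset begins before this hunk.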
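Review bot: The milter socket path `unix:/run/opendkim/opendkim.sock` is hardcoded twice in the new smtpd_milters / non_smtpd_milters lines rather than derived from the opendkim module's socket option, so a change to `services.opendkim.socket` would silently leave Postfix pointing at a socket nobody listens on. Consider binding it once in a `let`, e.g. `milterSocket = "unix:" + lib.removePrefix "local:" config.services.opendkim.socket;`, and referencing that in both lines (Postfix spells the scheme `unix:` where opendkim's option uses `local:`, so the prefix needs translating). Note also that Postfix's default `milter_default_action` is `tempfail`, so if opendkim is not up when Postfix starts, mail is deferred rather than sent unsigned; an explicit ordering of the postfix unit after opendkim.service, or a deliberate `milter_default_action` setting, would make that behaviour intentional. The enclosing postfix config attrset starts and ends outside this hunk.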
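Review bot: `echo "Generated OpenDKIM key! Please update your DNS settings:\n"` in the new preStart prints a literal `\n`, since neither bash's builtin echo nor POSIX echo interprets escapes without `-e` or printf; the line should be `echo "Generated OpenDKIM key! Please update your DNS settings:"`. The `lib.mkForce` replaces the whole upstream preStart just to pass `-b 4096`, so any later upstream change to that script (for instance key ownership or permission handling) would be silently dropped here; the comment `# changed to use larger key size` should state that the entire script is overridden and needs re-checking against upstream on each nixpkgs bump. A 4096-bit key is also an interoperability trade-off rather than a pure hardening: verifiers built to RFC 6376 are only required to handle keys up to 2048 bits, and the public-key TXT record becomes long enough that opendkim-genkey splits it across several strings, which some DNS front-ends handle poorly, so a short comment next to `-b 4096` would make the choice deliberate. The `config` attrset closed by the trailing `};` starts before this hunk.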