mailserver: Add DKIM

Simon Bruder 2023-04-30 12:14:35 +02:00
parent a3030f5dbd
commit 0d3ec89038
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC


@ -87,6 +87,14 @@ in
spam = {
enable = (lib.mkEnableOption "spam filtering") // { default = true; };
};
dkim = {
enable = (lib.mkEnableOption "DKIM signing") // { default = true; };
selector = lib.mkOption {
type = str;
description = "DKIM Selector to use";
default = "mail";
};
};
};
config = lib.mkIf cfg.enable {
@ -244,6 +252,9 @@ in
tls_preempt_cipherlist = "no";
smtpd_tls_dh1024_param_file = config.security.dhparams.params.postfix.path;
smtpd_milters = lib.mkIf cfg.dkim.enable (lib.singleton "unix:/run/opendkim/opendkim.sock");
non_smtpd_milters = lib.mkIf cfg.dkim.enable (lib.singleton "unix:/run/opendkim/opendkim.sock");
};
submissionOptions = {
@ -410,5 +421,37 @@ in
port = 6379;
};
};
# DKIM
services.opendkim = lib.mkIf cfg.dkim.enable {
enable = true;
selector = cfg.dkim.selector;
domains = "csl:${lib.concatStringsSep "," cfg.domains}";
configFile = pkgs.writeText "opendkim.conf" ''
UMask 0002
'';
};
systemd.services.opendkim = lib.mkIf cfg.dkim.enable {
# changed to use larger key size
preStart =
let
inherit (config.services.opendkim) keyPath selector;
in
lib.mkForce ''
cd "${keyPath}"
if ! test -f ${selector}.private; then
${pkgs.opendkim}/bin/opendkim-genkey \
-s ${selector} \
-d all-domains-generic-key \
-b 4096
echo "Generated OpenDKIM key! Please update your DNS settings:\n"
echo "-------------------------------------------------------------"
cat ${selector}.txt
echo "-------------------------------------------------------------"
fi
'';
};
users.users.postfix.extraGroups = lib.mkIf cfg.dkim.enable (lib.singleton config.users.users.opendkim.group);
};
}
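Review bot: The forced preStart generates the private key without restricting its file mode, while the same commit relaxes OpenDKIM's UMask to 0002 and adds postfix to the opendkim group; if the unit's runtime umask is likewise 0002 (not visible in this hunk), `mail.private` could end up group-readable by the postfix user rather than owner-only. Passing opendkim-genkey's restrict flag closes that regardless of umask: `-b 4096 \` followed by `-r`, or equivalently `chmod 600 ${selector}.private` after generation. The 4096-bit choice is also worth a short comment at line 47, since the resulting TXT record must be split into multiple strings and will exceed a 512-byte UDP DNS reply, so the operator should confirm their DNS provider and resolvers handle it; e.g. `# 4096-bit key: DNS record is large, verify the published TXT record resolves`. Note also that `echo "...\n"` without `-e` prints a literal backslash-n here, as it did in the upstream default this overrides.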