mailserver: Add DKIM

2023-04-30 12:14:35 +02:00 · 2023-04-30 12:14:35 +02:00 · 0d3ec89038
parent a3030f5dbd
commit 0d3ec89038
1 changed files with 43 additions and 0 deletions
--- a/modules/mailserver.nix
+++ b/modules/mailserver.nix
@ -87,6 +87,14 @@ in
    spam = {
      enable = (lib.mkEnableOption "spam filtering") // { default = true; };
    };
+    dkim = {
+      enable = (lib.mkEnableOption "DKIM signing") // { default = true; };
+      selector = lib.mkOption {
+        type = str;
+        description = "DKIM Selector to use";
+        default = "mail";
+      };
+    };
  };

  config = lib.mkIf cfg.enable {
@ -244,6 +252,9 @@ in
          tls_preempt_cipherlist = "no";

          smtpd_tls_dh1024_param_file = config.security.dhparams.params.postfix.path;
+
+          smtpd_milters = lib.mkIf cfg.dkim.enable (lib.singleton "unix:/run/opendkim/opendkim.sock");
+          non_smtpd_milters = lib.mkIf cfg.dkim.enable (lib.singleton "unix:/run/opendkim/opendkim.sock");
        };

        submissionOptions = {
@ -410,5 +421,37 @@ in
        port = 6379;
      };
    };
+
+    # DKIM
+    services.opendkim = lib.mkIf cfg.dkim.enable {
+      enable = true;
+      selector = cfg.dkim.selector;
+      domains = "csl:${lib.concatStringsSep "," cfg.domains}";
+      configFile = pkgs.writeText "opendkim.conf" ''
+        UMask 0002
+      '';
+    };
+    systemd.services.opendkim = lib.mkIf cfg.dkim.enable {
+      # changed to use larger key size
+      preStart =
+        let
+          inherit (config.services.opendkim) keyPath selector;
+        in
+        lib.mkForce ''
+          cd "${keyPath}"
+          if ! test -f ${selector}.private; then
+            ${pkgs.opendkim}/bin/opendkim-genkey \
+              -s ${selector} \
+              -d all-domains-generic-key \
+              -b 4096
+            echo "Generated OpenDKIM key! Please update your DNS settings:\n"
+            echo "-------------------------------------------------------------"
+            cat ${selector}.txt
+            echo "-------------------------------------------------------------"
+          fi
+        '';
+    };
+
+    users.users.postfix.extraGroups = lib.mkIf cfg.dkim.enable (lib.singleton config.users.users.opendkim.group);
  };
 }