mail: use rspamd for dkim

2025-04-29 18:08:29 +02:00 · 2023-11-16 01:27:01 +01:00 · 2023-11-16 01:27:01 +01:00 · 719ef1ba91
commit 719ef1ba91
parent 52788f10ea
12 changed files with 145 additions and 102 deletions
--- a/hosts/falkenstein-1/modules/mail/default.nix
+++ b/hosts/falkenstein-1/modules/mail/default.nix
@ -21,7 +21,6 @@ in
    993 # IMAP
    4190 # sieve
  ];
-  users.users.postfix.extraGroups = [ "opendkim" ];
  users.users.rouven = {
    description = "Rouven Seifert";
    isNormalUser = true;
@ -98,8 +97,6 @@ in
        smtp_header_checks = "pcre:${header_cleanup}";

        alias_maps = [ "hash:/etc/aliases" ];
-        smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ];
-        non_smtpd_milters = [ "local:/var/run/opendkim/opendkim.sock" ];
        smtpd_sasl_auth_enable = true;
        smtpd_sasl_path = "/var/lib/postfix/auth";
        smtpd_sasl_type = "dovecot";
@ -201,14 +198,6 @@ in
      '';
    };

-    opendkim = {
-      enable = true;
-      domains = "csl:${domain}";
-      selector = "falkenstein";
-      configFile = pkgs.writeText "opendkim-config" ''
-        UMask                   0117
-      '';
-    };
    rspamd = {
      enable = true;
      postfix.enable = true;
@ -220,6 +209,9 @@ in
          read_servers = "127.0.0.1";
          write_servers = "127.0.0.1";
        '';
+        "milter_headers.conf".text = ''
+          use = ["x-spam-level", "x-spam-status", "x-spamd-result", "authentication-results" ];
+        '';
        "dmarc.conf".text = ''
          reporting {
            # Required attributes
@ -230,6 +222,16 @@ in
            from_name = 'DMARC Aggregate Report';
          }
        '';
+        "dkim_signing.conf".text = ''
+          selector = "rspamd";
+          allow_username_mismatch = true;
+          domain {
+            rfive.de {
+              path = /var/lib/rspamd/dkim/rfive.key;
+              selector = "rspamd";
+            }
+          }
+        '';
      };
    };
    redis = {
--- a/hosts/falkenstein-1/modules/nginx/default.nix
+++ b/hosts/falkenstein-1/modules/nginx/default.nix
@ -1,46 +1,63 @@
-{ config, ... }:
-# matrix homeserver discovery
-let
-  matrix_domain = "matrix.${config.networking.domain}";
-  serverConfig = {
-    "m.server" = "${matrix_domain}:443";
-  };
-  clientConfig = {
-    "m.homeserver" = {
-      base_url = "https://${matrix_domain}";
-      # server_name = config.networking.domain;
-    };
-    "org.matrix.msc3575.proxy" = {
-      url = "https://${matrix_domain}";
-    };
-  };
-  mkWellKnown = data: ''
-    add_header Content-Type application/json;
-    add_header Access-Control-Allow-Origin *;
-    return 200 '${builtins.toJSON data}';
-  '';
-in
+{ config, lib, ... }:
 {
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-  services.nginx = {
-    enable = true;
-    recommendedTlsSettings = true;
-    recommendedProxySettings = true;
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
+  # set default options for virtualHosts
+  options = with lib; {
+    services.nginx.virtualHosts = mkOption {
+      type = types.attrsOf (types.submodule
+        ({ name, ... }: {
+          # split up nginx access logs per vhost
+          extraConfig = ''
+            access_log /var/log/nginx/${name}_access.log;
+            error_log /var/log/nginx/${name}_error.log;
+          '';
+        })
+      );
+    };
+  };
+  config =
+    let
+      # matrix homeserver discovery
+      matrix_domain = "matrix.${config.networking.domain}";
+      serverConfig = {
+        "m.server" = "${matrix_domain}:443";
+      };
+      clientConfig = {
+        "m.homeserver" = {
+          base_url = "https://${matrix_domain}";
+          # server_name = config.networking.domain;
+        };
+        "org.matrix.msc3575.proxy" = {
+          url = "https://${matrix_domain}";
+        };
+      };
+      mkWellKnown = data: ''
+        add_header Content-Type application/json;
+        add_header Access-Control-Allow-Origin *;
+        return 200 '${builtins.toJSON data}';
+      '';
+    in
+    {
+      networking.firewall.allowedTCPPorts = [ 80 443 ];
+      services.nginx = {
+        enable = true;
+        recommendedTlsSettings = true;
+        recommendedProxySettings = true;
+        recommendedGzipSettings = true;
+        recommendedOptimisation = true;

-    virtualHosts."${config.networking.domain}" = {
-      enableACME = true;
-      forceSSL = true;
-      root = "/srv/web/${config.networking.domain}";
-      locations."/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
-      locations."/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+        virtualHosts."${config.networking.domain}" = {
+          enableACME = true;
+          forceSSL = true;
+          root = "/srv/web/${config.networking.domain}";
+          locations."/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+          locations."/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+        };
+      };
+      security.acme = {
+        acceptTerms = true;
+        defaults = {
+          email = "rouven@${config.networking.domain}";
+        };
+      };
    };
-  };
-  security.acme = {
-    acceptTerms = true;
-    defaults = {
-      email = "rouven@${config.networking.domain}";
-    };
-  };
 }