email tweaks

2024-06-21 19:17:09 +02:00 · 2024-06-21 19:17:09 +02:00 · 617d239160
commit 617d239160
parent 976dd1d597
2 changed files with 18 additions and 6 deletions
--- a/pastila/imap.nix
+++ b/pastila/imap.nix
@ -35,6 +35,6 @@
      "imap.tremeg.net"
      "imap.gueneau.me"
    ];
-    # group = config.services.dovecot2.group;
+    group = config.services.dovecot2.group;
  };
 }
--- a/pastila/smtp.nix
+++ b/pastila/smtp.nix
@ -224,8 +224,8 @@ host_lookup = *
 # connection, leading to delays on starting up SMTP sessions. (The default was
 # reduced from 30s to 5s for release 4.61.)

-rfc1413_hosts = *
-rfc1413_query_timeout = 5s
+rfc1413_hosts =
+# rfc1413_query_timeout = 5s


 # By default, Exim expects all envelope addresses to be fully qualified, that
@ -306,6 +306,9 @@ timeout_frozen_after = 7d

 # accept_8bitmime = false

+slow_lookup_log = 500
+log_selector = +ident_timeout
+
 ######################################################################
 #                       ACL CONFIGURATION                            #
 #         Specifies access control lists for incoming SMTP mail      #
@ -712,7 +715,7 @@ remote_smtp:
  driver = smtp
 #  hosts_require_tls = *
  dkim_domain = $sender_address_domain
-  dkim_selector = 27112015
+  dkim_selector = ${opendkim_selector}
  dkim_private_key = /var/lib/opendkim/keys/${opendkim_selector}.private
  dkim_canon = relaxed
  dkim_strict = 0
@ -916,10 +919,11 @@ dovecot_plain:
      "smtp.tremeg.net"
      "smtp.gueneau.me"
    ];
-    # group = config.services.exim.group;
+    group = config.services.exim.group;
  };

  # FIXME
+  environment.systemPackages = [ pkgs.acl ];
  system.activationScripts."secrets-permissions" = lib.mkForce ''
    # Default to restrictive permissions on secrets.
    # Root can alway read/write/traverse directories no matter the permissions
@ -938,12 +942,20 @@ dovecot_plain:

    mkdir -p /etc/secrets/exim/virtual
    mkdir -p /etc/secrets/exim/domains
+    chmod 700 /etc/secrets/exim
+    chmod 700 /etc/secrets/exim/virtual
+    chmod 700 /etc/secrets/exim/domains
    chown --recursive ${config.services.exim.user}:${config.services.exim.group} /etc/secrets/exim

    mkdir -p /etc/secrets/dovecot
+    chmod -R 700 /etc/secrets/dovecot
    chown --recursive ${config.services.dovecot2.user}:${config.services.dovecot2.group} /etc/secrets/dovecot

-    # XXX
+    # XXX clean this up
    chmod g+r /var/lib/opendkim/keys/${opendkim_selector}.private
+    chmod g+rx /var/lib/opendkim/
+    ${pkgs.acl}/bin/setfacl -m g:exim:x /var/lib/opendkim/
+    ${pkgs.acl}/bin/setfacl -m g:exim:x /var/lib/opendkim/keys/
+    ${pkgs.acl}/bin/setfacl -m g:exim:r /var/lib/opendkim/keys/21062024.private 
  '';
 }