From 617d239160c7708bb4f727e5f7f0448708bee1b5 Mon Sep 17 00:00:00 2001
From: root <root@pastila>
Date: Fri, 21 Jun 2024 19:17:09 +0200
Subject: [PATCH] email tweaks

---
 pastila/imap.nix |  2 +-
 pastila/smtp.nix | 22 +++++++++++++++++-----
 2 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/pastila/imap.nix b/pastila/imap.nix
index 44bb85b..8449dbf 100644
--- a/pastila/imap.nix
+++ b/pastila/imap.nix
@@ -35,6 +35,6 @@
       "imap.tremeg.net"
       "imap.gueneau.me"
     ];
-    # group = config.services.dovecot2.group;
+    group = config.services.dovecot2.group;
   };
 }
\ No newline at end of file
diff --git a/pastila/smtp.nix b/pastila/smtp.nix
index 67af28a..8ab9ab2 100644
--- a/pastila/smtp.nix
+++ b/pastila/smtp.nix
@@ -224,8 +224,8 @@ host_lookup = *
 # connection, leading to delays on starting up SMTP sessions. (The default was
 # reduced from 30s to 5s for release 4.61.)
 
-rfc1413_hosts = *
-rfc1413_query_timeout = 5s
+rfc1413_hosts =
+# rfc1413_query_timeout = 5s
 
 
 # By default, Exim expects all envelope addresses to be fully qualified, that
@@ -306,6 +306,9 @@ timeout_frozen_after = 7d
 
 # accept_8bitmime = false
 
+slow_lookup_log = 500
+log_selector = +ident_timeout
+
 ######################################################################
 #                       ACL CONFIGURATION                            #
 #         Specifies access control lists for incoming SMTP mail      #
@@ -712,7 +715,7 @@ remote_smtp:
   driver = smtp
 #  hosts_require_tls = *
   dkim_domain = $sender_address_domain
-  dkim_selector = 27112015
+  dkim_selector = ${opendkim_selector}
   dkim_private_key = /var/lib/opendkim/keys/${opendkim_selector}.private
   dkim_canon = relaxed
   dkim_strict = 0
@@ -916,10 +919,11 @@ dovecot_plain:
       "smtp.tremeg.net"
       "smtp.gueneau.me"
     ];
-    # group = config.services.exim.group;
+    group = config.services.exim.group;
   };
 
   # FIXME
+  environment.systemPackages = [ pkgs.acl ];
   system.activationScripts."secrets-permissions" = lib.mkForce ''
     # Default to restrictive permissions on secrets.
     # Root can alway read/write/traverse directories no matter the permissions
@@ -938,12 +942,20 @@ dovecot_plain:
 
     mkdir -p /etc/secrets/exim/virtual
     mkdir -p /etc/secrets/exim/domains
+    chmod 700 /etc/secrets/exim
+    chmod 700 /etc/secrets/exim/virtual
+    chmod 700 /etc/secrets/exim/domains
     chown --recursive ${config.services.exim.user}:${config.services.exim.group} /etc/secrets/exim
 
     mkdir -p /etc/secrets/dovecot
+    chmod -R 700 /etc/secrets/dovecot
     chown --recursive ${config.services.dovecot2.user}:${config.services.dovecot2.group} /etc/secrets/dovecot
 
-    # XXX
+    # XXX clean this up
     chmod g+r /var/lib/opendkim/keys/${opendkim_selector}.private
+    chmod g+rx /var/lib/opendkim/
+    ${pkgs.acl}/bin/setfacl -m g:exim:x /var/lib/opendkim/
+    ${pkgs.acl}/bin/setfacl -m g:exim:x /var/lib/opendkim/keys/
+    ${pkgs.acl}/bin/setfacl -m g:exim:r /var/lib/opendkim/keys/21062024.private 
   '';
 }
\ No newline at end of file