email tweaks

root 2024-06-21 19:17:09 +02:00
parent 976dd1d597
commit 617d239160
2 changed files with 18 additions and 6 deletions


@ -35,6 +35,6 @@
"imap.tremeg.net" "imap.tremeg.net"
"imap.gueneau.me" "imap.gueneau.me"
]; ];
# group = config.services.dovecot2.group; group = config.services.dovecot2.group;
}; };
} }


@ -224,8 +224,8 @@ host_lookup = *
# connection, leading to delays on starting up SMTP sessions. (The default was # connection, leading to delays on starting up SMTP sessions. (The default was
# reduced from 30s to 5s for release 4.61.) # reduced from 30s to 5s for release 4.61.)
rfc1413_hosts = * rfc1413_hosts =
rfc1413_query_timeout = 5s # rfc1413_query_timeout = 5s
# By default, Exim expects all envelope addresses to be fully qualified, that # By default, Exim expects all envelope addresses to be fully qualified, that
@ -306,6 +306,9 @@ timeout_frozen_after = 7d
# accept_8bitmime = false # accept_8bitmime = false
slow_lookup_log = 500
log_selector = +ident_timeout
###################################################################### ######################################################################
# ACL CONFIGURATION # # ACL CONFIGURATION #
# Specifies access control lists for incoming SMTP mail # # Specifies access control lists for incoming SMTP mail #
@ -712,7 +715,7 @@ remote_smtp:
driver = smtp driver = smtp
# hosts_require_tls = * # hosts_require_tls = *
dkim_domain = $sender_address_domain dkim_domain = $sender_address_domain
dkim_selector = 27112015 dkim_selector = ${opendkim_selector}
dkim_private_key = /var/lib/opendkim/keys/${opendkim_selector}.private dkim_private_key = /var/lib/opendkim/keys/${opendkim_selector}.private
dkim_canon = relaxed dkim_canon = relaxed
dkim_strict = 0 dkim_strict = 0
@ -916,10 +919,11 @@ dovecot_plain:
"smtp.tremeg.net" "smtp.tremeg.net"
"smtp.gueneau.me" "smtp.gueneau.me"
]; ];
# group = config.services.exim.group; group = config.services.exim.group;
}; };
# FIXME # FIXME
environment.systemPackages = [ pkgs.acl ];
system.activationScripts."secrets-permissions" = lib.mkForce '' system.activationScripts."secrets-permissions" = lib.mkForce ''
# Default to restrictive permissions on secrets. # Default to restrictive permissions on secrets.
# Root can alway read/write/traverse directories no matter the permissions # Root can alway read/write/traverse directories no matter the permissions
@ -938,12 +942,20 @@ dovecot_plain:
mkdir -p /etc/secrets/exim/virtual mkdir -p /etc/secrets/exim/virtual
mkdir -p /etc/secrets/exim/domains mkdir -p /etc/secrets/exim/domains
chmod 700 /etc/secrets/exim
chmod 700 /etc/secrets/exim/virtual
chmod 700 /etc/secrets/exim/domains
chown --recursive ${config.services.exim.user}:${config.services.exim.group} /etc/secrets/exim chown --recursive ${config.services.exim.user}:${config.services.exim.group} /etc/secrets/exim
mkdir -p /etc/secrets/dovecot mkdir -p /etc/secrets/dovecot
chmod -R 700 /etc/secrets/dovecot
chown --recursive ${config.services.dovecot2.user}:${config.services.dovecot2.group} /etc/secrets/dovecot chown --recursive ${config.services.dovecot2.user}:${config.services.dovecot2.group} /etc/secrets/dovecot
# XXX # XXX clean this up
chmod g+r /var/lib/opendkim/keys/${opendkim_selector}.private chmod g+r /var/lib/opendkim/keys/${opendkim_selector}.private
chmod g+rx /var/lib/opendkim/
${pkgs.acl}/bin/setfacl -m g:exim:x /var/lib/opendkim/
${pkgs.acl}/bin/setfacl -m g:exim:x /var/lib/opendkim/keys/
${pkgs.acl}/bin/setfacl -m g:exim:r /var/lib/opendkim/keys/21062024.private
''; '';
} }
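Review bot: The last added line of the secrets-permissions hunk hard-codes the key filename `21062024.private`, while the `chmod` two lines earlier and the Exim `dkim_private_key` setting both derive it from `${opendkim_selector}`; the next key rotation will leave the ACL on a stale file and the transport unable to read the new one. Use the same interpolation: `${pkgs.acl}/bin/setfacl -m g:exim:r /var/lib/opendkim/keys/${opendkim_selector}.private`. Once that ACL grants read to the exim group, the preceding `chmod g+r` on the private key appears redundant and widens access to the file's owning group rather than to exim alone, so it could be dropped; likewise `chmod g+rx /var/lib/opendkim/` overlaps with the directory ACLs that follow. The activation script begins in an earlier hunk, outside this one.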