rnhmjoj/maxwell
2
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

email: set up for DANE

Browse Source
This commit is contained in:
Michele Guerini Rocco 2023-03-05 21:05:44 +01:00
parent c6d85f51dc
commit 35b1cfca26
Signed by: rnhmjoj
GPG Key ID: BFBAF4C975F76450
1 changed files with 39 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
email.nix
View File

@ -1,4 +1,4 @@
{ config, ... }: { config, pkgs, ... }:
{ {
imports = [ imports = [
@ -55,4 +55,42 @@
smtp_bind_address6 = 2001:470:c8e8:0:230:48ff:fefa:91e1 smtp_bind_address6 = 2001:470:c8e8:0:230:48ff:fefa:91e1
''; '';
# Keep the key stable across renewals (for DANE)
security.acme.certs.${config.mailserver.fqdn}.extraLegoRenewFlags = [ "--reuse-key" ];
# Utilities
environment.systemPackages = [
# computes the DANE records
(pkgs.writers.writeDashBin "mailserver-dane" ''
set -e
export PATH=${with pkgs; lib.makeBinPath [ coreutils openssl gawk ]}:$PATH
pubkey_hash() {
openssl x509 -noout -pubkey | \
openssl pkey -pubin -outform DER | \
sha256sum | cut -f1 -d' '
}
fqdn=${config.mailserver.fqdn}
cert="/var/lib/acme/$fqdn/cert.pem"
self=$(awk '{print $0} /END CERT/{exit}' "$cert" | pubkey_hash)
ca=$(awk '{if(keep) print $0} /END CERT/{keep=1}' "$cert" | pubkey_hash)
# main: DANE-EE(3) SPKI(1) SHA2-256(1)
printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$fqdn" "$self"
# fallback: DANE-TA(2) SPKI(1) SHA2-256(1)
printf '_25._tcp.%s. IN TLSA 2 1 1 %s\n' "$fqdn" "$ca"
'')
# computes the DKIM record
(pkgs.writers.writeDashBin "mailserver-dkim" ''
set -e
export PATH=${with pkgs; lib.makeBinPath [ coreutils gawk ]}:$PATH
domain=${builtins.elemAt config.mailserver.domains 0}
raw=$(cat ${config.mailserver.dkimKeyDirectory}/*.txt | tr -d '\n\t' | awk -F'"' '{print $2$4}')
printf 'mail._domainkey.%s IN TXT %s' "$domain" "$raw"
'')
];
} }