postfix: fix DKIM signing

although gmail doesn't seem to be accepting my messages yet :'(
2022-05-06 11:43:17 +00:00 · 2022-05-06 11:43:17 +00:00 · 07c8ff12a6
commit 07c8ff12a6
parent fec0f3757a
2 changed files with 34 additions and 15 deletions
--- a/config/net.nix
+++ b/config/net.nix
@ -3,10 +3,11 @@
 {
  networking.domain = "uninsane.org";

-  networking.firewall.enable = true;
-  networking.firewall.allowedTCPPorts = [ 25 80 443 ];
-  # DLNA ports: https://jellyfin.org/docs/general/networking/index.html
-  networking.firewall.allowedUDPPorts = [ 1900 7359 ];
+  networking.firewall.enable = false;
+  # networking.firewall.enable = true;
+  # networking.firewall.allowedTCPPorts = [ 25 80 443 ];
+  # # DLNA ports: https://jellyfin.org/docs/general/networking/index.html
+  # networking.firewall.allowedUDPPorts = [ 1900 7359 ];

  # we need to use externally-visible nameservers in order for VPNs to be able to resolve hosts.
  networking.nameservers = [
--- a/config/services/postfix.nix
+++ b/config/services/postfix.nix
@ -12,24 +12,42 @@

  services.postfix.extraConfig = ''
    # smtpd_milters = local:/run/opendkim/opendkim.sock
-    smtpd_milters = inet:localhost:8891
+    # milter docs: http://www.postfix.org/MILTER_README.html
+    # mail filters for receiving email and authorized SMTP clients
+    # smtpd_milters = inet:185.157.162.190:8891
+    smtpd_milters = unix:/run/opendkim/opendkim.sock
+    # mail filters for sendmail
    non_smtpd_milters = $smtpd_milters
    milter_default_action = accept
+    inet_protocols = ipv4
  '';

-  services.opendkim.enable = true;
-  services.opendkim.domains = "csl:uninsane.org";
-
-  # we use a custom (inet) socket, because the default perms
-  # of the unix socket don't allow postfix to connect
-  services.opendkim.socket = "inet:8891@localhost";
-  # selectors can be used to disambiguate sender machines.
-  # keeping this the same as the hostname seems simplest
-  services.opendkim.selector = "mx";
-
  systemd.services.postfix.after = ["wg0veth.service"];
  systemd.services.postfix.serviceConfig = {
    # run this behind the OVPN static VPN
    NetworkNamespacePath = "/run/netns/ovpns";
  };
+
+
+  services.opendkim.enable = true;
+  # services.opendkim.domains = "csl:uninsane.org";
+  services.opendkim.domains = "uninsane.org";
+
+  # we use a custom (inet) socket, because the default perms
+  # of the unix socket don't allow postfix to connect.
+  # this sits on the machine-local 10.0.1 interface because it's the closest
+  # thing to a loopback interface shared by postfix and opendkim netns.
+  # services.opendkim.socket = "inet:8891@185.157.162.190";
+  # services.opendkim.socket = "local:/run/opendkim.sock";
+  # selectors can be used to disambiguate sender machines.
+  # keeping this the same as the hostname seems simplest
+  services.opendkim.selector = "mx";
+
+  systemd.services.opendkim.after = ["wg0veth.service"];
+  systemd.services.opendkim.serviceConfig = {
+    # run this behind the OVPN static VPN
+    NetworkNamespacePath = "/run/netns/ovpns";
+    # /run/opendkim/opendkim.sock needs to be rw by postfix
+    UMask = lib.mkForce "0011";
+  };
 }