by Joshua Branson — December 22, 2022
EDIT 02-24-2023: Through this whole process, I have used this guide to set up email. If you are going to try to set up your own email service, do check it out: https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/
I was recently encouraged by the delightfully friendly raghavgururajan to try to merge my opensmtpd service project into guixrus, which is a small community actively working to upstream packages and services into guix proper. I figured, why not? Sounds like fun. The following post will describe my developmental workflow, which is probably pretty poor…
tl;dr
Soonish, I will clean up the code for a proper ~opensmtpd-service-type~ with ~opensmtpd-records~ for guix system. It may take 6 months to get it in a clean state. Until it is merged, you may find it here:
https://git.sr.ht/~whereiseveryone/guixrus/commit/255875f7d86e92bb64006a59be26c64430c0c046
The current documentation is here:
My server's config is here:
The current task list is here:
https://notabug.org/jbranso/linode-guix-system-configuration/src/master/opensmtpd.org
Added, the guixrus channel to my ~/.config/guix/channels.scm
cat ~/.config/guix/channels.scm
(cons* (channel ;; for firefox-wayland
(name 'nonguix)
(url "https://gitlab.com/nonguix/nonguix")
;; Enable signature verification:
(introduction
(make-channel-introduction
"897c1a470da759236cc11798f4e0a5f7d4d59fbc"
(openpgp-fingerprint
"2A39 3FFF 68F4 EF7A 3D29 12AF 6F51 20A0 22FB B2D5"))))
(channel ;; for sway-latest
(name 'guixrus)
(url "https://git.sr.ht/~whereiseveryone/guixrus")
(introduction
(make-channel-introduction
"7c67c3a9f299517bfc4ce8235628657898dd26b2"
(openpgp-fingerprint
"CD2D 5EAA A98C CB37 DA91 D6B0 5F58 1664 7F8B E551"))))
%default-channels)Before I submit the patch, I should make sure that the code actually works. To do that, I logged into my gnucode.me server tried to set up the opensmtpd server.
guix pull --url=https://notabug.org/jbranso/guix/src/newOpensmtpdBranch \
--branch=newOpensmtpdBranch
Updating channel 'guix' from Git repository at 'https://notabug.org/jbranso/guix'...
guix pull: error: Git error: cannot locate remote-tracking branch 'origin/keyring'
guix pull --url=https://notabug.org/jbranso/guix \
--commit=8abbb6c442d135ae8e7c1cb0e17525478fafe8f0
Updating channel 'guix' from Git repository at 'https://notabug.org/jbranso/guix'...
guix pull: error: Git error: cannot locate remote-tracking branch 'origin/keyring'Hmm, well my opensmtpd service is NOT using signed commits. That’s probably the problem. Hmmm… Well I guess I need to start signing my commits. Generate an gpg key. grrr….
These three pages are seem promising:
https://moser-isi.ethz.ch/gpg.html
https://wiki.debian.org/Keysigning
https://risanb.com/code/backup-restore-gpg-key/
gpg --full-generate-key
gpg: directory '/home/joshua/.gnupg/openpgp-revocs.d' created
h.lgpg: revocation certificate stored as '/home/joshua/.gnupg/openpgp-revocs.d/LOTSOFNUMBERS.rev'I copied my Revocation-Certificate into my spare usb:
sudo cp .gnupg/openpgp-revocs.d/LOTSOFNUMBERS.rev /mnt/gnucode.gpg.revLet’s export my gpg key to the server.
gpg --auto-key-locate keyserver -a --send-keys 67A42A3CC23F979886F9686C750BCFEF3A579572
gpg -a --export gnucode
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGOSU7sBEAC/8renj2OgTHKJfbqz7CRplPQ0su8aasJXTkunx70IhVpTFBS+
9Bwvjbo7HM2aBYD/NYa6n24J3OXla17uDxFt2i63ojhbl5AVntac3ZOeyn661Y2U
r9szIRM+edTieWZZvY5G49ZFTH5VJ+jZS2leRLpIqsYCst+Ru61MdUUggBNvPgBm
q97HAylBqQs0kf7XfctyqKbkChLsvkuD5cR1X8BQL8KAn/KDXrDSwj4hIO+tSdv5
VmaTC+6/xbdqfq6gpywJMEPkLNUjCArlF+Oz5UqQvLh1lRXWPejzFa0LmXsviqb3
RmQh+9cNvDVge+kYIRWHhCXY5dTau7ABnYsgxnW3zlBkFNbc+I5Sqiz6LDcuInlA
QznFw90GL3l0+1WGzeAD5DhNx6hgpOYvFZV7S3OgbOGeOHvF7bFBixB6Pa3oByMn
euKqol+rOZiUkjcaxo5XUKsglFLgOaxfmZujO7lwoipYXxiyD7jf1+ou1WZ5C3l+
YCOnia2qWE5DRpR/WDBRLQl3ZrCUtDQW7dKNAuweEgDT5T53k2m3Gqu1Z28SrzIS
is+SHZcZhv4dx9Cs6sX6me3WzQ3wgoI9DNW5v8XGitaGQFjIRI33Y8MeGjEBMip3
ZnT6Cl8WJgd0JBXsPQnKw1EO1sh2S5cU5drvHkuCPMA/PaBb8XrNpobSlwARAQAB
tDNKb3NodWEgQWxsZW4gQnJhbnNvbiAoZ251Y29kZSkgPGpicmFuc29AZGlzbWFp
bC5kZT6JAk4EEwEIADgWIQRnpCo8wj+XmIb5aGx1C8/vOleVcgUCY5JTuwIbAwUL
CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRB1C8/vOleVcgwwEACp4ZwBIM/4Udc9
ndZvUJeegSP0W7o86v+9ELXfXdX99ZO0iErr6/XTWxov0mw7AaoDJRdETBTkYeU0
/CDrLcjklW8b7RZe98+Cr0+IB9XSozpqNVhiP7/TogL80lkbu2+Khtk29E/UYupt
8rihR+2tkDKPaWOufGgi+6ftw8A9P9jlFsV1N1Oxo4rA+gbcXHtxbDiZ1dR2UOAS
Ge7TJPpIjgSiG+nm6b9BIoAxLpjf5JrwpNm5wvDXic1YP27GC2Il9Ny7TdGyKpn9
RCZXR1yEMQTVNn4iEiMK6XIcoAFUS1oWAP2JKQ4bCfcxM/VGx31rsGgNL36iW6yj
zLD9yJYhbvm536CiRb2cTco+lAmwS9/iM4Bdpp/H9fZFPp2CxeB02mOd/P0HkC+2
Po2KXpEj6Ettjp0xJcAQye75vRvjDMkHvTvugfY4FQg6V6a6N3jxSbfwuFUp426F
fgfki4Y7OWm47mYa7goI4oDOG2qUdN5YkbhpVA+j2tGGHbbXmUtvj4MES4fnaSkF
vc6+xMZpFTWcFRt8rVTqS1Vu1w8zfT/VUV+FC/J6hdSxIQJ4dg4WsaD2kzGflZzO
miTyxMYPvdQ6I7Nshp/bEyfd9F40sXm/kzL6r+qm9+ly2uR5V+bIo9gu6CfkM0ZJ
DDiIf9wkk+xSb/AGj1YVazQKpKS0wLkCDQRjklO7ARAAzrtyGaOFTtCHlItxxb51
s0Qt5LZwG3sNUjI9P7n3oZrzI35sbPrWxWCX2MMW0gUIx79dlMzQBt1RXQEKiipr
RdSrtuclTytxaMtLRP+VtmcRQkGgKb20ipCvFHX4oA7L+3Y8s2RQBsz+wo9h55Dt
iQRxoONm9biHXBUZ4EJnR4B8z0dp9j+fctTR4ds6OI3jIeKHcd4AALYIpyBnh5ue
5Iictiv0evBjcogfCttHlg/NK3TVZpq8YYOG8x+8XVrvvJ5WKtmXduZuFIL3+Wmv
jBv807a4zGLPLpB6OcD7fj/12Eo9n7d9gHZOV200rPguzt9YMIoRGgtSEEpMsvrJ
5upiFLPULj/14arXePdqZshlU01U0uE6glGJRUt7IVyU+1LbziQ8JqBlVTnRRYrb
uKDFqzmtd3zhLDPAPLkv7xLtEjYUPcFDmrf33dz22FHUGeOB0G5Ur+e9qTedfmj0
r5sHaoCspZzDcVR8sKyuUdAnRAGxJs9eIFUq2GkyxZGgfJoU2A9RMxg+YTfFfdQV
guvvPj6udOF4ugmIW1EnDXza08UyDqOITLIadNu4GqZL407JRIRtYfw48qQgL3Zo
6lqxC/3n7orkuRU/cKvHArqQt1sP7ZYzAy5N/yoY0/m3o2RV9Li7SkF2m5By8EjH
RNvQMPsipdvjWf4I+jLaAM0AEQEAAYkCNgQYAQgAIBYhBGekKjzCP5eYhvlobHUL
z+86V5VyBQJjklO7AhsMAAoJEHULz+86V5Vy6U0QAJtjybCfDAqE5DIcKkiBDbIN
erk+MTU+uOROuVigDCyvqJUuxtGaJPIRWdBQuHcQxnf6Bv1xoAeDk/7hyL7i5+rz
9vWZnSZRr4DB6pY8G5jz/HGdML4luEtuOrE5UMN8Bf5PM/9sj/c1QSuMhpAMw5TL
GoAu+MY/uDCHLb2nzwLIaCPFDTX0q5HgFQA7Do78fdxxPLqPlbg9xeTsAP5P6Egb
/8NUUa1SM4mfygriyL82nLH9SvwtnEbItovAWE+GH4XkE8xSjvWl6MpCk0+H0Xtr
WdbxtKqE7BPzs0lN3NOi+mOJABDt5ozPGfVcUsB/nqz00YiF33CQWu0ote1Q1TKn
NPOCLqFM3F1rG2z7Bf/LP9p6CpmfQGr54XmKpGinYNr8dqRtLEMVERCxGI+BuNhZ
ppQLuqOlHinKPaBO58LCwLA0uMScbmjgTQrJiXolCGHYXorCx3rcqitvMzbAcswr
wMeAXMREYKGM84Pf8fGxv+GZZwfQJHQNbOFrOTpnRITDAZvzKBD97yWkXcLGt6B7
A5iRXOI8sv9CGM3kI78b+MCcgbz8HNGF2RQipGNQZhEgL4ixbhpMaMVUuTo7BrKr
M3IeyVwUMpUBFbk5OqLsMqPbL2VvL6x1zgg4P0LmGQYoikKiwmPl/OyRQW6btWCG
1f7+w1RrcKjUANLQNjXm
=Vl9S
-----END PGP PUBLIC KEY BLOCK-----
gpg -a --export gnucode > gnucode.pub
sudo cp gnucode.pub /mnt/Now let’s backup the gpg key.
gpg --export-secret-keys --armor gnucode > secret-key-backup.asc
sudo mv secret-key-backup.asc /mnt/If I ever need to move that gpg key to another computer, all I have to do is:
gpg --import /path/to/secret-key-backup.ascLet’s try testing a signed commit.
git config --global commit.gpgsign truegpg --list-secret-keys --keyid-format=long
# git config --global user.signingkey MYSIGNINGKEY
git config --global alias.logs "log --show-signature"
git commit -m "mail.scm: minor sanitization improvements."Ok well let’s try this to see what the error was:
GIT_TRACE=1 git commit -m "blah" -S
23:07:37.656401 git.c:460 trace: built-in: git commit -m blah -S
23:07:37.678825 run-command.c:655 trace: run_command: gpg --status-fd=2 -bsau 750BCFEF3A579572
error: gpg failed to sign the data
fatal: failed to write commit object
gpg --status-fd=2 -bsau 750BCFEF3A579572As I was running through the above command, I realized that, it is possible that I did not have pinentry installed:
guix install pinentry
git logsNow I think I will try rebooting and check to see if I can still sign git commits.
And after I rebooted, I cannot sign commits with emacs…
Emacs says “hint: Waiting for your editor to close the file…” “Waiting for Emacs”
Well online, I see this as a possible solution
git config --global core.editor emacsWell that didn’t quite work. I was able to squash two commits, via emacs, but only after I had the gpg agent had cached my private key password. That makes me think that magit is having a hard time querying my for my password.
Well let me try updating doom emacs. I doubt that will work, but I’ll try it. That didn’t work. :(
Well I found a possible error here:
https://github.com/magit/with-editor/issues/69
https://emacs.stackexchange.com/questions/74097/magit-cannot-commit-emacsclient-on-path-pop-os
https://magit.vc/manual/with-editor/Configuring-With_002dEditor.html
Then I thought, how about I disable the with-editor elisp package that doom
emacs ships and instead guix install emacs-with-editor. Let’s try that.
cat .doom.d/packages.el | grep with-editor
(package! with-editor :disable t)
doom upgrade
doom sync
guix install emacs-with-editorNope. That didn’t work either. Hmmm. I can get emacs to commit the message, after the gpg agent caches my key’s password.
Well let’s try running emacs without any configuration: emacs -q. Nope. That
also didn’t work. :(
My current theory is that my wayland only session is prohibiting the pinentry from displaying, which is NOT allowing me to enter in my gpg password. I shall try temporarily enabling Xwayland and see if that fixed it.
cat config | grep xwayland
# disable xwayland. Just trying it out
xwayland enableYup! That fixed it. With the above, I can now sign my commits with emacs! But I would rather keep my wayland only session. Let’s try pinetry-bemenu:
guix package -i pinentry-bemenu -r pinentry
cat config | grep xwayland
# disable xwayland.
xwayland disableWell that didn’t work. Let’s try pinetry-gnome3.
guix package -r pinentry-bemenu -i pinentry-gnome3Nope. It’s X only. Let’s try qt:
guix package -r pinentry-gnome3 -i pinentry-qtNope. That also seems to be X only. grr. Maybe this bemenu thing works, but I need to configure it properly.
Well let’s install pinentry, and temporarily enable xwayland.
guix package -r pinentry-tty -i pinentry
cat config | grep xwayland
# enable xwayland.
xwayland enableWell I should probably try eventually to edit .config/gpg.conf and tell it to
use pinentry-bemu as the pinentry program.
I think that spending all that time working on getting gpg key signing to work was probably a big waste of time. :( I think instead of keeping my opensmtpd code in guix-src/gnu/services/mail.scm, I will move it to guixrus/services/opensmtpd.scm. Then I can just copy opensmtpd.scm file to my linode server, and manually load in that code to start my opensmtpd service.
First I will delete the opensmtpd record stuff in gnu/services/mail.scm. I don’t want myself getting confused where I am storing my developmental code.
Now I will cp my opensmtpd.scm code into my linode service git repo.
cp opensmtpd.scm ~/prog/gnu/guix/guix-config/linode-guix-system-configuration/guixrus/services/
ls ~/prog/gnu/guix/guix-config/linode-guix-system-configuration/guixrus/services/opensmtpd.scm
cat ~/prog/gnu/guix/guix-config/linode-guix-system-configuration/guixrus/services/opensmtpd.scm | tail
/home/joshua/prog/gnu/guix/guix-config/linode-guix-system-configuration/guixrus/services/opensmtpd.scm
(service-extension pam-root-service-type
(const %opensmtpd-pam-services))
(service-extension profile-service-type
(compose list opensmtpd-configuration-package))
(service-extension shepherd-root-service-type
opensmtpd-shepherd-service)
(service-extension setuid-program-service-type
opensmtpd-set-gids)))
(description "Run the OpenSMTPD, a lightweight @acronym{SMTP, Simple Mail
Transfer Protocol} server.")))Now I will commit the changes to my linode git repo and push them.
git add opensmtpd.scm
git commit -m "copying opensmtpd.scm from guixrus."
[master 7399550] copying opensmtpd.scm from guixrus.
1 file changed, 7 insertions(+)
rename opensmtpd.scm => guixrus/services/opensmtpd.scm (99%)Hmmm, was that commit signed? No idea.
Now let’s push that commit.
git pushNow let's log into the gnucode service and pull that commit.
git pull
cat opensmtpd.scm | tail
Updating a8d88b9..7399550
Fast-forward
opensmtpd.scm => guixrus/services/opensmtpd.scm | 7 +++++++
1 file changed, 7 insertions(+)
rename opensmtpd.scm => guixrus/services/opensmtpd.scm (99%)I am realizing that it will probably be easiest to reconfigure my server with my
opensmtpd records, if my server has the same directory structure as my local
machine. Namely my git repos are in the same directories. So I did some changes
on my server to make sure that my server's directory structure matches my local
one. Now my server’s config.scm is no longer at
~/linode-guix-system-configuration/linode-locke-lamora-current-config.scm. Now
it is at:
find . -name '*current-config.scm'
./prog/gnu/guix/guix-config/linode-guix-system-configuration/linode-locke-lamora-current-config.scmI want to make sure that my remote server has a copy of the guixrus source code
with my newest commit committing services/opensmtpd.scm.
So, I made a guixrus repo on notabug.org, then I pulled that repo on my server:
git clone https://notabug.org/jbranso/guixrus
git show HEAD | head
commit 147a9ce316be2f9f7c9ed25b3e097fd84b8b01eb
Author: Joshua Branson <jbranso@dismail.de>
Date: Thu Dec 22 09:21:19 2022 -0500
services (opensmtpd): add opensmtpd records to enhance opensmtpd-configuration.
Openmstpd-configuration may only be configured by a config-file that
uses the smtpd.conf syntax. This patch, enables one to configure
opensmtpd by using record types.It would be nice to test the configuration locally, to see if it will work before I push it to the server.
guix system vm linode-locke-lamora-current-config.scm
guix system: error: (cert "/etc/letsencrypt/live/gnucode.me/fullchain.pem") is invalid.
hint: Try a file.The above is actually a good sign. I do not have that certificate locally, but it is available on the server. If that is the only error, then let’s go ahead and try to reconfigure the server.
The relevant opensmtpd-service looks like:
(service opensmtpd-service-type
(let ([action-receive (opensmtpd-local-delivery
(name "receive")
(method (opensmtpd-maildir
(pathname "/home/%{rcpt.user}/Maildir")
(junk #t)))
(virtual (opensmtpd-table
(name "vusers")
(data '(("joshua@gnucode.me" . "joshua")
("jbranso@gnucode.me" . "joshua")
("postmaster@gnucode.me" . "joshua"))))))]
[pki-gnucode (opensmtpd-pki
(domain "smtp.gnucode.me")
(cert "/etc/letsencrypt/live/gnucode.me/fullchain.pem")
(key "/etc/letsencrypt/live/gnucode.me/privkey.pem"))]
[filter-dkimsign (opensmtpd-filter
(name "dkimsign")
(exec #t)
(proc (list (file-append opensmtpd-filter-dkimsign "/libexec/opensmtpd/filter-dkimsign")
" -d gnucode.me -s 2021-09-22 -c relaxed/relaxed -k "
"/etc/dkim/private.key "
"user nobody group nogroup")))]
[table-creds (opensmtpd-table
(name "creds")
(data
(list
(cons "joshua"
"$6$Ec4m8FgKjT2F/03Y$k66ABdse9TzCX6qaALB3WBL9GC1rmAWJmaoSjFMpbhzat7DOpFqpnOwpbZ34wwsQYIK8RQlqwM1I/v6vsRq86."))))])
(opensmtpd-configuration
(interfaces
(list
;; this forum help suggests that I listen on 0.0.0.0 and NOT eth0
;; https://serverfault.com/questions/726795/opensmtpd-wont-work-at-reboot
;; this listens for email from the outside world
(opensmtpd-interface
(interface "eth0")
(port 25)
(secure-connection "tls")
(pki pki-gnucode))
;; this lets local users logged into the system via ssh send email
(opensmtpd-interface
(interface "lo")
(port 25)
(secure-connection "tls")
(pki pki-gnucode))
(opensmtpd-interface
(interface "eth0")
(port 465)
(secure-connection "smtps")
(pki pki-gnucode)
(auth table-creds)
(filters (list filter-dkimsign)))
(opensmtpd-interface
(interface "eth0")
(port 587)
(secure-connection "tls-require")
(pki pki-gnucode)
(auth table-creds)
(filters (list filter-dkimsign)))))
(matches (list
(opensmtpd-match
(action (opensmtpd-relay
(name "relay")))
(options
(list
(opensmtpd-option
(option "for any"))
(opensmtpd-option
(option "from any"))
(opensmtpd-option
(option "auth")))))
(opensmtpd-match
(action action-receive)
(options
(list
(opensmtpd-option
(option "from any"))
(opensmtpd-option
(option "for domain")
(data (opensmtpd-table
(name "vdoms")
(data (list "gnucode.me"
"gnu-hurd.com"))))))))
(opensmtpd-match
(action action-receive)
(options
(list
(opensmtpd-option
(option "for local"))))))))))I was curious to see how outdated my server is. It’s dated apparently.
guix system describe
[1mGeneration 118 Aug 14 2022 02:45:18[0m (current)
file name: /var/guix/profiles/system-118-link
canonical file name: /gnu/store/7jkrafkf61bw3fdxlrlzvkrl98ys1icj-system
label: GNU with Linux-Libre 5.18.16
bootloader: grub
root device: /dev/sda
kernel: /gnu/store/iz6xn1b1dyk6pwaf6dym3jm3vwnh4gz9-linux-libre-5.18.16/bzImage
channels:
guix:
repository URL: https://git.savannah.gnu.org/git/guix.git
branch: master
commit: 43decd1f7ea4ebd911199ad10c0ca555d0dffbd6
configuration file: /gnu/store/rv7rhwn5kd9yxv8kayqlsgxwyhcz55ca-configuration.scmLet's try reconfiguring my server with the opensmtpd configuration.
guix pull
sudo guix system reconfigure linode-locke-lamora-current-config.scm
In srfi/srfi-1.scm:
586:29 19 (map1 (#<<service> type: #<service-type mingetty 7f8…> …))
586:29 18 (map1 (#<<service> type: #<service-type mingetty 7f8…> …))
586:29 17 (map1 (#<<service> type: #<service-type mingetty 7f8…> …))
586:29 16 (map1 (#<<service> type: #<service-type mingetty 7f8…> …))
586:29 15 (map1 (#<<service> type: #<service-type mingetty 7f8…> …))
586:29 14 (map1 (#<<service> type: #<service-type agetty 7f8c1…> …))
586:29 13 (map1 (#<<service> type: #<service-type syslog 7f8c1…> …))
586:29 12 (map1 (#<<service> type: #<service-type console-font…> …))
586:29 11 (map1 (#<<service> type: #<service-type virtual-term…> …))
586:17 10 (map1 (#<<service> type: #<service-type opensmtpd 7f…> …))
In guixrus/services/opensmtpd.scm:
2567:27 9 (opensmtpd-shepherd-service #<<opensmtpd-configuration>…>)
2541:19 8 (opensmtpd-configuration->mixed-text-file #<<opensmtpd-…>)
2496:3 7 (opensmtpd-configuration->string #<<opensmtpd-configura…>)
2421:9 6 (opensmtpd-configuration-fieldname->string #<<opensmtp…> …)
2430:10 5 (list-of-records->string (#<<opensmtpd-interface> i…> …) …)
2434:17 4 (loop (#<<opensmtpd-interface> interface: "eth0" fam…> …))
1848:5 3 (opensmtpd-interface->string #<<opensmtpd-interface> in…>)
In unknown file:
2 (string-append "" "" "" "" "" "tls " #<unspecified> "p…" …)
In ice-9/boot-9.scm:
1685:16 1 (raise-exception _ #:continuable? _)
1685:16 0 (raise-exception _ #:continuable? _)
ice-9/boot-9.scm:1685:16: In procedure raise-exception:
In procedure string-append: Wrong type (expecting string): #<unspecified>Ahh, I know what that problem is! Let’s fix that. So now I have make a local
commit. Push it to my notabug.org/guixrus, ssh into lamora, run git pull on
the guixrus repo, then try to reconfigure. This seems like a very odd/poor way
to test changes. By making a commit locally, pushing it, pulling it, and then
wondering if the reconfigure will work. I should really set up guix deploy.
sudo guix system reconfigure linode-locke-lamora-current-config.scm
module-import-compiled 1.0MiB 1.6MiB/s 00:01 [##################] 100.0%
building /gnu/store/mw8x4pbl11a5pdgxqcw2vvczdccpmicf-switch-to-system.scm.drv...
making '/gnu/store/0v5sbvlx9r151gjlc906lxyhps7xx1h8-system' the current system...
setting up setuid programs in '/run/setuid-programs'...
populating /etc from /gnu/store/1n0l349b03h7dclwai9l0kxglb8kwyv0-etc...
checking syntax of /gnu/store/51hahfmqlkj9jfxa2cqbm6dd05qrzxzd-smtpd.conf
/gnu/store/51hahfmqlkj9jfxa2cqbm6dd05qrzxzd-smtpd.conf:14: syntax error
/gnu/store/51hahfmqlkj9jfxa2cqbm6dd05qrzxzd-smtpd.conf:21: no such dispatcher: relayOk, so I have a configuration error. Let’s take a look at the generated configuration file:
The first error is this:
cat /gnu/store/51hahfmqlkj9jfxa2cqbm6dd05qrzxzd-smtpd.conf | grep '<"<"' listen on eth0 filter "dkimsign" smtps port 465 pki smtp.gnucode.me auth <"<"creds">"> listen on eth0 filter "dkimsign" tls-require port 587 pki smtp.gnucode.me auth <"<"creds">">It should be <“creds”>.
Another error is this:
cat /gnu/store/51hahfmqlkj9jfxa2cqbm6dd05qrzxzd-smtpd.conf | grep match match !for any !from any !auth action "relay" match !from any !for domain <"vdoms"> action "receive" match !for local action "receive"
These match options should NOT be false. Let's quickly fix those issues reconfigure again:
sudo guix system reconfigure linode-locke-lamora-current-config.scm
checking syntax of /gnu/store/a69a5vn2r94glh58wlfq41ygfl38ikgn-smtpd.conf
configuration OKThat’s a good sign!
Let’s reboot and see what happens!
Well when I reboot, smtpd refused to start. Let’s look at the config file.
cat /gnu/store/a69a5vn2r94glh58wlfq41ygfl38ikgn-smtpd.conf
filter "dkimsign" proc-exec "/gnu/store/n2f5waxzdzcsdvh0xydhnc174n3kingw-opensmtpd-filter-dkimsign-0.6/libexec/opensmtpd/filter-dkimsign -d gnucode.me -s 2021-09-22 -c relaxed/relaxed -k /etc/dkim/private.key user nobody group nogroup"
mta max-deferred 100
table "creds" { "joshua" = "$6$Ec4m8FgKjT2F/03Y$k66ABdse9TzCX6qaALB3WBL9GC1rmAWJmaoSjFMpbhzat7DOpFqpnOwpbZ34wwsQYIK8RQlqwM1I/v6vsRq86." }
table "vusers" { "joshua@gnucode.me" = "joshua", "jbranso@gnucode.me" = "joshua", "postmaster@gnucode.me" = "joshua" }
table "vdoms" { "gnucode.me", "gnu-hurd.com" }
pki smtp.gnucode.me cert "/etc/letsencrypt/live/gnucode.me/fullchain.pem"
pki smtp.gnucode.me key "/etc/letsencrypt/live/gnucode.me/privkey.pem"
listen on eth0 tls port 25 pki smtp.gnucode.me
listen on lo tls port 25 pki smtp.gnucode.me
listen on eth0 filter "dkimsign" smtps port 465 pki smtp.gnucode.me auth <"creds">
listen on eth0 filter "dkimsign" tls-require port 587 pki smtp.gnucode.me auth <"creds">
action "relay" relay
action "receive" maildir "/home/%{rcpt.user}/Maildir" junk virtual <"vusers">
match for any from any auth action "relay"
match from any for domain <"vdoms"> action "receive"
match for local action "receive"It seems to be just fine...hmmm. What does the error log say?
cat /var/log/maillog | tail
Dec 22 10:05:41 localhost smtpd[19325]: warn: lost processor: dkimsign exited abnormally
Dec 22 10:05:41 localhost smtpd[19328]: dkimsign: Can't open key file (/etc/dkim/private.key): No such file or directory
Dec 22 10:05:41 localhost smtpd[19330]: warn: invalid envelope a565cee5a763bf31: unknown dispatcher
Dec 22 10:05:41 localhost smtpd[19325]: Exiting
Dec 22 11:22:18 localhost smtpd[268]: info: OpenSMTPD 6.8.0p2 starting
Dec 22 11:22:18 localhost smtpd[269]: warn: lost processor: dkimsign exited abnormally
Dec 22 11:22:18 localhost smtpd[272]: dkimsign: Can't open key file (/etc/dkim/private.key): No such file or directory
Dec 22 11:22:18 localhost smtpd[274]: warn: invalid envelope a565cee5a763bf31: unknown dispatcher
Dec 22 11:22:18 localhost smtpd[269]: ExitingOk, well I think I found the problem. haha. Let’s see, ah, looks like that key is here:
find . -name '*key'
/etc/opensmtpd/dkimsign/2021-09-22-rsa1024-gnucode.me.keyLet’s commit my current-config locally, push it upstream, pull it from my server and reconfigure.
sudo guix system reconfigure linode-locke-lamora-current-config.scm
checking syntax of /gnu/store/42q90z8n03zi9rx29gwdnms4sdr2g2p9-smtpd.conf
configuration OKAfter I rebooted, smtpd still was not starting. Let’s try to find out why:
cat /var/log/maillog | tail
Dec 22 11:38:03 localhost smtpd[498]: warn: invalid envelope a565cee5a763bf31: unknown dispatcher
Dec 22 11:38:03 localhost smtpd[493]: warn: lost processor: dkimsign exited abnormally
Dec 22 11:38:03 localhost smtpd[496]: dkimsign: Can't open key file (/etc/opensmtpd/dkimsign/2021-09-22-rsa1024-gnucode.me.key): Permission denied
Dec 22 11:38:03 localhost smtpd[493]: Exiting
Dec 22 11:40:02 localhost dovecot: master: Dovecot v2.3.19.1 (9b53102964) starting up for imap (core dumps disabled)
Dec 22 11:42:41 localhost smtpd[258]: info: OpenSMTPD 6.8.0p2 starting
Dec 22 11:42:41 localhost smtpd[259]: warn: lost processor: dkimsign exited abnormally
Dec 22 11:42:41 localhost smtpd[262]: dkimsign: Can't open key file (/etc/opensmtpd/dkimsign/2021-09-22-rsa1024-gnucode.me.key): Permission denied
Dec 22 11:42:41 localhost smtpd[264]: warn: invalid envelope a565cee5a763bf31: unknown dispatcher
Dec 22 11:42:41 localhost smtpd[259]: ExitingOk, this is just a permissions error. That’s an easy fix! I changed a
sudo chown -R smtpd /etc/opensmtpd. Then I got this beauty:
sudo herd start smtpd
Service smtpd has been started.Woo hoo! Now let’s try to send an email and see if it works!
I sent an email to gmail, and if you select an email in gmail, you can click on view original. It showed me that I did pass dkimsigning! That’s awesome! And my email was in my gmail inbox. That’s a really good sign! Now I am off to submit a patch to guixrus!
I did get a tip from someone on irc that mentioned that I should verify my dkimsigning and SPF via https://dkimvalidator.com/ And when I used that tool, I discovered that my SPF was failing, so I will need to fix that.