Submitting Opensmtpd Service to Guixrus — GNUcode.me

Submitting Opensmtpd Service to Guixrus

by Joshua Branson — December 22, 2022

I was recently encouraged by the delightfully friendly raghavgururajan to try to merge my opensmtpd service project into guixrus, which is a small community actively working to upstream packages and services into guix proper. I figured, why not? Sounds like fun. The following post will describe my developmental workflow, which is probably pretty poor…

tl;dr

Soonish, I will clean up the code for a proper ~opensmtpd-service-type~ with ~opensmtpd-records~ for guix system. It may take 6 months to get it in a clean state. Until it is merged, you may find it here:

https://git.sr.ht/~whereiseveryone/guixrus/commit/255875f7d86e92bb64006a59be26c64430c0c046

The current documentation is here:

https://notabug.org/jbranso/linode-guix-system-configuration/src/master/opensmtpd-records-documentation.txt

My server's config is here:

https://notabug.org/jbranso/linode-guix-system-configuration/src/master/linode-locke-lamora-current-config.scm

The current task list is here:

https://notabug.org/jbranso/linode-guix-system-configuration/src/master/opensmtpd.org

I added the guixrus channel to my ~/.config/guix/channels.scm:

cat ~/.config/guix/channels.scm

(cons* (channel  ;; for firefox-wayland
        (name 'nonguix)
        (url "https://gitlab.com/nonguix/nonguix")
        ;; Enable signature verification:
        (introduction
         (make-channel-introduction
          "897c1a470da759236cc11798f4e0a5f7d4d59fbc"
          (openpgp-fingerprint
           "2A39 3FFF 68F4 EF7A 3D29  12AF 6F51 20A0 22FB B2D5"))))
       (channel  ;; for sway-latest
        (name 'guixrus)
        (url "https://git.sr.ht/~whereiseveryone/guixrus")
        (introduction
         (make-channel-introduction
          "7c67c3a9f299517bfc4ce8235628657898dd26b2"
          (openpgp-fingerprint
           "CD2D 5EAA A98C CB37 DA91  D6B0 5F58 1664 7F8B E551"))))
       %default-channels)

Before I submit the patch, I should make sure that the code actually works. To do that, I logged into my gnucode.me server and tried to set up the opensmtpd server.

guix pull --url=https://notabug.org/jbranso/guix/src/newOpensmtpdBranch \
    --branch=newOpensmtpdBranch

Updating channel 'guix' from Git repository at 'https://notabug.org/jbranso/guix'...
guix pull: error: Git error: cannot locate remote-tracking branch 'origin/keyring'

guix pull --url=https://notabug.org/jbranso/guix \
    --commit=8abbb6c442d135ae8e7c1cb0e17525478fafe8f0

Updating channel 'guix' from Git repository at 'https://notabug.org/jbranso/guix'...
guix pull: error: Git error: cannot locate remote-tracking branch 'origin/keyring'

Hmm, well my opensmtpd service is NOT using signed commits. That’s probably the problem. Hmmm… Well I guess I need to start signing my commits. Generate a gpg key. grrr….

These three pages seem promising:

https://moser-isi.ethz.ch/gpg.html

https://wiki.debian.org/Keysigning

https://risanb.com/code/backup-restore-gpg-key/

gpg --full-generate-key

gpg: directory '/home/joshua/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/joshua/.gnupg/openpgp-revocs.d/LOTSOFNUMBERS.rev'

I copied my Revocation-Certificate into my spare usb:

sudo cp .gnupg/openpgp-revocs.d/LOTSOFNUMBERS.rev /mnt/gnucode.gpg.rev

Let’s export my gpg key to the keyserver.

gpg --auto-key-locate keyserver -a --send-keys 67A42A3CC23F979886F9686C750BCFEF3A579572

gpg -a --export gnucode


gpg -a --export gnucode > gnucode.pub
sudo cp gnucode.pub /mnt/

Now let’s backup the gpg key.

gpg --export-secret-keys --armor gnucode > secret-key-backup.asc
sudo mv secret-key-backup.asc /mnt/

If I ever need to move that gpg key to another computer, all I have to do is:

gpg --import /path/to/secret-key-backup.asc

Let’s try testing a signed commit.

git config --global commit.gpgsign true

https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key

gpg --list-secret-keys --keyid-format=long

# git config --global user.signingkey MYSIGNINGKEY
git config --global alias.logs "log --show-signature"
git commit -m "mail.scm: minor sanitization improvements."

Ok well let’s try this to see what the error was:

GIT_TRACE=1 git commit -m "blah" -S

23:07:37.656401 git.c:460               trace: built-in: git commit -m blah -S
23:07:37.678825 run-command.c:655       trace: run_command: gpg --status-fd=2 -bsau 750BCFEF3A579572
error: gpg failed to sign the data
fatal: failed to write commit object

gpg --status-fd=2 -bsau 750BCFEF3A579572

As I was running the above command, I realized that I might not have pinentry installed:

guix install pinentry

git logs

Now I think I will try rebooting and check to see if I can still sign git commits.

And after I rebooted, I could not sign commits with emacs…

Emacs says “hint: Waiting for your editor to close the file…” and “Waiting for Emacs”.

Well, online I see this as a possible solution:

git config --global core.editor emacs

Well that didn’t quite work. I was able to squash two commits via emacs, but only after the gpg agent had cached my private key password. That makes me think that magit is having a hard time querying me for my password.

Well let me try updating doom emacs. I doubt that will work, but I’ll try it. That didn’t work. :(

Well I found a possible error here:

https://github.com/magit/with-editor/issues/69

https://emacs.stackexchange.com/questions/74097/magit-cannot-commit-emacsclient-on-path-pop-os

https://magit.vc/manual/with-editor/Configuring-With_002dEditor.html

Then I thought, how about I disable the with-editor elisp package that doom emacs ships and instead guix install emacs-with-editor. Let’s try that.

cat .doom.d/packages.el | grep with-editor

(package! with-editor :disable t)

doom upgrade
doom sync
guix install emacs-with-editor

Nope. That didn’t work either. Hmmm. I can get emacs to commit the message, after the gpg agent caches my key’s password.

Well let’s try running emacs without any configuration: emacs -q. Nope. That also didn’t work. :(

My current theory is that my wayland-only session is preventing the pinentry from displaying, which is NOT allowing me to enter my gpg password. I shall try temporarily enabling Xwayland and see if that fixes it.

cat config | grep xwayland

# disable xwayland.  Just trying it out
xwayland enable

Yup! That fixed it. With the above, I can now sign my commits with emacs! But I would rather keep my wayland-only session. Let’s try pinentry-bemenu:

guix package -i pinentry-bemenu -r pinentry

cat config | grep xwayland

# disable xwayland.
xwayland disable

Well that didn’t work. Let’s try pinentry-gnome3.

guix package -r pinentry-bemenu -i pinentry-gnome3

Nope. It’s X only. Let’s try qt:

guix package -r pinentry-gnome3 -i pinentry-qt

Nope. That also seems to be X only. grr. Maybe this bemenu thing works, but I need to configure it properly.

Well let’s install pinentry, and temporarily enable xwayland.

guix package -r pinentry-tty -i pinentry

cat config | grep xwayland

# enable xwayland.
xwayland enable

Well, I should probably eventually try editing .config/gpg.conf to tell it to use pinentry-bemenu as the pinentry program.
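Added example, not from the post: the pinentry is launched by gpg-agent, which reads the `pinentry-program` option from `$GNUPGHOME/gpg-agent.conf`, so this helper sets that line idempotently and asks a running agent to reload. It assumes you pass the pinentry binary's full path (for example `"$(command -v pinentry-bemenu)"` from your Guix profile); the function names are mine.

```shell
#!/bin/sh
# Set or replace the pinentry-program line in gpg-agent.conf (added example).
# Usage: set_pinentry_program /path/to/pinentry [gnupghome]
set_pinentry_program() {
    prog=$1
    home=${2:-${GNUPGHOME:-$HOME/.gnupg}}
    conf=$home/gpg-agent.conf

    [ -x "$prog" ] || { echo "not executable: $prog" >&2; return 1; }
    mkdir -p "$home" && chmod 700 "$home"

    # keep every other line, drop any old pinentry-program line, append ours
    if [ -f "$conf" ]; then
        grep -v '^pinentry-program ' "$conf" > "$conf.tmp" || true
    else
        : > "$conf.tmp"
    fi
    echo "pinentry-program $prog" >> "$conf.tmp"
    chmod 600 "$conf.tmp" && mv "$conf.tmp" "$conf"

    # an agent that is already running keeps its old pinentry until told to
    # reload; gpgconf is optional so the function also works where it is absent
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --homedir "$home" --reload gpg-agent 2>/dev/null ||
            echo "no running agent; the new pinentry applies on next start" >&2
    fi
}

# Print the pinentry currently configured in gpg-agent.conf (empty if none).
current_pinentry_program() {
    home=${1:-${GNUPGHOME:-$HOME/.gnupg}}
    [ -f "$home/gpg-agent.conf" ] || return 0
    sed -n 's/^pinentry-program //p' "$home/gpg-agent.conf"
}
```

After switching, a quick `echo test | gpg --clearsign >/dev/null` from the same session shows whether the new pinentry appears under wayland.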

I think that spending all that time working on getting gpg key signing to work was probably a big waste of time. :( I think instead of keeping my opensmtpd code in guix-src/gnu/services/mail.scm, I will move it to guixrus/services/opensmtpd.scm. Then I can just copy opensmtpd.scm file to my linode server, and manually load in that code to start my opensmtpd service.

First I will delete the opensmtpd record stuff in gnu/services/mail.scm. I don’t want to get confused about where I am storing my developmental code.

Now I will cp my opensmtpd.scm code into my linode service git repo.

cp opensmtpd.scm ~/prog/gnu/guix/guix-config/linode-guix-system-configuration/guixrus/services/
ls ~/prog/gnu/guix/guix-config/linode-guix-system-configuration/guixrus/services/opensmtpd.scm
cat ~/prog/gnu/guix/guix-config/linode-guix-system-configuration/guixrus/services/opensmtpd.scm | tail

/home/joshua/prog/gnu/guix/guix-config/linode-guix-system-configuration/guixrus/services/opensmtpd.scm
          (service-extension pam-root-service-type
                             (const %opensmtpd-pam-services))
          (service-extension profile-service-type
                             (compose list opensmtpd-configuration-package))
          (service-extension shepherd-root-service-type
                             opensmtpd-shepherd-service)
          (service-extension setuid-program-service-type
                             opensmtpd-set-gids)))
   (description "Run the OpenSMTPD, a lightweight @acronym{SMTP, Simple Mail
Transfer Protocol} server.")))

Now I will commit the changes to my linode git repo and push them.

git add opensmtpd.scm
git commit -m "copying opensmtpd.scm from guixrus."

[master 7399550] copying opensmtpd.scm from guixrus.
 1 file changed, 7 insertions(+)
 rename opensmtpd.scm => guixrus/services/opensmtpd.scm (99%)

Hmmm, was that commit signed? No idea.
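Added example, not from the post: two helpers that answer "was that commit signed?" from git's own `%G?` placeholder, both for a single commit and for every commit in a range, which is the check a channel that expects signed commits wants before it pulls your branch. The function names are mine; the repository path and revision are arguments.

```shell
#!/bin/sh
# %G? yields one letter per commit: G good, U good but key not trusted,
# X/Y/R good but expired or revoked, B bad, E unverifiable, N no signature.

# Print "signed", "signed-expired-or-revoked", "bad", "unverifiable" or
# "unsigned" for REV (default HEAD) in the repository at REPO.
commit_signature_status() {
    repo=$1
    rev=${2:-HEAD}
    code=$(git -C "$repo" log -1 --format=%G? "$rev") || return 1
    case "$code" in
        G|U)   echo "signed" ;;                      # good signature
        X|Y|R) echo "signed-expired-or-revoked" ;;   # good, but the key is not
        B)     echo "bad" ;;                         # signature does not verify
        E)     echo "unverifiable" ;;                # e.g. public key not in keyring
        N)     echo "unsigned" ;;
        *)     echo "unknown:$code"; return 1 ;;
    esac
}

# Print "<hash> <code>" for every commit in RANGE (e.g. origin/master..HEAD)
# without a good signature; prints nothing and returns 0 when all are good.
unsigned_commits() {
    repo=$1
    range=$2
    git -C "$repo" log --format='%H %G?' "$range" |
        awk '$2 != "G" && $2 != "U" { print; bad = 1 } END { exit bad }'
}
```

Run `unsigned_commits . origin/master..HEAD` before sending a patch series; an empty result means every commit it lists verifies with a key in your keyring.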

Now let’s push that commit.

git push

Now let's log into the gnucode service and pull that commit.

git pull
cat opensmtpd.scm | tail

Updating a8d88b9..7399550
Fast-forward
 opensmtpd.scm => guixrus/services/opensmtpd.scm | 7 +++++++
 1 file changed, 7 insertions(+)
 rename opensmtpd.scm => guixrus/services/opensmtpd.scm (99%)

I am realizing that it will probably be easiest to reconfigure my server with my opensmtpd records if my server has the same directory structure as my local machine. Namely, my git repos should be in the same directories. So I made some changes on my server to make sure that its directory structure matches my local one. Now my server’s config.scm is no longer at ~/linode-guix-system-configuration/linode-locke-lamora-current-config.scm. Now it is at:

find . -name '*current-config.scm'

./prog/gnu/guix/guix-config/linode-guix-system-configuration/linode-locke-lamora-current-config.scm

I want to make sure that my remote server has a copy of the guixrus source code with my newest commit, the one that adds services/opensmtpd.scm.

So, I made a guixrus repo on notabug.org, then I pulled that repo on my server:

git clone  https://notabug.org/jbranso/guixrus

git show HEAD | head

commit 147a9ce316be2f9f7c9ed25b3e097fd84b8b01eb
Author: Joshua Branson <jbranso@dismail.de>
Date:   Thu Dec 22 09:21:19 2022 -0500

    services (opensmtpd): add opensmtpd records to enhance opensmtpd-configuration.

    Openmstpd-configuration may only be configured by a config-file that
    uses the smtpd.conf syntax.  This patch, enables one to configure
    opensmtpd by using record types.

It would be nice to test the configuration locally, to see if it will work before I push it to the server.

guix system vm linode-locke-lamora-current-config.scm

guix system: error: (cert "/etc/letsencrypt/live/gnucode.me/fullchain.pem") is invalid.
hint: Try a file.

The above is actually a good sign. I do not have that certificate locally, but it is available on the server. If that is the only error, then let’s go ahead and try to reconfigure the server.

The relevant opensmtpd-service looks like:

(service opensmtpd-service-type
         (let ([action-receive (opensmtpd-local-delivery
                                (name "receive")
                                (method (opensmtpd-maildir
                                         (pathname "/home/%{rcpt.user}/Maildir")
                                         (junk #t)))
                                (virtual (opensmtpd-table
                                          (name "vusers")
                                          (data '(("joshua@gnucode.me"  . "joshua")
                                                  ("jbranso@gnucode.me" . "joshua")
                                                  ("postmaster@gnucode.me" .  "joshua"))))))]
               [pki-gnucode (opensmtpd-pki
                             (domain "smtp.gnucode.me")
                             (cert "/etc/letsencrypt/live/gnucode.me/fullchain.pem")
                             (key "/etc/letsencrypt/live/gnucode.me/privkey.pem"))]
               [filter-dkimsign (opensmtpd-filter
                                 (name "dkimsign")
                                 (exec #t)
                                 (proc (list (file-append opensmtpd-filter-dkimsign "/libexec/opensmtpd/filter-dkimsign")
                                             " -d gnucode.me -s 2021-09-22 -c relaxed/relaxed -k "
                                             "/etc/dkim/private.key "
                                             "user nobody group nogroup")))]
               [table-creds (opensmtpd-table
                             (name "creds")
                             (data
                              (list
                               (cons "joshua"
                                     "$6$Ec4m8FgKjT2F/03Y$k66ABdse9TzCX6qaALB3WBL9GC1rmAWJmaoSjFMpbhzat7DOpFqpnOwpbZ34wwsQYIK8RQlqwM1I/v6vsRq86."))))])
           (opensmtpd-configuration
            (interfaces
             (list
              ;; this forum help suggests that I listen on 0.0.0.0 and NOT eth0
              ;; https://serverfault.com/questions/726795/opensmtpd-wont-work-at-reboot
              ;; this listens for email from the outside world
              (opensmtpd-interface
               (interface "eth0")
               (port 25)
               (secure-connection "tls")
               (pki pki-gnucode))
              ;; this lets local users logged into the system via ssh send email
              (opensmtpd-interface
               (interface "lo")
               (port 25)
               (secure-connection "tls")
               (pki pki-gnucode))
              (opensmtpd-interface
               (interface "eth0")
               (port 465)
               (secure-connection "smtps")
               (pki pki-gnucode)
               (auth table-creds)
               (filters (list filter-dkimsign)))
              (opensmtpd-interface
               (interface "eth0")
               (port 587)
               (secure-connection "tls-require")
               (pki pki-gnucode)
               (auth table-creds)
               (filters (list filter-dkimsign)))))
            (matches (list
                      (opensmtpd-match
                       (action (opensmtpd-relay
                                (name "relay")))
                       (options
                        (list
                         (opensmtpd-option
                          (option "for any"))
                         (opensmtpd-option
                          (option "from any"))
                         (opensmtpd-option
                          (option "auth")))))
                      (opensmtpd-match
                       (action action-receive)
                       (options
                        (list
                         (opensmtpd-option
                          (option "from any"))
                         (opensmtpd-option
                          (option "for domain")
                          (data (opensmtpd-table
                                 (name "vdoms")
                                 (data (list "gnucode.me"
                                             "gnu-hurd.com"))))))))
                      (opensmtpd-match
                       (action action-receive)
                       (options
                        (list
                         (opensmtpd-option
                          (option "for local"))))))))))

I was curious to see how outdated my server is. It’s dated apparently.

guix system describe

Generation 118  Aug 14 2022 02:45:18    (current)
  file name: /var/guix/profiles/system-118-link
  canonical file name: /gnu/store/7jkrafkf61bw3fdxlrlzvkrl98ys1icj-system
  label: GNU with Linux-Libre 5.18.16
  bootloader: grub
  root device: /dev/sda
  kernel: /gnu/store/iz6xn1b1dyk6pwaf6dym3jm3vwnh4gz9-linux-libre-5.18.16/bzImage
  channels:
    guix:
      repository URL: https://git.savannah.gnu.org/git/guix.git
      branch: master
      commit: 43decd1f7ea4ebd911199ad10c0ca555d0dffbd6
  configuration file: /gnu/store/rv7rhwn5kd9yxv8kayqlsgxwyhcz55ca-configuration.scm

Let's try reconfiguring my server with the opensmtpd configuration.

guix pull
sudo guix system reconfigure linode-locke-lamora-current-config.scm

In srfi/srfi-1.scm:
   586:29 19 (map1 (#<<service> type: #<service-type mingetty 7f8…> …))
   586:29 18 (map1 (#<<service> type: #<service-type mingetty 7f8…> …))
   586:29 17 (map1 (#<<service> type: #<service-type mingetty 7f8…> …))
   586:29 16 (map1 (#<<service> type: #<service-type mingetty 7f8…> …))
   586:29 15 (map1 (#<<service> type: #<service-type mingetty 7f8…> …))
   586:29 14 (map1 (#<<service> type: #<service-type agetty 7f8c1…> …))
   586:29 13 (map1 (#<<service> type: #<service-type syslog 7f8c1…> …))
   586:29 12 (map1 (#<<service> type: #<service-type console-font…> …))
   586:29 11 (map1 (#<<service> type: #<service-type virtual-term…> …))
   586:17 10 (map1 (#<<service> type: #<service-type opensmtpd 7f…> …))
In guixrus/services/opensmtpd.scm:
  2567:27  9 (opensmtpd-shepherd-service #<<opensmtpd-configuration>…>)
  2541:19  8 (opensmtpd-configuration->mixed-text-file #<<opensmtpd-…>)
   2496:3  7 (opensmtpd-configuration->string #<<opensmtpd-configura…>)
   2421:9  6 (opensmtpd-configuration-fieldname->string #<<opensmtp…> …)
  2430:10  5 (list-of-records->string (#<<opensmtpd-interface> i…> …) …)
  2434:17  4 (loop (#<<opensmtpd-interface> interface: "eth0" fam…> …))
   1848:5  3 (opensmtpd-interface->string #<<opensmtpd-interface> in…>)
In unknown file:
           2 (string-append "" "" "" "" "" "tls " #<unspecified> "p…" …)
In ice-9/boot-9.scm:
  1685:16  1 (raise-exception _ #:continuable? _)
  1685:16  0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1685:16: In procedure raise-exception:
In procedure string-append: Wrong type (expecting string): #<unspecified>

Ahh, I know what that problem is! Let’s fix that. So now I have to make a local commit, push it to my notabug.org/guixrus, ssh into lamora, run git pull on the guixrus repo, then try to reconfigure. This seems like a very odd, poor way to test changes: making a commit locally, pushing it, pulling it, and then wondering whether the reconfigure will work. I should really set up guix deploy.

sudo guix system reconfigure linode-locke-lamora-current-config.scm

 module-import-compiled  1.0MiB                                         1.6MiB/s 00:01 [##################] 100.0%
building /gnu/store/mw8x4pbl11a5pdgxqcw2vvczdccpmicf-switch-to-system.scm.drv...
making '/gnu/store/0v5sbvlx9r151gjlc906lxyhps7xx1h8-system' the current system...
setting up setuid programs in '/run/setuid-programs'...
populating /etc from /gnu/store/1n0l349b03h7dclwai9l0kxglb8kwyv0-etc...
checking syntax of /gnu/store/51hahfmqlkj9jfxa2cqbm6dd05qrzxzd-smtpd.conf
/gnu/store/51hahfmqlkj9jfxa2cqbm6dd05qrzxzd-smtpd.conf:14: syntax error
/gnu/store/51hahfmqlkj9jfxa2cqbm6dd05qrzxzd-smtpd.conf:21: no such dispatcher: relay

Ok, so I have a configuration error. Let’s take a look at the generated configuration file:

  • The first error is this:

    cat /gnu/store/51hahfmqlkj9jfxa2cqbm6dd05qrzxzd-smtpd.conf | grep '<"<"'
    
    listen on eth0 filter "dkimsign" smtps port 465 pki smtp.gnucode.me auth <"<"creds">">
    listen on eth0 filter "dkimsign" tls-require port 587 pki smtp.gnucode.me auth <"<"creds">">

    It should be <"creds">.

  • Another error is this:

    cat /gnu/store/51hahfmqlkj9jfxa2cqbm6dd05qrzxzd-smtpd.conf  | grep match
    
    match !for any !from any !auth action "relay"
    match !from any !for domain <"vdoms"> action "receive"
    match !for local action "receive"

These match options should NOT be negated. Let's quickly fix those issues and reconfigure again:

sudo guix system reconfigure linode-locke-lamora-current-config.scm

checking syntax of /gnu/store/a69a5vn2r94glh58wlfq41ygfl38ikgn-smtpd.conf
configuration OK

That’s a good sign!

Let’s reboot and see what happens!

Well, when I rebooted, smtpd refused to start. Let’s look at the config file.

cat /gnu/store/a69a5vn2r94glh58wlfq41ygfl38ikgn-smtpd.conf

filter "dkimsign" proc-exec "/gnu/store/n2f5waxzdzcsdvh0xydhnc174n3kingw-opensmtpd-filter-dkimsign-0.6/libexec/opensmtpd/filter-dkimsign -d gnucode.me -s 2021-09-22 -c relaxed/relaxed -k /etc/dkim/private.key user nobody group nogroup"

mta max-deferred 100

table "creds" { "joshua" = "$6$Ec4m8FgKjT2F/03Y$k66ABdse9TzCX6qaALB3WBL9GC1rmAWJmaoSjFMpbhzat7DOpFqpnOwpbZ34wwsQYIK8RQlqwM1I/v6vsRq86." }
table "vusers" { "joshua@gnucode.me" = "joshua", "jbranso@gnucode.me" = "joshua", "postmaster@gnucode.me" = "joshua" }
table "vdoms" { "gnucode.me", "gnu-hurd.com" }

pki smtp.gnucode.me cert "/etc/letsencrypt/live/gnucode.me/fullchain.pem"
pki smtp.gnucode.me key "/etc/letsencrypt/live/gnucode.me/privkey.pem"

listen on eth0 tls port 25 pki smtp.gnucode.me
listen on lo tls port 25 pki smtp.gnucode.me
listen on eth0 filter "dkimsign" smtps port 465 pki smtp.gnucode.me auth <"creds">
listen on eth0 filter "dkimsign" tls-require port 587 pki smtp.gnucode.me auth <"creds">

action "relay" relay

action "receive" maildir "/home/%{rcpt.user}/Maildir" junk virtual <"vusers">

match for any from any auth action "relay"
match from any for domain <"vdoms"> action "receive"
match for local action "receive"

It seems to be just fine...hmmm. What does the error log say?

cat /var/log/maillog | tail

Dec 22 10:05:41 localhost smtpd[19325]: warn: lost processor: dkimsign exited abnormally
Dec 22 10:05:41 localhost smtpd[19328]: dkimsign: Can't open key file (/etc/dkim/private.key): No such file or directory
Dec 22 10:05:41 localhost smtpd[19330]: warn: invalid envelope a565cee5a763bf31: unknown dispatcher
Dec 22 10:05:41 localhost smtpd[19325]: Exiting
Dec 22 11:22:18 localhost smtpd[268]: info: OpenSMTPD 6.8.0p2 starting
Dec 22 11:22:18 localhost smtpd[269]: warn: lost processor: dkimsign exited abnormally
Dec 22 11:22:18 localhost smtpd[272]: dkimsign: Can't open key file (/etc/dkim/private.key): No such file or directory
Dec 22 11:22:18 localhost smtpd[274]: warn: invalid envelope a565cee5a763bf31: unknown dispatcher
Dec 22 11:22:18 localhost smtpd[269]: Exiting

Ok, well I think I found the problem, haha. Let’s see... ah, it looks like that key is here:

find . -name '*key'

/etc/opensmtpd/dkimsign/2021-09-22-rsa1024-gnucode.me.key

Let’s commit my current-config locally, push it upstream, pull it from my server and reconfigure.

sudo guix system reconfigure linode-locke-lamora-current-config.scm

checking syntax of /gnu/store/42q90z8n03zi9rx29gwdnms4sdr2g2p9-smtpd.conf
configuration OK

After I rebooted, smtpd still was not starting. Let’s try to find out why:

cat /var/log/maillog | tail

Dec 22 11:38:03 localhost smtpd[498]: warn: invalid envelope a565cee5a763bf31: unknown dispatcher
Dec 22 11:38:03 localhost smtpd[493]: warn: lost processor: dkimsign exited abnormally
Dec 22 11:38:03 localhost smtpd[496]: dkimsign: Can't open key file (/etc/opensmtpd/dkimsign/2021-09-22-rsa1024-gnucode.me.key): Permission denied
Dec 22 11:38:03 localhost smtpd[493]: Exiting
Dec 22 11:40:02 localhost dovecot: master: Dovecot v2.3.19.1 (9b53102964) starting up for imap (core dumps disabled)
Dec 22 11:42:41 localhost smtpd[258]: info: OpenSMTPD 6.8.0p2 starting
Dec 22 11:42:41 localhost smtpd[259]: warn: lost processor: dkimsign exited abnormally
Dec 22 11:42:41 localhost smtpd[262]: dkimsign: Can't open key file (/etc/opensmtpd/dkimsign/2021-09-22-rsa1024-gnucode.me.key): Permission denied
Dec 22 11:42:41 localhost smtpd[264]: warn: invalid envelope a565cee5a763bf31: unknown dispatcher
Dec 22 11:42:41 localhost smtpd[259]: Exiting

Ok, this is just a permissions error. That’s an easy fix! I ran sudo chown -R smtpd /etc/opensmtpd. Then I got this beauty:

sudo herd start smtpd

Service smtpd has been started.
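Added example, not from the post: a pre-reboot lint for a generated smtpd.conf that catches the three things that bit the reconfigures above (the double-wrapped `<"<"creds">">` table reference, match options that came out negated, and a DKIM key named by `-k` that is missing or not owned by the user the filter runs as). The function name is mine; it assumes GNU `stat` and that the filter runs as the user given in the second argument (default `smtpd`, as in the chown above).

```shell
#!/bin/sh
# Usage: lint_smtpd_conf /path/to/smtpd.conf [user-the-filter-runs-as]
# Prints ERROR:/WARN: lines; returns 1 if any ERROR was found.
lint_smtpd_conf() {
    conf=$1
    owner=${2:-smtpd}   # assumption: the post fixed it with chown -R smtpd
    errors=0

    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 1; }

    # 1. a table reference wrapped twice is a serializer bug, never valid syntax
    n=$(grep -c '<"<"' "$conf" || true)
    if [ "$n" -gt 0 ]; then
        grep -n '<"<"' "$conf" | sed 's/^/ERROR: double-wrapped table reference at line /'
        errors=$((errors + n))
    fi

    # 2. negated options are legal smtpd.conf, so only warn; the bug above was
    #    every option coming out negated, which matches nothing useful
    grep -n '^match .*![a-z]' "$conf" | sed 's/^/WARN: negated match option at line /'

    # 3. every "-k <path>" inside a proc-exec filter line is a DKIM private key
    for key in $(sed -n 's/^filter .*proc-exec "[^"]*-k \([^ "]*\).*/\1/p' "$conf"); do
        if [ ! -e "$key" ]; then
            echo "ERROR: DKIM key $key does not exist"
            errors=$((errors + 1))
            continue
        fi
        # accept a numeric uid or a user name for the owner
        case $owner in
            *[!0-9]*) want=$(id -u "$owner" 2>/dev/null) ||
                          { echo "ERROR: no such user $owner"; errors=$((errors + 1)); continue; } ;;
            *)        want=$owner ;;
        esac
        have=$(stat -c %u "$key")
        if [ "$have" != "$want" ]; then
            echo "ERROR: DKIM key $key is owned by uid $have, but the filter runs as $owner (uid $want)"
            errors=$((errors + 1))
        fi
        case $(stat -c %a "$key") in
            *00) ;;   # no group/other access: good
            *)   echo "WARN: DKIM key $key is readable by group or others" ;;
        esac
    done

    [ "$errors" -eq 0 ]
}
```

Run it against the store path that `guix system reconfigure` prints after "checking syntax of"; it complements smtpd's own syntax check, which accepted the negated match lines and the missing key without complaint.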

Woo hoo! Now let’s try to send an email and see if it works!

I sent an email to gmail, and if you select an email in gmail, you can click on "view original". It showed me that my message passed DKIM signing! That’s awesome! And my email landed in my gmail inbox. That’s a really good sign! Now I am off to submit a patch to guixrus!

I did get a tip from someone on IRC who mentioned that I should verify my DKIM signing and SPF via https://dkimvalidator.com/. When I used that tool, I discovered that my SPF was failing, so I will need to fix that.