Enable DKIM signing

2025-03-02 11:44:08 +01:00 · 2025-03-02 11:44:08 +01:00 · 10ca56c064
commit 10ca56c064
parent c05d7591a8
3 changed files with 102 additions and 0 deletions
--- a/nixos/modules/mail.nix
+++ b/nixos/modules/mail.nix
@ -108,6 +108,15 @@ in {
            iprev.verify = "relaxed";
            spf.verify.ehlo = "relaxed";
            spf.verify.mail-from = "relaxed";
+
+            # Sign *our* outgoing mails with the configured signatures.
+            dkim.sign = [
+              {
+                "if" = "is_local_domain('', sender_domain) || sender_domain == 'lists.mathebau.de'";
+                "then" = "['rsa-' + sender_domain, 'ed25519-' + sender_domain]";
+              }
+              {"else" = false;}
+            ];
          };

          # Forward outgoing mail to HRZ or mail VMs.
@ -202,12 +211,53 @@ in {
          sieve.trusted.from-addr = "sender"; # set the from-address to the original sender as specified in the MAIL FROM.
          sieve.trusted.from-name = "sender";
          sieve.trusted.return-path = "sender";
+          # If we are the sender, we sign the message with DKIM. Else we leave it alone.
+          sieve.trusted.sign = [
+            {
+              "if" = "is_local_domain('', sender_domain) || sender_domain == 'lists.mathebau.de'";
+              "then" = "['rsa-' + sender_domain, 'ed25519-' + sender_domain]";
+            }
+            {"else" = false;}
+          ];
          sieve.trusted.limits = {
            redirects = 50;
            out-messages = 50;
          };
          session.data.script = "'redirects'";

+          # See https://stalw.art/docs/smtp/authentication/dkim/sign
+          # We need two blocks per domain because the domain setting in the blocks does not accept variables like `sender_domain`.
+          signature = let
+            signatureTemplate = domain: {
+              "rsa-${domain}" = {
+                private-key = "%{file:/run/secrets/dkim_rsa}%";
+                domain = "${domain}";
+                selector = "rsa-default";
+                headers = ["From" "To" "Cc" "Date" "Subject" "Message-ID" "Organization" "MIME-Version" "Content-Type" "In-Reply-To" "References" "List-Id" "User-Agent" "Thread-Topic" "Thread-Index"];
+                algorithm = "rsa-sha256";
+                canonicalization = "relaxed/relaxed";
+              };
+              "ed25519-${domain}" = {
+                private-key = "%{file:/run/secrets/dkim_ed25519}%";
+                domain = "${domain}";
+                selector = "ed-default";
+                headers = ["From" "To" "Cc" "Date" "Subject" "Message-ID" "Organization" "MIME-Version" "Content-Type" "In-Reply-To" "References" "List-Id" "User-Agent" "Thread-Topic" "Thread-Index"];
+                algorithm = "ed25519-sha256";
+                canonicalization = "relaxed/relaxed";
+              };
+            };
+          in
+            map signatureTemplate (["lists.mathebau.de"] ++ (map ({domain, ...}: domain) cfg.domains));
+
+          # Sign *our* outgoing mails with the configured signatures.
+          auth.dkim.sign = [
+            {
+              "if" = "is_local_domain('', sender_domain) || sender_domain == 'lists.mathebau.de'";
+              "then" = "['rsa-' + sender_domain, 'ed25519-' + sender_domain]";
+            }
+            {"else" = false;}
+          ];
+
          authentication.fallback-admin = {
            user = "admin";
            # see passwd on azathoth for plaintext or machine secret in encoded format for HTTP Basic AUTH