Group config parameters

Enable DKIM signing
Filter out catch-all addresses of the form "@domain.tld" from the allowlist that are not intended for HRZ
2025-03-02 13:38:51 +01:00 · 2025-03-02 11:44:08 +01:00 · 2025-03-02 11:40:31 +01:00 · 2025-03-02 11:40:15 +01:00
1 changed files with 7 additions and 15 deletions
--- a/nixos/modules/mail.nix
+++ b/nixos/modules/mail.nix
@ -113,7 +113,7 @@ in {
            dkim.sign = [
              {
                "if" = "is_local_domain('', sender_domain) || sender_domain == 'lists.mathebau.de'";
-                "then" = "['rsa-' + sender_domain, 'ed25519-' + sender_domain]";
+                "then" = "['rsa_' + sender_domain, 'ed25519_' + sender_domain]";
              }
              {"else" = false;}
            ];
@ -214,14 +214,14 @@ in {
            ++ ["sieve.trusted.*"]; #for macros to be able to include our redirection script
          sieve.trusted = {
            scripts.redirects.contents = "%{file:/tmp/virt_aliases}%"; # generated redirect script
-            trusted.from-addr = "sender"; # set the from-address to the original sender as specified in the MAIL FROM.
-            from-name = "sender";
+            from-addr = "sender"; # set the from-address to the original sender as specified in the MAIL FROM.
+            from-namo = "sender";
            return-path = "sender";
            # If we are the sender, we sign the message with DKIM. Else we leave it alone.
            sign = [
              {
                "if" = "is_local_domain('', sender_domain) || sender_domain == 'lists.mathebau.de'";
-                "then" = "['rsa-' + sender_domain, 'ed25519-' + sender_domain]";
+                "then" = "['rsa_' + sender_domain, 'ed25519_' + sender_domain]";
              }
              {"else" = false;}
            ];
@ -230,11 +230,12 @@ in {
              out-messages = 50;
            };
          };
+
          # See https://stalw.art/docs/smtp/authentication/dkim/sign
          # We need two blocks per domain because the domain setting in the blocks does not accept variables like `sender_domain`.
          signature = let
            signatureTemplate = domain: {
-              "rsa-${domain}" = {
+              "rsa_${domain}" = {
                private-key = "%{file:/run/secrets/dkim_rsa}%";
                domain = "${domain}";
                selector = "rsa-default";
@ -242,7 +243,7 @@ in {
                algorithm = "rsa-sha256";
                canonicalization = "relaxed/relaxed";
              };
-              "ed25519-${domain}" = {
+              "ed25519_${domain}" = {
                private-key = "%{file:/run/secrets/dkim_ed25519}%";
                domain = "${domain}";
                selector = "ed-default";
@ -254,15 +255,6 @@ in {
          in
            map signatureTemplate (["lists.mathebau.de"] ++ (map ({domain, ...}: domain) cfg.domains));

-          # Sign *our* outgoing mails with the configured signatures.
-          auth.dkim.sign = [
-            {
-              "if" = "is_local_domain('', sender_domain) || sender_domain == 'lists.mathebau.de'";
-              "then" = "['rsa-' + sender_domain, 'ed25519-' + sender_domain]";
-            }
-            {"else" = false;}
-          ];
-
          authentication.fallback-admin = {
            user = "admin";
            # see passwd on azathoth for plaintext or machine secret in encoded format for HTTP Basic AUTH
Author	SHA1	Message	Date
Gonne	d7f4598be3	Group config parameters	2025-03-02 13:38:51 +01:00
Gonne	5dfd352edd	Enable DKIM signing	2025-03-02 11:44:08 +01:00
Gonne	836971cac4	Filter out catch-all addresses of the form "@domain.tld" from the allowlist that are not intended for HRZ	2025-03-02 11:40:31 +01:00
Gonne	32716973d0	Set sender and increase redirect limit for our alias file	2025-03-02 11:40:15 +01:00