Group config parameters

Enable DKIM signing
Filter out catch-all addresses of the form "@domain.tld" from the allowlist that are not intended for HRZ
2025-03-02 14:05:28 +01:00 · 2025-03-02 14:03:36 +01:00 · 2025-03-02 14:03:36 +01:00 · 2025-03-02 14:03:32 +01:00
1 changed files with 15 additions and 7 deletions
--- a/nixos/modules/mail.nix
+++ b/nixos/modules/mail.nix
@ -113,7 +113,7 @@ in {
            dkim.sign = [
              {
                "if" = "is_local_domain('', sender_domain) || sender_domain == 'lists.mathebau.de'";
-                "then" = "['rsa_' + sender_domain, 'ed25519_' + sender_domain]";
+                "then" = "['rsa-' + sender_domain, 'ed25519-' + sender_domain]";
              }
              {"else" = false;}
            ];
@ -214,14 +214,14 @@ in {
            ++ ["sieve.trusted.*"]; #for macros to be able to include our redirection script
          sieve.trusted = {
            scripts.redirects.contents = "%{file:/tmp/virt_aliases}%"; # generated redirect script
-            from-addr = "sender"; # set the from-address to the original sender as specified in the MAIL FROM.
-            from-namo = "sender";
+            trusted.from-addr = "sender"; # set the from-address to the original sender as specified in the MAIL FROM.
+            from-name = "sender";
            return-path = "sender";
            # If we are the sender, we sign the message with DKIM. Else we leave it alone.
            sign = [
              {
                "if" = "is_local_domain('', sender_domain) || sender_domain == 'lists.mathebau.de'";
-                "then" = "['rsa_' + sender_domain, 'ed25519_' + sender_domain]";
+                "then" = "['rsa-' + sender_domain, 'ed25519-' + sender_domain]";
              }
              {"else" = false;}
            ];
@ -230,12 +230,11 @@ in {
              out-messages = 50;
            };
          };
-
          # See https://stalw.art/docs/smtp/authentication/dkim/sign
          # We need two blocks per domain because the domain setting in the blocks does not accept variables like `sender_domain`.
          signature = let
            signatureTemplate = domain: {
-              "rsa_${domain}" = {
+              "rsa-${domain}" = {
                private-key = "%{file:/run/secrets/dkim_rsa}%";
                domain = "${domain}";
                selector = "rsa-default";
@ -243,7 +242,7 @@ in {
                algorithm = "rsa-sha256";
                canonicalization = "relaxed/relaxed";
              };
-              "ed25519_${domain}" = {
+              "ed25519-${domain}" = {
                private-key = "%{file:/run/secrets/dkim_ed25519}%";
                domain = "${domain}";
                selector = "ed-default";
@ -255,6 +254,15 @@ in {
          in
            map signatureTemplate (["lists.mathebau.de"] ++ (map ({domain, ...}: domain) cfg.domains));

+          # Sign *our* outgoing mails with the configured signatures.
+          auth.dkim.sign = [
+            {
+              "if" = "is_local_domain('', sender_domain) || sender_domain == 'lists.mathebau.de'";
+              "then" = "['rsa-' + sender_domain, 'ed25519-' + sender_domain]";
+            }
+            {"else" = false;}
+          ];
+
          authentication.fallback-admin = {
            user = "admin";
            # see passwd on azathoth for plaintext or machine secret in encoded format for HTTP Basic AUTH
Author	SHA1	Message	Date
Gonne	b3ac11ddc9	Group config parameters	2025-03-02 14:05:28 +01:00
Gonne	654922c40a	Enable DKIM signing	2025-03-02 14:03:36 +01:00
Gonne	a486d42e1c	Filter out catch-all addresses of the form "@domain.tld" from the allowlist that are not intended for HRZ	2025-03-02 14:03:36 +01:00
Gonne	74e5df98b1	Set sender and increase redirect limit for our alias file	2025-03-02 14:03:32 +01:00