jfly left a comment
Thanks for tackling this! Code looks reasonable to me, I also have not tested it. I can deploy a version of this to my personal mailserver next week if that would be helpful.
Is ARC generally applicable for SNM users? Or is it really only useful if you're operating mailing lists and forwarding emails onto other domains? If it's generally applicable, I'd like to submit these instructions to the SNM setup guide.
| path = "${config.mailserver.dkimKeyDirectory}/nixos.org.mail.key"; | ||
| }; | ||
|
|
||
| sops.secrets."nixos.org.${arc.selector}.key" = { |
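Review bot: the ARC secret is declared without `restartUnits`, so a rotated key gets written to disk while the running rspamd keeps using the old one until someone restarts it by hand; add `restartUnits = [ "rspamd.service" ];` to this secret so sops-nix restarts the service on change. Also confirm that the file path rspamd's ARC configuration reads matches this secret's `path`: the DKIM entry above points at `nixos.org.mail.key`, and the ARC key needs its own path carrying the `arc-2025` selector.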
Should we reload rspamd.service when this changes? Please include restartUnits if appropriate.
Looks similar to mine: https://github.com/Mic92/dotfiles/blob/main/machines/eve/modules/rspamd/rspamd.nix
| DMARC_BUILDER({ | ||
| policy: "none", | ||
| }), | ||
| TXT("arc-2025._domainkey", "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwFK4Z4C0D3ea7Avv+oI25PS6WjcOh3A/2URanFtY6+oLpbtFdZi/Z/ou2VPTNcS1QUxw5pSmV4L1fcaVqM+elPHq1GN/38TkpwcZEnSHK5tX0PS5Jae2Q+e68yEZAwNDi5abjXswehuxX/F9R4GXpC/tOEyeHP8xfvRmDUq3mgIgWpfCcvdwQvxp25/umufjqGHdQXuq9/9yfpAL72hUXbOrvQ5hd56U7tv0/llIs5CyaGU76hA4kRXkd+iYUxcITzLjbc3ZRhIDs9b0zv0z2YPYgVgj2GiKL+TdcQ9z5Y5M0H4EGq6/Gn5fUILGRkCaBGvE3s3mY/aYUCvv4v0W9wIDAQAB"), |
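Review bot: the TXT record carries a bare public key with nothing saying which private key it belongs to; add a comment naming the sops secret (`nixos.org.arc-2025.key`) and the `rspamadm dkim_keygen` command that produced it, the same way the existing DKIM record is annotated. After the zone is pushed, `dig +short TXT arc-2025._domainkey.nixos.org` should return exactly this `v=DKIM1; k=rsa; p=...` string; if the provider will not accept it as a single string longer than 255 bytes, the value has to be split into chunks for the record to resolve.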
nit: Could we add a comment here helping people understand where the other half of this is? For example, see this DKIM comment.
| owner = "rspamd"; | ||
| group = "rpsamd"; | ||
| mode = "0400"; | ||
| # rspamadm dkim_keygen --selector arc-2025 --domain nixos.org --type rsa --bits 2048 |
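Review bot: `group = "rpsamd"` is a typo for `rspamd`; sops-nix will try to chown the secret to a group that does not exist and activation fails. With `mode = "0400"` only the owner can read the file anyway, so the group only has to be a valid one. The `rspamadm dkim_keygen` comment is the right place to say that the command prints both halves of the key pair and that the `p=` value in the zone file is the public half of this same key.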
nit: Could you elaborate on this a bit? Specifically where the public half of this comes from? See infra/non-critical-infra/modules/mailserver/default.nix, lines 24 to 36 in d30eea2.
jfly left a comment
Forgot to click approve. LGTM
Google and iCloud require it for bulk senders. Proposed in https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/376.
Discussed at today's infra meeting: @jfly to test this on his personal mailserver and then deploy this if all looks good
@mweinelt, I deployed a version of this to my personal mailserver and while it didn't break anything, I couldn't find any evidence of this doing anything. Emails I sent directly as a SMTP-authenticated user, and emails I relay through it all don't show any ARC related headers when they land in my personal gmail. I also don't see anything showing up in rspamd logs.
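The check described in the comment above, as an added example that is not part of this PR or of nixos-mailserver: a sealing hop adds one set of three headers per instance (ARC-Seal, ARC-Message-Signature, ARC-Authentication-Results, RFC 8617), so the quickest way to tell whether rspamd's ARC module ran is to look for that set in a received message and confirm it names the expected domain and selector. The domain `nixos.org` and selector `arc-2025` are taken from the PR; the two sample messages and every `b=`/`bh=` value are constructed placeholders, so no signature is cryptographically verified, only the presence and shape of the headers.

```python
"""Inspect the ARC header sets (RFC 8617) that a sealing hop adds to a message.
Added example, not code from the PR or nixos-mailserver; "nixos.org" and "arc-2025"
come from the PR, the sample messages and b=/bh= values are constructed placeholders.
"""
from collections import defaultdict

ARC_HEADERS = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")

# Constructed: a message after one sealing hop at nixos.org (instance i=1).
SEALED_SAMPLE = """\
ARC-Seal: i=1; a=rsa-sha256; t=1700000000; cv=none; d=nixos.org; s=arc-2025;
 b=CONSTRUCTED/PLACEHOLDER+SEAL==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=nixos.org;
 s=arc-2025; h=from:to:subject:date:message-id; bh=CONSTRUCTED=;
 b=CONSTRUCTED/PLACEHOLDER+AMS==
ARC-Authentication-Results: i=1; mail.nixos.org;
 dkim=pass header.d=nixos.org header.s=mail; spf=pass smtp.mailfrom=nixos.org
From: alice@nixos.org
To: bob@example.net
Subject: hello

body
"""

# Constructed: the same message without any ARC set, which is what the thread reports seeing.
UNSEALED_SAMPLE = """\
From: alice@nixos.org
To: bob@example.net
Subject: hello

body
"""

def parse_headers(raw):
    """Return (name, value) pairs from the header block, unfolding continuation lines."""
    pairs = []
    for line in raw.split("\n\n", 1)[0].splitlines():
        if line[:1] in (" ", "\t") and pairs:           # folded continuation line
            name, value = pairs[-1]
            pairs[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs

def parse_tags(value):
    """Split 'i=1; a=rsa-sha256; d=nixos.org' into {'i': '1', 'a': ..., 'd': ...}."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def arc_sets(raw):
    """Group the ARC headers by instance number: {i: {header_name: tags}}."""
    canonical = {h.lower(): h for h in ARC_HEADERS}
    sets = defaultdict(dict)
    for name, value in parse_headers(raw):
        header = canonical.get(name.lower())
        if header is None:
            continue
        tags = parse_tags(value)
        try:
            instance = int(tags.get("i", ""))
        except ValueError:
            instance = 0  # missing or malformed i= is flagged as a bogus instance 0
        sets[instance][header] = tags
    return dict(sets)

def check_arc(raw, domain, selector):
    """Report whether the message carries ARC sets and whether they look well formed."""
    sets = arc_sets(raw)
    if not sets:
        return {"sealed": False, "instances": [], "chain_result": None,
                "problems": ["no ARC headers present: sealing did not run at any hop"]}
    instances = sorted(sets)
    problems = []
    if instances != list(range(1, len(instances) + 1)):
        problems.append(f"instance numbers not contiguous from 1: {instances}")
    for i in instances:
        missing = [h for h in ARC_HEADERS if h not in sets[i]]
        if missing:
            problems.append(f"instance {i} lacks {', '.join(missing)}")
        cv = sets[i].get("ARC-Seal", {}).get("cv")
        if i == 1 and cv != "none":                 # the first seal has no prior chain
            problems.append(f"instance 1 must carry cv=none, got {cv!r}")
        if i > 1 and cv not in ("pass", "fail"):    # later seals state the chain result
            problems.append(f"instance {i} has cv={cv!r}, expected pass or fail")
        ams = sets[i].get("ARC-Message-Signature", {})
        if ams.get("d") == domain and ams.get("s") != selector:
            problems.append(f"instance {i} signed by {domain} with selector "
                            f"{ams.get('s')!r}, expected {selector!r}")
    return {"sealed": True, "instances": instances,
            "chain_result": sets[instances[-1]].get("ARC-Seal", {}).get("cv"),
            "problems": problems}

if __name__ == "__main__":
    for label, sample in (("sealed", SEALED_SAMPLE), ("unsealed", UNSEALED_SAMPLE)):
        print(label, check_arc(sample, "nixos.org", "arc-2025"))
```

Run it against a raw message saved from the receiving mailbox (Gmail's "Show original" gives the full header block): an empty result for `arc_sets` means no hop sealed the message, which matches the observation in the comment above, while a set whose `d=`/`s=` name the configured domain and selector is the evidence that the module ran. The script only inspects header shape; verifying the `b=` signatures against the published `arc-2025._domainkey` record needs a proper ARC verifier such as the one rspamd itself runs on inbound mail.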
@Mic92 also has this configured, can you give that a try? We have that for DKIM in nixos-mailserver as well.
Works similarly to DKIM and uses the same keys. Went for a 2048 bit RSA key for compat reasons. Larger ones are probably too large to put them into DNS.
I will try when I'm back at a computer!
Adding
Untested.