Skynet/misc_nixos-mailserver
7
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

Use rspamd for DKIM signing, drop OpenDKIM

Browse source 
OpenDKIM has not been updated in the last 7 years and failed to adopt
RFC8463, which introduces Ed25519-SHA256 signatures.

It has thereby held back the DKIM ecosystem, which relies on the DNS
system to publish its public keys. The DNS system in turn does not handle
large record sizes well (see RFC8301), which is why Ed25519 public keys
would be preferable, but I'm not sure the ecosystem has caught up, so we
stay on the conservative side with RSA for now.

Fixes: #203 #210 #279
Obsoletes: !162 !338
Supersedes: !246
This commit is contained in:
Martin Weinelt 2025-04-11 05:25:08 +02:00
parent 2c37e563fd
commit 630b5c4fdd
9 changed files with 78 additions and 123 deletions
Download patch file Download diff file Expand all files Collapse all files

40
default.nix
View file

@ -802,6 +802,19 @@ in
'';
};
dkimKeyType = mkOption {
type = types.enum [ "rsa" "ed25519" ];
default = "rsa";
description = ''
The key type used for generating DKIM keys. ED25519 was introduced in RFC6376 (2018).
If you have already deployed a key with a different type than specified
here, then you should use a different selector ({option}`mailserver.dkimSelector`). In order to get
this package to generate a key with the new type, you will either have to
change the selector or delete the old key file.
'';
};
dkimKeyBits = mkOption {
type = types.int;
default = 1024;
@ -815,26 +828,6 @@ in
'';
};
dkimHeaderCanonicalization = mkOption {
type = types.enum ["relaxed" "simple"];
default = "relaxed";
description = ''
DKIM canonicalization algorithm for message headers.
See https://datatracker.ietf.org/doc/html/rfc6376/#section-3.4 for details.
'';
};
dkimBodyCanonicalization = mkOption {
type = types.enum ["relaxed" "simple"];
default = "relaxed";
description = ''
DKIM canonicalization algorithm for message bodies.
See https://datatracker.ietf.org/doc/html/rfc6376/#section-3.4 for details.
'';
};
dmarcReporting = {
enable = mkOption {
type = types.bool;
@ -1299,7 +1292,6 @@ in
./mail-server/networking.nix
./mail-server/systemd.nix
./mail-server/dovecot.nix
./mail-server/opendkim.nix
./mail-server/postfix.nix
./mail-server/rspamd.nix
./mail-server/nginx.nix
@ -1308,5 +1300,11 @@ in
SPF checking has been migrated to Rspamd, which makes this config redundant. Please look into the rspamd config to migrate your settings.
It may be that they are redundant and are already configured in rspamd like for skip_addresses.
'')
(lib.mkRemovedOptionModule [ "mailserver" "dkimHeaderCanonicalization" ] ''
DKIM signing has been migrated to Rspamd, which always uses relaxed canonicalization.
'')
(lib.mkRemovedOptionModule [ "mailserver" "dkimBodyCanonicalization" ] ''
DKIM signing has been migrated to Rspamd, which always uses relaxed canonicalization.
'')
];
}