Merge branch 'dkim-rsa2048' into 'master'

Increase default DKIM key bits to 2048

Closes #333

See merge request simple-nixos-mailserver/nixos-mailserver!442
commit 958c112fba
2 changed files with 8 additions and 2 deletions
|
@ -976,9 +976,9 @@ in
|
|||
|
||||
dkimKeyBits = mkOption {
|
||||
type = types.int;
|
||||
default = 1024;
|
||||
default = 2048;
|
||||
description = ''
|
||||
How many bits in generated DKIM keys. RFC6376 advises minimum 1024-bit keys.
|
||||
How many bits in generated DKIM keys. RFC8301 suggests a minimum RSA key length of 2048 bit.
|
||||
|
||||
If you have already deployed a key with a different number of bits than specified
|
||||
here, then you should use a different selector ({option}`mailserver.dkimSelector`). In order to get
|
||||
|
|
|
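Review bot: At `default = 2048;`, every deployment that never set `dkimKeyBits` and already has a key generated under the old default of 1024 now falls into the "different number of bits than specified here" case without having changed its configuration, and the description does not say so. Suggest stating explicitly in the description that changing this value (or picking up the new default) does not replace an already deployed key and that a new `mailserver.dkimSelector` is needed to get a 2048-bit key. Separately, `type = types.int;` still accepts any integer, including values below the minimum the description cites; a bounded type such as `types.ints.between` or an assertion would reject accidental weak values at evaluation time. Minor wording: "2048 bit" should read "2048 bits".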
@ -7,9 +7,15 @@ NixOS 25.11
|
|||
- The ``systemName`` and ``systemDomain`` options have been introduced to have
|
||||
reusable configurations for automated reports (DMARC, TLSRPT). They come with
|
||||
reasonable defaults, but it is suggested to check and change them as needed.
|
||||
- The default key length for new DKIM RSA keys was increased to 2048 bits as
|
||||
recommended in `RFC 8301 3.2`_.
|
||||
We recommend rotating existing keys, as the RFC advises that signatures from
|
||||
1024 bit keys should not be considered valid any longer.
|
||||
- DMARC reports are now sent with the ``noreply-dmarc`` localpart from the
|
||||
system domain.
|
||||
|
||||
.. _RFC 8301 3.2: https://www.rfc-editor.org/rfc/rfc8301#section-3.2
|
||||
|
||||
NixOS 25.05
|
||||
-----------
|
||||
|
||||
|
|
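Review bot: The added release note sentence "signatures from 1024 bit keys should not be considered valid any longer" overstates the section it links to. As I read RFC 8301 section 3.2, signers must use at least 1024 bits and should use at least 2048, while verifiers must reject only signatures from keys of less than 1024 bits, so 1024-bit signatures are discouraged but still valid. Suggest rewording to recommend rotation because 2048 bits is the recommended signer key length, and pointing readers at `mailserver.dkimSelector`, since the option description in the other hunk says a key with a different bit length needs a different selector.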