Add support for DKIM key management
After bumping the generation of new DKIM keys to RSA 2048 in NixOS 25.11 key rotation for existing users could not be done safely. To resolve this situation we now support multiple generations of selectors per domain to enable proper DKIM key transitions as described in RFC6376 3.1. The added documentation introduces and motivates DKIM and guides the user through a DKIM key rotation. Additionally, DKIM key material can now also be treated as a managed secrets when autogenerated state on the mail server host is undesirable. This change is fully backwards compatible in behavior and will continue to use the previously generated DKIM key without any additional configuration up until the point when DKIM selectors are configured explicitly.
This commit is contained in:
Martin Weinelt
@@ -21,7 +21,7 @@ Maildir.
|
||||
|
||||
To backup spam and ham training data, backup ``/var/lib/redis-rspamd``.
|
||||
|
||||
Finally you can (optionally) make a backup of ``/var/dkim`` (or whatever
|
||||
you specified as ``dkimKeyDirectory``). If you should lose those don’t
|
||||
worry, new ones will be created on the fly. But you will need to repeat
|
||||
step ``B)5`` and correct all the ``dkim`` keys.
|
||||
Finally you can (optionally) make a backup of ``/var/dkim`` (or whatever you
|
||||
specified as :option:`mailserver.dkim.keyDirectory`). If you should lose those
|
||||
don’t worry, new ones will be created on the fly. But you will need to update
|
||||
the DKIM TXT records to reflect the new key material.
|
||||
|
||||
Reference in New Issue
Block a user