aither/simple-nixos-mailserver
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add support for DKIM key management

Browse Source 
After bumping the generation of new DKIM keys to RSA 2048 in NixOS 25.11
key rotation for existing users could not be done safely.

To resolve this situation we now support multiple generations of
selectors per domain to enable proper DKIM key transitions as described
in RFC6376 3.1. The added documentation introduces and motivates DKIM
and guides the user through a DKIM key rotation.

Additionally, DKIM key material can now also be treated as a managed
secrets when autogenerated state on the mail server host is undesirable.

This change is fully backwards compatible in behavior and will continue
to use the previously generated DKIM key without any additional
configuration up until the point when DKIM selectors are configured
explicitly.
This commit is contained in:
Martin Weinelt
2026-03-06 02:36:42 +01:00
parent ea775773d9
commit 6ff4a50f02
11 changed files with 512 additions and 86 deletions
Download Patch File Download Diff File Expand all files Collapse all files
mail-server/systemd.nix
+2 -2
View File
@@ -66,9 +66,9 @@ in
after = [
"dovecot.service"
]
++ lib.optional cfg.dkimSigning "rspamd.service"
++ lib.optional cfg.dkim.enable "rspamd.service"
++ certificateDeps;
requires = [ "dovecot.service" ] ++ lib.optional cfg.dkimSigning "rspamd.service";
requires = [ "dovecot.service" ] ++ lib.optional cfg.dkim.enable "rspamd.service";
};
};
}