diff --git a/default.nix b/default.nix
index 58ab271..e4d8785 100644
--- a/default.nix
+++ b/default.nix
@@ -422,6 +422,19 @@ in
       '';
     };
 
+    dkimKeyBits = mkOption {
+        type = types.int;
+        default = 1024;
+        description = ''
+            How many bits in generated DKIM keys. RFC6376 advises minimum 1024-bit keys.
+
+            If you have already deployed a key with a different number of bits than specified
+            here, then you should use a different selector (dkimSelector). In order to get
+            this package to generate a key with the new number of bits, you will either have to
+            change the selector or delete the old key file.
+        '';
+    };
+
     debug = mkOption {
       type = types.bool;
       default = false;
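Review bot: `types.int` on the new `dkimKeyBits` option accepts any integer, so a value below the 1024-bit floor the description itself cites (or zero, or a negative number) passes evaluation and is presumably only rejected, if at all, by opendkim-genkey at activation time in mail-server/opendkim.nix. Enforce the floor in the option type, e.g. `type = types.ints.between 1024 4096;` (or `type = types.addCheck types.int (b: b >= 1024);` if no upper bound is wanted), so a misconfiguration fails at evaluation with a clear message. The description could also mention that RFC 8301, which updates RFC 6376, treats 1024 as the minimum and recommends 2048-bit keys, so the default is the floor rather than the recommended size.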
diff --git a/mail-server/opendkim.nix b/mail-server/opendkim.nix
index 33e2e06..d381519 100644
--- a/mail-server/opendkim.nix
+++ b/mail-server/opendkim.nix
@@ -33,6 +33,7 @@ let
           then
               ${pkgs.opendkim}/bin/opendkim-genkey -s "${cfg.dkimSelector}" \
                                                    -d "${dom}" \
+                                                   --bits="${toString cfg.dkimKeyBits}" \
                                                    --directory="${cfg.dkimKeyDirectory}"
               mv "${cfg.dkimKeyDirectory}/${cfg.dkimSelector}.private" "${dkim_key}"
               mv "${cfg.dkimKeyDirectory}/${cfg.dkimSelector}.txt" "${dkim_txt}"
diff --git a/tests/extern.nix b/tests/extern.nix
index 78a5266..301b0ff 100644
--- a/tests/extern.nix
+++ b/tests/extern.nix
@@ -38,6 +38,7 @@ import <nixpkgs/nixos/tests/make-test.nix> {
               fqdn = "mail.example.com";
               domains = [ "example.com" "example2.com" ];
               rewriteMessageId = true;
+              dkimKeyBits = 1535;
 
               loginAccounts = {
                   "user1@example.com" = {
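Review bot: The value 1535 carries no explanation at the point it is set, so a reader may read it as a typo of 1536. A one-line comment such as `dkimKeyBits = 1535; # deliberately non-default, non-round size so the "dkim has user-specified size" subtest can tell the option is honoured` documents the intent. Note that with this override the 1024-bit default path is no longer exercised by this test.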
@@ -321,6 +322,10 @@ import <nixpkgs/nixos/tests/make-test.nix> {
         $client->succeed("grep 'Received: from mail.example.com' ~/mail/*");
       };
 
+      subtest "dkim has user-specified size", sub {
+        $server->succeed("openssl rsa -in /var/dkim/example.com.mail.key -text -noout | grep 'Private-Key: (1535 bit)'");
+      };
+
       subtest "dkim singing, multiple domains", sub {
           $client->execute("rm ~/mail/*");
           # send email from user2 to user1
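Review bot: The pattern `'Private-Key: (1535 bit)'` in the new subtest is tied to the older openssl text layout; OpenSSL 1.1.1 and later print the prime count after the size (e.g. `Private-Key: (1535 bit, 2 primes)`, with an `RSA ` prefix on 1.1.1), so the check fails on current releases even when the key has the requested size. Match only the size, e.g. `grep 'Private-Key: (1535 bit'`, so the assertion does not depend on the trailing text. The key path `/var/dkim/example.com.mail.key` is hard-coded and presumably mirrors the `${dkim_key}` naming in opendkim.nix, which is not visible in this diff, so it should be confirmed against that definition. The enclosing test script continues outside the hunk.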