Skip to content

mailserver: Enable ARC signing #634

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

mailserver: Enable ARC signing #634

wants to merge 1 commit into from
+55 −0

Conversation

mweinelt
Copy link
Member

Works similarly to DKIM and uses the same keys. Went for a 2048 bit RSA key for compat reasons. Larger ones are probably too large to put them into DNS.

Untested.

@mweinelt mweinelt requested a review from a team as a code owner April 11, 2025 00:32
@mweinelt mweinelt changed the title mailserver: enable arc signing mailserver: Enable ARC signing Apr 11, 2025
@mweinelt
mailserver: Enable ARC signing
4c073e4 
Works similarly to DKIM and uses the same keys. Went for a 2048 bit RSA
key for compat reasons. Larger ones are probably too large to put them
into DNS.
@mweinelt mweinelt linked an issue Apr 11, 2025 that may be closed by this pull request
Investigate why ARC doesn't seem to be working with nixos.org (umbriel) mailserver #631
Open
jfly
jfly reviewed Apr 11, 2025
View reviewed changes
Copy link
Contributor

@jfly jfly left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for tackling this! Code looks reasonable to me, I also have not tested it. I can deploy a version of this to my personal mailserver next week if that would be helpful.

Is ARC generally applicable for SNM users? Or is it really only useful if you're operating mailing lists and forwarding emails onto other domains? If it's generally applicable, I'd like to submit these instructions to the SNM setup guide.

non-critical-infra/modules/mailserver/default.nix
@@ -41,6 +47,26 @@
path = "${config.mailserver.dkimKeyDirectory}/nixos.org.mail.key";
};

sops.secrets."nixos.org.${arc.selector}.key" = {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we reload rspamd.service when this changes? Please include restartUnits if appropriate.

Copy link
Member

@Mic92 Mic92 May 1, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks similar to mine: https://github.com/Mic92/dotfiles/blob/main/machines/eve/modules/rspamd/rspamd.nix

dns/nixos.org.js
@@ -19,6 +19,7 @@ D("nixos.org",
DMARC_BUILDER({
policy: "none",
}),
TXT("arc-2025._domainkey", "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwFK4Z4C0D3ea7Avv+oI25PS6WjcOh3A/2URanFtY6+oLpbtFdZi/Z/ou2VPTNcS1QUxw5pSmV4L1fcaVqM+elPHq1GN/38TkpwcZEnSHK5tX0PS5Jae2Q+e68yEZAwNDi5abjXswehuxX/F9R4GXpC/tOEyeHP8xfvRmDUq3mgIgWpfCcvdwQvxp25/umufjqGHdQXuq9/9yfpAL72hUXbOrvQ5hd56U7tv0/llIs5CyaGU76hA4kRXkd+iYUxcITzLjbc3ZRhIDs9b0zv0z2YPYgVgj2GiKL+TdcQ9z5Y5M0H4EGq6/Gn5fUILGRkCaBGvE3s3mY/aYUCvv4v0W9wIDAQAB"),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Could we add a comment here helping people understand where the other half of this is? For example, see this DKIM comment.

non-critical-infra/modules/mailserver/default.nix
owner = "rspamd";
group = "rpsamd";
mode = "0400";
# rspamadm dkim_keygen --selector arc-2025 --domain nixos.org --type rsa --bits 2048
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Could you elaborate on this a bit? Specifically where the public half of this comes from? See

infra/non-critical-infra/modules/mailserver/default.nix

Lines 24 to 36 in d30eea2

# How to generate:
#
# ```console
# cd non-critical-infra
# DOMAIN=nixos.org
# SELECTOR=mail
# PRIVATE_KEY_PATH=secrets/$DOMAIN.$SELECTOR.key.umbriel
# nix shell nixpkgs#opendkim --command opendkim-genkey --selector="$SELECTOR" --domain="$DOMAIN" --bits=1024
# mv mail.private "$PRIVATE_KEY_PATH"
# sops encrypt --in-place "$PRIVATE_KEY_PATH"
# ```
#
# Next, look at `mail.txt` and update DNS accordingly.
for how I handled this for DKIM.

jfly
jfly approved these changes Apr 11, 2025
View reviewed changes
Copy link
Contributor

@jfly jfly left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Forgot to click approve. LGTM

@mweinelt
Copy link
Member Author

Is ARC generally applicable for SNM users? Or is it really only useful if you're operating mailing lists and forwarding emails onto other domains? If it's generally applicable, I'd like to submit these instructions to the SNM setup guide.

Google and iCloud require it for bulk senders. Proposed in https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/376.

@jfly
Copy link
Contributor

jfly commented May 1, 2025

Discussed at today's infra meeting: @jfly to test this on his personal mailserver and then deploy this if all looks good

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mic92 Mic92 Mic92 approved these changes

@jfly jfly jfly approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Investigate why ARC doesn't seem to be working with nixos.org (umbriel) mailserver
3 participants
@mweinelt @jfly @Mic92