diff --git a/default.nix b/default.nix
index 58ab271..e4d8785 100644
--- a/default.nix
+++ b/default.nix
@@ -422,6 +422,19 @@ in
 '';
 };
 
+ dkimKeyBits = mkOption {
+ type = types.int;
+ default = 1024;
+ description = ''
+ How many bits in generated DKIM keys. RFC6376 advises minimum 1024-bit keys.
+
+ If you have already deployed a key with a different number of bits than specified
+ here, then you should use a different selector (dkimSelector). In order to get
+ this package to generate a key with the new number of bits, you will either have to
+ change the selector or delete the old key file.
+ '';
+ };
+
 debug = mkOption {
 type = types.bool;
 default = false;
diff --git a/mail-server/opendkim.nix b/mail-server/opendkim.nix
index 33e2e06..d381519 100644
--- a/mail-server/opendkim.nix
+++ b/mail-server/opendkim.nix
@@ -33,6 +33,7 @@ let
 then
 ${pkgs.opendkim}/bin/opendkim-genkey -s "${cfg.dkimSelector}" \
 -d "${dom}" \
+ --bits="${toString cfg.dkimKeyBits}" \
 --directory="${cfg.dkimKeyDirectory}"
 mv "${cfg.dkimKeyDirectory}/${cfg.dkimSelector}.private" "${dkim_key}"
 mv "${cfg.dkimKeyDirectory}/${cfg.dkimSelector}.txt" "${dkim_txt}"
diff --git a/tests/extern.nix b/tests/extern.nix
index 78a5266..301b0ff 100644
--- a/tests/extern.nix
+++ b/tests/extern.nix
@@ -38,6 +38,7 @@ import {
 fqdn = "mail.example.com";
 domains = [ "example.com" "example2.com" ];
 rewriteMessageId = true;
+ dkimKeyBits = 1535;
 
 loginAccounts = {
 "user1@example.com" = {
@@ -321,6 +322,10 @@ import {
 $client->succeed("grep 'Received: from mail.example.com' ~/mail/*");
 };
 
+ subtest "dkim has user-specified size", sub {
+ $server->succeed("openssl rsa -in /var/dkim/example.com.mail.key -text -noout | grep 'Private-Key: (1535 bit)'");
+ };
+
 subtest "dkim singing, multiple domains", sub {
 $client->execute("rm ~/mail/*");
 # send email from user2 to user1
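Review bot: `type = types.int` on the new dkimKeyBits option accepts any integer, so `dkimKeyBits = 512` (or a negative value) is handed straight to opendkim-genkey even though the option's own description states a 1024-bit floor; constrain it at eval time with `type = types.addCheck types.int (b: b >= 1024);` (or `types.ints.between 1024 4096` where the nixpkgs in use provides it). Consider also raising the default from 1024 to 2048: RFC 8301, which updates RFC 6376, keeps 1024 only as the permitted minimum and recommends 2048 for RSA signing keys, and 1024-bit RSA is weak for a key that typically lives in DNS for years. If the default is raised, the description should warn that a 2048-bit public key yields a TXT record longer than 255 bytes, which opendkim-genkey writes as several quoted strings that some DNS front-ends do not accept verbatim. The selector-change advice in the description rests on the key only being generated when its file is absent; that guard is not visible in this hunk and is inferred from the `then` branch in opendkim.nix, so it is worth stating explicitly ("an existing key file is never regenerated") once confirmed.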
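Review bot: A later change to `dkimKeyBits` is silently ignored for an already-deployed domain, because `--bits=` only takes effect on the genkey path, and that path is presumably reached only when the key file is missing (the guarding `if` opens before this hunk and is inferred from the `then` line and from the option's description); the server then keeps signing with the old key size and nothing surfaces the drift. A cheap check on the non-generating branch, e.g. `${pkgs.openssl}/bin/openssl rsa -in "${dkim_key}" -noout -text | grep -q "(${toString cfg.dkimKeyBits} bit" || echo "warning: ${dkim_key} does not have ${toString cfg.dkimKeyBits} bits; change dkimSelector or remove the key to regenerate" >&2`, would make the mismatch visible at activation time. Note also that `cfg.dkimKeyBits` is interpolated unquoted into a shell word inside double quotes, which is safe only because the option type is an integer; if the type is ever loosened, this line becomes a shell-injection point. The enclosing shell `if`/`for` runs outside this hunk.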
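Review bot: The grep pattern `'Private-Key: (1535 bit)'` in the new subtest depends on the exact OpenSSL text-dump format; OpenSSL 3.x prints `Private-Key: (1535 bit, 2 primes)`, so the closing parenthesis stops matching once pkgs.openssl moves to 3.0 and the test fails for a reason unrelated to DKIM. Dropping the parenthesis, `grep 'Private-Key: (1535 bit'`, matches both formats. The subtest also only inspects `/var/dkim/example.com.mail.key`, so the hard-coded `/var/dkim` and `mail` selector presumably mirror the dkimKeyDirectory and dkimSelector defaults (not visible here); since the genkey loop is per domain, asserting the same for `example2.com.mail.key` would cover the multi-domain case the neighbouring subtest already exercises. The enclosing Perl test script continues outside this hunk.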