This migrates the security level for outgoing SMTP connections to
dane[1]. Either a server is configured for DANE or it now uses mandatory
unauthenticated TLS.
If DANE validation fails, the delivery will be tempfailed.
If DANE is invalid or unusable the connection will fall back to
unauthenticated mandatory TLS
This has been the default in various mail distributions:
- Mailcow since December 2016[2]
- mailinabox since July 2014[3]
[1] https://www.postfix.org/TLS_README.html#client_tls_dane
[2] 47a5166383
[3] e713af5f5a
OpenDKIM has not been updated in the last 7 years and failed to adopt
RFC8463, which introduces Ed25519-SHA256 signatures.
It has thereby held back the DKIM ecosystem, which relies on the DNS
system to publish its public keys. The DNS system in turn does not handle
large record sizes well (see RFC8301), which is why Ed25519 public keys
would be preferable, but I'm not sure the ecosystem has caught up, so we
stay on the conservative side with RSA for now.
Fixes: #203#210#279
Obsoletes: !162!338
Supersedes: !246
All ciphers in TLSv1.2/TLSv1.3 are considered secure, so we can allow the
client to choose the most performant cipher according to their hardware
and software configuration.
This is in line with general recommendations, e.g. by Mozilla[1].
[1] https://wiki.mozilla.org/Security/Server_Side_TLS
Both rspamd and redis run on the same host by default, so a UNIX domain
socket is the cheapest way to facilitate that communication.
It also allows us to get rid of overly complicated IP adddress parsing
logic, that we can shift onto the user if they need it.
I recently went through this, and the generated file looks a bit
different than was previously documented.
I opted to be explicit about `k=rsa` (even though [the default is
"rsa"](https://datatracker.ietf.org/doc/html/rfc6376#section-3.6.1)).
I also opted to be explicit about `s=email` ([the default is
"*"](https://datatracker.ietf.org/doc/html/rfc6376#section-3.6.1)).
Honestly not sure what the consequences of this are, I don't know if
DKIM is used for anything besides email.
The option `exclude_domains` for dmarc reporting in `rspamd`[1] allows
to configure a list of domains and/or eSLDs (external effective second level
domain) to be excluded from dmarc reports.
Helpful because e.g. dmarc reports to hotmail.com always fail for me
with the following undeliverable notification:
The recipient's mailbox is full and can't accept messages now.
[1] https://www.rspamd.com/doc/modules/dmarc.html
This is not a feature specific to the mailserver. Indeed, the feature
was added to `system.autoUpgrade.allowReboot` with NixOS 19.09 and it
has better detection if a reboot is necessary.
For the system.autoUpgrade there is no kexec option, but the use was
discouraged.
Since NixOS 19.09 autoUpgrade also has the ability to do automatic
reboots. Its detection on whether a reboot is necessary is a bit more
sophisticated. Having this option in the mail-server implied to me that
it did something additionally, though it was just a feature which was
not included in NixOS at the time it was introduced for the mail-server.
Mentioning the fact in the documentation might help people not to get
confused why they should turn the `system.autoUpgrade.allowReboot` off
and instead use the mail-servers reboot flag.
fts xapian does not publish configuration changes in a changelog. As a
result, some options that nixos mailserver was setting for it have been
ignored for several years. New options (process_limit) are now
recommended. This adapts the module to these changes.
The default value of partial= is 2, but fts_xapian 1.8.3 now requires it
to be at least 3, and fails loudly in case it is 2. As a result, this
change is required to support fts_xapian 1.8.3 and later.