authorsinanmohd <sinan@sinanmohd.com>2025-12-27 09:17:51 +0530
committersinanmohd <sinan@sinanmohd.com>2025-12-27 09:22:29 +0530
commit52a1db773e5e5d8bc0a803f537ef074c63a84b54 (patch)
tree7cd7371a9ecbcee1572229d1d53cfdc1ac15c75a /os/kay/modules/services/mail/default.nix
parent5b32b947de3ac1adb4317e9c92094d67561d1230 (diff)
chore(os/kay/mail): init noreply
Diffstat (limited to 'os/kay/modules/services/mail/default.nix')
-rw-r--r--os/kay/modules/services/mail/default.nix26
1 files changed, 21 insertions, 5 deletions
diff --git a/os/kay/modules/services/mail/default.nix b/os/kay/modules/services/mail/default.nix
index 01f44bb..7838801 100644
--- a/os/kay/modules/services/mail/default.nix
+++ b/os/kay/modules/services/mail/default.nix
@@ -22,11 +22,13 @@ in
sops.secrets = {
"mail.${domain}/dkim_rsa".sopsFile = ./secrets.yaml;
"mail.${domain}/dkim_ed25519".sopsFile = ./secrets.yaml;
- "mail.${domain}/password".sopsFile = ./secrets.yaml;
+ "mail.${domain}/password/admin".sopsFile = ./secrets.yaml;
+ "mail.${domain}/password/noreply".sopsFile = ./secrets.yaml;
};
systemd.services.stalwart-mail.serviceConfig.LoadCredential = [
- "password:${config.sops.secrets."mail.${domain}/password".path}"
+ "password_admin:${config.sops.secrets."mail.${domain}/password/admin".path}"
+ "password_noreply:${config.sops.secrets."mail.${domain}/password/noreply".path}"
"dkim_rsa:${config.sops.secrets."mail.${domain}/dkim_rsa".path}"
"dkim_ed25519:${config.sops.secrets."mail.${domain}/dkim_ed25519".path}"
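Review bot: `reports@${domain}` gets no secret of its own here: `sops.secrets` and `LoadCredential` gain only the `admin` and `noreply` entries, and the second hunk points the reports principal at `password_admin`. A mailbox that only collects MTA-STS and DMARC reports therefore authenticates with the same password as the `admin`-class principal, so a leak of that one value exposes both accounts. Consider adding `"mail.${domain}/password/reports".sopsFile = ./secrets.yaml;` with a matching `password_reports:` entry in `LoadCredential`, and using `%{file:${credentials_directory}/password_reports}%` for that principal. The `LoadCredential` list continues past the end of this hunk.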
@@ -151,23 +153,37 @@ in
directory."memory" = {
type = "memory";
-
principals = [
{
class = "admin";
name = "${username}@${domain}";
- secret = "%{file:${credentials_directory}/password}%";
+ secret = "%{file:${credentials_directory}/password_admin}%";
inherit email;
}
{
+ class = "individual";
+ name = "no-reply@${domain}";
+ secret = "%{file:${credentials_directory}/password_noreply}%";
+ email = [ "no-reply@${domain}" ];
+ }
+ {
# for mta-sts & dmarc reports
class = "individual";
name = "reports@${domain}";
- secret = "%{file:${credentials_directory}/password}%";
+ secret = "%{file:${credentials_directory}/password_admin}%";
email = [ "reports@${domain}" ];
}
];
};
+
+ sieve.trusted.scripts.noreply_reject_ingress.contents = ''
+ require ["envelope", "reject"];
+
+ if envelope :localpart :is "to" "no-reply" {
+ reject "550 This is a no-reply address";
+ stop;
+ }
+ '';
};
};
}
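Review bot: The `noreply_reject_ingress` script is defined under `sieve.trusted.scripts`, but none of the lines added to this file reference it from an SMTP session stage, so as far as this diff shows nothing invokes it. If it is not hooked up elsewhere, mail addressed to `no-reply@${domain}` is still accepted and delivered to the new principal. The script probably needs to be named in the RCPT-stage setting (`session.rcpt.script`, to be confirmed against the Stalwart version in use), and a one-line comment above the script saying which stage runs it would help. Also note that `:localpart :is "no-reply"` matches only the exact local part, so a subaddressed recipient would not be rejected if subaddressing is enabled.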