-rw-r--r--os/kay/modules/services/mail/default.nix26
-rw-r--r--os/kay/modules/services/mail/secrets.yaml8
2 files changed, 26 insertions, 8 deletions
diff --git a/os/kay/modules/services/mail/default.nix b/os/kay/modules/services/mail/default.nix
index 01f44bb..7838801 100644
--- a/os/kay/modules/services/mail/default.nix
+++ b/os/kay/modules/services/mail/default.nix
@@ -22,11 +22,13 @@ in
sops.secrets = {
"mail.${domain}/dkim_rsa".sopsFile = ./secrets.yaml;
"mail.${domain}/dkim_ed25519".sopsFile = ./secrets.yaml;
- "mail.${domain}/password".sopsFile = ./secrets.yaml;
+ "mail.${domain}/password/admin".sopsFile = ./secrets.yaml;
+ "mail.${domain}/password/noreply".sopsFile = ./secrets.yaml;
};
systemd.services.stalwart-mail.serviceConfig.LoadCredential = [
- "password:${config.sops.secrets."mail.${domain}/password".path}"
+ "password_admin:${config.sops.secrets."mail.${domain}/password/admin".path}"
+ "password_noreply:${config.sops.secrets."mail.${domain}/password/noreply".path}"
"dkim_rsa:${config.sops.secrets."mail.${domain}/dkim_rsa".path}"
"dkim_ed25519:${config.sops.secrets."mail.${domain}/dkim_ed25519".path}"
@@ -151,23 +153,37 @@ in
directory."memory" = {
type = "memory";
-
principals = [
{
class = "admin";
name = "${username}@${domain}";
- secret = "%{file:${credentials_directory}/password}%";
+ secret = "%{file:${credentials_directory}/password_admin}%";
inherit email;
}
{
+ class = "individual";
+ name = "no-reply@${domain}";
+ secret = "%{file:${credentials_directory}/password_noreply}%";
+ email = [ "no-reply@${domain}" ];
+ }
+ {
# for mta-sts & dmarc reports
class = "individual";
name = "reports@${domain}";
- secret = "%{file:${credentials_directory}/password}%";
+ secret = "%{file:${credentials_directory}/password_admin}%";
email = [ "reports@${domain}" ];
}
];
};
+
+ sieve.trusted.scripts.noreply_reject_ingress.contents = ''
+ require ["envelope", "reject"];
+
+ if envelope :localpart :is "to" "no-reply" {
+ reject "550 This is a no-reply address";
+ stop;
+ }
+ '';
};
};
}
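Review bot: The `reports@${domain}` principal still reads `password_admin`, so an individual mailbox that receives MTA-STS and DMARC reports authenticates with the same secret as the `admin`-class account, and a leak of either credential exposes both. Giving it its own entry, for example `secret = "%{file:${credentials_directory}/password_reports}%";` backed by a `"mail.${domain}/password/reports"` sops secret and a matching `LoadCredential` line in the first hunk, would finish the split this commit starts for `no-reply`. Separately, `noreply_reject_ingress` is only defined here and nothing visible in the hunk attaches it to an SMTP stage, so it is worth confirming that the RCPT-stage script setting elsewhere in the file references it; otherwise mail addressed to `no-reply` would presumably still be accepted. The enclosing settings attrset begins outside the hunk.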
diff --git a/os/kay/modules/services/mail/secrets.yaml b/os/kay/modules/services/mail/secrets.yaml
index e3b4c5d..e2dee47 100644
--- a/os/kay/modules/services/mail/secrets.yaml
+++ b/os/kay/modules/services/mail/secrets.yaml
@@ -1,7 +1,9 @@
mail.sinanmohd.com:
dkim_rsa: ENC[AES256_GCM,data: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,iv:W8YAldq0KjrNe7WhGSUNI2+bq2CJrLhq+XPQVR9QsBo=,tag:LRfmBBFuFR8QR8pCj8OzSw==,type:str]
dkim_ed25519: ENC[AES256_GCM,data:gmI789Z7c9QZMRWOD300cDw0vLNLv4VMhV2jF4M/1roraLqKE/2cA4qv9i8qFmBMJjsq3iUKJBUJ+tBLsUkIR9UnwplQDjAyNaMZsxg0eT3HyssUZ2w2Dnd+EdJb+n/fGwsezHizYORz5qVU/ZUuSiCtuE4LEg==,iv:eAmJgIu++veapN1M3sYkYPAMP8CROFWdDIBmkXuzofw=,tag:hkCDPDDCBxE7DXSuSBFsGg==,type:str]
- password: ENC[AES256_GCM,data:LJi8+a1dGus+XLt3k/K/3Mb0tNUJj7HDpPdqfYhU,iv:Iurz9YegxJ/coDQ6PbezeSni2DWYzpzlju6mJ90WLe8=,tag:2HgYlwDGqaklpdc+LOA0bQ==,type:str]
+ password:
+ admin: ENC[AES256_GCM,data:g3trECMERFDilTfUjkGp5u83f3HsstfAnRI9V8R6,iv:qNs9Yt5CcZib20xZFACN76lMeQ6BqiQoOvi3/ILqIog=,tag:/gfnfw+ht2J8E4Dg33oK2w==,type:str]
+ noreply: ENC[AES256_GCM,data:0fslUDX7t8s+xkQVw/IacsmU59tzmHCWKTRvFG1YIpk=,iv:053B9GXdHc1xWRpAcmULMXWuIW/n+XNi8Iqbsc931LI=,tag:87YqBmntu5/ja04oW8vuGg==,type:str]
sops:
age:
- recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv
@@ -22,7 +24,7 @@ sops:
enJZVFAxdEprdTVzbC8yWGJyWnFNREkK3/OgnLjS/sj4MzZPLH3QhEWd6WKiu4nM
wRNvhl7nDe1IwLoHbNSqTwEkalyEA3yIVlst3KyEpKb5q9H2+avqAQ==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-12-27T03:23:15Z"
- mac: ENC[AES256_GCM,data:vlks8inOi7qmCKmx1SsCf1ipbwMNFfHsJGny4YGCUr+GWvvtdsLXsf8+AGUfoDa/2fBp7Wv2h1HIx1QY1JX3JgzKoyjEa1rRczJyWW9C/sR5UjyjUa0/t1MNMB7X1l9GGZObDQj9lrWm1e9JUIR6+63mESeykUzh3Wt8qhEgBAo=,iv:l1JWmFqR3lvsyYbPzHzCT6/Yj5qAvMv18jhhXdh2Ex4=,tag:JgXSqfeFVHzg5SeP/5bE+g==,type:str]
+ lastmodified: "2025-12-27T03:41:02Z"
+ mac: ENC[AES256_GCM,data:UFyN6ZIwX55mLnnamYyaxD+3Bg1ib12xfqp8nADPL/42f+moYKcI/hrqEVliMSvQMCDfsjELxOcmWSoQQcduvx4WNS3cF05sFuVL8LhAA98gVURERh86OlRkKBrTYIUExGTP4cocqBibuo1zoHEMnz9aJLeqwy868SH0gTzTAyM=,iv:ndsJysYLhYz2f5ZHaaP7vgVLJHTB/WsBNqoGTbBIghE=,tag:fWU94w4qKmbzPklKPXJQUQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0