author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-07-01 22:07:52 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-07-01 22:07:52 +0200 |
commit | afcc5de071dfffdc507995d1845372ba40dc1dc2 (patch) | |
tree | c96fe6b4d915e7382316a57d0d626760a7fd2876 /modules/private/dns.nix | |
parent | 2f16a987d306cdb7bf9b4e80fa4af173373719bd (diff) | |
download | Nix-afcc5de071dfffdc507995d1845372ba40dc1dc2.tar.gz Nix-afcc5de071dfffdc507995d1845372ba40dc1dc2.tar.zst Nix-afcc5de071dfffdc507995d1845372ba40dc1dc2.zip |
Implement mta-sts and move mail services to specific domain
Diffstat (limited to 'modules/private/dns.nix')
-rw-r--r-- | modules/private/dns.nix | 16 |
1 files changed, 12 insertions, 4 deletions
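--- a/modules/private/dns.nix
+++ b/modules/private/dns.nix
@@ -94,10 +94,10 @@
 ${conf.entries}
 
 ${if lib.attrsets.hasAttr "withEmail" conf && lib.lists.length conf.withEmail > 0 then ''
-mail IN A ${myconfig.env.servers.immaeEu.ips.main.ip4}
 mx-1 IN A ${myconfig.env.servers.eldiron.ips.main.ip4}
-${builtins.concatStringsSep "\n" (map (i: "mail IN AAAA ${i}") myconfig.env.servers.immaeEu.ips.main.ip6)}
+mx-2 IN A ${myconfig.env.servers.immaeEu.ips.main.ip4}
 ${builtins.concatStringsSep "\n" (map (i: "mx-1 IN AAAA ${i}") myconfig.env.servers.eldiron.ips.main.ip6)}
+${builtins.concatStringsSep "\n" (map (i: "mx-2 IN AAAA ${i}") myconfig.env.servers.immaeEu.ips.main.ip6)}
 ${lib.concatStringsSep "\n\n" (map (e:
 let
 n = if e.domain == "" then "@" else "${e.domain} ";
@@ -105,8 +105,8 @@
 in
 ''
 ; ------------------ mail: ${n} ---------------------------
-${n} IN MX 10 mail.${conf.name}.
-${n} IN MX 50 mx-1.${conf.name}.
+${n} IN MX 10 mx-1.${conf.name}.
+${n} IN MX 20 mx-2.${conf.name}.
 
 ; https://tools.ietf.org/html/rfc6186
 _submission._tcp${suffix} SRV 0 1 587 smtp.immae.eu.
@@ -116,6 +116,14 @@
 _pop3s._tcp${suffix} SRV 10 1 995 pop3.immae.eu.
 _sieve._tcp${suffix} SRV 0 1 4190 imap.immae.eu.
 
+; MTA-STS
+; https://blog.delouw.ch/2018/12/16/using-mta-sts-to-enhance-email-transport-security-and-privacy/
+; https://support.google.com/a/answer/9261504
+_mta-sts${suffix} IN TXT "v=STSv1;id=20190630054629Z"
+_smtp._tls${suffix} IN TXT "v=TLSRPTv1;rua=mailto:postmaster+mta-sts@immae.eu"
+mta-sts${suffix} IN A ${myconfig.env.servers.eldiron.ips.main.ip4}
+${builtins.concatStringsSep "\n" (map (i: "mta-sts${suffix} IN AAAA ${i}") myconfig.env.servers.eldiron.ips.main.ip6)}
+
 ; Mail sender authentications
 ${n} IN TXT "v=spf1 mx ~all"
 _dmarc${suffix} IN TXT "v=DMARC1; p=none; adkim=r; aspf=r; fo=1; rua=mailto:postmaster+rua@immae.eu; ruf=mailto:postmaster+ruf@immae.eu;"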
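Review bot: The `id=20190630054629Z` literal in the new `_mta-sts${suffix}` TXT record is a bare timestamp baked into a template that is emitted for every domain in `withEmail`, with nothing saying when it has to change; under RFC 8461 sending MTAs cache the fetched policy and only refetch it when this id differs, so a later change to the policy file (served from the `mta-sts${suffix}` host added here, outside this file) without a matching id bump silently leaves old caches in force. I would hoist the value into a named binding in the `let` and put `; RFC 8461: bump this id every time the served mta-sts.txt policy changes — caches only refresh on a new id` above the record. It is also worth a one-line note that the policy's `mx:` entries must match the `mx-1`/`mx-2` names introduced in the first hunk, since the old `mail` host is gone. The `map (e: ...` expression and its `let` block start before the first hunk and the `suffix` binding is not visible in it.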