opendkim no TrustedHosts/InternalHosts file: opendkim will not sign mail from an internal "trusted" network.
When you have an internal network (via services.postfix.networks), opendkim won't sign outgoing mail coming from the internal network.
This is because opendkim doesn't know it's safe to sign, and you get something like this in the log:
opendkim[8564]: EB44F70C273: [10.1.1.16] [10.1.1.16] not internal
opendkim[8564]: EB44F70C273: not authenticated
opendkim[8564]: EB44F70C273: no signature data
I have it working by brute-forcing the problem like so:
put in a trustedHosts file like:
trustedHosts = pkgs.writeText "opendkim-TrustedHosts" ''
127.0.0.1
::1
10.0.0.0/8
example.com
'';
and then in the config section for opendkim:
InternalHosts refile:${trustedHosts}
This obviously is not even remotely patch-friendly.
This variable should probably be called internalHosts, not trustedHosts, but when searching the web for dkim errors like this, all of the non-official documentation calls it 'TrustedHosts', so I left it trustedHosts for now.
I tried to do something like:
trustedHosts = pkgs.writeText "opendkim-TrustedHosts"
  (lib.concatStringsSep "\n" (lib.flip map cfg.domains (dom: "${dom}")))
  ++ (lib.concatStringsSep "\n" (lib.flip map config.services.postfix.networks (net: "${net}")));
but I get an error:
error: value is a set while a list was expected, at
I'm new to nix and not sure how to fix that, so I have some more learning to do. I expect this is because lib.flip's map is giving me a type error, since config.services.postfix.networks is not the same data type as cfg.domains, but I don't know that for sure at this point, and haven't had a chance to dig into it yet.
Anyways, I think the above idea will work once the technical bit is worked out. Basically the idea is to write out, one per line, the config.services.postfix.networks and the cfg.domains information, so that all of it is considered trusted by opendkim for signing.
Help in getting the above to work would speed up a PR, assuming a PR is even wanted.
In the meantime, my brute-forced hack works, for others having this issue.
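An added example (not from the issue above and not code from the nixpkgs module) of building the InternalHosts list from the postfix relay networks plus the signing domains, one entry per line, and wiring it in through services.opendkim.configFile. It assumes that services.postfix.networks is a list of strings or null when unset, and that dkimDomains is a list defined here rather than taken from cfg.domains, whose option type should be checked against the module before reusing it. The `++` in the attempt above is applied to the derivation that pkgs.writeText returns, which is a set; joining the two lists before concatStringsSep is what produces a single file. Note the security angle of this file: every host or network it lists can get mail signed with the domain key, so it should cover the actual relay networks rather than a whole RFC 1918 range unless that is intended.

```nix
# Added example, not the issue author's or the module's code.
# Assumptions: services.postfix.networks is `listOf str` or null,
# dkimDomains is our own list; check option types in your nixpkgs revision.
{ config, lib, pkgs, ... }:

let
  # Domains whose mail we sign. Kept explicit rather than read from
  # config.services.opendkim.domains, whose option type is not established here.
  dkimDomains = [ "example.com" ];

  # Relay networks allowed to submit mail for signing. Guard the null default
  # so the list concatenation below never sees a non-list value.
  relayNetworks =
    if config.services.postfix.networks == null
    then [ ]
    else config.services.postfix.networks;

  # One host, CIDR or domain per line. Loopback must be included, otherwise
  # local submission is also reported as "not internal".
  # ++ joins the lists first; the joined string is then passed to writeText.
  internalHostsFile = pkgs.writeText "opendkim-InternalHosts"
    (lib.concatStringsSep "\n" ([ "127.0.0.1" "::1" ] ++ relayNetworks ++ dkimDomains) + "\n");

  # Plain file dataset (a "refile:" prefix would make opendkim treat each
  # line as a regular expression, which is not wanted for a host list).
  opendkimExtraConf = pkgs.writeText "opendkim-extra.conf" ''
    InternalHosts ${internalHostsFile}
  '';
in
{
  services.postfix = {
    enable = true;
    # Constructed sample: loopback plus one internal /24, not a whole /8.
    networks = [ "127.0.0.0/8" "[::1]/128" "10.1.1.0/24" ];
  };

  services.opendkim = {
    enable = true;
    selector = "mail";
    # The module's own string option (csl: form); adjust per module docs.
    domains = "csl:example.com";
    configFile = opendkimExtraConf;
  };
}
```

After a rebuild, `cat` the store path referenced by InternalHosts in the generated extra config to confirm the expected lines, then send a message from a host inside 10.1.1.0/24 and check that the "not internal" log lines are gone and a DKIM-Signature header is present.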