feat: enable mail transport security policies

2026-06-01 14:15:16 -07:00 · 2026-06-01 14:15:16 -07:00 · c82a15b415
commit c82a15b415
parent f9f75eb4cd
3 changed files with 27 additions and 3 deletions
--- a/modules/caddy.nix
+++ b/modules/caddy.nix
@ -77,6 +77,22 @@
        '';
      };

+      "mta-sts.extremist.software" = {
+        extraConfig = ''
+          handle /.well-known/mta-sts.txt {
+            header Content-Type "text/plain"
+            respond `version: STSv1
+mode: enforce
+mx: mail.extremist.software
+max_age: 604800
+`
+          }
+          handle {
+            respond 404
+          }
+        '';
+      };
+
      "search.extremist.software" = {
        extraConfig = ''
          rate_limit {
--- a/modules/mail.nix
+++ b/modules/mail.nix
@ -4,8 +4,7 @@
  services.stalwart = {
    enable = true;
    stateVersion = config.system.stateVersion;
-    # Let stalwart open its own ports if needed for the main services
-    openFirewall = true;
+    openFirewall = false;

    settings = {
      server = {
@ -24,6 +23,11 @@
            protocol = "smtp";
            tls.implicit = true;
          };
+          submission = {
+            bind = "[::]:587";
+            protocol = "smtp";
+            tls.implicit = false;
+          };
          imaps = {
            bind = "[::]:993";
            protocol = "imap";