mail: send mail through icloud (cringe)

flake.lock: Update
Flake lock file updates: • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/f8ef4541bb8a54a8b52f19b52912119e689529b3?narHash=sha256-0NBrY2A7buujKmeCbieopOMSbLxTu8TFcTLqAbTnQDw%3D' (2025-01-19) → 'github:nix-community/home-manager/4481a16d1ac5bff4a77c608cefe08c9b9efe840d?narHash=sha256-rk/cmrvq3In0TegW9qaAxw%2B5YpJhRWt2p74/6JStrw0%3D' (2025-01-21) • Updated input 'secrets': 'git+ssh://git@git.caspervk.net/caspervk/nixos-secrets.git?ref=refs/heads/master&rev=a5a11ce1f8e323f82dcbbe3b38ab112ce5f5fd7f' (2025-01-17) → 'git+ssh://git@git.caspervk.net/caspervk/nixos-secrets.git?ref=refs/heads/master&rev=725ccdd9169ae40d56f1b07f53918e4e27898c08' (2025-01-22)
2025-01-22 03:29:15 +01:00 · 2025-01-22 02:48:34 +01:00
2 changed files with 49 additions and 22 deletions
--- a/flake.lock
+++ b/flake.lock
@ -85,11 +85,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1737299337,
-        "narHash": "sha256-0NBrY2A7buujKmeCbieopOMSbLxTu8TFcTLqAbTnQDw=",
+        "lastModified": 1737480538,
+        "narHash": "sha256-rk/cmrvq3In0TegW9qaAxw+5YpJhRWt2p74/6JStrw0=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "f8ef4541bb8a54a8b52f19b52912119e689529b3",
+        "rev": "4481a16d1ac5bff4a77c608cefe08c9b9efe840d",
        "type": "github"
      },
      "original": {
@ -214,11 +214,11 @@
    },
    "secrets": {
      "locked": {
-        "lastModified": 1737137052,
-        "narHash": "sha256-mizVntH8Pn7tzs3/5kZH5Cd28ztfT/vfenpdvphQ4cM=",
+        "lastModified": 1737510423,
+        "narHash": "sha256-FjyBCMyzYcQUW9J7VsMB9fTVrQpYHLlLNjcZpxdMB2I=",
        "ref": "refs/heads/master",
-        "rev": "a5a11ce1f8e323f82dcbbe3b38ab112ce5f5fd7f",
-        "revCount": 53,
+        "rev": "725ccdd9169ae40d56f1b07f53918e4e27898c08",
+        "revCount": 54,
        "type": "git",
        "url": "ssh://git@git.caspervk.net/caspervk/nixos-secrets.git"
      },
--- a/hosts/sigma/mail.nix
+++ b/hosts/sigma/mail.nix
@ -11,29 +11,56 @@
  # Simple NixOS Mailserver.
  # https://nixos-mailserver.readthedocs.io
  # https://wiki.nixos.org/wiki/Imapsync
+
+  # INCOMING mail is delegated to mail.caspervk.net by each domain, e.g.
+  # vkristensen.dk.
  #
-  # DNS
-  # Each domain delegates mail-handling to mail.caspervk.net using an MX
-  # record. mail.caspervk.net MUST be an A/AAAA record *NOT* CNAME. For spam
-  # purposes, the IP-addresses pointed to by mail.caspervk.net MUST point back
-  # to mail.caspervk.net using reverse-DNS.
-  # > dig mail.caspervk.net
-  # > dig -x 1.2.3.4
-  # Mail to e.g. vkristensen.dk should be delegated to mail.caspervk.net. Each
-  # domain's DKIM key in /var/dkim/ MUST be added to its DNS zone.
-  # > dig MX vkristensen.dk
-  # > dig TXT vkristensen.dk
-  # > dig TXT mail._domainkey.vkristensen.dk
-  # > dig TXT _dmarc.vkristensen.dk
+  # vkristensen.dk.zone:
  #
+  # @                         IN  MX    10 mail.caspervk.net.
+  #
+  # For anti-spam purposes, mail.caspervk.net MUST be an A/AAAA record (not
+  # CNAME) and the IP-addresses MUST point back to mail.caspervk.net using a
+  # reverse pointer record:
+  #
+  # caspervk.net.zone:
+  #
+  # mail                      IN  A     49.13.33.75
+  # 75.33.13.49.in-addr.arpa. IN  PTR   mail.caspervk.net.
+
+  # OUTGOING mail is sent through icloud because email is a racket where the
+  # big providers only accept mail from the other big providers. Perfect
+  # SPF/DKIM? Well fuck you. If you're lucky we'll send you to spam, otherwise
+  # it's straight to /dev/null. What happened to the decentralised internet!?
+  # At least give me a chance until you've actually seen me send spam??
+  # https://www.icloud.com/icloudplus/customdomain
+  #
+  # Anyway.. Each domain delegates SPF and DMARC to mail.caspervk.net so we
+  # only have to define the policies once, and adds icloud's dkim key:
+  #
+  # vkristensen.dk.zone:
+  #
+  # @                         IN  TXT   "v=spf1 redirect=mail.caspervk.net"
+  # _dmarc                    IN  CNAME _dmarc.mail.caspervk.net.
+  # sig1._domainkey           IN  CNAME sig1.dkim.caspervk.net.at.icloudmailadmin.com.
+  #
+  # The SPF and DMARC policies are defined centrally.
+  #
+  # caspervk.net.zone:
+  #
+  #  mail                     IN  TXT   "v=spf1 ..."
+  # _dmarc.mail               IN  TXT   "v=DMARC1; ..."
+
  # Online verification tools:
+  # https://dmarcchecker.app
  # https://www.mail-tester.com/
  # https://mxtoolbox.com/deliverability
-  #
+
  # Client Setup
  # Account: casper@vkristensen.dk
  # IMAP: mail.caspervk.net:993 (SSL/TLS)
-  # SMTP: mail.caspervk.net:465 (SSL/TLS)
+  # SMTP: mail.caspervk.net:465 (SSL/TLS) TODO!
+
  mailserver = {
    enable = true;
    # Firewall is handled manually in networking.nix