17 files changed, 196 insertions, 511 deletions

diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index b50cad60..6214569a 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -12,7 +12,7 @@ let
 in {
   imports = with flake.nixosModules.systemProfiles; [
     ./hw.nix
-    ./mail ./libvirt ./greetd
+    ./email ./libvirt ./greetd
     tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager
     flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1
     flakeInputs.impermanence.nixosModules.impermanence
@@ -130,6 +130,12 @@ in {
       useNetworkd = true;
     };
 
+    environment.etc."NetworkManager/dnsmasq.d/dnssec.conf" = {
+      text = ''
+        conf-file=${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf
+        dnssec
+      '';
+    };
     environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = {
       text = ''
         except-interface=virbr0
@@ -372,19 +378,6 @@ in {
     ];
 
     services = {
-      uucp = {
-        enable = true;
-        nodeName = "sif";
-        remoteNodes = {
-          "ymir" = {
-            publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6KNtsCOl5fsZ4rV7udTulGMphJweLBoKapzerWNoLY root@ymir"];
-            hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
-          };
-        };
-
-        defaultCommands = lib.mkForce [];
-      };
-
       avahi.enable = true;
 
       fwupd.enable = true;
@@ -680,8 +673,6 @@ in {
         "/var/lib/upower"
         "/var/lib/postfix"
         "/etc/NetworkManager/system-connections"
-        { directory = "/var/uucp"; user = "uucp"; group = "uucp"; mode = "0700"; }
-        { directory = "/var/spool/uucp"; user = "uucp"; group = "uucp"; mode = "0750"; }
       ];
       files = [
       ];
diff --git a/hosts/sif/email/default.nix b/hosts/sif/email/default.nix
new file mode 100644
index 00000000..4eda236e
--- /dev/null
+++ b/hosts/sif/email/default.nix
@@ -0,0 +1,110 @@
+{ config, lib, pkgs, ... }:
+{
+  services.postfix = {
+    enable = true;
+    enableSmtp = false;
+    enableSubmission = false;
+    setSendmail = true;
+    networksStyle = "host";
+    hostname = "sif.midgard.yggdrasil";
+    destination = [];
+    recipientDelimiter = "+";
+    config = {
+      mydomain = "yggdrasil.li";
+
+      local_transport = "error:5.1.1 No local delivery";
+      alias_database = [];
+      alias_maps = [];
+      local_recipient_maps = [];
+
+      inet_interfaces = "loopback-only";
+
+      message_size_limit = "0";
+
+      authorized_submit_users = "inline:{ gkleen= }";
+      authorized_flush_users = "inline:{ gkleen= }";
+      authorized_mailq_users = "inline:{ gkleen= }";
+
+      smtp_generic_maps = "inline:{ root=root+sif }";
+
+      mynetworks = ["127.0.0.0/8" "[::1]/128"];
+      smtpd_client_restrictions = ["permit_mynetworks" "reject"];
+      smtpd_relay_restrictions = ["permit_mynetworks" "reject"];
+
+      sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
+        /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
+        /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
+        /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ smtps:smtp.math.lmu.de:465
+        /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
+      ''}'';
+      sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
+        /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
+        /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
+      ''}'';
+      relayhost = "[surtr.yggdrasil.li]:465";
+      default_transport = "relay";
+
+      smtp_sasl_auth_enable = true;
+      smtp_sender_dependent_authentication = true;
+      smtp_sasl_tls_security_options = "noanonymous";
+      smtp_sasl_mechanism_filter = ["plain"];
+      smtp_sasl_password_maps = "regexp:/run/credentials/postfix.service/sasl_passwd";
+      smtp_cname_overrides_servername = false;
+      smtp_always_send_ehlo = true;
+      smtp_tls_security_level = "dane";
+
+      smtp_tls_loglevel = "1";
+      smtp_dns_support_level = "dnssec";
+    };
+    masterConfig = {
+      submission = {
+        type = "inet";
+        private = false;
+        command = "smtpd";
+        args = [
+          "-o" "syslog_name=postfix/$service_name"
+        ];
+      };
+      smtp = { };
+      smtps = {
+        type = "unix";
+        private = true;
+        privileged = true;
+        chroot = false;
+        command = "smtp";
+        args = [
+          "-o" "smtp_tls_wrappermode=yes"
+          "-o" "smtp_tls_security_level=encrypt"
+        ];
+      };
+      relay = {
+        command = "smtp";
+        args = [
+          "-o" "smtp_fallback_relay="
+          "-o" "smtp_tls_security_level=verify"
+          "-o" "smtp_tls_wrappermode=yes"
+          "-o" "smtp_tls_cert_file=${./relay.crt}"
+          "-o" "smtp_tls_key_file=/run/credentials/postfix.service/relay.key"
+        ];
+      };
+    };
+  };
+
+  systemd.services.postfix = {
+    serviceConfig.LoadCredential = [
+      "sasl_passwd:${config.sops.secrets."postfix-sasl-passwd".path}"
+      "relay.key:${config.sops.secrets."relay-key".path}"
+    ];
+  };
+
+  sops.secrets = {
+    postfix-sasl-passwd = {
+      key = "sasl-passwd";
+      sopsFile = ./secrets.yaml;
+    };
+    relay-key = {
+      format = "binary";
+      sopsFile = ./relay.key;
+    };
+  };
+}
diff --git a/hosts/sif/email/relay.crt b/hosts/sif/email/relay.crt
new file mode 100644
index 00000000..ac13e7cb
--- /dev/null
+++ b/hosts/sif/email/relay.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBjDCCAQygAwIBAgIPQAAAAGgLfNoL/PSMAsutMAUGAytlcTAXMRUwEwYDVQQD
+DAx5Z2dkcmFzaWwubGkwHhcNMjUwNDI1MTIwOTQ1WhcNMzUwNDI2MTIxNDQ1WjAR
+MQ8wDQYDVQQDDAZna2xlZW4wKjAFBgMrZXADIQB3outi3/3F4YO7Q97WAAaMHW0a
+m+Blldrgee+EZnWnD6N1MHMwHwYDVR0jBBgwFoAUTtn+VjMw6Ge1f68KD8dT1CWn
+l3YwHQYDVR0OBBYEFFOa4rYZYMbXUVdKv98NB504GUhjMA4GA1UdDwEB/wQEAwID
+6DAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAUGAytlcQNzABC0
+0UgIt7gLZrU1TmzGoqPBris8R1DbKOJacicF5CU0MIIjHcX7mPFW8KtB4qm6KcPq
+kF6IaEPmgKpX3Nubk8HJik9vhIy9ysfINcVTvzXx8pO1bxbvREJRyA/apj10nzav
+yauId0cXHvN6g5RLAMsMAA==
+-----END CERTIFICATE-----
diff --git a/hosts/sif/email/relay.key b/hosts/sif/email/relay.key
new file mode 100644
index 00000000..412a44e0
--- /dev/null
+++ b/hosts/sif/email/relay.key
@@ -0,0 +1,19 @@
+{
+        "data": "ENC[AES256_GCM,data:lBlTuzOS75pvRmcTKT4KhHMH44RlE2SvCFAUP+GfsXws1Uai7DZ1MmbhvxxCa+pcLW19+sQYxrXLRNZWby1yOeKBJ2UQeYV5LOk9LSL/WIE3FZkCo5Dv0O0gSFKjjb61WN22a4JnHbLWADf/mLT3GZv91XfvFDo=,iv:ho8wQH3UNzX9JPW5gVcUGtxZzdVwsMFus0Z4KYe5t48=,tag:dAgZyHOva2xVVhE1nTl+lg==,type:str]",
+        "sops": {
+                "age": [
+                        {
+                                "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6eTVRSUdFNUZGZmcxSUlT\nWmlsOGNyWXIzMGNTZjlKbXlhcEdZUXFRVkR3Cll0T0RMd0h2UW16QkR3SHlhYmNZ\nNDFrYXh3Rkp5NWsvcWc3UFJJaHVwT1UKLS0tIHhXVEI0VHBZVkpDQ1FzWENjMmJH\nb1FQWXVUUTBiZ1pKWG00MTNqVEo2SjAKK3VOU+QgRuxWYWEcrJiVMRFCprBICz4F\ngD+9zuPUzPezyJkYwTs+M+wX5GYkXppqm5W58yQLS2UDD38sr+SRjg==\n-----END AGE ENCRYPTED FILE-----\n"
+                        },
+                        {
+                                "recipient": "age1fj65apkhfkrwyv5tx6zcs9nkjg8267fy733qph30sc7zfn7vapjqkd5kne",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWmJmZDVFazN2bDY1TkNG\nNXpJN2twMFFjZUxMTVdSNzJwQTFiYktrcGdrCjk4eFVHTko0bFVMSlFFWm9tbjMr\nbWNHMEQ1Rm1qUVhodlB1RGw2aDc4TUEKLS0tIERBK0J5NkN4OXJEZ1ZOZXhNc1Jm\naWNnUmZGbTIxdmNkYi9TZ2h2bGs3MVEKPQGaEf7M/5/xvSOfawpIp50fB3QfFSuz\nPgkrPMneaBeUx+uBYMyEFX4rpzLIBR3pnYMjAfoc+bjWaOtGQuEqyQ==\n-----END AGE ENCRYPTED FILE-----\n"
+                        }
+                ],
+                "lastmodified": "2025-04-25T12:14:44Z",
+                "mac": "ENC[AES256_GCM,data:pObl2bJA93az9E3Ya+hA3ekI8TKKZ9NNTi0KzmWZBOiQwi9FuQYtpnmmT80L1KXWyOKJV6wGdAri3mNe/ue2S0TziSbQ/4+Dj4ubFKgkH7thb5q2dFyxw5FzhYzRQiXFqD/pxcNN9uL0lQI2Al0Eci0zX8Kcd1rAQ6RzLEoSmco=,iv:zo/3QFKTUEDxLy1k5yyU7Z1JMZ7cKdYUc6GHjaTTZKQ=,tag:f63Eja3lBfwJCYAOyEt56g==,type:str]",
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.10.2"
+        }
+}
diff --git a/hosts/sif/mail/secrets.yaml b/hosts/sif/email/secrets.yaml
index 3c74b710..3c74b710 100644
--- a/hosts/sif/mail/secrets.yaml
+++ b/hosts/sif/email/secrets.yaml
diff --git a/hosts/sif/mail/default.nix b/hosts/sif/mail/default.nix
deleted file mode 100644
index 8d6cd705..00000000
--- a/hosts/sif/mail/default.nix
+++ /dev/null
@@ -1,70 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
-  services.postfix = {
-    enable = true;
-    enableSmtp = true;
-    enableSubmission = false;
-    setSendmail = true;
-    networksStyle = "host";
-    hostname = "sif.midgard.yggdrasil";
-    destination = [];
-    relayHost = "uucp:ymir";
-    recipientDelimiter = "+";
-    masterConfig = {
-      uucp = {
-        type = "unix";
-        private = true;
-        privileged = true;
-        chroot = false;
-        command = "pipe";
-        args = [ "flags=Fqhu" "user=uucp" ''argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)'' ];
-      };
-      smtps = {
-        type = "unix";
-        private = true;
-        privileged = true;
-        chroot = false;
-        command = "smtp";
-        args = [ "-o" "smtp_tls_wrappermode=yes" "-o" "smtp_tls_security_level=encrypt" ];
-      };
-    };
-    config = {
-      default_transport = "uucp:ymir";
-
-      inet_interfaces = "loopback-only";
-
-      authorized_submit_users = ["!uucp" "static:anyone"];
-      message_size_limit = "0";
-
-      sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
-        /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
-        /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
-        /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ smtps:smtp.math.lmu.de:465
-        /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
-      ''}'';
-      sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
-        /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
-        /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
-      ''}'';
-
-      smtp_sasl_auth_enable = true;
-      smtp_sender_dependent_authentication = true;
-      smtp_sasl_tls_security_options = "noanonymous";
-      smtp_sasl_mechanism_filter = ["plain"];
-      smtp_sasl_password_maps = "regexp:/var/db/postfix/sasl_passwd";
-      smtp_cname_overrides_servername = false;
-      smtp_always_send_ehlo = true;
-      smtp_tls_security_level = "dane";
-
-      smtp_tls_loglevel = "1";
-      smtp_dns_support_level = "dnssec";
-    };
-  };
-
-  sops.secrets.postfix-sasl-passwd = {
-    key = "sasl-passwd";
-    path = "/var/db/postfix/sasl_passwd";
-    owner = "postfix";
-    sopsFile = ./secrets.yaml;
-  };
-}
diff --git a/hosts/surtr/dns/zones/email.nights.soa b/hosts/surtr/dns/zones/email.nights.soa
index 913a88d4..34209a99 100644
--- a/hosts/surtr/dns/zones/email.nights.soa
+++ b/hosts/surtr/dns/zones/email.nights.soa
@@ -1,7 +1,7 @@
 $ORIGIN nights.email.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2023013000 ; serial
+  2025060700 ; serial
   10800      ; refresh
   3600       ; retry
   604800     ; expire
@@ -27,11 +27,7 @@ $TTL 3600
 
 _acme-challenge         IN      NS      ns.yggdrasil.li.
 
-ymir._domainkey         IN      TXT     ( 
-  "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
-  "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
-  "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
-)
+ymir._domainkey         IN      CNAME   ymir._domainkey.yggdrasil.li.
 
 _xmpp-client._tcp       IN      SRV     5 0 5222 ymir.yggdrasil.li.
 _xmpp-server._tcp       IN      SRV     5 0 5269 ymir.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/li.141.soa b/hosts/surtr/dns/zones/li.141.soa
index ab117f09..78d137bb 100644
--- a/hosts/surtr/dns/zones/li.141.soa
+++ b/hosts/surtr/dns/zones/li.141.soa
@@ -1,7 +1,7 @@
 $ORIGIN 141.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2025020900 ; serial
+  2025060701 ; serial
   10800      ; refresh
   3600       ; retry
   604800     ; expire
@@ -45,11 +45,8 @@ ymir                    IN      AAAA    2a03:4000:6:d004::
 ymir                    IN      MX      0 ymir.yggdrasil.li
 ymir                    IN      TXT     "v=spf1 redirect=ymir.yggdrasil.li"
 
-ymir._domainkey         IN      TXT     ( 
-  "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
-  "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
-  "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
-)
+ymir._domainkey         IN      CNAME   ymir._domainkey.yggdrasil.li.
+surtr._domainkey        IN      CNAME   surtr._domainkey.yggdrasil.li.
 
 _xmpp-client._tcp       IN      SRV     5 0 5222 ymir.yggdrasil.li.
 _xmpp-server._tcp       IN      SRV     5 0 5269 ymir.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/li.kleen.soa b/hosts/surtr/dns/zones/li.kleen.soa
index a1c7d35a..5dd3e697 100644
--- a/hosts/surtr/dns/zones/li.kleen.soa
+++ b/hosts/surtr/dns/zones/li.kleen.soa
@@ -1,7 +1,7 @@
 $ORIGIN kleen.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2023013000 ; serial
+  2025060701 ; serial
   10800      ; refresh
   3600       ; retry
   604800     ; expire
@@ -27,11 +27,8 @@ $TTL 3600
 
 _acme-challenge         IN      NS      ns.yggdrasil.li.
 
-ymir._domainkey         IN      TXT     ( 
-  "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
-  "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
-  "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
-)
+ymir._domainkey         IN      CNAME   ymir._domainkey.yggdrasil.li.
+surtr._domainkey        IN      CNAME   surtr._domainkey.yggdrasil.li.
 
 _xmpp-client._tcp       IN      SRV     5 0 5222 ymir.yggdrasil.li.
 _xmpp-server._tcp       IN      SRV     5 0 5269 ymir.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/li.synapse.soa b/hosts/surtr/dns/zones/li.synapse.soa
index 086d4a85..247cf025 100644
--- a/hosts/surtr/dns/zones/li.synapse.soa
+++ b/hosts/surtr/dns/zones/li.synapse.soa
@@ -1,7 +1,7 @@
 $ORIGIN synapse.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2023092100 ; serial
+  2025060701 ; serial
   10800      ; refresh
   3600       ; retry
   604800     ; expire
diff --git a/hosts/surtr/dns/zones/org.praseodym.soa b/hosts/surtr/dns/zones/org.praseodym.soa
index df505b4c..2b97ca19 100644
--- a/hosts/surtr/dns/zones/org.praseodym.soa
+++ b/hosts/surtr/dns/zones/org.praseodym.soa
@@ -1,7 +1,7 @@
 $ORIGIN praseodym.org.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2023013000 ; serial
+  2025060701 ; serial
   10800      ; refresh
   3600       ; retry
   604800     ; expire
@@ -32,11 +32,8 @@ surtr			IN	AAAA	2a03:4000:52:ada::
 surtr                   IN      MX      0 ymir.yggdrasil.li
 surtr                   IN      TXT     "v=spf1 redirect=yggdrasil.li"
 
-ymir._domainkey         IN      TXT     ( 
-  "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
-  "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
-  "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
-)
+ymir._domainkey         IN      CNAME   ymir._domainkey.yggdrasil.li.
+surtr._domainkey        IN      CNAME   surtr._domainkey.yggdrasil.li.
 
 _xmpp-client._tcp       IN      SRV     5 0 5222 ymir.yggdrasil.li.
 _xmpp-server._tcp       IN      SRV     5 0 5269 ymir.yggdrasil.li.
diff --git a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
index dac3054a..7c931559 100644
--- a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
+++ b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
@@ -48,7 +48,7 @@ class PolicyHandler(StreamRequestHandler):
                     cur.row_factory = namedtuple_row
 
                     if relay_eligible:
-                        cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "relay_access" ON "mailbox".id = "relay_access"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("domain" = %(domain)s OR "domain" ilike CONCAT("%%_.", %(domain)s))) as "exists"', params = {'user': user, 'domain': domain})
+                        cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "relay_access" ON "mailbox".id = "relay_access"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("domain" = %(domain)s OR %(domain)s ilike CONCAT(\'%%_.\', "domain"))) as "exists"', params = {'user': user, 'domain': domain})
                         if (row := cur.fetchone()) is not None:
                             allowed = row.exists
 
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 0a42b808..c993bb18 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -275,6 +275,17 @@ in {
         postscreen_access_list = "";
         postscreen_denylist_action = "drop";
         postscreen_greet_action = "enforce";
+
+        sender_bcc_maps = ''pgsql:${pkgs.writeText "sender_bcc_maps.cf" ''
+          hosts = postgresql:///email
+          dbname = email
+          query = SELECT value FROM sender_bcc_maps WHERE key = '%s'
+        ''}'';
+        recipient_bcc_maps = ''pgsql:${pkgs.writeText "recipient_bcc_maps.cf" ''
+          hosts = postgresql:///email
+          dbname = email
+          query = SELECT value FROM recipient_bcc_maps WHERE key = '%s'
+        ''}'';
       };
       masterConfig = {
         "465" = {
@@ -392,7 +403,7 @@ in {
       enable = true;
       user = "postfix"; group = "postfix";
       socket = "local:/run/opendkim/opendkim.sock";
-      domains = ''csl:${concatStringsSep "," (["surtr.yggdrasil.li"] ++ emailDomains)}'';
+      domains = ''csl:${concatStringsSep "," (["surtr.yggdrasil.li" "yggdrasil.li" "141.li" "kleen.li" "synapse.li" "praseodym.org"] ++ emailDomains)}'';
       selector = "surtr";
       configFile = builtins.toFile "opendkim.conf" ''
         Syslog true
diff --git a/hosts/surtr/postgresql/default.nix b/hosts/surtr/postgresql/default.nix
index e29da0b8..3786ea7c 100644
--- a/hosts/surtr/postgresql/default.nix
+++ b/hosts/surtr/postgresql/default.nix
@@ -314,6 +314,30 @@ in {
           CREATE UNIQUE INDEX relay_unique ON relay_access (mailbox, domain);
 
           COMMIT;
+
+          BEGIN;
+          SELECT _v.register_patch('015-sender_bcc', null, null);
+
+          CREATE TABLE sender_bcc_maps (
+            id uuid PRIMARY KEY NOT NULL DEFAULT gen_random_uuid(),
+            key text NOT NULL CONSTRAINT key_not_empty CHECK (key <> '''),
+            value text NOT NULL CONSTRAINT value_not_empty CHECK (value <> '''),
+            CONSTRAINT key_unique UNIQUE (key)
+          );
+
+          COMMIT;
+
+          BEGIN;
+          SELECT _v.register_patch('016-recipient_bcc', null, null);
+
+          CREATE TABLE recipient_bcc_maps (
+            id uuid PRIMARY KEY NOT NULL DEFAULT gen_random_uuid(),
+            key text NOT NULL CONSTRAINT key_not_empty CHECK (key <> '''),
+            value text NOT NULL CONSTRAINT value_not_empty CHECK (value <> '''),
+            CONSTRAINT recipient_bcc_maps_key_unique UNIQUE (key)
+          );
+
+          COMMIT;
         ''}
 
         psql etebase postgres -eXf ${pkgs.writeText "etebase.sql" ''
diff --git a/modules/uucp.nix b/modules/uucp.nix
deleted file mode 100644
index 10f7297b..00000000
--- a/modules/uucp.nix
+++ /dev/null
@@ -1,373 +0,0 @@
-{ flake, config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  portSpec = name: node: concatStringsSep "\n" (map (port: ''
-    port ${name}.${port}
-    type pipe
-    protocol ${node.protocols}
-    reliable true
-    command ${pkgs.openssh}/bin/ssh -x -o batchmode=yes ${name}.${port}
-  '') node.hostnames);
-  sysSpec = name: node: ''
-    system ${name}
-    time any
-    chat-seven-bit false
-    chat . ""
-    protocol ${node.protocols}
-    command-path ${concatStringsSep " " cfg.commandPath}
-    commands ${concatStringsSep " " node.commands}
-    ${concatStringsSep "\nalternate\n" (map (port: ''
-      port ${name}.${port}
-    '') node.hostnames)}
-  '';
-  sshConfig = name: node: concatStringsSep "\n" (map (port: ''
-    Host ${name}.${port}
-      Hostname ${port}
-      IdentitiesOnly Yes
-      IdentityFile ${cfg.sshKeyDir}/${name}
-  '') node.hostnames);
-  sshKeyGen = name: node: ''
-    if [[ ! -e ${cfg.sshKeyDir}/${name} ]]; then
-      ${pkgs.openssh}/bin/ssh-keygen ${escapeShellArgs node.generateKey} -f ${cfg.sshKeyDir}/${name}
-    fi
-  '';
-  restrictKey = key: ''
-    restrict,command="${chat}" ${key}
-  '';
-  chat = pkgs.writeScript "chat" ''
-    #!${pkgs.stdenv.shell}
-
-    echo .
-    exec ${config.security.wrapperDir}/uucico
-  '';
-
-  nodeCfg = {
-    options = {
-      commands = mkOption {
-        type = types.listOf types.str;
-        default = cfg.defaultCommands;
-        defaultText = literalExpression "config.services.uucp.defaultCommands";
-        description = "Commands to allow for this remote";
-      };
-
-      protocols = mkOption {
-        type = types.separatedString "";
-              default = cfg.defaultProtocols;
-        defaultText = literalExpression "config.services.uucp.defaultProtocols";
-              description = "UUCP protocols to use for this remote";
-      };
-
-      publicKeys = mkOption {
-        type = types.listOf types.str;
-        default = [];
-        description = "SSH client public keys for this node";
-      };
-
-      generateKey = mkOption {
-        type = types.listOf types.str;
-        default = [ "-t" "ed25519" "-N" "" ];
-        description = "Arguments to pass to `ssh-keygen` to generate a keypair for communication with this host";
-      };
-
-      hostnames = mkOption {
-        type = types.listOf types.str;
-        default = [];
-        description = "Hostnames to try in order when connecting";
-      };
-    };
-  };
-
-  cfg = config.services.uucp;
-in {
-  options = {
-    services.uucp = {
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          If enabled we set up an account accesible via uucp over ssh
-        '';
-      };
-
-      nodeName = mkOption {
-        type = types.str;
-        default = "nixos";
-        description = "uucp node name";
-      };
-
-      sshUser = mkOption { 
-        type = types.attrs;
-        default = {};
-        description = "Overrides for the local uucp linux-user";
-      };
-
-      extraSSHConfig = mkOption {
-        type = types.str;
-        default = "";
-        description = "Extra SSH config";
-      };
-
-      remoteNodes = mkOption {
-        type = types.attrsOf (types.submodule nodeCfg);
-        default = {};
-        description = ''
-          Ports to set up
-          Names will probably need to be configured in sshConfig
-        '';
-      };
-
-      commandPath = mkOption {
-        type = types.listOf types.path;
-        default = [ "${pkgs.rmail}/bin" ];
-        defaultText = literalExpression ''[ "''${pkgs.rmail}/bin" ]'';
-        description = ''
-          Command search path for all systems
-        '';
-      };
-
-      defaultCommands = mkOption {
-        type = types.listOf types.str;
-        default = ["rmail"];
-        description = "Commands allowed for remotes without explicit override";
-      };
-
-      defaultProtocols = mkOption {
-        type = types.separatedString "";
-              default = "te";
-              description = "UUCP protocol to use within ssh unless overriden";
-      };
-
-      incomingProtocols = mkOption {
-        type = types.separatedString "";
-        default = "te";
-        description = "UUCP protocols to use when called";
-      };
-
-      homeDir = mkOption {
-        type = types.path;
-        default = "/var/uucp";
-        description = "Home of the uucp user";
-      };
-
-      sshKeyDir = mkOption {
-        type = types.path;
-        default = "${cfg.homeDir}/.ssh/";
-        defaultText = literalExpression ''''${config.services.uucp.homeDir}/.ssh/'';
-        description = "Directory to store ssh keypairs";
-      };
-
-      spoolDir = mkOption {
-        type = types.path;
-        default = "/var/spool/uucp";
-        description = "Spool directory";
-      };
-
-      lockDir = mkOption {
-        type = types.path;
-        default = "/var/spool/uucp";
-        description = "Lock directory";
-      };
-
-      pubDir = mkOption {
-        type = types.path;
-        default = "/var/spool/uucppublic";
-        description = "Public directory";
-      };
-
-      logFile = mkOption {
-        type = types.path;
-        default = "/var/log/uucp";
-        description = "Log file";
-      };
-
-      statFile = mkOption {
-        type = types.path;
-        default = "/var/log/uucp.stat";
-        description = "Statistics file";
-      };
-
-      debugFile = mkOption {
-        type = types.path;
-        default = "/var/log/uucp.debug";
-        description = "Debug file";
-      };
-
-      interval = mkOption {
-        type = types.nullOr types.str;
-        default = "1h";
-        description = ''
-          Specification of when to run `uucico' in format used by systemd timers
-          The default is to do so every hour
-        '';
-      };
-
-      nmDispatch = mkOption {
-        type = types.bool;
-        default = config.networking.networkmanager.enable;
-        defaultText = literalExpression "config.networking.networkmanager.enable";
-        description = ''
-          Install a network-manager dispatcher script to automatically
-          call all remotes when networking is available
-        '';
-      };
-
-      extraConfig = mkOption {
-        type = types.lines;
-        default = ''
-          run-uuxqt 1
-        '';
-        description = "Extra configuration to append verbatim to `/etc/uucp/config'";
-      };
-
-      extraSys = mkOption {
-        type = types.lines;
-        default = ''
-          protocol-parameter g packet-size 4096
-        '';
-              description = "Extra configuration to prepend verbatim to `/etc/uucp/sys`";
-      };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    environment.etc."uucp/config" = {
-      text = ''
-        hostname ${cfg.nodeName}
-      
-        spool ${cfg.spoolDir}
-        lockdir ${cfg.lockDir}
-        pubdir ${cfg.pubDir}
-        logfile ${cfg.logFile}
-        statfile ${cfg.statFile}
-        debugfile ${cfg.debugFile}
-        
-        ${cfg.extraConfig}
-      '';
-    };
-
-    users.groups."uucp" = {};
-    users.users."uucp" = {
-      name = "uucp";
-      group = "uucp";
-      isSystemUser = true;
-      isNormalUser = false;
-      createHome = true;
-      home = cfg.homeDir;
-      description = "User for uucp over ssh";
-      useDefaultShell = true;
-      openssh.authorizedKeys.keys = map restrictKey (concatLists (mapAttrsToList (name: node: node.publicKeys) cfg.remoteNodes));
-    } // cfg.sshUser;
-
-    system.activationScripts."uucp-sshconfig" = ''
-      mkdir -p ${config.users.users."uucp".home}/.ssh
-      chown ${config.users.users."uucp".name}:${config.users.users."uucp".group} ${config.users.users."uucp".home}/.ssh
-      chmod 700 ${config.users.users."uucp".home}/.ssh
-      ln -fs ${builtins.toFile "ssh-config" ''
-        ${concatStringsSep "\n" (mapAttrsToList sshConfig cfg.remoteNodes)}
-      
-        ${cfg.extraSSHConfig}
-      ''} ${config.users.users."uucp".home}/.ssh/config
-
-      mkdir -p ${cfg.sshKeyDir}
-      chown ${config.users.users."uucp".name}:${config.users.users."uucp".group} ${cfg.sshKeyDir}
-      chmod 700 ${cfg.sshKeyDir}
-
-      ${concatStringsSep "\n" (mapAttrsToList sshKeyGen cfg.remoteNodes)}
-    '';
-
-    system.activationScripts."uucp-logs" = ''
-      touch ${cfg.logFile}
-      chown ${config.users.users."uucp".name}:${config.users.users."uucp".group} ${cfg.logFile}
-      chmod 644 ${cfg.logFile}
-      touch ${cfg.statFile}
-      chown ${config.users.users."uucp".name}:${config.users.users."uucp".group} ${cfg.statFile}
-      chmod 644 ${cfg.statFile}
-      touch ${cfg.debugFile}
-      chown ${config.users.users."uucp".name}:${config.users.users."uucp".group} ${cfg.debugFile}
-      chmod 644 ${cfg.debugFile}
-    '';
-
-    environment.etc."uucp/port" = {
-      text = ''
-        port ssh
-        type stdin
-        protocol ${cfg.incomingProtocols}
-      '' + concatStringsSep "\n" (mapAttrsToList portSpec cfg.remoteNodes);
-    };
-    environment.etc."uucp/sys" = {
-      text = cfg.extraSys + "\n" + concatStringsSep "\n" (mapAttrsToList sysSpec cfg.remoteNodes);
-    };
-
-    security.wrappers = let
-      wrapper = p: {
-        name = p;
-        value = {
-          source = "${pkgs.uucp}/bin/${p}";
-          owner = "root";
-          group = "root";
-          setuid = true;
-          setgid = false;
-        };
-      };
-    in listToAttrs (map wrapper ["uucico" "cu" "uucp" "uuname" "uustat" "uux" "uuxqt"]);
-
-    nixpkgs.overlays = [(self: super: {
-      rmail = super.writeShellScriptBin "rmail" ''
-          # Dummy UUCP rmail command for postfix/qmail systems
-
-          IFS=" " read junk from junk junk junk junk junk junk junk relay
-
-          case "$from" in
-            *[@!]*) ;;
-            *) from="$from@$relay";;
-          esac
-
-          exec ${config.security.wrapperDir}/sendmail -G -i -f "$from" -- "$@"
-        '';
-    })];
-
-    environment.systemPackages = with pkgs; [
-      uucp
-    ];
-
-    systemd.services."uucico@" = {
-      serviceConfig = {
-        User = "uucp";
-        Type = "oneshot";
-        ExecStart = "${config.security.wrapperDir}/uucico -D -S %i";
-      };
-    };
-
-    systemd.timers."uucico@" = {
-      timerConfig.OnActiveSec = cfg.interval;
-      timerConfig.OnUnitActiveSec = cfg.interval;
-    };
-
-    systemd.targets."multi-user" = {
-      wants = mapAttrsToList (name: node: "uucico@${name}.timer") cfg.remoteNodes;
-    };
-
-    systemd.kill-user.enable = true;
-    systemd.targets."sleep" = {
-      after = [ "kill-user@uucp.service" ];
-      wants = [ "kill-user@uucp.service" ];
-    };
-    
-    networking.networkmanager.dispatcherScripts = optional cfg.nmDispatch {
-      type = "basic";
-      source = pkgs.writeScript "callRemotes.sh" ''
-        #!${pkgs.stdenv.shell}
-
-        shopt -s extglob
-
-        case "''${2}" in
-          (?(vpn-)up)
-            ${concatStringsSep "\n    " (mapAttrsToList (name: node: "${pkgs.systemd}/bin/systemctl start uucico@${name}.service") cfg.remoteNodes)}
-            ;;
-        esac
-      '';
-    };
-  };
-}
diff --git a/overlays/uucp/default.nix b/overlays/uucp/default.nix
deleted file mode 100644
index 4189dbcc..00000000
--- a/overlays/uucp/default.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ final, prev, ... }: {
-  uucp = prev.uucp.overrideAttrs (oldAttrs: {
-    configureFlags = (oldAttrs.configureFlags or []) ++ ["--with-newconfigdir=/etc/uucp"];
-    patches = (oldAttrs.patches or []) ++ [
-      ./mailprogram.patch
-    ];
-    NIX_CFLAGS_COMPILE = "${oldAttrs.NIX_CFLAGS_COMPILE or ""} -Wno-error=incompatible-pointer-types";
-  });
-}
diff --git a/overlays/uucp/mailprogram.patch b/overlays/uucp/mailprogram.patch
deleted file mode 100644
index 89ac8f31..00000000
--- a/overlays/uucp/mailprogram.patch
+++ /dev/null
@@ -1,16 +0,0 @@
- policy.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy.h b/policy.h
-index 5afe34b..8e92c8b 100644
---- a/policy.h
-+++ b/policy.h
-@@ -240,7 +240,7 @@
-    the sendmail choice below.  Otherwise, select one of the other
-    choices as appropriate.  */
- #if 1
--#define MAIL_PROGRAM "/usr/lib/sendmail -t"
-+#define MAIL_PROGRAM "${config.security.wrapperDir}/sendmail -t"
- /* #define MAIL_PROGRAM "/usr/sbin/sendmail -t" */
- #define MAIL_PROGRAM_TO_BODY 1
- #define MAIL_PROGRAM_SUBJECT_BODY 1