mail(tripit): send From: plans@viktorbarzin.me instead of spam@

tripit outbound (linked-email verification + trip-share invites) was sent
From: spam@viktorbarzin.me. Switch the From to plans@viktorbarzin.me while
keeping SMTP auth as spam@ (its password, unchanged).

docker-mailserver SPOOF_PROTECTION (reject_sender_login_mismatch) requires
the authed login to "own" the From; the @viktorbarzin.me catch-all does NOT
grant that per-address, so add an explicit `plans@ -> spam@` virtual alias to
authorize it (also keeps inbound plans@ routing to spam@ for the mail-ingest
poller). tripit SMTP_FROM flips to plans@.

Verified: sender-login probe (auth spam@, MAIL FROM plans@) now 250 (was 553);
a real send from the tripit pod logs from=<plans@viktorbarzin.me> accepted.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

stacks/mailserver/modules/mailserver/extra/aliases.txt

@@ -3,3 +3,10 @@ closely-keith-generated@viktorbarzin.me vbarzin@gmail.com
 literally-paolo-generated@viktorbarzin.me viktorbarzin@fb.com
 hastily-stefanie-generated@viktorbarzin.me elliestamenova@gmail.com
 vaultwarden@viktorbarzin.me me@viktorbarzin.me
+
+# plans@ -> spam@: authorizes tripit (SMTP-authed as spam@) to send mail
+# From: plans@viktorbarzin.me under docker-mailserver SPOOF_PROTECTION (the
+# smtpd_sender_login_maps union exact-matches this alias to spam@; the @domain
+# catch-all does NOT, so an explicit entry is required). Also keeps inbound
+# plans@ routing to spam@ for the tripit mail-ingest poller.
+plans@viktorbarzin.me spam@viktorbarzin.me

stacks/tripit/main.tf

@@ -38,15 +38,19 @@ locals {
     PUSH_PROVIDER        = "webpush"
     LLM_MODE             = "fake"
     MAIL_INGEST_ENABLED  = "false"
-    # Outbound mail for linked-email verification — submitted via the cluster
-    # mailserver as spam@ (which relays out via Brevo). SMTP_PASSWORD comes from
-    # tripit-secrets (mapped to the existing PLANS_IMAP_PASSWORD). PUBLIC_BASE_URL
-    # builds the confirmation link mailed to the address.
+    # Outbound mail (linked-email verification + trip-share invites) — submitted
+    # via the cluster mailserver authenticated as spam@ (SMTP_USER), but sent
+    # From: plans@viktorbarzin.me (SMTP_FROM). docker-mailserver SPOOF_PROTECTION
+    # requires the login to "own" the From; an explicit plans@ -> spam@ virtual
+    # alias grants that (see mailserver extra/aliases.txt) and keeps inbound
+    # plans@ routing to spam@. Relays out via Brevo. SMTP_PASSWORD comes from
+    # tripit-secrets (the existing PLANS_IMAP_PASSWORD = spam@'s password).
+    # PUBLIC_BASE_URL builds the links mailed to recipients.
     EMAIL_PROVIDER  = "smtp"
     SMTP_HOST       = "mailserver.mailserver.svc"
     SMTP_PORT       = "587"
     SMTP_USER       = "spam@viktorbarzin.me"
-    SMTP_FROM       = "spam@viktorbarzin.me"
+    SMTP_FROM       = "plans@viktorbarzin.me"
     PUBLIC_BASE_URL = "https://tripit.viktorbarzin.me"
   }
 }