From febf12bddd5e5f3f6b48f3520be289127f1b8b9b Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Fri, 5 Jun 2026 18:41:08 +0000
Subject: [PATCH] mail(tripit): send From: plans@viktorbarzin.me instead of spam@

tripit outbound (linked-email verification + trip-share invites) was sent From: spam@viktorbarzin.me. Switch the From to plans@viktorbarzin.me while keeping SMTP auth as spam@ (its password, unchanged). docker-mailserver SPOOF_PROTECTION (reject_sender_login_mismatch) requires the authed login to "own" the From; the @viktorbarzin.me catch-all does NOT grant that per-address, so add an explicit `plans@ -> spam@` virtual alias to authorize it (also keeps inbound plans@ routing to spam@ for the mail-ingest poller). tripit SMTP_FROM flips to plans@. Verified: sender-login probe (auth spam@, MAIL FROM plans@) now 250 (was 553); a real send from the tripit pod logs from= accepted.

Co-Authored-By: Claude Opus 4.8
---
 .../modules/mailserver/extra/aliases.txt | 7 +++++++
 stacks/tripit/main.tf | 14 +++++++++-----
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/stacks/mailserver/modules/mailserver/extra/aliases.txt b/stacks/mailserver/modules/mailserver/extra/aliases.txt
index 40fb640d..61df501c 100644
--- a/stacks/mailserver/modules/mailserver/extra/aliases.txt
+++ b/stacks/mailserver/modules/mailserver/extra/aliases.txt
@@ -3,3 +3,10 @@ closely-keith-generated@viktorbarzin.me vbarzin@gmail.com
 literally-paolo-generated@viktorbarzin.me viktorbarzin@fb.com
 hastily-stefanie-generated@viktorbarzin.me elliestamenova@gmail.com
 vaultwarden@viktorbarzin.me me@viktorbarzin.me
+
+# plans@ -> spam@: authorizes tripit (SMTP-authed as spam@) to send mail
+# From: plans@viktorbarzin.me under docker-mailserver SPOOF_PROTECTION (the
+# smtpd_sender_login_maps union exact-matches this alias to spam@; the @domain
+# catch-all does NOT, so an explicit entry is required). Also keeps inbound
+# plans@ routing to spam@ for the tripit mail-ingest poller.
+plans@viktorbarzin.me spam@viktorbarzin.me
diff --git a/stacks/tripit/main.tf b/stacks/tripit/main.tf
index d790b7b0..87d87c2a 100644
--- a/stacks/tripit/main.tf
+++ b/stacks/tripit/main.tf
@@ -38,15 +38,19 @@ locals {
 PUSH_PROVIDER = "webpush"
 LLM_MODE = "fake"
 MAIL_INGEST_ENABLED = "false"
- # Outbound mail for linked-email verification — submitted via the cluster
- # mailserver as spam@ (which relays out via Brevo). SMTP_PASSWORD comes from
- # tripit-secrets (mapped to the existing PLANS_IMAP_PASSWORD). PUBLIC_BASE_URL
- # builds the confirmation link mailed to the address.
+ # Outbound mail (linked-email verification + trip-share invites) — submitted
+ # via the cluster mailserver authenticated as spam@ (SMTP_USER), but sent
+ # From: plans@viktorbarzin.me (SMTP_FROM). docker-mailserver SPOOF_PROTECTION
+ # requires the login to "own" the From; an explicit plans@ -> spam@ virtual
+ # alias grants that (see mailserver extra/aliases.txt) and keeps inbound
+ # plans@ routing to spam@. Relays out via Brevo. SMTP_PASSWORD comes from
+ # tripit-secrets (the existing PLANS_IMAP_PASSWORD = spam@'s password).
+ # PUBLIC_BASE_URL builds the links mailed to recipients.
 EMAIL_PROVIDER = "smtp"
 SMTP_HOST = "mailserver.mailserver.svc"
 SMTP_PORT = "587"
 SMTP_USER = "spam@viktorbarzin.me"
- SMTP_FROM = "spam@viktorbarzin.me"
+ SMTP_FROM = "plans@viktorbarzin.me"
 PUBLIC_BASE_URL = "https://tripit.viktorbarzin.me"
 }
 }
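Review bot: The added `plans@viktorbarzin.me spam@viktorbarzin.me` line in aliases.txt is now an authorization grant as well as a routing rule, and the comment above it does not warn the next editor about that. As the comment describes it, the sender-login check matches this alias to its target, so presumably any login later added as a target, or substituted for spam@ to move inbound mail, would gain the right to send as plans@, while dropping spam@ would bring back the 553 for tripit. I would add one line to the comment, for example `# NOTE: every target of this alias may send as plans@; change routing and sender rights together.` It would also help to record whether spam@ is a mailbox shared with other services, since every holder of its credential can now use the plans@ identity.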
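Review bot: `SMTP_USER` stays `spam@viktorbarzin.me` and the rewritten comment says `SMTP_PASSWORD` is the existing `PLANS_IMAP_PASSWORD`, so the tripit pod submits mail with the same credential that reads the spam@ mailbox. If that mailbox also receives the domain catch-all (the commit message suggests it, the hunk does not show it), a compromise of tripit exposes far more than its own mail; a dedicated submission account for plans@ would remove that exposure and the need for the alias-based sender grant. Separately, the new `SMTP_FROM` only works once the alias in the mailserver stack is deployed, so the comment could state the apply order, for example `# Requires the plans@ alias in stacks/mailserver to be applied first; otherwise sends are rejected (553).` The `locals` block starts above the hunk.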