diff options
Diffstat (limited to 'nixpkgs/nixos/modules/services/mail/postfix.nix')
-rw-r--r-- | nixpkgs/nixos/modules/services/mail/postfix.nix | 90 |
1 files changed, 80 insertions, 10 deletions
diff --git a/nixpkgs/nixos/modules/services/mail/postfix.nix b/nixpkgs/nixos/modules/services/mail/postfix.nix index 608f64a68fb..fd4d16cdc37 100644 --- a/nixpkgs/nixos/modules/services/mail/postfix.nix +++ b/nixpkgs/nixos/modules/services/mail/postfix.nix @@ -25,6 +25,8 @@ let clientRestrictions = concatStringsSep ", " (clientAccess ++ dnsBl); + smtpTlsSecurityLevel = if cfg.useDane then "dane" else "may"; + mainCf = let escape = replaceStrings ["$"] ["$$"]; mkList = items: "\n " + concatStringsSep ",\n " items; @@ -280,6 +282,17 @@ in description = "Whether to enable smtp submission."; }; + enableSubmissions = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable smtp submission via smtps. + + According to RFC 8314 this should be preferred + over STARTTLS for submission of messages by end user clients. + ''; + }; + submissionOptions = mkOption { type = types.attrs; default = { @@ -298,6 +311,29 @@ in description = "Options for the submission config in master.cf"; }; + submissionsOptions = mkOption { + type = types.attrs; + default = { + smtpd_sasl_auth_enable = "yes"; + smtpd_client_restrictions = "permit_sasl_authenticated,reject"; + milter_macro_daemon_name = "ORIGINATING"; + }; + example = { + smtpd_sasl_auth_enable = "yes"; + smtpd_sasl_type = "dovecot"; + smtpd_client_restrictions = "permit_sasl_authenticated,reject"; + milter_macro_daemon_name = "ORIGINATING"; + }; + description = '' + Options for the submission config via smtps in master.cf. + + smtpd_tls_security_level will be set to encrypt, if it is missing + or has one of the values "may" or "none". + + smtpd_tls_wrappermode with value "yes" will be added automatically. + ''; + }; + setSendmail = mkOption { type = types.bool; default = true; @@ -454,7 +490,7 @@ in ''; example = { mail_owner = "postfix"; - smtp_use_tls = true; + smtp_tls_security_level = "may"; }; }; @@ -466,16 +502,26 @@ in "; }; - sslCert = mkOption { + tlsTrustedAuthorities = mkOption { type = types.str; - default = ""; - description = "SSL certificate to use."; + default = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + description = '' + File containing trusted certification authorities (CA) to verify certificates of mailservers contacted for mail delivery. This basically sets smtp_tls_CAfile and enables opportunistic tls. Defaults to NixOS trusted certification authorities. + ''; + }; + + useDane = mkOption { + type = types.bool; + default = false; + description = '' + Sets smtp_tls_security_level to "dane" rather than "may". See postconf(5) for details. + ''; }; - sslCACert = mkOption { + sslCert = mkOption { type = types.str; default = ""; - description = "SSL certificate of CA."; + description = "SSL certificate to use."; }; sslKey = mkOption { @@ -771,18 +817,20 @@ in recipient_canonical_classes = [ "envelope_recipient" ]; } // optionalAttrs cfg.enableHeaderChecks { header_checks = [ "regexp:/etc/postfix/header_checks" ]; } + // optionalAttrs (cfg.tlsTrustedAuthorities != "") { + smtp_tls_CAfile = cfg.tlsTrustedAuthorities; + smtp_tls_security_level = smtpTlsSecurityLevel; + } // optionalAttrs (cfg.sslCert != "") { - smtp_tls_CAfile = cfg.sslCACert; smtp_tls_cert_file = cfg.sslCert; smtp_tls_key_file = cfg.sslKey; - smtp_use_tls = true; + smtp_tls_security_level = smtpTlsSecurityLevel; - smtpd_tls_CAfile = cfg.sslCACert; smtpd_tls_cert_file = cfg.sslCert; smtpd_tls_key_file = cfg.sslKey; - smtpd_use_tls = true; + smtpd_tls_security_level = "may"; }; services.postfix.masterConfig = { @@ -878,6 +926,23 @@ in command = "smtp"; args = [ "-o" "smtp_fallback_relay=" ]; }; + } // optionalAttrs cfg.enableSubmissions { + submissions = { + type = "inet"; + private = false; + command = "smtpd"; + args = let + mkKeyVal = opt: val: [ "-o" (opt + "=" + val) ]; + adjustSmtpTlsSecurityLevel = !(cfg.submissionsOptions ? smtpd_tls_security_level) || + cfg.submissionsOptions.smtpd_tls_security_level == "none" || + cfg.submissionsOptions.smtpd_tls_security_level == "may"; + submissionsOptions = cfg.submissionsOptions // { + smtpd_tls_wrappermode = "yes"; + } // optionalAttrs adjustSmtpTlsSecurityLevel { + smtpd_tls_security_level = "encrypt"; + }; + in concatLists (mapAttrsToList mkKeyVal submissionsOptions); + }; }; } @@ -900,4 +965,9 @@ in services.postfix.mapFiles.client_access = checkClientAccessFile; }) ]); + + imports = [ + (mkRemovedOptionModule [ "services" "postfix" "sslCACert" ] + "services.postfix.sslCACert was replaced by services.postfix.tlsTrustedAuthorities. In case you intend that your server should validate requested client certificates use services.postfix.extraConfig.") + ]; } |