diff options
author | Matt McHenry <github@matt.mchenryfamily.org> | 2020-07-24 14:03:23 -0400 |
---|---|---|
committer | Matt McHenry <github@matt.mchenryfamily.org> | 2020-08-12 21:18:36 -0400 |
commit | a45f1453eb44968ca7c3f2a316951e6947187ee2 (patch) | |
tree | 3f544e3034762c7422766d45a2b05e34a015322d | |
parent | a45f68ccac476dc37ddf294530538f2f2cce5a92 (diff) | |
download | nixpkgs-a45f1453eb44968ca7c3f2a316951e6947187ee2.tar nixpkgs-a45f1453eb44968ca7c3f2a316951e6947187ee2.tar.gz nixpkgs-a45f1453eb44968ca7c3f2a316951e6947187ee2.tar.bz2 nixpkgs-a45f1453eb44968ca7c3f2a316951e6947187ee2.tar.lz nixpkgs-a45f1453eb44968ca7c3f2a316951e6947187ee2.tar.xz nixpkgs-a45f1453eb44968ca7c3f2a316951e6947187ee2.tar.zst nixpkgs-a45f1453eb44968ca7c3f2a316951e6947187ee2.zip |
postfix: add useDane config option
-rw-r--r-- | nixos/modules/services/mail/postfix.nix | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index ad10ba1d909..fd4d16cdc37 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix @@ -25,6 +25,8 @@ let clientRestrictions = concatStringsSep ", " (clientAccess ++ dnsBl); + smtpTlsSecurityLevel = if cfg.useDane then "dane" else "may"; + mainCf = let escape = replaceStrings ["$"] ["$$"]; mkList = items: "\n " + concatStringsSep ",\n " items; @@ -508,6 +510,14 @@ in ''; }; + useDane = mkOption { + type = types.bool; + default = false; + description = '' + Sets smtp_tls_security_level to "dane" rather than "may". See postconf(5) for details. + ''; + }; + sslCert = mkOption { type = types.str; default = ""; @@ -809,13 +819,13 @@ in // optionalAttrs cfg.enableHeaderChecks { header_checks = [ "regexp:/etc/postfix/header_checks" ]; } // optionalAttrs (cfg.tlsTrustedAuthorities != "") { smtp_tls_CAfile = cfg.tlsTrustedAuthorities; - smtp_tls_security_level = "may"; + smtp_tls_security_level = smtpTlsSecurityLevel; } // optionalAttrs (cfg.sslCert != "") { smtp_tls_cert_file = cfg.sslCert; smtp_tls_key_file = cfg.sslKey; - smtp_tls_security_level = "may"; + smtp_tls_security_level = smtpTlsSecurityLevel; smtpd_tls_cert_file = cfg.sslCert; smtpd_tls_key_file = cfg.sslKey; |