author | Benjamin Asbach <asbachb@users.noreply.github.com> | 2020-06-11 03:37:36 +0200 |
committer | Benjamin Asbach <asbachb@users.noreply.github.com> | 2020-07-05 14:53:34 +0200 |
commit | 632104e5a4629959f04b91d851b8d625d4661b53 (patch) | |
tree | 84d6211a9968ca1b1f6f1b051d6dbb6f39e594e4 /nixos/modules/services/mail/postfix.nix | |
parent | 9d697837f087ac6b9863fcbe33c8477fbc0d6807 (diff) | |
postfix: deprecated `sslCACert` in favour of `tlsTrustedAuthorities`
`sslCACert` was used as the trust store for both client and server certificates. Since `smtpd_tls_ask_ccert` defaults to `no`, the setup of `smtpd_tls_CApath` was removed. > By default (see smtpd_tls_ask_ccert), client certificates are not requested, and smtpd_tls_CApath should remain empty. See http://www.postfix.org/postconf.5.html#smtpd_tls_CAfile
Diffstat (limited to 'nixos/modules/services/mail/postfix.nix')
-rw-r--r-- | nixos/modules/services/mail/postfix.nix | 23 |
1 files changed, 16 insertions, 7 deletions
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index 74d80a55b14..b1fa7f1c3c1 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -466,16 +466,18 @@ in
 ";
 };
- sslCert = mkOption {
+ tlsTrustedAuthorities = mkOption {
 type = types.str;
- default = "";
- description = "SSL certificate to use.";
+ default = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+ description = ''
+ File containing trusted certification authorities (CA) to verify certificates of mailservers contacted for mail delivery. This basically sets smtp_tls_CAfile and enables opportunistic tls. Defaults to NixOS trusted certification authorities.
+ '';
 };
- sslCACert = mkOption {
+ sslCert = mkOption {
 type = types.str;
 default = "";
- description = "SSL certificate of CA.";
+ description = "SSL certificate to use.";
 };
 sslKey = mkOption {
@@ -771,14 +773,16 @@ in
 recipient_canonical_classes = [ "envelope_recipient" ];
 }
 // optionalAttrs cfg.enableHeaderChecks {
 header_checks = [ "regexp:/etc/postfix/header_checks" ];
 }
+ // optionalAttrs (cfg.tlsTrustedAuthorities != "") {
+ smtp_tls_CAfile = cfg.tlsTrustedAuthorities;
+ smtp_tls_security_level = "may";
+ }
 // optionalAttrs (cfg.sslCert != "") {
- smtp_tls_CAfile = cfg.sslCACert;
 smtp_tls_cert_file = cfg.sslCert;
 smtp_tls_key_file = cfg.sslKey;
 smtp_tls_security_level = "may";
- smtpd_tls_CAfile = cfg.sslCACert;
 smtpd_tls_cert_file = cfg.sslCert;
 smtpd_tls_key_file = cfg.sslKey;
@@ -900,4 +904,9 @@ in
 services.postfix.mapFiles.client_access = checkClientAccessFile;
 })
 ]);
+
+ imports = [
+ (mkRemovedOptionModule [ "services" "postfix" "sslCACert" ]
+ "services.postfix.sslCACert was replaced by services.postfix.tlsTrustedAuthorities. In case you intend that your server should validate requested client certificates use services.postfix.extraConfig.")
+ ];
 } |
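Review bot: The new `tlsTrustedAuthorities` description in the first hunk says the CA bundle is used "to verify certificates of mailservers", but the second hunk only ever pairs `smtp_tls_CAfile` with `smtp_tls_security_level = "may"`, under which Postfix does not refuse delivery when the peer certificate does not chain to that file; the CA file then only decides whether the certificate is logged as trusted. I would state that in the option description, e.g. `Note: with the opportunistic "may" level configured here, a certificate that does not chain to this file does not prevent delivery; enforce verification per destination through smtp_tls_policy_maps in extraConfig.` Since the option now defaults to the cacert bundle, opportunistic client TLS is also switched on for deployments that previously had no TLS settings at all, which the description should call out as a default change. Both hunks are excerpts of attribute sets whose enclosing definitions start outside the hunk.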