authorlewo <lewo@abesis.fr>2020-07-09 20:29:49 +0200
committerGitHub <noreply@github.com>2020-07-09 20:29:49 +0200
commit9534da25bf7ae57790566efc36b46a4eeaa11fdf (patch)
tree796c6894150f187eb32f9b8a811183c67239f274 /nixos
parent669de6d21d8bc2618420ff6cd67e640337cf2f43 (diff)
parent632104e5a4629959f04b91d851b8d625d4661b53 (diff)
Merge pull request #90115 from asbachb/postfix-tls
postfix: Replaced config key by recommendation and introduced usage of system trust store
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/release-notes/rl-2009.xml5
-rw-r--r--nixos/modules/services/mail/postfix.nix29
2 files changed, 24 insertions, 10 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml
index 93238a5233f..152c2ba6248 100644
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@@ -119,6 +119,11 @@ systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ];
       feature is disabled by default.
     </para>
    </listitem>
+   <listitem>
+    <para>
+     <varname>services.postfix.sslCACert</varname> was replaced by <varname>services.postfix.tlsTrustedAuthorities</varname> which now defaults to system certifcate authorities.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index f025932fa12..ad10ba1d909 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -488,7 +488,7 @@ in
         '';
         example = {
           mail_owner = "postfix";
-          smtp_use_tls = true;
+          smtp_tls_security_level = "may";
         };
       };
 
@@ -500,16 +500,18 @@ in
         ";
       };
 
-      sslCert = mkOption {
+      tlsTrustedAuthorities = mkOption {
         type = types.str;
-        default = "";
-        description = "SSL certificate to use.";
+        default = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+        description = ''
+          File containing trusted certification authorities (CA) to verify certificates of mailservers contacted for mail delivery. This basically sets smtp_tls_CAfile and enables opportunistic tls. Defaults to NixOS trusted certification authorities.
+        '';
       };
 
-      sslCACert = mkOption {
+      sslCert = mkOption {
         type = types.str;
         default = "";
-        description = "SSL certificate of CA.";
+        description = "SSL certificate to use.";
       };
 
       sslKey = mkOption {
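Review bot: The new description for tlsTrustedAuthorities says the file is used "to verify certificates of mailservers", but the only place the option is consumed (the @@ -805 hunk) pairs it with `smtp_tls_security_level = "may"`, and at that level Postfix does not require a trusted peer chain — delivery continues over TLS whether the certificate validates or not, the CA file only decides whether the peer is logged as Trusted or Untrusted. A reader could take the option as a delivery-time check, so I would say so in the description: `Trusted CA bundle consulted by opportunistic outbound TLS (smtp_tls_security_level = "may"): peer certificates are checked against it for logging only, and delivery is not refused on a failed check; enforcing policies (verify, secure, dane) must be set via extraConfig.` The first sentence can stay as is otherwise, including that it sets smtp_tls_CAfile and the NixOS default.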
@@ -805,18 +807,20 @@ in
         recipient_canonical_classes = [ "envelope_recipient" ];
       }
       // optionalAttrs cfg.enableHeaderChecks { header_checks = [ "regexp:/etc/postfix/header_checks" ]; }
+      // optionalAttrs (cfg.tlsTrustedAuthorities != "") {
+        smtp_tls_CAfile = cfg.tlsTrustedAuthorities;
+        smtp_tls_security_level = "may";
+      }
       // optionalAttrs (cfg.sslCert != "") {
-        smtp_tls_CAfile = cfg.sslCACert;
         smtp_tls_cert_file = cfg.sslCert;
         smtp_tls_key_file = cfg.sslKey;
 
-        smtp_use_tls = true;
+        smtp_tls_security_level = "may";
 
-        smtpd_tls_CAfile = cfg.sslCACert;
         smtpd_tls_cert_file = cfg.sslCert;
         smtpd_tls_key_file = cfg.sslKey;
 
-        smtpd_use_tls = true;
+        smtpd_tls_security_level = "may";
       };
 
       services.postfix.masterConfig = {
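Review bot: `smtp_tls_security_level = "may"` is assigned in two attrsets that are merged with `//` (the new tlsTrustedAuthorities block and the existing sslCert block); the values agree today, so nothing breaks, but if either is changed later the other silently wins by merge order and the intent is not visible from the code. Independently of that, this hunk turns on outbound STARTTLS for every deployment with a non-empty tlsTrustedAuthorities, which is now the default, where before the change TLS was only configured once sslCert was set; the release note in this commit records only the option rename. I would add a comment above the first block: `# Outbound opportunistic TLS is on whenever a CA bundle is configured (the default). The level is repeated in the sslCert block so that setting sslCert with an empty tlsTrustedAuthorities still enables it.` The mainCf attrset these lines belong to starts and ends outside the hunk.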
@@ -951,4 +955,9 @@ in
       services.postfix.mapFiles.client_access = checkClientAccessFile;
     })
   ]);
+
+  imports = [
+   (mkRemovedOptionModule [ "services" "postfix" "sslCACert" ]
+     "services.postfix.sslCACert was replaced by services.postfix.tlsTrustedAuthorities. In case you intend that your server should validate requested client certificates use services.postfix.extraConfig.")
+  ];
 }
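Review bot: The removal message tells an upgrader that sslCACert is gone and to use extraConfig, but not which Postfix parameter was dropped; the @@ -805 hunk removes `smtpd_tls_CAfile = cfg.sslCACert`, and naming it saves the reader a trip to the old module. Suggested wording for the string: `services.postfix.sslCACert was replaced by services.postfix.tlsTrustedAuthorities, which only covers the SMTP client side. If your server should validate client certificates, set smtpd_tls_CAfile (and the related smtpd_tls_*ccert options) via services.postfix.extraConfig.` As a point of style, `imports` is appended after `config` at the very end of the module, whereas nixpkgs modules usually place it before `options`, where removed-option shims are easy to find. The enclosing module attrset begins outside the hunk.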