Merge pull request #90115 from asbachb/postfix-tls

postfix: Replaced config key by recommendation and introduced usage of system trust store
2020-07-09 20:29:49 +02:00 · 2020-07-09 20:29:49 +02:00 · 9534da25bf
parent 669de6d21d 632104e5a4
commit 9534da25bf
2 changed files with 25 additions and 11 deletions
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@ -119,6 +119,11 @@ systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ];
      feature is disabled by default.
    </para>
   </listitem>
+   <listitem>
+    <para>
+     <varname>services.postfix.sslCACert</varname> was replaced by <varname>services.postfix.tlsTrustedAuthorities</varname> which now defaults to system certifcate authorities.
+    </para>
+   </listitem>
  </itemizedlist>
 </section>

--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@ -488,7 +488,7 @@ in
        '';
        example = {
          mail_owner = "postfix";
-          smtp_use_tls = true;
+          smtp_tls_security_level = "may";
        };
      };

@ -500,18 +500,20 @@ in
        ";
      };

+      tlsTrustedAuthorities = mkOption {
+        type = types.str;
+        default = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+        description = ''
+          File containing trusted certification authorities (CA) to verify certificates of mailservers contacted for mail delivery. This basically sets smtp_tls_CAfile and enables opportunistic tls. Defaults to NixOS trusted certification authorities.
+        '';
+      };
+
      sslCert = mkOption {
        type = types.str;
        default = "";
        description = "SSL certificate to use.";
      };

-      sslCACert = mkOption {
-        type = types.str;
-        default = "";
-        description = "SSL certificate of CA.";
-      };
-
      sslKey = mkOption {
        type = types.str;
        default = "";
@ -805,18 +807,20 @@ in
        recipient_canonical_classes = [ "envelope_recipient" ];
      }
      // optionalAttrs cfg.enableHeaderChecks { header_checks = [ "regexp:/etc/postfix/header_checks" ]; }
+      // optionalAttrs (cfg.tlsTrustedAuthorities != "") {
+        smtp_tls_CAfile = cfg.tlsTrustedAuthorities;
+        smtp_tls_security_level = "may";
+      }
      // optionalAttrs (cfg.sslCert != "") {
-        smtp_tls_CAfile = cfg.sslCACert;
        smtp_tls_cert_file = cfg.sslCert;
        smtp_tls_key_file = cfg.sslKey;

-        smtp_use_tls = true;
+        smtp_tls_security_level = "may";

-        smtpd_tls_CAfile = cfg.sslCACert;
        smtpd_tls_cert_file = cfg.sslCert;
        smtpd_tls_key_file = cfg.sslKey;

-        smtpd_use_tls = true;
+        smtpd_tls_security_level = "may";
      };

      services.postfix.masterConfig = {
@ -951,4 +955,9 @@ in
      services.postfix.mapFiles.client_access = checkClientAccessFile;
    })
  ]);
+
+  imports = [
+   (mkRemovedOptionModule [ "services" "postfix" "sslCACert" ]
+     "services.postfix.sslCACert was replaced by services.postfix.tlsTrustedAuthorities. In case you intend that your server should validate requested client certificates use services.postfix.extraConfig.")
+  ];
 }