
nixos/dovecot: make ssl_dh optional

It hasn't been needed since 2.3.3; in fact, using such cipher suites is no longer encouraged.
This commit is contained in:
ajs124 2022-01-19 22:39:57 +01:00
parent e83c7692e6
commit c6683b4f27


@ -38,7 +38,7 @@ let
ssl_cert = <${cfg.sslServerCert}
ssl_key = <${cfg.sslServerKey}
${optionalString (cfg.sslCACert != null) ("ssl_ca = <" + cfg.sslCACert)}
ssl_dh = <${config.security.dhparams.params.dovecot2.path}
${optionalString cfg.enableDHE ''ssl_dh = <${config.security.dhparams.params.dovecot2.path}''}
disable_plaintext_auth = yes
''
)
@ -322,6 +322,8 @@ in
description = "Whether to create a own Dovecot PAM service and configure PAM user logins.";
};
enableDHE = mkEnableOption "enable ssl_dh and generation of primes for the key exchange." // { default = true; };
sieveScripts = mkOption {
type = types.attrsOf types.path;
default = {};
@ -376,7 +378,7 @@ in
config = mkIf cfg.enable {
security.pam.services.dovecot2 = mkIf cfg.enablePAM {};
security.dhparams = mkIf (cfg.sslServerCert != null) {
security.dhparams = mkIf (cfg.sslServerCert != null && cfg.enableDHE) {
enable = true;
params.dovecot2 = {};
};
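Review bot: The new `enableDHE` option in the second hunk passes a string that already begins with "enable" and ends with a period to `mkEnableOption`, which itself renders the description as "Whether to enable ${name}.", so the generated text reads "Whether to enable enable ssl_dh … exchange.." — drop the leading verb and the trailing period: `enableDHE = mkEnableOption "ssl_dh and generation of primes for the key exchange" // { default = true; };`. It would also help operators to state in that description what the commit message implies, namely that with the option off no `ssl_dh` line is emitted (first hunk) and no dhparams are generated (third hunk), so DHE cipher suites are unavailable and only the ECDHE suites remain; the 2.3.3 minimum mentioned in the commit message belongs there too, hedged if it cannot be confirmed against the Dovecot release notes. The enclosing `options` attribute set and the `let` binding of the first hunk both start and end outside these hunks, and the rendering appears to have dropped a blank line from the second and third hunks, so the context shown is not complete.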