From 632104e5a4629959f04b91d851b8d625d4661b53 Mon Sep 17 00:00:00 2001
From: Benjamin Asbach
Date: Thu, 11 Jun 2020 03:37:36 +0200
Subject: [PATCH] postfix: deprecated `sslCACert` in favour of `tlsTrustedAuthorities`

`sslCACert` was used for trust store of client and server certificates. Since `smtpd_tls_ask_ccert` defaults to no the setup of `smtpd_tls_CApath` was removed.
>By default (see smtpd_tls_ask_ccert), client certificates are not requested, and smtpd_tls_CApath should remain empty.
see http://www.postfix.org/postconf.5.html#smtpd_tls_CAfile
---
 nixos/doc/manual/release-notes/rl-2009.xml | 5 +++++
 nixos/modules/services/mail/postfix.nix | 25 +++++++++++++++-------
 2 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml
index c2f26371d66..dacae379589 100644
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@@ -119,6 +119,11 @@ systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ];
 feature is disabled by default.
+
+
+ services.postfix.sslCACert was replaced by services.postfix.tlsTrustedAuthorities which now defaults to system certifcate authorities.
+
+
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index 74d80a55b14..b1fa7f1c3c1 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -466,18 +466,20 @@ in
 ";
 };
+ tlsTrustedAuthorities = mkOption {
+ type = types.str;
+ default = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+ description = ''
+ File containing trusted certification authorities (CA) to verify certificates of mailservers contacted for mail delivery. This basically sets smtp_tls_CAfile and enables opportunistic tls. Defaults to NixOS trusted certification authorities.
+ '';
+ };
+ sslCert = mkOption {
+ type = types.str;
+ default = "";
+ description = "SSL certificate to use.";
+ };
- sslCACert = mkOption {
- type = types.str;
- default = "";
- description = "SSL certificate of CA.";
- };
- sslKey = mkOption {
 type = types.str;
 default = "";
@@ -771,14 +773,16 @@ in
 recipient_canonical_classes = [ "envelope_recipient" ];
 }
 // optionalAttrs cfg.enableHeaderChecks {
 header_checks = [ "regexp:/etc/postfix/header_checks" ];
 }
+ // optionalAttrs (cfg.tlsTrustedAuthorities != "") {
+ smtp_tls_CAfile = cfg.tlsTrustedAuthorities;
+ smtp_tls_security_level = "may";
+ }
 // optionalAttrs (cfg.sslCert != "") {
- smtp_tls_CAfile = cfg.sslCACert;
 smtp_tls_cert_file = cfg.sslCert;
 smtp_tls_key_file = cfg.sslKey;
 smtp_tls_security_level = "may";
- smtpd_tls_CAfile = cfg.sslCACert;
 smtpd_tls_cert_file = cfg.sslCert;
 smtpd_tls_key_file = cfg.sslKey;
@@ -900,4 +904,9 @@ in
 services.postfix.mapFiles.client_access = checkClientAccessFile;
 })
 ]);
+
+ imports = [
+ (mkRemovedOptionModule [ "services" "postfix" "sslCACert" ]
+ "services.postfix.sslCACert was replaced by services.postfix.tlsTrustedAuthorities. In case you intend that your server should validate requested client certificates use services.postfix.extraConfig.")
+ ];
 }
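Review bot: The description of `tlsTrustedAuthorities` says the CA file is used "to verify certificates of mailservers", but the only security level the module sets with it is `may` (second hunk), at which Postfix does not refuse delivery when verification fails; the CA file then only changes what gets logged about the peer certificate. Suggest adding to the description: `At the "may" level this is opportunistic: a certificate that fails verification does not block delivery. To enforce verification set smtp_tls_security_level or smtp_tls_policy_maps through services.postfix.extraConfig.` The empty string is also the only way to leave `smtp_tls_CAfile` unset (the second hunk tests `!= ""`), which the description does not mention; a sentence `Set to "" to leave smtp_tls_CAfile unset.` would make that contract explicit, and `types.nullOr types.path` with `null` as the disabled value would be the clearer type if the option were still being designed. The enclosing `options` attribute set starts and ends outside this hunk.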
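Review bot: Because the default of `tlsTrustedAuthorities` is non-empty, the new `optionalAttrs (cfg.tlsTrustedAuthorities != "")` block switches every deployment to outbound opportunistic TLS (`smtp_tls_security_level = "may"`), including ones that never set `sslCert`; that is a behaviour change beyond the option rename and neither the release-note entry in this commit nor a comment here says so. A short why-comment on the new block would help the next reader: `# Non-empty by default: enables opportunistic (non-enforced) outbound TLS with the given CA bundle.` `smtp_tls_security_level` is now also set in both merged attribute sets, with the `sslCert` block winning under `//`; the values are identical so this is harmless today, but a comment such as `# intentionally repeated; keep equal to the tlsTrustedAuthorities block` would prevent a later silent divergence. The merged attribute-set expression begins and ends outside this hunk.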
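Review bot: The `mkRemovedOptionModule` message tells users who relied on `sslCACert` for client-certificate validation to use `extraConfig`, but not which settings to put there, so the migration hint is hard to act on. Since the commit message itself names the relevant parameters, the message could end with: `To validate client certificates, set smtpd_tls_CAfile and smtpd_tls_ask_ccert via services.postfix.extraConfig.` As a point of style, `imports` is placed after `config` at the very end of the module here, whereas it conventionally sits before `options`; moving it is cosmetic but would match the other modules' layout, if the rest of this file (outside the hunk) follows that convention.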