-rw-r--r-- | nixos/doc/manual/release-notes/rl-2009.xml | 5 | ||||
-rw-r--r-- | nixos/modules/services/mail/postfix.nix | 29 |
2 files changed, 24 insertions, 10 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml
index 93238a5233fac..152c2ba6248e0 100644
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@@ -119,6 +119,11 @@ systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ];
 feature is disabled by default.
 </para>
 </listitem>
+ <listitem>
+ <para>
+ <varname>services.postfix.sslCACert</varname> was replaced by <varname>services.postfix.tlsTrustedAuthorities</varname> which now defaults to system certifcate authorities.
+ </para>
+ </listitem>
 </itemizedlist>
 </section>
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index f025932fa126e..ad10ba1d9090d 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -488,7 +488,7 @@ in
 '';
 example = {
 mail_owner = "postfix";
- smtp_use_tls = true;
+ smtp_tls_security_level = "may";
 };
 };
@@ -500,16 +500,18 @@ in
 ";
 };
- sslCert = mkOption {
+ tlsTrustedAuthorities = mkOption {
 type = types.str;
- default = "";
- description = "SSL certificate to use.";
+ default = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+ description = ''
+ File containing trusted certification authorities (CA) to verify certificates of mailservers contacted for mail delivery. This basically sets smtp_tls_CAfile and enables opportunistic tls. Defaults to NixOS trusted certification authorities.
+ '';
 };
- sslCACert = mkOption {
+ sslCert = mkOption {
 type = types.str;
 default = "";
- description = "SSL certificate of CA.";
+ description = "SSL certificate to use.";
 };
 sslKey = mkOption {
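Review bot: The `tlsTrustedAuthorities` description in the `@@ -500,16 +500,18 @@` hunk overstates what the default buys: with `smtp_tls_security_level = "may"` (which this option switches on) Postfix uses the CA file only to label the peer certificate as trusted or untrusted in the log, and still delivers over an unverified or even cleartext connection, so nothing is "verified" in an enforcement sense and an active downgrade is not prevented. I would reword it to say so and point at how to enforce, e.g. `Opportunistic TLS only: delivery proceeds even if the peer certificate fails verification or the peer offers no TLS. To enforce verification set smtp_tls_security_level to "verify", "secure" or "dane" (or use a per-destination smtp_tls_policy_maps) through services.postfix.config or extraConfig.` Separately, the default points at the stock `pkgs.cacert` bundle rather than the bundle the NixOS security.pki module assembles under /etc/ssl/certs/ca-certificates.crt, so extra CAs added via security.pki are, as far as I can tell, not picked up here; if that is intended, the release note's "system certificate authorities" wording should say so, and if not, `/etc/ssl/certs/ca-certificates.crt` would be the more consistent default.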
@@ -805,18 +807,20 @@ in
 recipient_canonical_classes = [ "envelope_recipient" ];
 }
 // optionalAttrs cfg.enableHeaderChecks {
 header_checks = [ "regexp:/etc/postfix/header_checks" ];
 }
+ // optionalAttrs (cfg.tlsTrustedAuthorities != "") {
+ smtp_tls_CAfile = cfg.tlsTrustedAuthorities;
+ smtp_tls_security_level = "may";
+ }
 // optionalAttrs (cfg.sslCert != "") {
- smtp_tls_CAfile = cfg.sslCACert;
 smtp_tls_cert_file = cfg.sslCert;
 smtp_tls_key_file = cfg.sslKey;
- smtp_use_tls = true;
+ smtp_tls_security_level = "may";
- smtpd_tls_CAfile = cfg.sslCACert;
 smtpd_tls_cert_file = cfg.sslCert;
 smtpd_tls_key_file = cfg.sslKey;
- smtpd_use_tls = true;
+ smtpd_tls_security_level = "may";
 };
 services.postfix.masterConfig = {
@@ -951,4 +955,9 @@ in
 services.postfix.mapFiles.client_access = checkClientAccessFile;
 })
 ]);
+
+ imports = [
+ (mkRemovedOptionModule [ "services" "postfix" "sslCACert" ]
+ "services.postfix.sslCACert was replaced by services.postfix.tlsTrustedAuthorities. In case you intend that your server should validate requested client certificates use services.postfix.extraConfig.")
+ ];
 } |
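Review bot: `smtp_tls_security_level = "may"` is hard-coded in both new `optionalAttrs` blocks of the `@@ -805,18 +807,20 @@` hunk (and `smtpd_tls_security_level = "may"` for the inbound side), so an operator who wants stricter outbound policy (`encrypt`, `verify`, `secure`, `dane`) has no module option for it and must count on a later merge or `extraConfig` winning, which this hunk does not show. Consider lifting the level into an option, e.g. `smtpTlsSecurityLevel = mkOption { type = types.enum [ "none" "may" "encrypt" "dane" "dane-only" "fingerprint" "verify" "secure" ]; default = "may"; }`, and referencing it from both blocks so the two values cannot drift apart; the duplicated literal is the kind of thing that gets edited in one place only. Dropping `smtpd_tls_CAfile` here also means inbound client-certificate verification silently stops for anyone who had set `sslCACert`, which the `mkRemovedOptionModule` message in the last hunk does cover, so that is fine as long as the assertion is kept. The attribute set these `optionalAttrs` are merged into begins before the hunk.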