Merge pull request #90115 from asbachb/postfix-tls
postfix: Replaced config key by recommendation and introduced usage of system trust store
This commit is contained in:
commit
9534da25bf
@ -119,6 +119,11 @@ systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ];
|
||||
feature is disabled by default.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<varname>services.postfix.sslCACert</varname> was replaced by <varname>services.postfix.tlsTrustedAuthorities</varname> which now defaults to system certifcate authorities.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
|
@ -488,7 +488,7 @@ in
|
||||
'';
|
||||
example = {
|
||||
mail_owner = "postfix";
|
||||
smtp_use_tls = true;
|
||||
smtp_tls_security_level = "may";
|
||||
};
|
||||
};
|
||||
|
||||
@ -500,18 +500,20 @@ in
|
||||
";
|
||||
};
|
||||
|
||||
tlsTrustedAuthorities = mkOption {
|
||||
type = types.str;
|
||||
default = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
|
||||
description = ''
|
||||
File containing trusted certification authorities (CA) to verify certificates of mailservers contacted for mail delivery. This basically sets smtp_tls_CAfile and enables opportunistic tls. Defaults to NixOS trusted certification authorities.
|
||||
'';
|
||||
};
|
||||
|
||||
sslCert = mkOption {
|
||||
type = types.str;
|
||||
default = "";
|
||||
description = "SSL certificate to use.";
|
||||
};
|
||||
|
||||
sslCACert = mkOption {
|
||||
type = types.str;
|
||||
default = "";
|
||||
description = "SSL certificate of CA.";
|
||||
};
|
||||
|
||||
sslKey = mkOption {
|
||||
type = types.str;
|
||||
default = "";
|
||||
@ -805,18 +807,20 @@ in
|
||||
recipient_canonical_classes = [ "envelope_recipient" ];
|
||||
}
|
||||
// optionalAttrs cfg.enableHeaderChecks { header_checks = [ "regexp:/etc/postfix/header_checks" ]; }
|
||||
// optionalAttrs (cfg.tlsTrustedAuthorities != "") {
|
||||
smtp_tls_CAfile = cfg.tlsTrustedAuthorities;
|
||||
smtp_tls_security_level = "may";
|
||||
}
|
||||
// optionalAttrs (cfg.sslCert != "") {
|
||||
smtp_tls_CAfile = cfg.sslCACert;
|
||||
smtp_tls_cert_file = cfg.sslCert;
|
||||
smtp_tls_key_file = cfg.sslKey;
|
||||
|
||||
smtp_use_tls = true;
|
||||
smtp_tls_security_level = "may";
|
||||
|
||||
smtpd_tls_CAfile = cfg.sslCACert;
|
||||
smtpd_tls_cert_file = cfg.sslCert;
|
||||
smtpd_tls_key_file = cfg.sslKey;
|
||||
|
||||
smtpd_use_tls = true;
|
||||
smtpd_tls_security_level = "may";
|
||||
};
|
||||
|
||||
services.postfix.masterConfig = {
|
||||
@ -951,4 +955,9 @@ in
|
||||
services.postfix.mapFiles.client_access = checkClientAccessFile;
|
||||
})
|
||||
]);
|
||||
|
||||
imports = [
|
||||
(mkRemovedOptionModule [ "services" "postfix" "sslCACert" ]
|
||||
"services.postfix.sslCACert was replaced by services.postfix.tlsTrustedAuthorities. In case you intend that your server should validate requested client certificates use services.postfix.extraConfig.")
|
||||
];
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user