nixos/postfix: replace sslCert and sslKey options

There exist multiple issues with these options, for example they are not introspectable, since the values are configured in the config part of the module. Also the keypair is always configured for both server and client usage, which is really surprising. The postfix docs even advise against setting up client certificates, if they aren't required. [1] The replacements are the `smtpd_tls_chain_files` for server usage and `smtp_tls_chain_files` for client usage, which are the prefered way to configure keys and certificates since Postfix 3.4.0. [2] [1] https://www.postfix.org/postconf.5.html#smtp_tls_cert_file [2] https://www.postfix.org/postconf.5.html#smtpd_tls_cert_file
2025-06-03 02:12:06 +02:00 · 2025-06-03 02:12:06 +02:00 · 3cb8d47c1a
commit 3cb8d47c1a
parent 951a020ed4
3 changed files with 50 additions and 26 deletions
--- a/nixos/doc/manual/release-notes/rl-2511.section.md
+++ b/nixos/doc/manual/release-notes/rl-2511.section.md
@ -46,6 +46,11 @@

 - `renovate` was updated to v40. See the [upstream release notes](https://github.com/renovatebot/renovate/releases/tag/40.0.0) for breaking changes.

+- The Postfix module has been updated and likely requires configuration changes:
+  - The `services.postfix.sslCert` and `sslKey` options were removed and you now need to configure
+    - [services.postfix.config.smtpd_tls_chain_files](#opt-services.postfix.config.smtpd_tls_chain_files) for server certificates,
+    - [services.postfix.config.smtp_tls_chain_files](#opt-services.postfix.config) for client certificates.
+
 ## Other Notable Changes {#sec-release-25.11-notable-changes}

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@ -584,6 +584,41 @@ in
              ])
            );
          options = {
+            smtpd_tls_chain_files = mkOption {
+              type = with types; listOf path;
+              default = [ ];
+              example = [
+                "/var/lib/acme/mail.example.com/privkey.pem"
+                "/var/lib/acme/mail.example.com/fullchain.pem"
+              ];
+              description = ''
+                List of paths to the server private keys and certificates.
+
+                ::: {.caution}
+                The order of items matters and a private key must always be followed by the corresponding certificate.
+                :::
+
+                <https://www.postfix.org/postconf.5.html#smtpd_tls_chain_files>
+              '';
+            };
+
+            smtpd_tls_security_level = mkOption {
+              type = types.enum [
+                "none"
+                "may"
+                "encrypt"
+              ];
+              default = if config.services.postfix.config.smtpd_tls_chain_files != [ ] then "may" else "none";
+              defaultText = lib.literalExpression ''
+                if config.services.postfix.config.smtpd_tls_chain_files != [ ] then "may" else "none"
+              '';
+              example = "may";
+              description = ''
+                The server TLS security level. Enable TLS by configuring at least `may`.
+
+                <https://www.postfix.org/postconf.5.html#smtpd_tls_security_level>
+              '';
+            };
          };
        };

@ -616,18 +651,6 @@ in
        '';
      };

-      sslCert = lib.mkOption {
-        type = lib.types.str;
-        default = "";
-        description = "SSL certificate to use.";
-      };
-
-      sslKey = lib.mkOption {
-        type = lib.types.str;
-        default = "";
-        description = "SSL key to use.";
-      };
-
      recipientDelimiter = lib.mkOption {
        type = lib.types.str;
        default = "";
@ -991,18 +1014,6 @@ in
          // lib.optionalAttrs (cfg.tlsTrustedAuthorities != "") {
            smtp_tls_CAfile = cfg.tlsTrustedAuthorities;
            smtp_tls_security_level = lib.mkDefault "may";
-          }
-          // lib.optionalAttrs (cfg.sslCert != "") {
-            smtp_tls_cert_file = cfg.sslCert;
-            smtp_tls_key_file = cfg.sslKey;
-
-            smtp_tls_security_level = lib.mkDefault "may";
-
-            smtpd_tls_cert_file = cfg.sslCert;
-            smtpd_tls_key_file = cfg.sslKey;
-
-            smtpd_tls_security_level = lib.mkDefault "may";
-
          };

        services.postfix.masterConfig =
@ -1167,6 +1178,12 @@ in
    (lib.mkRemovedOptionModule [ "services" "postfix" "sslCACert" ]
      "services.postfix.sslCACert was replaced by services.postfix.tlsTrustedAuthorities. In case you intend that your server should validate requested client certificates use services.postfix.extraConfig."
    )
+    (lib.mkRemovedOptionModule [ "services" "postfix" "sslCert" ]
+      "services.postfix.sslCert was removed. Use services.postfix.config.smtpd_tls_chain_files for the server certificate, or services.postfix.config.smtp_tls_chain_files for the client certificate."
+    )
+    (lib.mkRemovedOptionModule [ "services" "postfix" "sslKey" ]
+      "services.postfix.sslKey was removed. Use services.postfix.config.smtpd_tls_chain_files for server private key, or services.postfix.config.smtp_tls_chain_files for the client private key."
+    )

    (lib.mkChangedOptionModule
      [ "services" "postfix" "useDane" ]
--- a/nixos/tests/postfix.nix
+++ b/nixos/tests/postfix.nix
@ -14,8 +14,10 @@ import ./make-test-python.nix {
        enableSubmission = true;
        enableSubmissions = true;
        tlsTrustedAuthorities = "${certs.ca.cert}";
-        sslCert = "${certs.${domain}.cert}";
-        sslKey = "${certs.${domain}.key}";
+        config.smtpd_tls_chain_files = [
+          certs.${domain}.key
+          certs.${domain}.cert
+        ];
        submissionsOptions = {
          smtpd_sasl_auth_enable = "yes";
          smtpd_client_restrictions = "permit";