From 3cb8d47c1ae94135a5ef3ab4e65646ffe51d51c4 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 3 Jun 2025 02:12:06 +0200 Subject: [PATCH] nixos/postfix: replace sslCert and sslKey options There exist multiple issues with these options, for example they are not introspectable, since the values are configured in the config part of the module. Also the keypair is always configured for both server and client usage, which is really surprising. The postfix docs even advise against setting up client certificates, if they aren't required. [1] The replacements are the `smtpd_tls_chain_files` for server usage and `smtp_tls_chain_files` for client usage, which are the preferred way to configure keys and certificates since Postfix 3.4.0. [2] [1] https://www.postfix.org/postconf.5.html#smtp_tls_cert_file [2] https://www.postfix.org/postconf.5.html#smtpd_tls_cert_file --- .../manual/release-notes/rl-2511.section.md | 5 ++ nixos/modules/services/mail/postfix.nix | 65 ++++++++++++------- nixos/tests/postfix.nix | 6 +- 3 files changed, 50 insertions(+), 26 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-2511.section.md b/nixos/doc/manual/release-notes/rl-2511.section.md index d0da48a610d6..63180e564ff0 100644 --- a/nixos/doc/manual/release-notes/rl-2511.section.md +++ b/nixos/doc/manual/release-notes/rl-2511.section.md @@ -46,6 +46,11 @@ - `renovate` was updated to v40. See the [upstream release notes](https://github.com/renovatebot/renovate/releases/tag/40.0.0) for breaking changes. +- The Postfix module has been updated and likely requires configuration changes: + - The `services.postfix.sslCert` and `sslKey` options were removed and you now need to configure + - [services.postfix.config.smtpd_tls_chain_files](#opt-services.postfix.config.smtpd_tls_chain_files) for server certificates, + - [services.postfix.config.smtp_tls_chain_files](#opt-services.postfix.config) for client certificates. + ## Other Notable Changes {#sec-release-25.11-notable-changes} 
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index 37bd3877747e..85e04b992259 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix @@ -584,6 +584,41 @@ in ]) ); options = { + smtpd_tls_chain_files = mkOption { + type = with types; listOf path; + default = [ ]; + example = [ + "/var/lib/acme/mail.example.com/privkey.pem" + "/var/lib/acme/mail.example.com/fullchain.pem" + ]; + description = '' + List of paths to the server private keys and certificates. + + ::: {.caution} + The order of items matters and a private key must always be followed by the corresponding certificate. + ::: + + + ''; + }; + + smtpd_tls_security_level = mkOption { + type = types.enum [ + "none" + "may" + "encrypt" + ]; + default = if config.services.postfix.config.smtpd_tls_chain_files != [ ] then "may" else "none"; + defaultText = lib.literalExpression '' + if config.services.postfix.config.smtpd_tls_chain_files != [ ] then "may" else "none" + ''; + example = "may"; + description = '' + The server TLS security level. Enable TLS by configuring at least `may`. + + + ''; + }; }; }; @@ -616,18 +651,6 @@ in ''; }; - sslCert = lib.mkOption { - type = lib.types.str; - default = ""; - description = "SSL certificate to use."; - }; - - sslKey = lib.mkOption { - type = lib.types.str; - default = ""; - description = "SSL key to use."; - }; - recipientDelimiter = lib.mkOption { type = lib.types.str; default = ""; @@ -991,18 +1014,6 @@ in // lib.optionalAttrs (cfg.tlsTrustedAuthorities != "") { smtp_tls_CAfile = cfg.tlsTrustedAuthorities; smtp_tls_security_level = lib.mkDefault "may"; - } - // lib.optionalAttrs (cfg.sslCert != "") { - smtp_tls_cert_file = cfg.sslCert; - smtp_tls_key_file = cfg.sslKey; - - smtp_tls_security_level = lib.mkDefault "may"; - - smtpd_tls_cert_file = cfg.sslCert; - smtpd_tls_key_file = cfg.sslKey; - - smtpd_tls_security_level = lib.mkDefault "may"; - }; services.postfix.masterConfig = 
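Review bot: `smtpd_tls_chain_files` is typed `listOf path`, so a Nix path literal such as `./privkey.pem` is accepted and gets copied into the world-readable Nix store before Postfix ever reads it, which for a private key is a credential leak rather than a type error. Either type the option `listOf str` (the example already uses plain strings) or extend the caution with `Give these as string paths, never as Nix path literals: a path literal is copied into the world-readable Nix store.` Separately, the commit message and release note name `smtp_tls_chain_files` as the client-side replacement, but only the smtpd option is declared in this hunk, so the client list gets no type check, no ordering caution and no option anchor for the release note to link to; a parallel declaration carrying the same caution would close that gap. The trailing blank lines in both descriptions look like an extraction-stripped reference link, which is worth confirming against the original patch.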
@@ -1167,6 +1178,12 @@ in (lib.mkRemovedOptionModule [ "services" "postfix" "sslCACert" ] "services.postfix.sslCACert was replaced by services.postfix.tlsTrustedAuthorities. In case you intend that your server should validate requested client certificates use services.postfix.extraConfig." ) + (lib.mkRemovedOptionModule [ "services" "postfix" "sslCert" ] + "services.postfix.sslCert was removed. Use services.postfix.config.smtpd_tls_chain_files for the server certificate, or services.postfix.config.smtp_tls_chain_files for the client certificate." + ) + (lib.mkRemovedOptionModule [ "services" "postfix" "sslKey" ] + "services.postfix.sslKey was removed. Use services.postfix.config.smtpd_tls_chain_files for server private key, or services.postfix.config.smtp_tls_chain_files for the client private key." + ) (lib.mkChangedOptionModule [ "services" "postfix" "useDane" ] diff --git a/nixos/tests/postfix.nix b/nixos/tests/postfix.nix index 674a7656079f..36a2b03469d6 100644 --- a/nixos/tests/postfix.nix +++ b/nixos/tests/postfix.nix @@ -14,8 +14,10 @@ import ./make-test-python.nix { enableSubmission = true; enableSubmissions = true; tlsTrustedAuthorities = "${certs.ca.cert}"; - sslCert = "${certs.${domain}.cert}"; - sslKey = "${certs.${domain}.key}"; + config.smtpd_tls_chain_files = [ + certs.${domain}.key + certs.${domain}.cert + ]; submissionsOptions = { smtpd_sasl_auth_enable = "yes"; smtpd_client_restrictions = "permit";
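Review bot: The test now only proves that a key followed by its certificate is accepted; the other behaviour this commit introduces, `smtpd_tls_security_level` defaulting to `may` whenever `smtpd_tls_chain_files` is non-empty, is not asserted anywhere in this hunk. A one-line check in the test script, e.g. `machine.succeed('[ "$(postconf -h smtpd_tls_security_level)" = may ]')` on the node carrying this config (its name and the script body are outside the hunk), would catch a regression of that default. Since this list is the only executable example of the ordering rule, a comment on it would also help, e.g. `# order matters: private key first, then its certificate`.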