tjh.dev / nixpkgs
Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)
fork atom

nixos/postfix: replace tls cert/key options and allow removing settings from rendered main.cf (#413427)

authored by

Martin Weinelt and committed by
GitHub d94de054 71cb4b80

+76 -35
unified split
+5
nixos/doc/manual/release-notes/rl-2511.section.md
··· 46 47 - `renovate` was updated to v40. See the [upstream release notes](https://github.com/renovatebot/renovate/releases/tag/40.0.0) for breaking changes. 48 49 ## Other Notable Changes {#sec-release-25.11-notable-changes} 50 51 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
··· 46 47 - `renovate` was updated to v40. See the [upstream release notes](https://github.com/renovatebot/renovate/releases/tag/40.0.0) for breaking changes. 48 49 + - The Postfix module has been updated and likely requires configuration changes: 50 + - The `services.postfix.sslCert` and `sslKey` options were removed and you now need to configure 51 + - [services.postfix.config.smtpd_tls_chain_files](#opt-services.postfix.config.smtpd_tls_chain_files) for server certificates, 52 + - [services.postfix.config.smtp_tls_chain_files](#opt-services.postfix.config) for client certificates. 53 + 54 ## Other Notable Changes {#sec-release-25.11-notable-changes} 55 56 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
+67 -33
nixos/modules/services/mail/postfix.nix
··· 5 ... 6 }: 7 let 8 9 cfg = config.services.postfix; 10 user = cfg.user; ··· 47 ); 48 mkEntry = name: value: "${escape name} =${mkVal value}"; 49 in 50 - lib.concatStringsSep "\n" (lib.mapAttrsToList mkEntry cfg.config) + "\n" + cfg.extraConfig; 51 52 masterCfOptions = 53 { ··· 564 }; 565 566 config = lib.mkOption { 567 - type = 568 - with lib.types; 569 - attrsOf (oneOf [ 570 - bool 571 - int 572 - str 573 - (listOf str) 574 - ]); 575 description = '' 576 The main.cf configuration file as key value set. 577 ''; 578 example = { 579 mail_owner = "postfix"; ··· 597 description = '' 598 File containing trusted certification authorities (CA) to verify certificates of mailservers contacted for mail delivery. This sets [smtp_tls_CAfile](https://www.postfix.org/postconf.5.html#smtp_tls_CAfile). Defaults to system trusted certificates (see `security.pki.*` options). 599 ''; 600 - }; 601 - 602 - sslCert = lib.mkOption { 603 - type = lib.types.str; 604 - default = ""; 605 - description = "SSL certificate to use."; 606 - }; 607 - 608 - sslKey = lib.mkOption { 609 - type = lib.types.str; 610 - default = ""; 611 - description = "SSL key to use."; 612 }; 613 614 recipientDelimiter = lib.mkOption { ··· 974 // lib.optionalAttrs (cfg.tlsTrustedAuthorities != "") { 975 smtp_tls_CAfile = cfg.tlsTrustedAuthorities; 976 smtp_tls_security_level = lib.mkDefault "may"; 977 - } 978 - // lib.optionalAttrs (cfg.sslCert != "") { 979 - smtp_tls_cert_file = cfg.sslCert; 980 - smtp_tls_key_file = cfg.sslKey; 981 - 982 - smtp_tls_security_level = lib.mkDefault "may"; 983 - 984 - smtpd_tls_cert_file = cfg.sslCert; 985 - smtpd_tls_key_file = cfg.sslKey; 986 - 987 - smtpd_tls_security_level = lib.mkDefault "may"; 988 - 989 }; 990 991 services.postfix.masterConfig = ··· 1149 imports = [ 1150 (lib.mkRemovedOptionModule [ "services" "postfix" "sslCACert" ] 1151 "services.postfix.sslCACert was replaced by services.postfix.tlsTrustedAuthorities. In case you intend that your server should validate requested client certificates use services.postfix.extraConfig." 1152 ) 1153 1154 (lib.mkChangedOptionModule
··· 5 ... 6 }: 7 let 8 + inherit (lib) 9 + mkOption 10 + types 11 + ; 12 13 cfg = config.services.postfix; 14 user = cfg.user; ··· 51 ); 52 mkEntry = name: value: "${escape name} =${mkVal value}"; 53 in 54 + lib.concatStringsSep "\n" ( 55 + lib.mapAttrsToList mkEntry (lib.filterAttrsRecursive (_: value: value != null) cfg.config) 56 + ) 57 + + "\n" 58 + + cfg.extraConfig; 59 60 masterCfOptions = 61 { ··· 572 }; 573 574 config = lib.mkOption { 575 + type = lib.types.submodule { 576 + freeformType = 577 + with types; 578 + attrsOf ( 579 + nullOr (oneOf [ 580 + bool 581 + int 582 + str 583 + (listOf str) 584 + ]) 585 + ); 586 + options = { 587 + smtpd_tls_chain_files = mkOption { 588 + type = with types; listOf path; 589 + default = [ ]; 590 + example = [ 591 + "/var/lib/acme/mail.example.com/privkey.pem" 592 + "/var/lib/acme/mail.example.com/fullchain.pem" 593 + ]; 594 + description = '' 595 + List of paths to the server private keys and certificates. 596 + 597 + ::: {.caution} 598 + The order of items matters and a private key must always be followed by the corresponding certificate. 599 + ::: 600 + 601 + <https://www.postfix.org/postconf.5.html#smtpd_tls_chain_files> 602 + ''; 603 + }; 604 + 605 + smtpd_tls_security_level = mkOption { 606 + type = types.enum [ 607 + "none" 608 + "may" 609 + "encrypt" 610 + ]; 611 + default = if config.services.postfix.config.smtpd_tls_chain_files != [ ] then "may" else "none"; 612 + defaultText = lib.literalExpression '' 613 + if config.services.postfix.config.smtpd_tls_chain_files != [ ] then "may" else "none" 614 + ''; 615 + example = "may"; 616 + description = '' 617 + The server TLS security level. Enable TLS by configuring at least `may`. 618 + 619 + <https://www.postfix.org/postconf.5.html#smtpd_tls_security_level> 620 + ''; 621 + }; 622 + }; 623 + }; 624 + 625 description = '' 626 The main.cf configuration file as key value set. 627 + 628 + Null values will not be rendered. 629 ''; 630 example = { 631 mail_owner = "postfix"; ··· 649 description = '' 650 File containing trusted certification authorities (CA) to verify certificates of mailservers contacted for mail delivery. This sets [smtp_tls_CAfile](https://www.postfix.org/postconf.5.html#smtp_tls_CAfile). Defaults to system trusted certificates (see `security.pki.*` options). 651 ''; 652 }; 653 654 recipientDelimiter = lib.mkOption { ··· 1014 // lib.optionalAttrs (cfg.tlsTrustedAuthorities != "") { 1015 smtp_tls_CAfile = cfg.tlsTrustedAuthorities; 1016 smtp_tls_security_level = lib.mkDefault "may"; 1017 }; 1018 1019 services.postfix.masterConfig = ··· 1177 imports = [ 1178 (lib.mkRemovedOptionModule [ "services" "postfix" "sslCACert" ] 1179 "services.postfix.sslCACert was replaced by services.postfix.tlsTrustedAuthorities. In case you intend that your server should validate requested client certificates use services.postfix.extraConfig." 1180 + ) 1181 + (lib.mkRemovedOptionModule [ "services" "postfix" "sslCert" ] 1182 + "services.postfix.sslCert was removed. Use services.postfix.config.smtpd_tls_chain_files for the server certificate, or services.postfix.config.smtp_tls_chain_files for the client certificate." 1183 + ) 1184 + (lib.mkRemovedOptionModule [ "services" "postfix" "sslKey" ] 1185 + "services.postfix.sslKey was removed. Use services.postfix.config.smtpd_tls_chain_files for server private key, or services.postfix.config.smtp_tls_chain_files for the client private key." 1186 ) 1187 1188 (lib.mkChangedOptionModule
+4 -2
nixos/tests/postfix.nix
··· 14 enableSubmission = true; 15 enableSubmissions = true; 16 tlsTrustedAuthorities = "${certs.ca.cert}"; 17 - sslCert = "${certs.${domain}.cert}"; 18 - sslKey = "${certs.${domain}.key}"; 19 submissionsOptions = { 20 smtpd_sasl_auth_enable = "yes"; 21 smtpd_client_restrictions = "permit";
··· 14 enableSubmission = true; 15 enableSubmissions = true; 16 tlsTrustedAuthorities = "${certs.ca.cert}"; 17 + config.smtpd_tls_chain_files = [ 18 + certs.${domain}.key 19 + certs.${domain}.cert 20 + ]; 21 submissionsOptions = { 22 smtpd_sasl_auth_enable = "yes"; 23 smtpd_client_restrictions = "permit";