From 0812ca1e486a776c6734cb3a3f9cb327646605f6 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Sun, 29 Jun 2025 00:57:56 +0200
Subject: [PATCH] Use postfix-tlspol for DANE/MTA-STS policy lookups

Postfix with plain DANE only secures domains that configure DNSSEC and publish TLSA records. With postfix-tlspol we support MTA-STS protected connections and get caching for its policy results. Finally, we use this as a stepping stone to build TLSRPT support on top.
---
 README.md | 1 +
 docs/release-notes.rst | 3 +++
 mail-server/postfix.nix | 8 +++++++-
 tests/multiple.nix | 4 ++++
 4 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index ef3042a..1ec1b39 100644
--- a/README.md
+++ b/README.md
@@ -29,6 +29,7 @@ SNM branch corresponding to your NixOS version.
 * [x] Submission TLS on port 465
 * [x] Submission StartTLS on port 587
 * [x] LMTP with Dovecot
+ * [x] DANE and MTA-STS validation
 * Dovecot
 * [x] Maildir folders
 * [x] IMAP with TLS on port 993
diff --git a/docs/release-notes.rst b/docs/release-notes.rst
index 744d2bc..2614e45 100644
--- a/docs/release-notes.rst
+++ b/docs/release-notes.rst
@@ -21,10 +21,13 @@ NixOS 25.11
 ``mailserver.enableSubmission``.
 - DMARC reports are now sent with the ``noreply-dmarc`` localpart from the
 system domain.
+- DANE and MTA-STS are now validated for outgoing SMTP connections using
+ `postfix-tlspol`_.
 
 .. _RFC 8301 3.2: https://www.rfc-editor.org/rfc/rfc8301#section-3.2
 .. _RFC 8314 3.3: https://www.rfc-editor.org/rfc/rfc8314#section-3.3
 .. _RFC 8314 4.1: https://www.rfc-editor.org/rfc/rfc8314#section-4.1
+.. _postfix-tlspol: https://github.com/Zuplu/postfix-tlspol
 
 NixOS 25.05
 -----------
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index 8c0bccd..b32eb91 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -243,6 +243,12 @@ in
 {
 config = lib.mkIf cfg.enable {
 
+ # SMTP client policy mapping for DANE (RFC 6698) and MTA-STS (RFC 8461)
+ services.postfix-tlspol = {
+ enable = true;
+ configurePostfix = true;
+ };
+
 systemd.services.postfix-setup = lib.mkIf cfg.ldap.enable {
 preStart = ''
 ${appendPwdInVirtualMailboxMap}
@@ -350,7 +356,7 @@ in
 smtpd_tls_exclude_ciphers = "SHA1, eNULL, aNULL";
 smtpd_tls_mandatory_exclude_ciphers = "SHA1, eNULL, aNULL";
 
- # Opportunistic DANE support when delivering mail to other servers
+ # Enable DNSSEC/DANE support for outgoing SMTP connections
 # https://www.postfix.org/postconf.5.html#smtp_tls_security_level
 smtp_dns_support_level = "dnssec";
 smtp_tls_security_level = "dane";
diff --git a/tests/multiple.nix b/tests/multiple.nix
index 8ba2920..d222b82 100644
--- a/tests/multiple.nix
+++ b/tests/multiple.nix
@@ -1,6 +1,7 @@
 # This tests is used to test features requiring several mail domains.
 {
+ lib,
 pkgs,
 ...
 }:
@@ -49,6 +50,9 @@ let
 "domain2.com,domain2,10"
 ];
 };
+
+ # breaks the test, due to running into DNS timeouts
+ services.postfix-tlspol.configurePostfix = lib.mkForce false;
 };
in
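Review bot: `services.postfix-tlspol.enable = true` and `configurePostfix = true` in the first postfix.nix hunk are hard assignments for every consumer of the module, so a deployment whose MTA cannot perform the DNS and HTTPS lookups postfix-tlspol presumably needs for DANE and MTA-STS has to `lib.mkForce` them off, exactly as tests/multiple.nix does in this same commit. Writing `enable = lib.mkDefault true;` and `configurePostfix = lib.mkDefault true;` keeps the secure default while letting a downstream configuration opt out with a plain assignment and leaves `mkForce` for the cases that really need it. The added comment names the RFCs but not what `configurePostfix` changes in the generated Postfix configuration; since the second hunk keeps `smtp_tls_security_level = "dane"`, a sentence such as `# configurePostfix wires Postfix to query postfix-tlspol per destination; the DANE level below remains the default when no policy is returned` would tell the reader which setting wins, once the precedence has been confirmed against the postfix-tlspol module. The enclosing `config = lib.mkIf cfg.enable { … }` set continues past the hunk.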
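Review bot: The rewritten comment in the second postfix.nix hunk, `# Enable DNSSEC/DANE support for outgoing SMTP connections`, drops the word "opportunistic" although the setting it describes is unchanged and Postfix documents the `dane` level as opportunistic DANE TLS that falls back to `may` when a destination publishes no TLSA records. That distinction matters more, not less, now that postfix-tlspol is in front of it, because it is the behaviour a recipient domain gets when neither DANE nor an MTA-STS policy applies. A comment along the lines of `# Opportunistic DANE (Postfix "dane" level): authenticated when DNSSEC-signed TLSA records exist, plain opportunistic TLS otherwise; this is the default unless postfix-tlspol supplies a stricter per-destination policy` keeps the original meaning and records the new relationship. The `smtp_dns_support_level = "dnssec"` line also only has effect with a DNSSEC-validating local resolver, which neither file on this page states anywhere.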
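Review bot: Forcing `services.postfix-tlspol.configurePostfix` to `false` in the last tests/multiple.nix hunk means the integration added to mail-server/postfix.nix is switched off in the only test that the commit touches, so a regression in how Postfix is wired to postfix-tlspol would go unnoticed, and the comment `# breaks the test, due to running into DNS timeouts` does not say that the daemon itself presumably still starts or which lookups time out. Expanding it to `# Keep postfix-tlspol enabled but do not point Postfix at it: the DANE/MTA-STS lookups it performs run into DNS timeouts in the test network and stall delivery` makes the trade-off explicit for the next person who tries to remove the override. At minimum the test script could wait for the postfix-tlspol unit so service startup is covered; a later test with stub DNS records would be the way to exercise the lookup path itself. The attribute set this line belongs to starts before the hunk and the `let` it sits in ends after it.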