Use postfix-tlspol for DANE/MTA-STS policy lookups

Postfix with plain DANE only secures domains that configure DNSSEC and
publish TLSA records. With postfix-tlspol we support MTA-STS protected
connections and get caching for its policy results.

Finally, we use this as a stepping stone to build TLSRPT support on top.
Martin Weinelt
2025-06-29 00:57:56 +02:00
parent ed771e37f7
commit 0812ca1e48
4 changed files with 15 additions and 1 deletion


@@ -243,6 +243,12 @@ in
{
config = lib.mkIf cfg.enable {
# SMTP client policy mapping for DANE (RFC 6698) and MTA-STS (RFC 8461)
services.postfix-tlspol = {
enable = true;
configurePostfix = true;
};
systemd.services.postfix-setup = lib.mkIf cfg.ldap.enable {
preStart = ''
${appendPwdInVirtualMailboxMap}
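Review bot: `services.postfix-tlspol` is switched on unconditionally inside `config = lib.mkIf cfg.enable`, with no way for a deployment to opt out; consider exposing an option such as `cfg.tlspol.enable` (name is a suggestion) defaulting to `true`, so hosts that already run a policy daemon or whose resolver cannot validate DNSSEC can keep the previous DANE-only behaviour. Since `configurePostfix = true` lets postfix-tlspol inject its own Postfix settings, the comment should also say which `services.postfix` keys that covers, so readers of this file do not look for them here.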
@@ -350,7 +356,7 @@ in
smtpd_tls_exclude_ciphers = "SHA1, eNULL, aNULL";
smtpd_tls_mandatory_exclude_ciphers = "SHA1, eNULL, aNULL";
# Opportunistic DANE support when delivering mail to other servers
# Enable DNSSEC/DANE support for outgoing SMTP connections
# https://www.postfix.org/postconf.5.html#smtp_tls_security_level
smtp_dns_support_level = "dnssec";
smtp_tls_security_level = "dane";
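Review bot: only the comment changes in this hunk while `smtp_tls_security_level = "dane"` and `smtp_dns_support_level = "dnssec"` stay as they were; because a per-destination policy map lookup takes precedence over the global security level, the comment should state that `dane` is now the fallback for destinations postfix-tlspol returns no policy for, rather than the sole mechanism. Otherwise a reader of this file cannot tell from the comment that MTA-STS lookups described in the commit message happen at all.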