aither/simple-nixos-mailserver
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Use postfix-tlspol for DANE/MTA-STS policy lookups

Browse Source 
Postfix with plain DANE only secures domains that configure DNSSEC and
publish TLSA records. With postfix-tlspol we support MTA-STS protected
connections and get caching for its policy results.

Finally, we use this as a stepping stone to build TLSRPT support on top.
This commit is contained in:
Martin Weinelt
2025-06-29 00:57:56 +02:00
parent ed771e37f7
commit 0812ca1e48
4 changed files with 15 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@@ -29,6 +29,7 @@ SNM branch corresponding to your NixOS version.
* [x] Submission TLS on port 465 * [x] Submission TLS on port 465
* [x] Submission StartTLS on port 587 * [x] Submission StartTLS on port 587
* [x] LMTP with Dovecot * [x] LMTP with Dovecot
* [x] DANE and MTA-STS validation
* Dovecot * Dovecot
* [x] Maildir folders * [x] Maildir folders
* [x] IMAP with TLS on port 993 * [x] IMAP with TLS on port 993

3
docs/release-notes.rst
View File

@@ -21,10 +21,13 @@ NixOS 25.11
``mailserver.enableSubmission``. ``mailserver.enableSubmission``.
- DMARC reports are now sent with the ``noreply-dmarc`` localpart from the - DMARC reports are now sent with the ``noreply-dmarc`` localpart from the
system domain. system domain.
- DANE and MTA-STS are now validated for outgoing SMTP connections using
`postfix-tlspol`_.
.. _RFC 8301 3.2: https://www.rfc-editor.org/rfc/rfc8301#section-3.2 .. _RFC 8301 3.2: https://www.rfc-editor.org/rfc/rfc8301#section-3.2
.. _RFC 8314 3.3: https://www.rfc-editor.org/rfc/rfc8314#section-3.3 .. _RFC 8314 3.3: https://www.rfc-editor.org/rfc/rfc8314#section-3.3
.. _RFC 8314 4.1: https://www.rfc-editor.org/rfc/rfc8314#section-4.1 .. _RFC 8314 4.1: https://www.rfc-editor.org/rfc/rfc8314#section-4.1
.. _postfix-tlspol: https://github.com/Zuplu/postfix-tlspol
NixOS 25.05 NixOS 25.05
----------- -----------

8
mail-server/postfix.nix
View File

@@ -243,6 +243,12 @@ in
{ {
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
# SMTP client policy mapping for DANE (RFC 6698) and MTA-STS (RFC 8461)
services.postfix-tlspol = {
enable = true;
configurePostfix = true;
};
systemd.services.postfix-setup = lib.mkIf cfg.ldap.enable { systemd.services.postfix-setup = lib.mkIf cfg.ldap.enable {
preStart = '' preStart = ''
${appendPwdInVirtualMailboxMap} ${appendPwdInVirtualMailboxMap}
@@ -350,7 +356,7 @@ in
smtpd_tls_exclude_ciphers = "SHA1, eNULL, aNULL"; smtpd_tls_exclude_ciphers = "SHA1, eNULL, aNULL";
smtpd_tls_mandatory_exclude_ciphers = "SHA1, eNULL, aNULL"; smtpd_tls_mandatory_exclude_ciphers = "SHA1, eNULL, aNULL";
# Opportunistic DANE support when delivering mail to other servers # Enable DNSSEC/DANE support for outgoing SMTP connections
# https://www.postfix.org/postconf.5.html#smtp_tls_security_level # https://www.postfix.org/postconf.5.html#smtp_tls_security_level
smtp_dns_support_level = "dnssec"; smtp_dns_support_level = "dnssec";
smtp_tls_security_level = "dane"; smtp_tls_security_level = "dane";

4
tests/multiple.nix
View File

@@ -1,6 +1,7 @@
# This tests is used to test features requiring several mail domains. # This tests is used to test features requiring several mail domains.
{ {
lib,
pkgs, pkgs,
... ...
}: }:
@@ -49,6 +50,9 @@ let
"domain2.com,domain2,10" "domain2.com,domain2,10"
]; ];
}; };
# breaks the test, due to running into DNS timeouts
services.postfix-tlspol.configurePostfix = lib.mkForce false;
}; };
in in