aither/simple-nixos-mailserver
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Disable submission with explicit STARTTLS by default

Browse Source 
Deprecated, but not yet scheduled for removal pending user feedback.
This commit is contained in:
Martin Weinelt
2025-11-08 12:37:29 +01:00
parent 58659fbdfd
commit 1337e2eece
3 changed files with 15 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
default.nix
View File

@@ -877,9 +877,11 @@ in
enableSubmission = mkOption { enableSubmission = mkOption {
type = types.bool; type = types.bool;
default = true; default = false;
description = '' description = ''
Whether to enable SMTP with STARTTLS on port 587. Whether to enable SMTP with STARTTLS on port 587.
The use of this port is discouraged per RFC 8314 3.3, see also Appendix A.
''; '';
}; };

14
docs/release-notes.rst
View File

@@ -11,15 +11,19 @@ NixOS 25.11
recommended in `RFC 8301 3.2`_. recommended in `RFC 8301 3.2`_.
We recommend rotating existing keys, as the RFC advises that signatures from We recommend rotating existing keys, as the RFC advises that signatures from
1024 bit keys should not be considered valid any longer. 1024 bit keys should not be considered valid any longer.
- DMARC reports are now sent with the ``noreply-dmarc`` localpart from the - IMAP access over port ``143/tcp`` is now default disabled in line
system domain. with `RFC 8314 4.1`_. Use IMAP over implicit TLS on port ``993/tcp``
- IMAP access over port ``143/tcp`` is now default disabled in line with instead. If you still require this feature you can reenable it using
`RFC 8314 4.1`_. Use IMAP over implicit TLS on port ``993/tcp`` instead.
If you still require this feature you can reenable it using
``mailserver.enableImap``, but it is scheduled for removal after the 25.11 ``mailserver.enableImap``, but it is scheduled for removal after the 25.11
release. release.
- SMTP access over STARTTLS on port ``587/tcp`` is now default disabled in line
with `RFC 8314 3.3`_. If you still require this feature you can renable it using
``mailserver.enableSubmission``.
- DMARC reports are now sent with the ``noreply-dmarc`` localpart from the
system domain.
.. _RFC 8301 3.2: https://www.rfc-editor.org/rfc/rfc8301#section-3.2 .. _RFC 8301 3.2: https://www.rfc-editor.org/rfc/rfc8301#section-3.2
.. _RFC 8314 3.3: https://www.rfc-editor.org/rfc/rfc8314#section-3.3
.. _RFC 8314 4.1: https://www.rfc-editor.org/rfc/rfc8314#section-4.1 .. _RFC 8314 4.1: https://www.rfc-editor.org/rfc/rfc8314#section-4.1
NixOS 25.05 NixOS 25.05

3
tests/lib/config.nix
View File

@@ -7,6 +7,9 @@
# Testing eval failures that result from stateVersion assertion is out of scope # Testing eval failures that result from stateVersion assertion is out of scope
mailserver.stateVersion = 999; mailserver.stateVersion = 999;
# Keep testing submission with explicit TLS
mailserver.enableSubmission = true;
# Enable second CPU core # Enable second CPU core
virtualisation.cores = lib.mkDefault 2; virtualisation.cores = lib.mkDefault 2;