From 3555a546ab8d8cc5bbb393a25835b548d0f352ca Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Tue, 8 Jul 2025 04:36:50 +0200
Subject: [PATCH] Add support for SMTP TLS reports

When enabled the tlsrpt services will send out aggregated reports about TLS connections the local Postfix made to interested parties, who set up a `_smtp._tls` TXT record with a rua attribute.

Introduces mailserver.systemContact to specify an administrative contact advertised in these automated reports.
---
 README.md | 1 +
 default.nix | 13 +++++++++++++
 docs/release-notes.rst | 5 +++++
 mail-server/postfix.nix | 10 ++++++++++
 4 files changed, 29 insertions(+)

diff --git a/README.md b/README.md
index 1ec1b39..79f8cd7 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,7 @@ SNM branch corresponding to your NixOS version.
 * [x] Submission StartTLS on port 587
 * [x] LMTP with Dovecot
 * [x] DANE and MTA-STS validation
+ * [x] SMTP TLS Reports ([RFC 8460](https://www.rfc-editor.org/rfc/rfc8460))
 * Dovecot
 * [x] Maildir folders
 * [x] IMAP with TLS on port 993
diff --git a/default.nix b/default.nix
index 97485a4..3ca92d0 100644
--- a/default.nix
+++ b/default.nix
@@ -94,6 +94,17 @@ in
 '';
 };
 
+ systemContact = mkOption {
+ type = types.str;
+ example = "postmaster@example.com";
+ description = ''
+ The email address where the administrative contact for this mail server is reachable.
+
+ Currently, this is only required when one of the following features is enabled:
+ - SMTP TLS reports (`mailserver.tlsrpt.enable`)
+ '';
+ };
+
 systemDomain = mkOption {
 type = types.str;
 default =
@@ -1032,6 +1043,8 @@ in
 };
 };
 
+ tlsrpt.enable = mkEnableOption "delivery of SMTP TLS reports according to RFC 8460";
+
 debug = {
 all = mkOption {
 type = types.bool;
diff --git a/docs/release-notes.rst b/docs/release-notes.rst
index 2614e45..51c15bc 100644
--- a/docs/release-notes.rst
+++ b/docs/release-notes.rst
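Review bot: `systemContact` declares no `default`, so the statement in its description that it is "only required" when TLS reporting is enabled is not enforced anywhere visible in this hunk; a configuration that ends up reading the option without having set it fails with the module system's generic undefined-option error rather than one that names the feature. Consider `default = null;` with `type = types.nullOr types.str;` and an assertion along the lines of `cfg.tlsrpt.enable -> cfg.systemContact != null` whose message names `mailserver.tlsrpt.enable`, or at minimum a comment next to the option explaining why no default is given. The description could also say that the value is advertised to third parties in the outgoing reports, which is what the commit message states and what a user choosing the address needs to know. In the second hunk of this file, the `tlsrpt.enable` description is the natural place to cross-reference the `mailserver.systemContact` requirement in the other direction.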
@@ -23,11 +23,16 @@ NixOS 25.11
 system domain.
 - DANE and MTA-STS are now validated for outgoing SMTP connections using
 `postfix-tlspol`_.
+- SMTP TLS connection reports (`RFC 8460`_) are now supported using
+ `tlsrpt-reporter`_. They can be enabled with the ``mailserver.tlsrpt.enable``
+ option.
 
 .. _RFC 8301 3.2: https://www.rfc-editor.org/rfc/rfc8301#section-3.2
 .. _RFC 8314 3.3: https://www.rfc-editor.org/rfc/rfc8314#section-3.3
 .. _RFC 8314 4.1: https://www.rfc-editor.org/rfc/rfc8314#section-4.1
+.. _RFC 8460: https://www.rfc-editor.org/rfc/rfc8460
 .. _postfix-tlspol: https://github.com/Zuplu/postfix-tlspol
+.. _tlsrpt-reporter: https://github.com/sys4/tlsrpt-reporter
 
 NixOS 25.05
 -----------
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index b32eb91..7baa49c 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -242,6 +242,16 @@ let
 in
 {
 config = lib.mkIf cfg.enable {
+ # SMTP TLS error reporting (RFC 8460)
+ services.tlsrpt = {
+ inherit (cfg.tlsrpt) enable;
+ configurePostfix = true;
+ reportd.settings = {
+ organization_name = cfg.systemName;
+ contact_info = "${cfg.systemContact}";
+ sender_address = "noreply-tlsrpt@${cfg.systemDomain}";
+ };
+ };
 
 # SMTP client policy mapping for DANE (RFC 6698) and MTA-STS (RFC 8461)
 services.postfix-tlspol = {
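Review bot: `contact_info = "${cfg.systemContact}";` wraps a value that is already a string (`type = types.str` in default.nix) in an interpolation, while the neighbouring `organization_name = cfg.systemName;` passes its value directly; `contact_info = cfg.systemContact;` keeps the two lines consistent. More substantively, `sender_address = "noreply-tlsrpt@${cfg.systemDomain}"` makes every outbound report originate from the system domain, and nothing in this hunk shows whether that domain is covered by the server's SPF and DKIM setup; if it is not one of the hosted domains, receivers may reject or discard the reports and bounces have nowhere to land, so this is worth verifying against the rest of the module or stating at the `tlsrpt.enable` option. The block is also defined unconditionally under `cfg.enable` and relies on `inherit (cfg.tlsrpt) enable` to keep the tlsrpt services off, so a short comment such as `# reportd.settings is presumably only consumed when enable is true; systemContact has no default` would make the dependency on `cfg.systemContact` explicit. The enclosing `config` attribute set continues outside the hunk.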