Add support for SMTP TLS reports
When enabled, the tlsrpt services will send out aggregated reports about TLS connections the local Postfix made to interested parties, who set up a `_smtp._tls` TXT record with a rua attribute. Introduces mailserver.systemContact to specify an administrative contact advertised in these automated reports.
@@ -30,6 +30,7 @@ SNM branch corresponding to your NixOS version.
|
|||||||
* [x] Submission StartTLS on port 587
|
* [x] Submission StartTLS on port 587
|
||||||
* [x] LMTP with Dovecot
|
* [x] LMTP with Dovecot
|
||||||
* [x] DANE and MTA-STS validation
|
* [x] DANE and MTA-STS validation
|
||||||
|
* [x] SMTP TLS Reports ([RFC 8460](https://www.rfc-editor.org/rfc/rfc8460))
|
||||||
* Dovecot
|
* Dovecot
|
||||||
* [x] Maildir folders
|
* [x] Maildir folders
|
||||||
* [x] IMAP with TLS on port 993
|
* [x] IMAP with TLS on port 993
|
||||||
|
|||||||
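Review bot: the new feature-list entry reads as always-on, while the feature is opt-in through `mailserver.tlsrpt.enable` (declared with `mkEnableOption`, so off by default) and, per the option description added in this commit, needs `mailserver.systemContact` to be set. Consider saying so in the entry, e.g. `* [x] SMTP TLS Reports ([RFC 8460](https://www.rfc-editor.org/rfc/rfc8460)), opt-in via mailserver.tlsrpt.enable`, so readers of the feature list know what enabling it entails.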
13
default.nix
13
default.nix
@@ -94,6 +94,17 @@ in
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
systemContact = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
example = "postmaster@example.com";
|
||||||
|
description = ''
|
||||||
|
The email address where the administrative contact for this mail server is reachable.
|
||||||
|
|
||||||
|
Currently, this is only required when one of the following features is enabled:
|
||||||
|
- SMTP TLS reports (`mailserver.tlsrpt.enable`)
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
systemDomain = mkOption {
|
systemDomain = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default =
|
default =
|
||||||
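Review bot: `systemContact` is declared as `type = types.str;` with no default, yet its description says it is only required when `mailserver.tlsrpt.enable` is set; with this declaration, any evaluation of `cfg.systemContact` that is not guarded by `cfg.tlsrpt.enable` fails with the generic module-system error that the option is used but not defined, which does not tell the user which feature wanted it. Consider `type = types.nullOr types.str; default = null;` together with an assertion in the tlsrpt configuration, so the optionality stated in the description is what the module actually enforces and the failure names the missing option.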
@@ -1032,6 +1043,8 @@ in
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
tlsrpt.enable = mkEnableOption "delivery of SMTP TLS reports according to RFC 8460";
|
||||||
|
|
||||||
debug = {
|
debug = {
|
||||||
all = mkOption {
|
all = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
|
|||||||
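Review bot: the enable option's description does not mention that enabling it requires `mailserver.systemContact` to be set (and that the report sender is built from `mailserver.systemName` and `mailserver.systemDomain`), which is where a user inspecting the option will look first; consider extending it, e.g. `mkEnableOption "delivery of SMTP TLS reports according to RFC 8460 (requires mailserver.systemContact)"`, keeping it a noun phrase since `mkEnableOption` prefixes "Whether to enable".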
@@ -23,11 +23,16 @@ NixOS 25.11
|
|||||||
system domain.
|
system domain.
|
||||||
- DANE and MTA-STS are now validated for outgoing SMTP connections using
|
- DANE and MTA-STS are now validated for outgoing SMTP connections using
|
||||||
`postfix-tlspol`_.
|
`postfix-tlspol`_.
|
||||||
|
- SMTP TLS connection reports (`RFC 8460`_) are now supported using
|
||||||
|
`tlsrpt-reporter`_. They can be enabled with the ``mailserver.tlsrpt.enable``
|
||||||
|
option.
|
||||||
|
|
||||||
.. _RFC 8301 3.2: https://www.rfc-editor.org/rfc/rfc8301#section-3.2
|
.. _RFC 8301 3.2: https://www.rfc-editor.org/rfc/rfc8301#section-3.2
|
||||||
.. _RFC 8314 3.3: https://www.rfc-editor.org/rfc/rfc8314#section-3.3
|
.. _RFC 8314 3.3: https://www.rfc-editor.org/rfc/rfc8314#section-3.3
|
||||||
.. _RFC 8314 4.1: https://www.rfc-editor.org/rfc/rfc8314#section-4.1
|
.. _RFC 8314 4.1: https://www.rfc-editor.org/rfc/rfc8314#section-4.1
|
||||||
|
.. _RFC 8460: https://www.rfc-editor.org/rfc/rfc8460
|
||||||
.. _postfix-tlspol: https://github.com/Zuplu/postfix-tlspol
|
.. _postfix-tlspol: https://github.com/Zuplu/postfix-tlspol
|
||||||
|
.. _tlsrpt-reporter: https://github.com/sys4/tlsrpt-reporter
|
||||||
|
|
||||||
NixOS 25.05
|
NixOS 25.05
|
||||||
-----------
|
-----------
|
||||||
|
|||||||
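Review bot: the release note does not state that `mailserver.systemContact` must be set when enabling `mailserver.tlsrpt.enable`; since that option has no default, a user following this note as written will hit an evaluation error. A sentence after `option.`, such as ``Enabling it requires setting ``mailserver.systemContact``.``, closes that gap. The new `.. _RFC 8460:` and `.. _tlsrpt-reporter:` link targets keep the ordering of the existing ones.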
@@ -242,6 +242,16 @@ let
|
|||||||
in
|
in
|
||||||
{
|
{
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
|
# SMTP TLS error reporting (RFC 8460)
|
||||||
|
services.tlsrpt = {
|
||||||
|
inherit (cfg.tlsrpt) enable;
|
||||||
|
configurePostfix = true;
|
||||||
|
reportd.settings = {
|
||||||
|
organization_name = cfg.systemName;
|
||||||
|
contact_info = "${cfg.systemContact}";
|
||||||
|
sender_address = "noreply-tlsrpt@${cfg.systemDomain}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
# SMTP client policy mapping for DANE (RFC 6698) and MTA-STS (RFC 8461)
|
# SMTP client policy mapping for DANE (RFC 6698) and MTA-STS (RFC 8461)
|
||||||
services.postfix-tlspol = {
|
services.postfix-tlspol = {
|
||||||
|
|||||||
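Review bot: there is no check that `cfg.systemContact` is defined when `cfg.tlsrpt.enable` is true, so enabling reporting without a contact fails with an undefined-option error rather than a message naming the dependency. Add an `assertions` entry next to this block, e.g. `{ assertion = cfg.tlsrpt.enable -> cfg.systemContact != null; message = "mailserver.systemContact must be set when mailserver.tlsrpt.enable is true"; }`; note this only yields the friendly message if the option gets a default (such as `null` via `types.nullOr types.str`), because accessing an undefined `types.str` option throws before the assertion message is shown. Minor: `contact_info = "${cfg.systemContact}";` can be `contact_info = cfg.systemContact;` since the value is already a string. Worth confirming in the commit description that `configurePostfix = true` submits the generated reports through the local Postfix, so mail from `noreply-tlsrpt@${cfg.systemDomain}` is DKIM signed and covered by the domain's SPF like the rest of its outbound mail; report mail from a new sender address that fails those checks is likely to be rejected or quarantined by receiving collectors.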