Merge branch 'tlsrpt' into 'master'

MTA-STS lookups, SMTP TLS reports See merge request simple-nixos-mailserver/nixos-mailserver!430
2025-11-08 22:39:42 +00:00
parent bd56d97299 3555a546ab
commit 44dd1778a0
5 changed files with 44 additions and 1 deletions
--- a/README.md
+++ b/README.md
@@ -29,6 +29,8 @@ SNM branch corresponding to your NixOS version.
  * [x] Submission TLS on port 465
  * [x] Submission StartTLS on port 587
  * [x] LMTP with Dovecot
+  * [x] DANE and MTA-STS validation
+  * [x] SMTP TLS Reports ([RFC 8460](https://www.rfc-editor.org/rfc/rfc8460))
 * Dovecot
  * [x] Maildir folders
  * [x] IMAP with TLS on port 993
--- a/default.nix
+++ b/default.nix
@@ -94,6 +94,17 @@ in
      '';
    };

+    systemContact = mkOption {
+      type = types.str;
+      example = "postmaster@example.com";
+      description = ''
+        The email address where the administrative contact for this mail server is reachable.
+
+        Currently, this is only required when one of the following features is enabled:
+        - SMTP TLS reports (`mailserver.tlsrpt.enable`)
+      '';
+    };
+
    systemDomain = mkOption {
      type = types.str;
      default =
@@ -1032,6 +1043,8 @@ in
      };
    };

+    tlsrpt.enable = mkEnableOption "delivery of SMTP TLS reports according to RFC 8460";
+
    debug = {
      all = mkOption {
        type = types.bool;
--- a/docs/release-notes.rst
+++ b/docs/release-notes.rst
@@ -21,10 +21,18 @@ NixOS 25.11
  ``mailserver.enableSubmission``.
 - DMARC reports are now sent with the ``noreply-dmarc`` localpart from the
  system domain.
+- DANE and MTA-STS are now validated for outgoing SMTP connections using
+  `postfix-tlspol`_.
+- SMTP TLS connection reports (`RFC 8460`_) are now supported using
+  `tlsrpt-reporter`_. They can be enabled with the ``mailserver.tlsrpt.enable``
+  option.

 .. _RFC 8301 3.2: https://www.rfc-editor.org/rfc/rfc8301#section-3.2
 .. _RFC 8314 3.3: https://www.rfc-editor.org/rfc/rfc8314#section-3.3
 .. _RFC 8314 4.1: https://www.rfc-editor.org/rfc/rfc8314#section-4.1
+.. _RFC 8460: https://www.rfc-editor.org/rfc/rfc8460
+.. _postfix-tlspol: https://github.com/Zuplu/postfix-tlspol
+.. _tlsrpt-reporter: https://github.com/sys4/tlsrpt-reporter

 NixOS 25.05
 -----------
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -242,6 +242,22 @@ let
 in
 {
  config = lib.mkIf cfg.enable {
+    # SMTP TLS error reporting (RFC 8460)
+    services.tlsrpt = {
+      inherit (cfg.tlsrpt) enable;
+      configurePostfix = true;
+      reportd.settings = {
+        organization_name = cfg.systemName;
+        contact_info = "${cfg.systemContact}";
+        sender_address = "noreply-tlsrpt@${cfg.systemDomain}";
+      };
+    };
+
+    # SMTP client policy mapping for DANE (RFC 6698) and MTA-STS (RFC 8461)
+    services.postfix-tlspol = {
+      enable = true;
+      configurePostfix = true;
+    };

    systemd.services.postfix-setup = lib.mkIf cfg.ldap.enable {
      preStart = ''
@@ -350,7 +366,7 @@ in
        smtpd_tls_exclude_ciphers = "SHA1, eNULL, aNULL";
        smtpd_tls_mandatory_exclude_ciphers = "SHA1, eNULL, aNULL";

-        # Opportunistic DANE support when delivering mail to other servers
+        # Enable DNSSEC/DANE support for outgoing SMTP connections
        # https://www.postfix.org/postconf.5.html#smtp_tls_security_level
        smtp_dns_support_level = "dnssec";
        smtp_tls_security_level = "dane";
--- a/tests/multiple.nix
+++ b/tests/multiple.nix
@@ -1,6 +1,7 @@
 # This tests is used to test features requiring several mail domains.

 {
+  lib,
  pkgs,
  ...
 }:
@@ -49,6 +50,9 @@ let
          "domain2.com,domain2,10"
        ];
      };
+
+      # breaks the test, due to running into DNS timeouts
+      services.postfix-tlspol.configurePostfix = lib.mkForce false;
    };

 in