From 21e139f313f842266e62210d159434f2be564569 Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Wed, 31 May 2023 12:11:21 +0200
Subject: [PATCH] mailserver: Allow using implicit TLS

The configuration dates back quite a bit and then STARTTLS was considered the best option. However, with RFC 8314 from 2018, which now recommends implicit TLS for IMAP and SMTP submission, this changed. This allows using implicit TLS for those services. STARTTLS might become deprecated and/or removed in the future.
---
 modules/mailserver.nix | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/modules/mailserver.nix b/modules/mailserver.nix
index 8ef9056..2a8c287 100644
--- a/modules/mailserver.nix
+++ b/modules/mailserver.nix
@@ -111,8 +111,10 @@ in
   # Firewall
   networking.firewall.allowedTCPPorts = [
     143 # IMAP
+    993 # IMAP (implicit TLS)
     25 # SMTP
     587 # SMTP submission
+    465 # SMTP submission (implicit TLS)
   ];
 
   # Service dependencies
@@ -186,7 +188,8 @@ in
     {
       enable = true;
-      enableSubmission = true;
+      enableSubmission = true; # plain/STARTTLS (latter is forced in submissionOptions)
+      enableSubmissions = true; # submission with implicit TLS (TCP/465)
       hostname = cfg.fqdn;
       networksStyle = "host";
@@ -257,6 +260,7 @@ in
           non_smtpd_milters = lib.mkIf cfg.dkim.enable (lib.singleton "unix:/run/opendkim/opendkim.sock");
         };
+      # plain/STARTTLS (forced with smtpd_tls_security_level)
       submissionOptions = {
         smtpd_tls_security_level = "encrypt";
         smtpd_sasl_auth_enable = "yes";
@@ -278,6 +282,8 @@ in
         cleanup_service_name = "submission-header-cleanup";
       };
+      # implicit TLS
+      submissionsOptions = config.services.postfix.submissionOptions;
       masterConfig = {
         submission-header-cleanup = {
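Review bot: Port 993 is opened in the firewall here, but no Dovecot change accompanies it anywhere in this patch, so the imaps listener must come from configuration outside the diff; with the NixOS dovecot2 module that is, as far as I recall, the default when TLS is configured, but it is not visible here and is worth recording next to the port, e.g. `993 # IMAP (implicit TLS; relies on Dovecot's default imaps listener)`. The same applies in reverse to 465, whose listener is only enabled two hunks later via `enableSubmissions`. Ports 143 and 25 remain open, which is expected (25 is needed for inbound MX delivery; 143 is presumably STARTTLS-only via Dovecot's ssl setting), but that enforcement is outside this hunk and should be confirmed rather than assumed.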
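Review bot: The new comment on `enableSubmissions` names its port (TCP/465) while the adjusted comment on `enableSubmission` does not, even though the firewall hunk now opens both 587 and 465; stating the port on both lines keeps the pair symmetric and makes the firewall entries traceable, e.g. `enableSubmission = true; # plain/STARTTLS on TCP/587 (TLS forced in submissionOptions)`. The enclosing postfix attribute set starts and ends outside the hunk.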
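Review bot: `submissionsOptions = config.services.postfix.submissionOptions;` makes the implicit-TLS service inherit `smtpd_tls_security_level = "encrypt"`, which is a STARTTLS-mode setting; on a wrapper-mode port it is harmless only because, as far as I recall, the NixOS postfix module itself adds `smtpd_tls_wrappermode = yes` to the submissions master.cf entry, and that dependency is neither confirmed nor documented here. The `# implicit TLS` comment should carry it, e.g. `# implicit TLS (TCP/465); reuses the STARTTLS submission options — the NixOS module adds smtpd_tls_wrappermode=yes for this service, verify on module updates`. Aliasing the two option sets also means any future option added to submissionOptions that only makes sense for STARTTLS is silently copied to the 465 service. The enclosing config attribute set continues outside the hunk.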