mailserver: Allow using implicit TLS

The configuration dates back quite a bit and then STARTTLS was
considered the best option. However, with RFC 8314 from 2018, which now
recommends implicit TLS for IMAP and SMTP submission, this changed.

This allows using implicit TLS for those services. STARTTLS might become
deprecated and/or removed in the future.

modules/mailserver.nix

@@ -111,8 +111,10 @@ in
     # Firewall
     networking.firewall.allowedTCPPorts = [
       143 # IMAP
+      993 # IMAP (implicit TLS)
       25 # SMTP
       587 # SMTP submission
+      465 # SMTP submission (implicit TLS)
     ];
 
     # Service dependencies
@@ -186,7 +188,8 @@ in
       {
         enable = true;
 
-        enableSubmission = true;
+        enableSubmission = true; # plain/STARTTLS (latter is forced in submissionOptions)
+        enableSubmissions = true; # submission with implicit TLS (TCP/465)
 
         hostname = cfg.fqdn;
         networksStyle = "host";
@@ -257,6 +260,7 @@ in
           non_smtpd_milters = lib.mkIf cfg.dkim.enable (lib.singleton "unix:/run/opendkim/opendkim.sock");
         };
 
+        # plain/STARTTLS (forced with smtpd_tls_security_level)
         submissionOptions = {
           smtpd_tls_security_level = "encrypt";
           smtpd_sasl_auth_enable = "yes";
@@ -278,6 +282,8 @@ in
 
           cleanup_service_name = "submission-header-cleanup";
         };
+        # implicit TLS
+        submissionsOptions = config.services.postfix.submissionOptions;
 
         masterConfig = {
           submission-header-cleanup = {