mailserver: Allow using implicit TLS

The configuration dates back some way, to a time when STARTTLS was
considered the best option. That changed with RFC 8314 (2018), which
recommends implicit TLS for IMAP and SMTP submission.

This allows using implicit TLS for those services. STARTTLS might become
deprecated and/or removed in the future.
Simon Bruder 2023-05-31 12:11:21 +02:00
parent 75fd40abb3
commit 21e139f313
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC


@ -111,8 +111,10 @@ in
# Firewall
networking.firewall.allowedTCPPorts = [
143 # IMAP
993 # IMAP (implicit TLS)
25 # SMTP
587 # SMTP submission
465 # SMTP submission (implicit TLS)
];
# Service dependencies
@ -186,7 +188,8 @@ in
{
enable = true;
enableSubmission = true;
enableSubmission = true; # plain/STARTTLS (latter is forced in submissionOptions)
enableSubmissions = true; # submission with implicit TLS (TCP/465)
hostname = cfg.fqdn;
networksStyle = "host";
@ -257,6 +260,7 @@ in
non_smtpd_milters = lib.mkIf cfg.dkim.enable (lib.singleton "unix:/run/opendkim/opendkim.sock");
};
# plain/STARTTLS (forced with smtpd_tls_security_level)
submissionOptions = {
smtpd_tls_security_level = "encrypt";
smtpd_sasl_auth_enable = "yes";
@ -278,6 +282,8 @@ in
cleanup_service_name = "submission-header-cleanup";
};
# implicit TLS
submissionsOptions = config.services.postfix.submissionOptions;
masterConfig = {
submission-header-cleanup = {
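Review bot: Copying `submissionOptions` verbatim into `submissionsOptions` (the `# implicit TLS` line) may drop the module's default `smtpd_tls_wrappermode = "yes"`, which is what actually makes the listener on 465 speak implicit TLS; if that NixOS option is a plain attrset whose default is replaced rather than merged, the `submissions` smtpd would run in STARTTLS mode with `smtpd_tls_security_level = encrypt`, so implicit-TLS clients would fail to connect (they would not fall back to plaintext, but the commit's goal would be defeated). I cannot see the module from here, so verify in the generated master.cf that the `submissions` entry carries `-o smtpd_tls_wrappermode=yes`; to make it explicit regardless of module defaults, write `submissionsOptions = config.services.postfix.submissionOptions // { smtpd_tls_wrappermode = "yes"; };`. The comment could also state why the STARTTLS option set is reused, e.g. `# implicit TLS: same SASL/restriction/cleanup settings as STARTTLS submission; TLS is enforced by wrapper mode`. The enclosing services.postfix attrset starts before the hunk, and the hunk appears to continue past the visible lines.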