mailserver: Allow using implicit TLS
The configuration dates back quite a bit and then STARTTLS was considered the best option. However, with RFC 8314 from 2018, which now recommends implicit TLS for IMAP and SMTP submission, this changed. This allows using implicit TLS for those services. STARTTLS might become deprecated and/or removed in the future.
This commit is contained in:
parent
75fd40abb3
commit
21e139f313
|
@ -111,8 +111,10 @@ in
|
|||
# Firewall
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
143 # IMAP
|
||||
993 # IMAP (implicit TLS)
|
||||
25 # SMTP
|
||||
587 # SMTP submission
|
||||
465 # SMTP submission (implicit TLS)
|
||||
];
|
||||
|
||||
# Service dependencies
|
||||
|
@ -186,7 +188,8 @@ in
|
|||
{
|
||||
enable = true;
|
||||
|
||||
enableSubmission = true;
|
||||
enableSubmission = true; # plain/STARTTLS (latter is forced in submissionOptions)
|
||||
enableSubmissions = true; # submission with implicit TLS (TCP/465)
|
||||
|
||||
hostname = cfg.fqdn;
|
||||
networksStyle = "host";
|
||||
|
@ -257,6 +260,7 @@ in
|
|||
non_smtpd_milters = lib.mkIf cfg.dkim.enable (lib.singleton "unix:/run/opendkim/opendkim.sock");
|
||||
};
|
||||
|
||||
# plain/STARTTLS (forced with smtpd_tls_security_level)
|
||||
submissionOptions = {
|
||||
smtpd_tls_security_level = "encrypt";
|
||||
smtpd_sasl_auth_enable = "yes";
|
||||
|
@ -278,6 +282,8 @@ in
|
|||
|
||||
cleanup_service_name = "submission-header-cleanup";
|
||||
};
|
||||
# implicit TLS
|
||||
submissionsOptions = config.services.postfix.submissionOptions;
|
||||
|
||||
masterConfig = {
|
||||
submission-header-cleanup = {
|
||||
|
|
Loading…
Reference in a new issue