author | Alvar Penning <post@0x21.biz> | 2023-12-23 20:15:16 +0100 |
---|---|---|
committer | Naïm Favier <n@monade.li> | 2023-12-23 20:15:16 +0100 |
commit | 3f526c08e8d2dc53343f5c12d4e53aecf7ea2172 (patch) | |
tree | 05a92d983354bdc22f305352b7be8578a89c02d0 | |
parent | 008d78cc21959e33d0d31f375b88353a7d7121ae (diff) |
postfix: SMTP Smuggling Protection
Enable Postfix SMTP Smuggling protection, introduced in Postfix 3.8.4,
which is currently available only in the nixpkgs master branch.
- https://github.com/NixOS/nixpkgs/pull/276104
- https://github.com/NixOS/nixpkgs/pull/276264
For information about SMTP Smuggling:
- https://www.postfix.org/smtp-smuggling.html
- https://www.postfix.org/postconf.5.html#smtpd_forbid_bare_newline
-rw-r--r-- | default.nix | 15 | ||||
-rw-r--r-- | mail-server/postfix.nix | 1 |
2 files changed, 16 insertions, 0 deletions
diff --git a/default.nix b/default.nix
index fdfaee3..3abdfbc 100644
--- a/default.nix
+++ b/default.nix
@@ -955,6 +955,21 @@ in
 '';
 };
+ smtpdForbidBareNewline = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ With "smtpd_forbid_bare_newline = yes", the Postfix SMTP server
+ disconnects a remote SMTP client that sends a line ending in a 'bare
+ newline'.
+
+ This feature was added in Postfix 3.8.4 against SMTP Smuggling and will
+ default to "yes" in Postfix 3.9.
+
+ https://www.postfix.org/smtp-smuggling.html
+ '';
+ };
+
 sendingFqdn = mkOption {
 type = types.str;
 default = cfg.fqdn;
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index 9362e2c..4967e2d 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -309,6 +309,7 @@ in
 milter_protocol = "6";
 milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}";
+ smtpd_forbid_bare_newline = cfg.smtpdForbidBareNewline;
 };
 submissionOptions = submissionOptions;
|
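Review bot: The description of `smtpdForbidBareNewline` does not tell the operator that the setting only does anything on Postfix 3.8.4 or newer, yet the option defaults to `true` for every user of the module. The commit message itself says that version is only in nixpkgs master, so on an older package the parameter is presumably ignored (Postfix, as far as I know, only warns about unknown main.cf parameters) and the server stays exposed while the option reads as enabled. I would add a sentence such as `Has no effect on Postfix older than 3.8.4.` to the description. If `lib`, `pkgs` and `warnings` are usable in this file, which the hunk does not show, a module warning guarded by `lib.versionOlder pkgs.postfix.version "3.8.4"` would make the gap visible at evaluation time.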
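Review bot: The added `smtpd_forbid_bare_newline` line sets only the switch and leaves `smtpd_forbid_bare_newline_exclusions` at its Postfix default of `$mynetworks`, so clients inside `mynetworks` are not subject to the check. That is worth stating next to the setting, because a broadly configured `mynetworks` silently narrows the protection. I would add a comment above the line such as `# Clients matching smtpd_forbid_bare_newline_exclusions (Postfix default: $mynetworks) are exempt.` The enclosing attribute set starts outside the hunk, so I am assuming this is the main.cf configuration rather than a per-service override.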