authorJörg Thalheim <Mic92@users.noreply.github.com>2020-08-13 06:53:53 +0100
committerGitHub <noreply@github.com>2020-08-13 06:53:53 +0100
commit0f2ee10cbfd698a8c7fd19dae2f09bb95c7fb079 (patch)
tree1bbf0fef3fb93febb45c49f5ae81e49af7b255de /nixos
parentaa7c73344fe144c218e3f211d3a574189d6bcea2 (diff)
parenta45f1453eb44968ca7c3f2a316951e6947187ee2 (diff)
Merge pull request #94270 from jerith666/postfix-dane
postfix: add useDane config option
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/mail/postfix.nix14
1 files changed, 12 insertions, 2 deletions
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index ad10ba1d9090..fd4d16cdc37b 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -25,6 +25,8 @@ let
clientRestrictions = concatStringsSep ", " (clientAccess ++ dnsBl);
+ smtpTlsSecurityLevel = if cfg.useDane then "dane" else "may";
+
mainCf = let
escape = replaceStrings ["$"] ["$$"];
mkList = items: "\n " + concatStringsSep ",\n " items;
@@ -508,6 +510,14 @@ in
'';
};
+ useDane = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Sets smtp_tls_security_level to "dane" rather than "may". See postconf(5) for details.
+ '';
+ };
+
sslCert = mkOption {
type = types.str;
default = "";
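Review bot: The `useDane` description does not tell the operator when the option takes effect or what "dane" actually guarantees. As wired in the last hunk of this commit, the level is emitted only when `sslCert` or `tlsTrustedAuthorities` is non-empty, and per postconf(5) "dane" is opportunistic: a destination without DNSSEC-validated TLSA records is handled as "may", so mail to it can still go out unauthenticated or in cleartext. I would extend the description with a sentence such as `Only applies when sslCert or tlsTrustedAuthorities is set; needs a DNSSEC-validating resolver; destinations without TLSA records fall back to "may".` The surrounding option set starts and ends outside this hunk.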
@@ -809,13 +819,13 @@ in
// optionalAttrs cfg.enableHeaderChecks { header_checks = [ "regexp:/etc/postfix/header_checks" ]; }
// optionalAttrs (cfg.tlsTrustedAuthorities != "") {
smtp_tls_CAfile = cfg.tlsTrustedAuthorities;
- smtp_tls_security_level = "may";
+ smtp_tls_security_level = smtpTlsSecurityLevel;
}
// optionalAttrs (cfg.sslCert != "") {
smtp_tls_cert_file = cfg.sslCert;
smtp_tls_key_file = cfg.sslKey;
- smtp_tls_security_level = "may";
+ smtp_tls_security_level = smtpTlsSecurityLevel;
smtpd_tls_cert_file = cfg.sslCert;
smtpd_tls_key_file = cfg.sslKey;
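Review bot: `smtp_tls_security_level` is still assigned only inside the two `optionalAttrs` guards, so `useDane = true` with neither `tlsTrustedAuthorities` nor `sslCert` set emits nothing and the operator silently gets no DANE. DANE authenticates the peer through TLSA records and needs neither a CA file nor a client certificate, so I would emit it on its own after these two sets, e.g. `// optionalAttrs cfg.useDane { smtp_tls_security_level = "dane"; smtp_dns_support_level = "dnssec"; }`. The second key matters because Postfix only performs DANE when DNSSEC lookups are enabled; nothing in the visible lines sets it, though it may be configured elsewhere in the file. The attribute set continues outside this hunk.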