Merge branch 'smptp-smuggling-cleanup' into 'master'
postfix: remove option to toggle SMTP smuggling workaround See merge request simple-nixos-mailserver/nixos-mailserver!411
commit
3f1c6960d3
2 changed files with 11 additions and 19 deletions
26
default.nix
26
default.nix
|
@ -982,6 +982,14 @@ in
|
|||
};
|
||||
|
||||
redis = {
|
||||
configureLocally = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Whether to provision a local Redis instance.
|
||||
'';
|
||||
};
|
||||
|
||||
address = mkOption {
|
||||
type = types.str;
|
||||
# read the default from nixos' redis module
|
||||
|
@ -1021,21 +1029,6 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
smtpdForbidBareNewline = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
With "smtpd_forbid_bare_newline = yes", the Postfix SMTP server
|
||||
disconnects a remote SMTP client that sends a line ending in a 'bare
|
||||
newline'.
|
||||
|
||||
This feature was added in Postfix 3.8.4 against SMTP Smuggling and will
|
||||
default to "yes" in Postfix 3.9.
|
||||
|
||||
https://www.postfix.org/smtp-smuggling.html
|
||||
'';
|
||||
};
|
||||
|
||||
sendingFqdn = mkOption {
|
||||
type = types.str;
|
||||
default = cfg.fqdn;
|
||||
|
@ -1366,5 +1359,8 @@ in
|
|||
(lib.mkRemovedOptionModule [ "mailserver" "dkimBodyCanonicalization" ] ''
|
||||
DKIM signing has been migrated to Rspamd, which always uses relaxed canonicalization.
|
||||
'')
|
||||
(lib.mkRemovedOptionModule [ "mailserver" "smtpdForbidBareNewline" ] ''
|
||||
The workaround for the SMTP Smuggling attack is default enabled in Postfix >3.9. Use `services.postfix.config.smtpd_forbid_bare_newline` if you need to deviate from its default.
|
||||
'')
|
||||
];
|
||||
}
|
||||
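Review bot: After this change the SMTP smuggling protection depends entirely on the built-in default of whichever Postfix is deployed, and nothing visible in `default.nix` checks that version. The description removed in the second hunk says the default only becomes "yes" in Postfix 3.9, and the other file section drops the explicit `smtpd_forbid_bare_newline` setting, so an older Postfix would accept bare newlines again without any warning. If such a package can still be used with this module, consider an assertion along the lines of `assertion = lib.versionAtLeast pkgs.postfix.version "3.9";` (assuming `pkgs` is in scope there) so evaluation fails instead. The message added in the third hunk also says `Postfix >3.9`, which excludes 3.9 itself; `Postfix >= 3.9` matches the removed description.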
|
|
|
@ -304,10 +304,6 @@ in
|
|||
non_smtpd_milters = lib.mkIf cfg.dkimSigning [ "unix:/run/rspamd/rspamd-milter.sock" ];
|
||||
milter_protocol = "6";
|
||||
milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_authen}";
|
||||
|
||||
# Fix for https://www.postfix.org/smtp-smuggling.html
|
||||
smtpd_forbid_bare_newline = cfg.smtpdForbidBareNewline;
|
||||
smtpd_forbid_bare_newline_exclusions = "$mynetworks";
|
||||
};
|
||||
|
||||
submissionOptions = submissionOptions;
|
||||
|
|