Merge branch 'smptp-smuggling-cleanup' into 'master'

postfix: remove option to toggle SMTP smuggling workarounnd See merge request simple-nixos-mailserver/nixos-mailserver!411
2025-06-12 22:57:43 +00:00 · 2025-06-12 22:57:43 +00:00 · 3f1c6960d3
commit 3f1c6960d3
parent 54cb3e5784 f1bd4b8215
2 changed files with 11 additions and 19 deletions
--- a/default.nix
+++ b/default.nix
@ -982,6 +982,14 @@ in
    };

    redis = {
+      configureLocally = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Whether to provision a local Redis instance.
+        '';
+      };
+
      address = mkOption {
        type = types.str;
        # read the default from nixos' redis module
@ -1021,21 +1029,6 @@ in
      '';
    };

-    smtpdForbidBareNewline = mkOption {
-      type = types.bool;
-      default = true;
-      description = ''
-        With "smtpd_forbid_bare_newline = yes", the Postfix SMTP server
-        disconnects a remote SMTP client that sends a line ending in a 'bare
-        newline'.
-
-        This feature was added in Postfix 3.8.4 against SMTP Smuggling and will
-        default to "yes" in Postfix 3.9.
-
-        https://www.postfix.org/smtp-smuggling.html
-      '';
-    };
-
    sendingFqdn = mkOption {
      type = types.str;
      default = cfg.fqdn;
@ -1366,5 +1359,8 @@ in
    (lib.mkRemovedOptionModule [ "mailserver" "dkimBodyCanonicalization" ] ''
      DKIM signing has been migrated to Rspamd, which always uses relaxed canonicalization.
    '')
+    (lib.mkRemovedOptionModule [ "mailserver" "smtpdForbidBareNewline" ] ''
+      The workaround for the SMTP Smuggling attack is default enabled in Postfix >3.9. Use `services.postfix.config.smtpd_forbid_bare_newline` if you need to deviate from its default.
+    '')
  ];
 }
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@ -304,10 +304,6 @@ in
        non_smtpd_milters = lib.mkIf cfg.dkimSigning [ "unix:/run/rspamd/rspamd-milter.sock" ];
        milter_protocol = "6";
        milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_authen}";
-
-        # Fix for https://www.postfix.org/smtp-smuggling.html
-        smtpd_forbid_bare_newline = cfg.smtpdForbidBareNewline;
-        smtpd_forbid_bare_newline_exclusions = "$mynetworks";
      };

      submissionOptions = submissionOptions;