Merge branch 'smptp-smuggling-cleanup' into 'master'

postfix: remove option to toggle SMTP smuggling workarounnd

See merge request simple-nixos-mailserver/nixos-mailserver!411
This commit is contained in:
Martin Weinelt 2025-06-12 22:57:43 +00:00
commit 3f1c6960d3
2 changed files with 11 additions and 19 deletions

View file

@ -982,6 +982,14 @@ in
};
redis = {
configureLocally = mkOption {
type = types.bool;
default = true;
description = ''
Whether to provision a local Redis instance.
'';
};
address = mkOption {
type = types.str;
# read the default from nixos' redis module
@ -1021,21 +1029,6 @@ in
'';
};
smtpdForbidBareNewline = mkOption {
type = types.bool;
default = true;
description = ''
With "smtpd_forbid_bare_newline = yes", the Postfix SMTP server
disconnects a remote SMTP client that sends a line ending in a 'bare
newline'.
This feature was added in Postfix 3.8.4 against SMTP Smuggling and will
default to "yes" in Postfix 3.9.
https://www.postfix.org/smtp-smuggling.html
'';
};
sendingFqdn = mkOption {
type = types.str;
default = cfg.fqdn;
@ -1366,5 +1359,8 @@ in
(lib.mkRemovedOptionModule [ "mailserver" "dkimBodyCanonicalization" ] ''
DKIM signing has been migrated to Rspamd, which always uses relaxed canonicalization.
'')
(lib.mkRemovedOptionModule [ "mailserver" "smtpdForbidBareNewline" ] ''
The workaround for the SMTP Smuggling attack is default enabled in Postfix >3.9. Use `services.postfix.config.smtpd_forbid_bare_newline` if you need to deviate from its default.
'')
];
}

View file

@ -304,10 +304,6 @@ in
non_smtpd_milters = lib.mkIf cfg.dkimSigning [ "unix:/run/rspamd/rspamd-milter.sock" ];
milter_protocol = "6";
milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_authen}";
# Fix for https://www.postfix.org/smtp-smuggling.html
smtpd_forbid_bare_newline = cfg.smtpdForbidBareNewline;
smtpd_forbid_bare_newline_exclusions = "$mynetworks";
};
submissionOptions = submissionOptions;