diff --git a/default.nix b/default.nix
index 71effa0..afe77b8 100644
--- a/default.nix
+++ b/default.nix
@@ -982,6 +982,14 @@ in
 };
 redis = {
+ configureLocally = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether to provision a local Redis instance.
+ '';
+ };
+
 address = mkOption {
 type = types.str;
 # read the default from nixos' redis module
@@ -1021,21 +1029,6 @@ in
 '';
 };
- smtpdForbidBareNewline = mkOption {
- type = types.bool;
- default = true;
- description = ''
- With "smtpd_forbid_bare_newline = yes", the Postfix SMTP server
- disconnects a remote SMTP client that sends a line ending in a 'bare
- newline'.
-
- This feature was added in Postfix 3.8.4 against SMTP Smuggling and will
- default to "yes" in Postfix 3.9.
-
- https://www.postfix.org/smtp-smuggling.html
- '';
- };
-
 sendingFqdn = mkOption {
 type = types.str;
 default = cfg.fqdn;
@@ -1366,5 +1359,8 @@ in
 (lib.mkRemovedOptionModule [ "mailserver" "dkimBodyCanonicalization" ] ''
 DKIM signing has been migrated to Rspamd, which always uses relaxed canonicalization.
 '')
+ (lib.mkRemovedOptionModule [ "mailserver" "smtpdForbidBareNewline" ] ''
+ The workaround for the SMTP Smuggling attack is default enabled in Postfix >3.9. Use `services.postfix.config.smtpd_forbid_bare_newline` if you need to deviate from its default.
+ '')
 ];
 }
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index 5d7f9a2..76f65a9 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -304,10 +304,6 @@ in
 non_smtpd_milters = lib.mkIf cfg.dkimSigning [ "unix:/run/rspamd/rspamd-milter.sock" ];
 milter_protocol = "6";
 milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_authen}";
-
- # Fix for https://www.postfix.org/smtp-smuggling.html
- smtpd_forbid_bare_newline = cfg.smtpdForbidBareNewline;
- smtpd_forbid_bare_newline_exclusions = "$mynetworks";
 };
 submissionOptions = submissionOptions;
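Review bot: The description of `configureLocally` in the first default.nix hunk (`@@ -982,6 +982,14 @@`) does not say what the operator takes on by setting it to false. With the local instance disabled, the neighbouring `address` option presumably has to point at a Redis the operator runs, and how that instance is authenticated and restricted on the network is then outside this module's control. I would extend the description along the lines of `Whether to provision a local Redis instance. If disabled, point the redis address at an instance you operate and restrict access to it yourself.` No consumer of the new option is visible in this diff, so it is worth confirming that the code enabling the Redis service is actually gated on it; the `redis` attribute set continues outside the hunk.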
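Review bot: The removal message added in the third default.nix hunk (`@@ -1366,5 +1359,8 @@`) says the protection is default enabled in "Postfix >3.9", while the option description deleted in the second hunk says the default changes in Postfix 3.9 itself, so `>= 3.9` is presumably what is meant. Together with the mail-server/postfix.nix hunk, which drops the explicit `smtpd_forbid_bare_newline` setting, a host still evaluated against a Postfix older than 3.9 would lose the SMTP Smuggling mitigation without any warning unless the operator sets it by hand, and the message should say so. As far as I know the 3.9 default is `normalize` rather than the `yes` this module used to set, so behaviour may change slightly even on current Postfix; please confirm against postconf(5) and mention it. Suggested wording: `Postfix >= 3.9 mitigates SMTP Smuggling by default. On older Postfix, or to change the mode, set services.postfix.config.smtpd_forbid_bare_newline yourself.`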