From f1bd4b821510eec7d38f39f9ddce5106e679afd1 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Fri, 13 Jun 2025 00:18:50 +0200
Subject: [PATCH] postfix: remove option to toggle SMTP smuggling workarounnd

It has been default enabled since Postfix 3.9 and can still be configured from the NixOS option mentioned in the removal warning. Removing the option makes our interface leaner. Information is based on https://www.postfix.org/smtp-smuggling.html#long.
---
 default.nix             | 26 +++++++++++---------------
 mail-server/postfix.nix |  4 ----
 2 files changed, 11 insertions(+), 19 deletions(-)

diff --git a/default.nix b/default.nix
index 71effa0..afe77b8 100644
--- a/default.nix
+++ b/default.nix
@@ -982,6 +982,14 @@ in
     };
 
     redis = {
+      configureLocally = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Whether to provision a local Redis instance.
+        '';
+      };
+
       address = mkOption {
         type = types.str;
         # read the default from nixos' redis module
@@ -1021,21 +1029,6 @@ in
       '';
     };
 
-    smtpdForbidBareNewline = mkOption {
-      type = types.bool;
-      default = true;
-      description = ''
-        With "smtpd_forbid_bare_newline = yes", the Postfix SMTP server
-        disconnects a remote SMTP client that sends a line ending in a 'bare
-        newline'.
-
-        This feature was added in Postfix 3.8.4 against SMTP Smuggling and will
-        default to "yes" in Postfix 3.9.
-
-        https://www.postfix.org/smtp-smuggling.html
-      '';
-    };
-
     sendingFqdn = mkOption {
       type = types.str;
       default = cfg.fqdn;
@@ -1366,5 +1359,8 @@ in
     (lib.mkRemovedOptionModule [ "mailserver" "dkimBodyCanonicalization" ] ''
       DKIM signing has been migrated to Rspamd, which always uses relaxed canonicalization.
     '')
+    (lib.mkRemovedOptionModule [ "mailserver" "smtpdForbidBareNewline" ] ''
+      The workaround for the SMTP Smuggling attack is default enabled in Postfix >3.9. Use `services.postfix.config.smtpd_forbid_bare_newline` if you need to deviate from its default.
+    '')
   ];
 }
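Review bot: The `redis.configureLocally` option added in the first default.nix hunk is unrelated to the subject of this patch and is not mentioned in the commit message, which only describes the removal of `smtpdForbidBareNewline`; it should travel in its own commit. Nothing else in the patch reads `cfg.redis.configureLocally`, so unless the consuming code lands elsewhere the option is accepted but has no effect — presumably the Redis service definition in another file is meant to be guarded by it. The description could also say what an operator has to do when the option is false (that `address` then has to point at an externally managed Redis instance), since that is the only reason to flip it.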
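Review bot: The removal message in the last default.nix hunk says the workaround is `default enabled in Postfix >3.9`, but both the commit message and the deleted option text place the default change in 3.9 itself, so `>3.9` excludes the very release that introduced the default; `default enabled since Postfix 3.9` would match the rest of the patch. The message also points operators only at `services.postfix.config.smtpd_forbid_bare_newline`, while the mail-server/postfix.nix hunk additionally drops the explicit `smtpd_forbid_bare_newline_exclusions = "$mynetworks"`; as far as I recall Postfix's own default for the exclusions parameter is `$mynetworks` as well, so behaviour should be unchanged, but naming that parameter in the message saves anyone auditing the generated main.cf a hunt for where the exclusion went. It would also help to state plainly that on a Postfix older than 3.9 the protection is now off unless the operator sets the parameter themselves, since the removed option used to force it on regardless of version.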
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index d1c59b2..2546dd5 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -302,10 +302,6 @@ in
       non_smtpd_milters = lib.mkIf cfg.dkimSigning [ "unix:/run/rspamd/rspamd-milter.sock" ];
       milter_protocol = "6";
       milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_authen}";
-
-      # Fix for https://www.postfix.org/smtp-smuggling.html
-      smtpd_forbid_bare_newline = cfg.smtpdForbidBareNewline;
-      smtpd_forbid_bare_newline_exclusions = "$mynetworks";
     };
 
   submissionOptions = submissionOptions;
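Review bot: After this hunk the anti-smuggling protection depends entirely on the Postfix package's built-in default, and nothing in the patch checks that the assumed default is in effect: the deleted option text records that `smtpd_forbid_bare_newline` was opt-in from 3.8.4 and only defaults to on from 3.9, so a deployment still on a 3.8.x package silently loses the setting the module used to force. An assertion pinning the assumption keeps the leaner interface while making the regression loud, e.g. `assertions = [ { assertion = lib.versionAtLeast config.services.postfix.package.version "3.9"; message = "mailserver: Postfix >= 3.9 is required so that smtpd_forbid_bare_newline defaults to on"; } ];`. Alternatively keep `smtpd_forbid_bare_newline = lib.mkDefault true;` in this attribute set, which on 3.9+ should coincide with the upstream default and still lets `services.postfix.config` override it without exposing a module option. The enclosing attribute set starts above this hunk.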