Skynet/misc_nixos-mailserver
7
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'smptp-smuggling-cleanup' into 'master'

Browse source 
postfix: remove option to toggle SMTP smuggling workarounnd

See merge request simple-nixos-mailserver/nixos-mailserver!411
This commit is contained in:
Martin Weinelt 2025-06-12 22:57:43 +00:00
commit 3f1c6960d3
2 changed files with 11 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

26
default.nix
View file

@ -982,6 +982,14 @@ in
}; };
redis = { redis = {
configureLocally = mkOption {
type = types.bool;
default = true;
description = ''
Whether to provision a local Redis instance.
'';
};
address = mkOption { address = mkOption {
type = types.str; type = types.str;
# read the default from nixos' redis module # read the default from nixos' redis module
@ -1021,21 +1029,6 @@ in
''; '';
}; };
smtpdForbidBareNewline = mkOption {
type = types.bool;
default = true;
description = ''
With "smtpd_forbid_bare_newline = yes", the Postfix SMTP server
disconnects a remote SMTP client that sends a line ending in a 'bare
newline'.
This feature was added in Postfix 3.8.4 against SMTP Smuggling and will
default to "yes" in Postfix 3.9.
https://www.postfix.org/smtp-smuggling.html
'';
};
sendingFqdn = mkOption { sendingFqdn = mkOption {
type = types.str; type = types.str;
default = cfg.fqdn; default = cfg.fqdn;
@ -1366,5 +1359,8 @@ in
(lib.mkRemovedOptionModule [ "mailserver" "dkimBodyCanonicalization" ] '' (lib.mkRemovedOptionModule [ "mailserver" "dkimBodyCanonicalization" ] ''
DKIM signing has been migrated to Rspamd, which always uses relaxed canonicalization. DKIM signing has been migrated to Rspamd, which always uses relaxed canonicalization.
'') '')
(lib.mkRemovedOptionModule [ "mailserver" "smtpdForbidBareNewline" ] ''
The workaround for the SMTP Smuggling attack is default enabled in Postfix >3.9. Use `services.postfix.config.smtpd_forbid_bare_newline` if you need to deviate from its default.
'')
]; ];
} }

4
mail-server/postfix.nix
View file

@ -304,10 +304,6 @@ in
non_smtpd_milters = lib.mkIf cfg.dkimSigning [ "unix:/run/rspamd/rspamd-milter.sock" ]; non_smtpd_milters = lib.mkIf cfg.dkimSigning [ "unix:/run/rspamd/rspamd-milter.sock" ];
milter_protocol = "6"; milter_protocol = "6";
milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_authen}"; milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_authen}";
# Fix for https://www.postfix.org/smtp-smuggling.html
smtpd_forbid_bare_newline = cfg.smtpdForbidBareNewline;
smtpd_forbid_bare_newline_exclusions = "$mynetworks";
}; };
submissionOptions = submissionOptions; submissionOptions = submissionOptions;