From e540dc864cc9bf0618b31e47a5eb59b7ad1152cb Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Thu, 12 Jun 2025 01:01:38 +0200
Subject: [PATCH] postfix: configure cert/key using smtpd_tls_chain_files

The sslCert and sslKey options are going away, because they do too much, e.g. provision the keypair for client certificate authentication, which is not at all what we want or need.
---
 mail-server/postfix.nix | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index d1c59b2..2106ea0 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -207,13 +207,16 @@ in
 mapFiles."denied_recipients" = denied_recipients_file;
 mapFiles."reject_senders" = reject_senders_file;
 mapFiles."reject_recipients" = reject_recipients_file;
- sslCert = certificatePath;
- sslKey = keyPath;
 enableSubmission = cfg.enableSubmission;
 enableSubmissions = cfg.enableSubmissionSsl;
 virtual = lookupTableToString (mergeLookupTables [all_valiases_postfix catchAllPostfix forwards]);
 
 config = {
+ smtpd_tls_chain_files = [
+ "${keyPath}"
+ "${certificatePath}"
+ ];
+
 # Extra Config
 mydestination = "";
 recipient_delimiter = cfg.recipientDelimiter;
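Review bot: The `"${keyPath}"` and `"${certificatePath}"` interpolations in the new `smtpd_tls_chain_files` list would copy the file into the world-readable Nix store if either value is ever a Nix path rather than a string; their definitions are outside this hunk, so this may already be ruled out. If they are always strings the quotes are redundant and the entries can be bare `keyPath` and `certificatePath`, and if a path value can reach here `(toString keyPath)` keeps the private key out of the store. The key-before-certificate order is what Postfix requires for chain files, so a comment such as `# order matters: private key first, then its certificate chain` above the list would stop a later reorder from breaking TLS. Postfix's documentation also cautions that keeping key and chain in separate files can race during renewal, which is worth a mention where the two files are written. The `config = {` attribute set continues past the end of the hunk.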