postfix: remove option to toggle SMTP smuggling workaround

It has been default enabled since Postfix 3.9 and can still be configured
from the NixOS option mentioned in the removal warning.

Removing the option makes our interface leaner.

Information is based on https://www.postfix.org/smtp-smuggling.html#long.
Martin Weinelt 2025-06-13 00:18:50 +02:00
parent 8b27add088
commit f1bd4b8215
No known key found for this signature in database
GPG key ID: 87C1E9888F856759
2 changed files with 11 additions and 19 deletions


@ -982,6 +982,14 @@ in
};
redis = {
configureLocally = mkOption {
type = types.bool;
default = true;
description = ''
Whether to provision a local Redis instance.
'';
};
address = mkOption {
type = types.str;
# read the default from nixos' redis module
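Review bot: the hunk header (`-982,6 +982,14`) shows eight added lines in this region, and the `redis.configureLocally` option that appears here is not mentioned anywhere in the commit message, which only describes dropping `smtpdForbidBareNewline`. Either split the Redis option into its own commit or add a sentence about it to the message; otherwise a reader of the history looking for when local Redis provisioning became optional will not find it under this commit.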
@ -1021,21 +1029,6 @@ in
'';
};
smtpdForbidBareNewline = mkOption {
type = types.bool;
default = true;
description = ''
With "smtpd_forbid_bare_newline = yes", the Postfix SMTP server
disconnects a remote SMTP client that sends a line ending in a 'bare
newline'.
This feature was added in Postfix 3.8.4 against SMTP Smuggling and will
default to "yes" in Postfix 3.9.
https://www.postfix.org/smtp-smuggling.html
'';
};
sendingFqdn = mkOption {
type = types.str;
default = cfg.fqdn;
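Review bot: the option description being deleted here is the only place in the module that records why the setting exists (added in Postfix 3.8.4 against SMTP smuggling, default "yes" from 3.9) and the only reference to https://www.postfix.org/smtp-smuggling.html; after this hunk that pointer is gone. Keep the one-line rationale and the link in a user-facing place, either in the removed-option message or in a changelog entry, so that someone who later sees `smtpd_forbid_bare_newline` in a generated `main.cf` can find out what it protects against.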
@ -1366,5 +1359,8 @@ in
(lib.mkRemovedOptionModule [ "mailserver" "dkimBodyCanonicalization" ] ''
DKIM signing has been migrated to Rspamd, which always uses relaxed canonicalization.
'')
(lib.mkRemovedOptionModule [ "mailserver" "smtpdForbidBareNewline" ] ''
The workaround for the SMTP Smuggling attack is default enabled in Postfix >3.9. Use `services.postfix.config.smtpd_forbid_bare_newline` if you need to deviate from its default.
'')
];
}
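Review bot: `Postfix >3.9` reads as "strictly newer than 3.9", but the commit message says the default has been enabled since 3.9 itself; write "Postfix 3.9 and later". The message should also tell users that the module previously set `smtpd_forbid_bare_newline_exclusions = "$mynetworks"` alongside this option, so that anyone reproducing the old behaviour knows to look at both `services.postfix.config.smtpd_forbid_bare_newline` and `services.postfix.config.smtpd_forbid_bare_newline_exclusions`. Note as well that `mkRemovedOptionModule` fails evaluation for anyone who had set `mailserver.smtpdForbidBareNewline = true` explicitly, even though that matched the old default; if a gentler migration is wanted, a deprecation cycle with a warning would avoid breaking those configurations outright.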


@ -302,10 +302,6 @@ in
non_smtpd_milters = lib.mkIf cfg.dkimSigning [ "unix:/run/rspamd/rspamd-milter.sock" ];
milter_protocol = "6";
milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_authen}";
# Fix for https://www.postfix.org/smtp-smuggling.html
smtpd_forbid_bare_newline = cfg.smtpdForbidBareNewline;
smtpd_forbid_bare_newline_exclusions = "$mynetworks";
};
submissionOptions = submissionOptions;
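Review bot: dropping `smtpd_forbid_bare_newline = cfg.smtpdForbidBareNewline` means the server now runs with whatever value Postfix ships as its default instead of the `yes` the removed option documented ("disconnects a remote SMTP client that sends a line ending in a 'bare newline'"). Before merging, check against the linked smtp-smuggling page that the Postfix 3.9 default gives that same disconnect behaviour and not a more lenient mode, and likewise that Postfix's own default for `smtpd_forbid_bare_newline_exclusions` is equivalent to the `$mynetworks` line removed here; if either differs, clients in `mynetworks` that were previously exempt, or smuggling attempts that were previously rejected, change behaviour silently, and the removal message should say so rather than calling the change a no-op.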