postfix: remove option to toggle SMTP smuggling workarounnd
It has been enabled by default since Postfix 3.9 and can still be configured through the NixOS option mentioned in the removal warning. Removing the option makes our interface leaner. Information is based on https://www.postfix.org/smtp-smuggling.html#long.
parent
8b27add088
commit
f1bd4b8215
2 changed files with 11 additions and 19 deletions
26
default.nix
26
default.nix
|
@ -982,6 +982,14 @@ in
|
|||
};
|
||||
|
||||
redis = {
|
||||
configureLocally = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Whether to provision a local Redis instance.
|
||||
'';
|
||||
};
|
||||
|
||||
address = mkOption {
|
||||
type = types.str;
|
||||
# read the default from nixos' redis module
|
||||
|
@ -1021,21 +1029,6 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
smtpdForbidBareNewline = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
With "smtpd_forbid_bare_newline = yes", the Postfix SMTP server
|
||||
disconnects a remote SMTP client that sends a line ending in a 'bare
|
||||
newline'.
|
||||
|
||||
This feature was added in Postfix 3.8.4 against SMTP Smuggling and will
|
||||
default to "yes" in Postfix 3.9.
|
||||
|
||||
https://www.postfix.org/smtp-smuggling.html
|
||||
'';
|
||||
};
|
||||
|
||||
sendingFqdn = mkOption {
|
||||
type = types.str;
|
||||
default = cfg.fqdn;
|
||||
|
@ -1366,5 +1359,8 @@ in
|
|||
(lib.mkRemovedOptionModule [ "mailserver" "dkimBodyCanonicalization" ] ''
|
||||
DKIM signing has been migrated to Rspamd, which always uses relaxed canonicalization.
|
||||
'')
|
||||
(lib.mkRemovedOptionModule [ "mailserver" "smtpdForbidBareNewline" ] ''
|
||||
The workaround for the SMTP Smuggling attack is default enabled in Postfix >3.9. Use `services.postfix.config.smtpd_forbid_bare_newline` if you need to deviate from its default.
|
||||
'')
|
||||
];
|
||||
}
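Review bot: The removal message for `smtpdForbidBareNewline` in the last hunk says `Postfix >3.9`, which read literally excludes 3.9 itself, while the commit description says the workaround is on since 3.9; `>= 3.9` would match. The message could also name the value people now get, since the upstream default in 3.9 is `normalize` and the stricter setting is `reject`, so someone who had the old boolean set knows what to write under `services.postfix.config.smtpd_forbid_bare_newline`. A possible wording is `The workaround for the SMTP Smuggling attack is enabled by default ("normalize") in Postfix >= 3.9.` followed by the existing second sentence.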
|
||||
|
|
|
@ -302,10 +302,6 @@ in
|
|||
non_smtpd_milters = lib.mkIf cfg.dkimSigning [ "unix:/run/rspamd/rspamd-milter.sock" ];
|
||||
milter_protocol = "6";
|
||||
milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_authen}";
|
||||
|
||||
# Fix for https://www.postfix.org/smtp-smuggling.html
|
||||
smtpd_forbid_bare_newline = cfg.smtpdForbidBareNewline;
|
||||
smtpd_forbid_bare_newline_exclusions = "$mynetworks";
|
||||
};
|
||||
|
||||
submissionOptions = submissionOptions;
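Review bot: With `smtpd_forbid_bare_newline` and, as the hunk counts suggest, `smtpd_forbid_bare_newline_exclusions` no longer set here, the SMTP smuggling protection depends entirely on the packaged Postfix being 3.9 or newer, and nothing visible in this hunk checks that. On an older Postfix the default is `no`, so a system evaluated against an older nixpkgs would lose the bare-newline handling without any warning. An entry in the module's `assertions`, for example `assertion = lib.versionAtLeast pkgs.postfix.version "3.9";` with a message naming the setting, would turn that into an evaluation error; whether `pkgs` is in scope at that point is not visible here. The enclosing attribute set starts and ends outside the hunk.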
|
||||
|
|