postfix: remove option to toggle SMTP smuggling workarounnd

It has been default enabled since Postfix 3.9 and can still be configured from the NixOS option mentioned in the removal warning. Removing the option makes our interface leaner. Information is based on https://www.postfix.org/smtp-smuggling.html#long.
2025-06-13 00:18:50 +02:00 · 2025-06-13 00:18:50 +02:00 · f1bd4b8215
commit f1bd4b8215
parent 8b27add088
2 changed files with 11 additions and 19 deletions
--- a/default.nix
+++ b/default.nix
@ -982,6 +982,14 @@ in
    };

    redis = {
+      configureLocally = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Whether to provision a local Redis instance.
+        '';
+      };
+
      address = mkOption {
        type = types.str;
        # read the default from nixos' redis module
@ -1021,21 +1029,6 @@ in
      '';
    };

-    smtpdForbidBareNewline = mkOption {
-      type = types.bool;
-      default = true;
-      description = ''
-        With "smtpd_forbid_bare_newline = yes", the Postfix SMTP server
-        disconnects a remote SMTP client that sends a line ending in a 'bare
-        newline'.
-
-        This feature was added in Postfix 3.8.4 against SMTP Smuggling and will
-        default to "yes" in Postfix 3.9.
-
-        https://www.postfix.org/smtp-smuggling.html
-      '';
-    };
-
    sendingFqdn = mkOption {
      type = types.str;
      default = cfg.fqdn;
@ -1366,5 +1359,8 @@ in
    (lib.mkRemovedOptionModule [ "mailserver" "dkimBodyCanonicalization" ] ''
      DKIM signing has been migrated to Rspamd, which always uses relaxed canonicalization.
    '')
+    (lib.mkRemovedOptionModule [ "mailserver" "smtpdForbidBareNewline" ] ''
+      The workaround for the SMTP Smuggling attack is default enabled in Postfix >3.9. Use `services.postfix.config.smtpd_forbid_bare_newline` if you need to deviate from its default.
+    '')
  ];
 }
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@ -302,10 +302,6 @@ in
        non_smtpd_milters = lib.mkIf cfg.dkimSigning [ "unix:/run/rspamd/rspamd-milter.sock" ];
        milter_protocol = "6";
        milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_authen}";
-
-        # Fix for https://www.postfix.org/smtp-smuggling.html
-        smtpd_forbid_bare_newline = cfg.smtpdForbidBareNewline;
-        smtpd_forbid_bare_newline_exclusions = "$mynetworks";
      };

      submissionOptions = submissionOptions;