fix dovecot 2.3 ssl_dh

This commit is contained in:
Robin Raymond 2018-02-13 13:18:31 +01:00
parent b75575f02e
commit f6546a1a8e
5 changed files with 36 additions and 0 deletions


@ -325,6 +325,27 @@ in
''; '';
}; };
dovecot23 = mkOption {
type = types.bool;
default = false;
description =
''
Activate this if you use Dovecot 2.3, so SSL works.
TODO: Remove this!
'';
};
dhParamBitLength = mkOption {
type = types.int;
default = 2048;
description =
''
Length of the Diffie Hillman prime used (in bits). It might be a good
idea to set this to 4096 for security purposed, but it will take a _very_
long time to create this prime on startup.
'';
};
debug = mkOption { debug = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
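Review bot: The `dhParamBitLength` description (lines 28–30) misspells the algorithm and has a typo; it should read `Length of the Diffie-Hellman prime used (in bits). It might be a good idea to set this to 4096 for security purposes, but it will take a _very_ long time to create this prime on startup.` It also does not say that the option only has an effect when `dovecot23` is enabled, nor that values below 2048 are considered weak, both of which a reader setting it would want to know. The `dovecot23` description's `TODO: Remove this!` gives no hint of what the option actually changes; I would write `Enable Dovecot 2.3 compatibility: generate a DH parameter file at startup and point ssl_dh at it. Temporary; to be removed once Dovecot 2.3 is the only supported version.` Since `types.int` accepts zero and negative values, a bounded integer type or an assertion (if the lib version in use offers one) would fail at evaluation time rather than inside openssl at service start.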


@ -61,6 +61,7 @@ in
mail_access_groups = ${vmailGroupName} mail_access_groups = ${vmailGroupName}
ssl = required ssl = required
${lib.optionalString dovecot23 "ssl_dh = <${certificateDirectory}/dh.pem"}
service lmtp { service lmtp {
unix_listener /var/lib/postfix/queue/private/dovecot-lmtp { unix_listener /var/lib/postfix/queue/private/dovecot-lmtp {
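Review bot: The added `ssl_dh = <${certificateDirectory}/dh.pem` line (line 42) makes Dovecot's configuration depend on a file that this hunk does not create, and nothing visible ties the generating script to this service's start order; if `dh.pem` is missing, Dovecot will presumably fail its config check at start. A comment on the line naming that dependency would help the next maintainer: `# dh.pem is written by createDhParameterFile in the setup script; must exist before Dovecot starts`. Note also that `certificateDirectory` is referenced bare here while the other hunks use `cfg.certificateDirectory`; presumably it is a `let`-bound alias, but that binding is outside the hunk.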


@ -38,6 +38,14 @@ let
'' ''
else ""; else "";
createDhParameterFile =
''
# Create a dh parameter file
${pkgs.openssl}/bin/openssl \
dhparam ${builtins.toString cfg.dhParamBitLength} \
> "${cfg.certificateDirectory}/dh.pem"
'';
createDomainDkimCert = dom: createDomainDkimCert = dom:
let let
dkim_key = "${cfg.dkimKeyDirectory}/${dom}.${cfg.dkimSelector}.key"; dkim_key = "${cfg.dkimKeyDirectory}/${dom}.${cfg.dkimSelector}.key";
@ -82,6 +90,8 @@ in
chmod 02770 "${mailDirectory}" chmod 02770 "${mailDirectory}"
${create_certificate} ${create_certificate}
${lib.optionalString cfg.dovecot23 "${createDhParameterFile}"}
''; '';
}; };
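Review bot: `createDhParameterFile` (lines 51–57) regenerates the prime on every run, and the `>` redirection truncates `dh.pem` before openssl has produced anything, so an interrupted or failed run leaves an empty or partial file that the Dovecot config then points `ssl_dh` at. Generating only when the file is absent, writing to a temporary name and moving it into place only on success avoids both; the option description itself warns that 4096-bit generation takes a very long time, which makes the unconditional regeneration the more serious of the two. With the guard in place, a later change to `dhParamBitLength` is not picked up until the file is removed by hand, which deserves the comment shown below. In the second hunk, `lib.optionalString cfg.dovecot23 "${createDhParameterFile}"` (line 64) wraps a string in another string for no effect; `lib.optionalString cfg.dovecot23 createDhParameterFile` is the idiomatic form.
```nix
createDhParameterFile =
  ''
    # Create a dh parameter file, only once: generation is slow.
    # Delete dh.pem to regenerate it after changing dhParamBitLength.
    if [ ! -s "${cfg.certificateDirectory}/dh.pem" ]; then
      ${pkgs.openssl}/bin/openssl \
        dhparam ${builtins.toString cfg.dhParamBitLength} \
        > "${cfg.certificateDirectory}/dh.pem.tmp" \
      && mv "${cfg.certificateDirectory}/dh.pem.tmp" "${cfg.certificateDirectory}/dh.pem"
    fi
  '';
```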


@ -27,6 +27,8 @@ import <nixpkgs/nixos/tests/make-test.nix> {
enable = true; enable = true;
fqdn = "mail.example.com"; fqdn = "mail.example.com";
domains = [ "example.com" "example2.com" ]; domains = [ "example.com" "example2.com" ];
dhParamBitLength = 512;
dovecot23 = true;
loginAccounts = { loginAccounts = {
"user1@example.com" = { "user1@example.com" = {


@ -27,6 +27,8 @@ import <nixpkgs/nixos/tests/make-test.nix> {
enable = true; enable = true;
fqdn = "mail.example.com"; fqdn = "mail.example.com";
domains = [ "example.com" ]; domains = [ "example.com" ];
dhParamBitLength = 512;
dovecot23 = true;
loginAccounts = { loginAccounts = {
"user1@example.com" = { "user1@example.com" = {