fix dovecot 2.3 ssl_dh
This commit is contained in:
parent
b75575f02e
commit
f6546a1a8e
5 changed files with 36 additions and 0 deletions
21
default.nix
21
default.nix
|
@ -325,6 +325,27 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
dovecot23 = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description =
|
||||||
|
''
|
||||||
|
Activate this if you use Dovecot 2.3, so SSL works.
|
||||||
|
TODO: Remove this!
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
dhParamBitLength = mkOption {
|
||||||
|
type = types.int;
|
||||||
|
default = 2048;
|
||||||
|
description =
|
||||||
|
''
|
||||||
|
Length of the Diffie Hillman prime used (in bits). It might be a good
|
||||||
|
idea to set this to 4096 for security purposed, but it will take a _very_
|
||||||
|
long time to create this prime on startup.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
debug = mkOption {
|
debug = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = false;
|
default = false;
|
||||||
|
|
|
@ -61,6 +61,7 @@ in
|
||||||
|
|
||||||
mail_access_groups = ${vmailGroupName}
|
mail_access_groups = ${vmailGroupName}
|
||||||
ssl = required
|
ssl = required
|
||||||
|
${lib.optionalString dovecot23 "ssl_dh = <${certificateDirectory}/dh.pem"}
|
||||||
|
|
||||||
service lmtp {
|
service lmtp {
|
||||||
unix_listener /var/lib/postfix/queue/private/dovecot-lmtp {
|
unix_listener /var/lib/postfix/queue/private/dovecot-lmtp {
|
||||||
|
|
|
@ -38,6 +38,14 @@ let
|
||||||
''
|
''
|
||||||
else "";
|
else "";
|
||||||
|
|
||||||
|
createDhParameterFile =
|
||||||
|
''
|
||||||
|
# Create a dh parameter file
|
||||||
|
${pkgs.openssl}/bin/openssl \
|
||||||
|
dhparam ${builtins.toString cfg.dhParamBitLength} \
|
||||||
|
> "${cfg.certificateDirectory}/dh.pem"
|
||||||
|
'';
|
||||||
|
|
||||||
createDomainDkimCert = dom:
|
createDomainDkimCert = dom:
|
||||||
let
|
let
|
||||||
dkim_key = "${cfg.dkimKeyDirectory}/${dom}.${cfg.dkimSelector}.key";
|
dkim_key = "${cfg.dkimKeyDirectory}/${dom}.${cfg.dkimSelector}.key";
|
||||||
|
@ -82,6 +90,8 @@ in
|
||||||
chmod 02770 "${mailDirectory}"
|
chmod 02770 "${mailDirectory}"
|
||||||
|
|
||||||
${create_certificate}
|
${create_certificate}
|
||||||
|
|
||||||
|
${lib.optionalString cfg.dovecot23 "${createDhParameterFile}"}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -27,6 +27,8 @@ import <nixpkgs/nixos/tests/make-test.nix> {
|
||||||
enable = true;
|
enable = true;
|
||||||
fqdn = "mail.example.com";
|
fqdn = "mail.example.com";
|
||||||
domains = [ "example.com" "example2.com" ];
|
domains = [ "example.com" "example2.com" ];
|
||||||
|
dhParamBitLength = 512;
|
||||||
|
dovecot23 = true;
|
||||||
|
|
||||||
loginAccounts = {
|
loginAccounts = {
|
||||||
"user1@example.com" = {
|
"user1@example.com" = {
|
||||||
|
|
|
@ -27,6 +27,8 @@ import <nixpkgs/nixos/tests/make-test.nix> {
|
||||||
enable = true;
|
enable = true;
|
||||||
fqdn = "mail.example.com";
|
fqdn = "mail.example.com";
|
||||||
domains = [ "example.com" ];
|
domains = [ "example.com" ];
|
||||||
|
dhParamBitLength = 512;
|
||||||
|
dovecot23 = true;
|
||||||
|
|
||||||
loginAccounts = {
|
loginAccounts = {
|
||||||
"user1@example.com" = {
|
"user1@example.com" = {
|
||||||
|
|
Loading…
Reference in a new issue