commit d94de05424b261ea60fbef606d15dc8bd6e42b5e · pyrox.dev/nixpkgs

nixos/doc/manual/release-notes/rl-2511.section.md

···

       46
       46
        
       

     

       47
       47
        
       - `renovate` was updated to v40. See the [upstream release notes](https://github.com/renovatebot/renovate/releases/tag/40.0.0) for breaking changes.

     

       48
       48
        
       

     

       49
       49
       +
       - The Postfix module has been updated and likely requires configuration changes:

     

       50
       50
       +
         - The `services.postfix.sslCert` and `sslKey` options were removed and you now need to configure

     

       51
       51
       +
           - [services.postfix.config.smtpd_tls_chain_files](#opt-services.postfix.config.smtpd_tls_chain_files) for server certificates,

     

       52
       52
       +
           - [services.postfix.config.smtp_tls_chain_files](#opt-services.postfix.config) for client certificates.

     

       53
       53
       +
       

     

       49
       54
        
       ## Other Notable Changes {#sec-release-25.11-notable-changes}

     

       50
       55
        
       

     

       51
       56
        
       <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

+67 -33

nixos/modules/services/mail/postfix.nix

···

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
        
       let

     

       8
       8
       +
         inherit (lib)

     

       9
       9
       +
           mkOption

     

       10
       10
       +
           types

     

       11
       11
       +
           ;

     

       8
       12
        
       

     

       9
       13
        
         cfg = config.services.postfix;

     

       10
       14
        
         user = cfg.user;

     
···

       47
       51
        
                 );

     

       48
       52
        
             mkEntry = name: value: "${escape name} =${mkVal value}";

     

       49
       53
        
           in

     

       50
       50
       -
           lib.concatStringsSep "\n" (lib.mapAttrsToList mkEntry cfg.config) + "\n" + cfg.extraConfig;

     

       54
       54
       +
           lib.concatStringsSep "\n" (

     

       55
       55
       +
             lib.mapAttrsToList mkEntry (lib.filterAttrsRecursive (_: value: value != null) cfg.config)

     

       56
       56
       +
           )

     

       57
       57
       +
           + "\n"

     

       58
       58
       +
           + cfg.extraConfig;

     

       51
       59
        
       

     

       52
       60
        
         masterCfOptions =

     

       53
       61
        
           {

     
···

       564
       572
        
             };

     

       565
       573
        
       

     

       566
       574
        
             config = lib.mkOption {

     

       567
       567
       -
               type =

     

       568
       568
       -
                 with lib.types;

     

       569
       569
       -
                 attrsOf (oneOf [

     

       570
       570
       -
                   bool

     

       571
       571
       -
                   int

     

       572
       572
       -
                   str

     

       573
       573
       -
                   (listOf str)

     

       574
       574
       -
                 ]);

     

       575
       575
       +
               type = lib.types.submodule {

     

       576
       576
       +
                 freeformType =

     

       577
       577
       +
                   with types;

     

       578
       578
       +
                   attrsOf (

     

       579
       579
       +
                     nullOr (oneOf [

     

       580
       580
       +
                       bool

     

       581
       581
       +
                       int

     

       582
       582
       +
                       str

     

       583
       583
       +
                       (listOf str)

     

       584
       584
       +
                     ])

     

       585
       585
       +
                   );

     

       586
       586
       +
                 options = {

     

       587
       587
       +
                   smtpd_tls_chain_files = mkOption {

     

       588
       588
       +
                     type = with types; listOf path;

     

       589
       589
       +
                     default = [ ];

     

       590
       590
       +
                     example = [

     

       591
       591
       +
                       "/var/lib/acme/mail.example.com/privkey.pem"

     

       592
       592
       +
                       "/var/lib/acme/mail.example.com/fullchain.pem"

     

       593
       593
       +
                     ];

     

       594
       594
       +
                     description = ''

     

       595
       595
       +
                       List of paths to the server private keys and certificates.

     

       596
       596
       +
       

     

       597
       597
       +
                       ::: {.caution}

     

       598
       598
       +
                       The order of items matters and a private key must always be followed by the corresponding certificate.

     

       599
       599
       +
                       :::

     

       600
       600
       +
       

     

       601
       601
       +
                       <https://www.postfix.org/postconf.5.html#smtpd_tls_chain_files>

     

       602
       602
       +
                     '';

     

       603
       603
       +
                   };

     

       604
       604
       +
       

     

       605
       605
       +
                   smtpd_tls_security_level = mkOption {

     

       606
       606
       +
                     type = types.enum [

     

       607
       607
       +
                       "none"

     

       608
       608
       +
                       "may"

     

       609
       609
       +
                       "encrypt"

     

       610
       610
       +
                     ];

     

       611
       611
       +
                     default = if config.services.postfix.config.smtpd_tls_chain_files != [ ] then "may" else "none";

     

       612
       612
       +
                     defaultText = lib.literalExpression ''

     

       613
       613
       +
                       if config.services.postfix.config.smtpd_tls_chain_files != [ ] then "may" else "none"

     

       614
       614
       +
                     '';

     

       615
       615
       +
                     example = "may";

     

       616
       616
       +
                     description = ''

     

       617
       617
       +
                       The server TLS security level. Enable TLS by configuring at least `may`.

     

       618
       618
       +
       

     

       619
       619
       +
                       <https://www.postfix.org/postconf.5.html#smtpd_tls_security_level>

     

       620
       620
       +
                     '';

     

       621
       621
       +
                   };

     

       622
       622
       +
                 };

     

       623
       623
       +
               };

     

       624
       624
       +
       

     

       575
       625
        
               description = ''

     

       576
       626
        
                 The main.cf configuration file as key value set.

     

       627
       627
       +
       

     

       628
       628
       +
                 Null values will not be rendered.

     

       577
       629
        
               '';

     

       578
       630
        
               example = {

     

       579
       631
        
                 mail_owner = "postfix";

     
···

       597
       649
        
               description = ''

     

       598
       650
        
                 File containing trusted certification authorities (CA) to verify certificates of mailservers contacted for mail delivery. This sets [smtp_tls_CAfile](https://www.postfix.org/postconf.5.html#smtp_tls_CAfile). Defaults to system trusted certificates (see `security.pki.*` options).

     

       599
       651
        
               '';

     

       600
       600
       -
             };

     

       601
       601
       -
       

     

       602
       602
       -
             sslCert = lib.mkOption {

     

       603
       603
       -
               type = lib.types.str;

     

       604
       604
       -
               default = "";

     

       605
       605
       -
               description = "SSL certificate to use.";

     

       606
       606
       -
             };

     

       607
       607
       -
       

     

       608
       608
       -
             sslKey = lib.mkOption {

     

       609
       609
       -
               type = lib.types.str;

     

       610
       610
       -
               default = "";

     

       611
       611
       -
               description = "SSL key to use.";

     

       612
       652
        
             };

     

       613
       653
        
       

     

       614
       654
        
             recipientDelimiter = lib.mkOption {

     
···

       974
       1014
        
                 // lib.optionalAttrs (cfg.tlsTrustedAuthorities != "") {

     

       975
       1015
        
                   smtp_tls_CAfile = cfg.tlsTrustedAuthorities;

     

       976
       1016
        
                   smtp_tls_security_level = lib.mkDefault "may";

     

       977
       977
       -
                 }

     

       978
       978
       -
                 // lib.optionalAttrs (cfg.sslCert != "") {

     

       979
       979
       -
                   smtp_tls_cert_file = cfg.sslCert;

     

       980
       980
       -
                   smtp_tls_key_file = cfg.sslKey;

     

       981
       981
       -
       

     

       982
       982
       -
                   smtp_tls_security_level = lib.mkDefault "may";

     

       983
       983
       -
       

     

       984
       984
       -
                   smtpd_tls_cert_file = cfg.sslCert;

     

       985
       985
       -
                   smtpd_tls_key_file = cfg.sslKey;

     

       986
       986
       -
       

     

       987
       987
       -
                   smtpd_tls_security_level = lib.mkDefault "may";

     

       988
       988
       -
       

     

       989
       1017
        
                 };

     

       990
       1018
        
       

     

       991
       1019
        
               services.postfix.masterConfig =

     
···

       1149
       1177
        
         imports = [

     

       1150
       1178
        
           (lib.mkRemovedOptionModule [ "services" "postfix" "sslCACert" ]

     

       1151
       1179
        
             "services.postfix.sslCACert was replaced by services.postfix.tlsTrustedAuthorities. In case you intend that your server should validate requested client certificates use services.postfix.extraConfig."

     

       1180
       1180
       +
           )

     

       1181
       1181
       +
           (lib.mkRemovedOptionModule [ "services" "postfix" "sslCert" ]

     

       1182
       1182
       +
             "services.postfix.sslCert was removed. Use services.postfix.config.smtpd_tls_chain_files for the server certificate, or services.postfix.config.smtp_tls_chain_files for the client certificate."

     

       1183
       1183
       +
           )

     

       1184
       1184
       +
           (lib.mkRemovedOptionModule [ "services" "postfix" "sslKey" ]

     

       1185
       1185
       +
             "services.postfix.sslKey was removed. Use services.postfix.config.smtpd_tls_chain_files for server private key, or services.postfix.config.smtp_tls_chain_files for the client private key."

     

       1152
       1186
        
           )

     

       1153
       1187
        
       

     

       1154
       1188
        
           (lib.mkChangedOptionModule

+4 -2

nixos/tests/postfix.nix

···

       14
       14
        
               enableSubmission = true;

     

       15
       15
        
               enableSubmissions = true;

     

       16
       16
        
               tlsTrustedAuthorities = "${certs.ca.cert}";

     

       17
       17
       -
               sslCert = "${certs.${domain}.cert}";

     

       18
       18
       -
               sslKey = "${certs.${domain}.key}";

     

       17
       17
       +
               config.smtpd_tls_chain_files = [

     

       18
       18
       +
                 certs.${domain}.key

     

       19
       19
       +
                 certs.${domain}.cert

     

       20
       20
       +
               ];

     

       19
       21
        
               submissionsOptions = {

     

       20
       22
        
                 smtpd_sasl_auth_enable = "yes";

     

       21
       23
        
                 smtpd_client_restrictions = "permit";