postfix: Server certificate is used as client certificate too #88817
Comments
cc: @rickynils @globin
Could you file a PR fixing this? You can add a release note entry, explaining how to get back to the old behaviour if someone is using this on purpose, but this really sounds like a bug.
@flokli I am currently working on a fix. The plan was to deprecate In addition I saw that postfix does not configure a trust store by default. Which prevents TLS certification validation on server to server mail delivery.
The change fixes NixOS#88817 and can be separated into the following tasks:

## Encourage usage of encrypted connections for outgoing traffic

This was done by configuring a trust store and enabling opportunistic usage of TLS for outgoing traffic.

## Deprecation of old configuration

## Removed client certificate configuration on server certificate configuration

Previously the SSL certificate and key were used for smtpd (incoming mail) and for smtp (outgoing) mail. Using a certificate for outgoing mail traffic is quite uncommon and most likely not wanted when setting `sslCert`. The postfix documentation requests to configure certificates for outgoing traffic only when you "must present client TLS certificates".

`smtpd_tls_chain_files` was used in favour of `smtpd_tls_cert` and `smtpd_tls_key` since this is the postfix recommended configuration since `3.4`.
I marked this as stale due to inactivity.
The server certificate is also used as client certificate:
see
nixpkgs/nixos/modules/services/mail/postfix.nix
Lines 775 to 777 in e92b11d
Downstream bug: https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/183
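
A check for the condition reported in this issue, as an added example (not code from nixpkgs or from any commenter): it parses a Postfix `main.cf` text and flags a server certificate reused as client certificate, a missing trust store for outgoing TLS, and outgoing TLS left disabled. The two sample fragments, their paths and the finding names are constructed for illustration.

```python
import re

# Constructed main.cf fragments for illustration; paths are placeholders.
BEFORE = """\
smtpd_tls_cert_file = /etc/ssl/example/mail.crt
smtpd_tls_key_file = /etc/ssl/example/mail.key
smtp_tls_cert_file = /etc/ssl/example/mail.crt
smtp_tls_key_file = /etc/ssl/example/mail.key
"""
AFTER = """\
smtpd_tls_chain_files = /etc/ssl/example/mail.key,
    /etc/ssl/example/mail.crt
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
"""

def parse_main_cf(text):
    """Parse 'name = value' lines; a line starting with whitespace continues the previous one."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        if line[0].isspace():
            if last:
                params[last] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params

def files(params, *names):
    """Collect the file paths listed in the given parameters."""
    joined = " ".join(params.get(n, "") for n in names)
    return {f for f in re.split(r"[,\s]+", joined) if f}

def audit(text):
    """Return finding names (hypothetical labels) for one main.cf text."""
    p = parse_main_cf(text)
    findings = []
    server = files(p, "smtpd_tls_cert_file", "smtpd_tls_key_file", "smtpd_tls_chain_files")
    client = files(p, "smtp_tls_cert_file", "smtp_tls_key_file", "smtp_tls_chain_files")
    if server & client:  # same file presented for incoming and outgoing connections
        findings.append("server-cert-used-as-client-cert")
    if not files(p, "smtp_tls_CAfile", "smtp_tls_CApath"):
        findings.append("no-outgoing-trust-store")
    if p.get("smtp_tls_security_level", "") in ("", "none"):
        findings.append("no-outgoing-tls")
    return findings
```

On a running system the same text can be obtained from `postconf -n`, which prints only the parameters set explicitly in `main.cf`.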