From 3f526c08e8d2dc53343f5c12d4e53aecf7ea2172 Mon Sep 17 00:00:00 2001
From: Alvar Penning
Date: Sat, 23 Dec 2023 20:15:16 +0100
Subject: [PATCH] postfix: SMTP Smuggling Protection
Enable Postfix SMTP Smuggling protection, introduced in Postfix 3.8.4, which is, currently, only available within the nixpkgs' master branch. - https://github.com/NixOS/nixpkgs/pull/276104 - https://github.com/NixOS/nixpkgs/pull/276264 For information about SMTP Smuggling: - https://www.postfix.org/smtp-smuggling.html - https://www.postfix.org/postconf.5.html#smtpd_forbid_bare_newline
---
 default.nix | 15 +++++++++++++++
 mail-server/postfix.nix | 1 +
 2 files changed, 16 insertions(+)
diff --git a/default.nix b/default.nix
index fdfaee3..3abdfbc 100644
--- a/default.nix
+++ b/default.nix
@@ -955,6 +955,21 @@ in
 '';
 };
+ smtpdForbidBareNewline = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ With "smtpd_forbid_bare_newline = yes", the Postfix SMTP server
+ disconnects a remote SMTP client that sends a line ending in a 'bare
+ newline'.
+
+ This feature was added in Postfix 3.8.4 against SMTP Smuggling and will
+ default to "yes" in Postfix 3.9.
+
+ https://www.postfix.org/smtp-smuggling.html
+ '';
+ };
+
 sendingFqdn = mkOption {
 type = types.str;
 default = cfg.fqdn;
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index 9362e2c..4967e2d 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -309,6 +309,7 @@ in
 milter_protocol = "6";
 milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}";
+ smtpd_forbid_bare_newline = cfg.smtpdForbidBareNewline;
 };
 submissionOptions = submissionOptions;
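Review bot: `default = true` on `smtpdForbidBareNewline` is not tied to the Postfix version that actually gets installed, although the description says the parameter exists only from 3.8.4 on and the commit message says that version is so far only in nixpkgs master. On an older Postfix the setting is presumably reported as an unused parameter and ignored, so an operator reading the option would assume a smuggling protection that is not in effect. I would say so in the description, e.g. `Has no effect with Postfix older than 3.8.4.`. If `pkgs` is in scope where the value is consumed in mail-server/postfix.nix, the assignment could also be guarded with `lib.versionAtLeast pkgs.postfix.version "3.8.4"` or accompanied by a warning.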
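Review bot: The new `smtpd_forbid_bare_newline` line carries no comment and leaves `smtpd_forbid_bare_newline_exclusions` at its Postfix default, which as far as I know is `$mynetworks`, so clients in the trusted networks would not be subject to the check. That is probably intended, but it deserves a comment such as `# SMTP smuggling protection (Postfix >= 3.8.4); clients in smtpd_forbid_bare_newline_exclusions are exempt`, and a matching sentence in the option description. The attribute set this line is added to begins and ends outside the hunk, so how `mynetworks` is set for this server is not visible here.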