From fac7efe94617d812a422d60b5434aca80eb1a80c Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Wed, 7 May 2025 02:23:32 +0200
Subject: [PATCH] postfix: Support opportunistic DANE TLS

This migrates the security level for outgoing SMTP connections to dane[1]. Either a server is configured for DANE or it now uses mandatory unauthenticated TLS. If DANE validation fails, the delivery will be tempfailed. If DANE is invalid or unusable the connection will fall back to unauthenticated mandatory TLS

This has been the default in various mail distributions:
- Mailcow since December 2016[2]
- mailinabox since July 2014[3]

[1] https://www.postfix.org/TLS_README.html#client_tls_dane
[2] https://github.com/mailcow/mailcow-dockerized/commit/47a5166383a4ecae780ffd6ad2081dc3f070bd45
[3] https://github.com/mail-in-a-box/mailinabox/commit/e713af5f5aeca202c2bf88be324472b3ef898dc7
---
 mail-server/postfix.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index da06111..35462a0 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -245,6 +245,11 @@ in
         # Avoid leakage of X-Original-To, X-Delivered-To headers between recipients
         lmtp_destination_recipient_limit = "1";
 
+        # Opportunistic DANE support
+        # https://www.postfix.org/postconf.5.html#smtp_tls_security_level
+        smtp_dns_support_level = "dnssec";
+        smtp_tls_security_level = "dane";
+
         # sasl with dovecot
         smtpd_sasl_type = "dovecot";
         smtpd_sasl_path = "/run/dovecot2/auth";
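Review bot: The new `smtp_dns_support_level = "dnssec"` / `smtp_tls_security_level = "dane"` pair only gives DANE if Postfix can obtain DNSSEC-validated TLSA records: Postfix trusts the resolver's AD bit, so the nameserver in resolv.conf must be DNSSEC-validating and reached over a trusted path (typically a local unbound/resolved on 127.0.0.1), and nothing in this hunk ensures or documents that, so on a host with a non-validating or remote resolver the level silently degrades to `may` with no delivery error. I would extend the added comment with `# Requires a trusted, DNSSEC-validating resolver on localhost (Postfix trusts the AD bit); without one DANE silently degrades to "may".` and consider a module-level assertion or documented option for the resolver requirement. Note also that per the cited TLS_README the fallback is `may` (opportunistic, cleartext allowed) when no TLSA records exist and only `encrypt` when TLSA records exist but are unusable, so the commit message's claim of "mandatory unauthenticated TLS" for non-DANE domains does not hold; the comment should state the real fallback rather than imply encryption is enforced. The enclosing `config` attribute set begins and ends outside the hunk.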