Martin Weinelt fac7efe946

postfix: Support opportunistic DANE TLS ...

This migrates the security level for outgoing SMTP connections to
dane[1]. Either a server is configured for DANE or it now uses mandatory
unauthenticated TLS.

If DANE validation fails, the delivery will be tempfailed.

If DANE is invalid or unusable the connection will fall back to
unauthenticated mandatory TLS

This has been the default in various mail distributions:
- Mailcow since December 2016[2]
- mailinabox since July 2014[3]

[1] https://www.postfix.org/TLS_README.html#client_tls_dane
[2] 47a5166383
[3] e713af5f5a

2025-05-07 02:23:32 +02:00

..

dovecot

Remove use of the deprecated string type

2019-09-22 13:32:37 +00:00

assertions.nix

assertions: Allow mailserver.forwards with LDAP set up

2025-05-06 05:32:45 +02:00

borgbackup.nix

fix conditions for enabling services

2018-05-22 23:18:55 +02:00

clamav.nix

Remove non longer supported configurations (<21.05)

2021-07-24 09:57:44 +02:00

common.nix

remove new line character if use agenix

2024-12-16 17:07:10 +00:00

dovecot.nix

mail-server/dovecot: check if quota is non-null instead of string

2025-05-06 02:27:36 +00:00

environment.nix

Use rspamd for DKIM signing, drop OpenDKIM

2025-05-06 01:05:10 +02:00

kresd.nix

kresd: no need to explicitly set nameserver

2021-06-03 05:58:42 +00:00

monit.nix

fix conditions for enabling services

2018-05-22 23:18:55 +02:00

networking.nix

Allow using existing ACME certificates

2023-05-24 21:10:02 +00:00

nginx.nix

acme: Add new option acmeCertificateName

2024-05-31 09:53:32 +01:00

postfix.nix

postfix: Support opportunistic DANE TLS

2025-05-07 02:23:32 +02:00

rsnapshot.nix

fix conditions for enabling services

2018-05-22 23:18:55 +02:00

rspamd.nix

Use rspamd for DKIM signing, drop OpenDKIM

2025-05-06 01:05:10 +02:00

systemd.nix

Use rspamd for DKIM signing, drop OpenDKIM

2025-05-06 01:05:10 +02:00

users.nix

Use umask for race-free permission setting

2023-07-17 18:22:16 +02:00