From 101638c4135eb9e41bbc867dcc7d0097ce986808 Mon Sep 17 00:00:00 2001
From: Gonne
Date: Sat, 12 Oct 2024 13:56:34 +0200
Subject: [PATCH] Disable TLS behind proxies and relays
---
nixos/modules/mailman.nix | 12 +----------
1 file changed, 1 insertion(+), 11 deletions(-)
diff --git a/nixos/modules/mailman.nix b/nixos/modules/mailman.nix
index 597a2f1..5cfa63d 100644
--- a/nixos/modules/mailman.nix
+++ b/nixos/modules/mailman.nix
@@ -29,8 +29,6 @@ in {
 postfix = {
 enable = true;
 relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
- sslCert = config.security.acme.certs.${cfg.hostName}.directory + "/full.pem";
- sslKey = config.security.acme.certs.${cfg.hostName}.directory + "/key.pem";
 config = {
 transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
 local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
@@ -48,25 +46,17 @@ in {
 # Don't include confirmation tokens in reply addresses, because we would need to send them to HRZ otherwise.
 settings.mta.verp_confirmations = "no";
 };
- nginx.virtualHosts.${cfg.hostName} = {
- enableACME = true; # Get certificates (primarily for postfix)
- forceSSL = false; # Don't use HTTPS behind the proxy
- };
 };
 environment.persistence.${config.impermanence.name} = {
 directories = [
- "/var/lib/acme" # Persist TLS keys and account
 "/var/lib/mailman"
 "/var/lib/mailman-web"
 ];
 files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
 };
- security.acme.defaults.email = cfg.siteOwner;
- security.acme.acceptTerms = true;
-
- networking.firewall.allowedTCPPorts = [25 80 443];
+ networking.firewall.allowedTCPPorts = [25 80];
 # Update HRZ allowlist
 # For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
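Review bot: Dropping sslCert/sslKey from the postfix block removes the certificate Postfix needs to offer STARTTLS on inbound SMTP and to use opportunistic TLS when relaying outbound, yet port 25 stays in allowedTCPPorts in the second hunk, so SMTP sessions with this host now run in the clear unless the proxy/relay in front of it terminates TLS on a private link. If the NixOS postfix module derives its smtpd_tls_* and smtp_tls_* settings from these two options (as it appears to), nothing else in the diff re-enables TLS. The intent deserves a comment next to `relayDomains`, e.g. `# No sslCert/sslKey on purpose: TLS is terminated by the upstream proxy/relay; port 25 must only be reachable from it`, and the assumption that the relay link is private should be confirmed before merging. The postfix attribute set opens and closes outside the hunk.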