Disable TLS behind proxies and relays

This commit is contained in:
Gonne 2024-10-12 13:56:34 +02:00
parent 081b9a9d34
commit 101638c413


@ -29,8 +29,6 @@ in {
postfix = { postfix = {
enable = true; enable = true;
relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"]; relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
sslCert = config.security.acme.certs.${cfg.hostName}.directory + "/full.pem";
sslKey = config.security.acme.certs.${cfg.hostName}.directory + "/key.pem";
config = { config = {
transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"]; transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"]; local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
@ -48,25 +46,17 @@ in {
# Don't include confirmation tokens in reply addresses, because we would need to send them to HRZ otherwise. # Don't include confirmation tokens in reply addresses, because we would need to send them to HRZ otherwise.
settings.mta.verp_confirmations = "no"; settings.mta.verp_confirmations = "no";
}; };
nginx.virtualHosts.${cfg.hostName} = {
enableACME = true; # Get certificates (primarily for postfix)
forceSSL = false; # Don't use HTTPS behind the proxy
};
}; };
environment.persistence.${config.impermanence.name} = { environment.persistence.${config.impermanence.name} = {
directories = [ directories = [
"/var/lib/acme" # Persist TLS keys and account
"/var/lib/mailman" "/var/lib/mailman"
"/var/lib/mailman-web" "/var/lib/mailman-web"
]; ];
files = ["/root/.ssh/known_hosts"]; # for the backup server bragi files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
}; };
security.acme.defaults.email = cfg.siteOwner; networking.firewall.allowedTCPPorts = [25 80];
security.acme.acceptTerms = true;
networking.firewall.allowedTCPPorts = [25 80 443];
# Update HRZ allowlist # Update HRZ allowlist
# For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/ # For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/