Disable TLS behind proxies and relays
This commit is contained in:
parent
ace96d5f7c
commit
e7154785dd
1 changed files with 1 additions and 11 deletions
|
@ -29,8 +29,6 @@ in {
|
|||
postfix = {
|
||||
enable = true;
|
||||
relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
|
||||
sslCert = config.security.acme.certs.${cfg.hostName}.directory + "/full.pem";
|
||||
sslKey = config.security.acme.certs.${cfg.hostName}.directory + "/key.pem";
|
||||
config = {
|
||||
transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
|
||||
local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
|
||||
|
@ -48,25 +46,17 @@ in {
|
|||
# Don't include confirmation tokens in reply addresses, because we would need to send them to HRZ otherwise.
|
||||
settings.mta.verp_confirmations = "no";
|
||||
};
|
||||
nginx.virtualHosts.${cfg.hostName} = {
|
||||
enableACME = true; # Get certificates (primarily for postfix)
|
||||
forceSSL = false; # Don't use HTTPS behind the proxy
|
||||
};
|
||||
};
|
||||
|
||||
environment.persistence.${config.impermanence.name} = {
|
||||
directories = [
|
||||
"/var/lib/acme" # Persist TLS keys and account
|
||||
"/var/lib/mailman"
|
||||
"/var/lib/mailman-web"
|
||||
];
|
||||
files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
|
||||
};
|
||||
|
||||
security.acme.defaults.email = cfg.siteOwner;
|
||||
security.acme.acceptTerms = true;
|
||||
|
||||
networking.firewall.allowedTCPPorts = [25 80 443];
|
||||
networking.firewall.allowedTCPPorts = [25 80];
|
||||
|
||||
# Update HRZ allowlist
|
||||
# For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
|
||||
|
|
Loading…
Reference in a new issue