Disable TLS behind proxies and relays

nixos/modules/mailman.nix

@@ -29,8 +29,6 @@ in {
       postfix = {
         enable = true;
         relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
-        sslCert = config.security.acme.certs.${cfg.hostName}.directory + "/full.pem";
-        sslKey = config.security.acme.certs.${cfg.hostName}.directory + "/key.pem";
         config = {
           transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
           local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
@@ -48,25 +46,17 @@ in {
         # Don't include confirmation tokens in reply addresses, because we would need to send them to HRZ otherwise.
         settings.mta.verp_confirmations = "no";
       };
-      nginx.virtualHosts.${cfg.hostName} = {
-        enableACME = true; # Get certificates (primarily for postfix)
-        forceSSL = false; # Don't use HTTPS behind the proxy
-      };
     };
 
     environment.persistence.${config.impermanence.name} = {
       directories = [
-        "/var/lib/acme" # Persist TLS keys and account
         "/var/lib/mailman"
         "/var/lib/mailman-web"
       ];
       files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
     };
 
-    security.acme.defaults.email = cfg.siteOwner;
-    security.acme.acceptTerms = true;
-
-    networking.firewall.allowedTCPPorts = [25 80 443];
+    networking.firewall.allowedTCPPorts = [25 80];
 
     # Update HRZ allowlist
     # For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/