fix: disable MTA-STS since we have dane and don't want a cert per subdomain

2025-10-10 14:50:40 +02:00 · 2024-11-30 15:38:32 +01:00 · 2024-11-30 15:38:32 +01:00 · db30ac20c1
commit db30ac20c1
parent 88e6b6e22f
1 changed files with 4 additions and 7 deletions
--- a/hosts/envoy/stalwart-mail.nix
+++ b/hosts/envoy/stalwart-mail.nix
@ -55,17 +55,12 @@ in
    enable = true;
    settings =
      let
-        case = field: check: value: data: {
-          "if" = field;
-          ${check} = value;
-          "then" = data;
-        };
        ifthen = field: data: {
          "if" = field;
          "then" = data;
        };
        otherwise = value: { "else" = value; };
-        is-smtp = case "listener" "eq" "smtp";
+        is-smtp = ifthen "listener = 'smtp'";
        is-authenticated = data: {
          "if" = "!is_empty(authenticated_as)";
          "then" = data;
@ -493,6 +488,9 @@ in
          ];
        };

+        # We have DANE and don't want to have a certificate for each domain we serve.
+        session.mta-sts.mode = "none";
+
        session.ehlo = {
          require = true;
          reject-non-fqdn = [
@ -538,7 +536,6 @@ in
        [
          "autoconfig.${primaryDomain}"
          "autodiscover.${primaryDomain}"
-          "mta-sts.${primaryDomain}"
        ]
        (_: {
          forceSSL = true;