about summary refs log tree commit diff stats
path: root/modules/by-name/st/stalwart-mail/settings.nix
diff options
context:
space:
mode:
Diffstat (limited to 'modules/by-name/st/stalwart-mail/settings.nix')
-rw-r--r--modules/by-name/st/stalwart-mail/settings.nix21
1 files changed, 13 insertions, 8 deletions
diff --git a/modules/by-name/st/stalwart-mail/settings.nix b/modules/by-name/st/stalwart-mail/settings.nix
index 1d63489..7032ae0 100644
--- a/modules/by-name/st/stalwart-mail/settings.nix
+++ b/modules/by-name/st/stalwart-mail/settings.nix
@@ -13,6 +13,11 @@
       })
       (lib.attrsToList cfg.security.dkimKeys))
     ++ [{"else" = false;}];
+
+  maybeVerificationMode =
+    if cfg.security != null
+    then cfg.security.verificationMode
+    else "disable";
 in {
   config.services.stalwart-mail.settings = lib.mkIf cfg.enable {
     # https://www.rfc-editor.org/rfc/rfc6376.html#section-3.3
@@ -51,24 +56,24 @@ in {
       ];
     in {
       iprev = {
-        verify = ifNotSmpt cfg.security.verificationMode "disable";
+        verify = ifNotSmpt maybeVerificationMode "disable";
       };
       spf = {
         verify = {
-          ehlo = ifNotSmpt cfg.security.verificationMode "disable";
+          ehlo = ifNotSmpt maybeVerificationMode "disable";
 
-          mail-from = ifNotSmpt cfg.security.verificationMode "disable";
+          mail-from = ifNotSmpt maybeVerificationMode "disable";
         };
       };
       dmarc = {
-        verify = ifNotSmpt cfg.security.verificationMode "disable";
+        verify = ifNotSmpt maybeVerificationMode "disable";
       };
       arc = {
         seal = lib.mkIf (cfg.security != null) signaturesByDomain;
-        verify = ifNotSmpt cfg.security.verificationMode "disable";
+        verify = ifNotSmpt maybeVerificationMode "disable";
       };
       dkim = {
-        verify = ifNotSmpt cfg.security.verificationMode "disable";
+        verify = ifNotSmpt maybeVerificationMode "disable";
 
         # Ignore insecure dkim signed messages (i.e., messages containing both
         # signed and appended not-signed content.)
@@ -140,13 +145,13 @@ in {
       outbound = {
         tls = {
           starttls =
-            if cfg.security.verificationMode == "strict"
+            if maybeVerificationMode == "strict"
             then "require"
             else "optional";
           allow-invalid-certs = false;
           ip-strategy = "ipv6_then_ipv4";
           mta-sts =
-            if cfg.security.verificationMode == "strict"
+            if maybeVerificationMode == "strict"
             then "require"
             else "optional";
         };
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-03-12 22:39:06 +0000