From f6546a1a8e3969981fef8f46cc8db740647d08df Mon Sep 17 00:00:00 2001
From: Robin Raymond
Date: Tue, 13 Feb 2018 13:18:31 +0100
Subject: [PATCH] fix dovecot 2.3 ssl_dh
---
default.nix | 21 +++++++++++++++++++++
mail-server/dovecot.nix | 1 +
mail-server/systemd.nix | 10 ++++++++++
tests/extern.nix | 2 ++
tests/intern.nix | 2 ++
5 files changed, 36 insertions(+)
diff --git a/default.nix b/default.nix
index 1fc5e3a..f496144 100644
--- a/default.nix
+++ b/default.nix
@@ -325,6 +325,27 @@ in
'';
};
+ dovecot23 = mkOption {
+ type = types.bool;
+ default = false;
+ description =
+ ''
+ Activate this if you use Dovecot 2.3, so SSL works.
+ TODO: Remove this!
+ '';
+ };
+
+ dhParamBitLength = mkOption {
+ type = types.int;
+ default = 2048;
+ description =
+ ''
+ Length of the Diffie Hillman prime used (in bits). It might be a good
+ idea to set this to 4096 for security purposed, but it will take a _very_
+ long time to create this prime on startup.
+ '';
+ };
+
debug = mkOption {
type = types.bool;
default = false;
diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix
index 0de7452..722bc9d 100644
--- a/mail-server/dovecot.nix
+++ b/mail-server/dovecot.nix
@@ -61,6 +61,7 @@ in
mail_access_groups = ${vmailGroupName}
ssl = required
+ ${lib.optionalString dovecot23 "ssl_dh = <${certificateDirectory}/dh.pem"}
service lmtp {
unix_listener /var/lib/postfix/queue/private/dovecot-lmtp {
diff --git a/mail-server/systemd.nix b/mail-server/systemd.nix
index cfc73d8..88f7baa 100644
--- a/mail-server/systemd.nix
+++ b/mail-server/systemd.nix
@@ -38,6 +38,14 @@ let
'' else "";
+ createDhParameterFile =
+ ''
+ # Create a dh parameter file
+ ${pkgs.openssl}/bin/openssl \
+ dhparam ${builtins.toString cfg.dhParamBitLength} \
+ > "${cfg.certificateDirectory}/dh.pem"
+ '';
+
createDomainDkimCert = dom: let dkim_key = "${cfg.dkimKeyDirectory}/${dom}.${cfg.dkimSelector}.key";
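Review bot: `dhParamBitLength` is a bare `types.int`, so the module accepts sizes far below the 2048-bit default — the tests in this same commit pass 512, and the option text says nothing about a floor. Reject weak sizes at evaluation time, e.g. `type = types.addCheck types.int (n: n >= 2048);` (or `types.ints.between` where the nixpkgs in use has it), relaxing the floor only if a deliberately weak test value is really needed. The description also has two typos and should read "Length of the Diffie-Hellman prime used (in bits). Setting this to 4096 is stronger, but generating the prime takes a very long time." The `dovecot23` description should state what the flag actually changes, i.e. that it adds an `ssl_dh` line to the Dovecot config, which older Dovecot versions presumably do not recognise.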
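Review bot: The inserted line uses `dovecot23` unqualified, whereas systemd.nix reads the same option as `cfg.dovecot23`, and the diffstat shows dovecot.nix gained exactly one line, so no `inherit (cfg) dovecot23;` was added to the `let` block above (which starts outside this hunk). Unless that block already pulls every option into scope wholesale, this is an undefined variable at evaluation time; either add the inherit or write `cfg.dovecot23` if `cfg` is bound there. Note also that `ssl_dh = <…/dh.pem` makes Dovecot refuse to start when the file is missing, so the generator in systemd.nix must have run before the first start in every configuration, including the one where `create_certificate` expands to the empty string (the `else ""` branch visible in the systemd.nix hunk).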
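Review bot: `createDhParameterFile` regenerates the parameters on every service start, since nothing checks whether `dh.pem` already exists — that is minutes per restart at 2048 bits and far longer at 4096, which the new option description itself warns about. The `>` redirect also truncates `dh.pem` before `openssl` produces any output, so a start interrupted mid-generation leaves an empty or partial file, which a plain existence check added later would then treat as done. Generate only when the file is missing and write via a temporary name renamed into place, as below; changing `dhParamBitLength` afterwards then requires deleting the old file, which the comment should say.
```nix
  createDhParameterFile =
    ''
      # Generate DH parameters once; rename into place so an interrupted run
      # never leaves a partial dh.pem. Delete the file to regenerate with a
      # different dhParamBitLength.
      if [ ! -s "${cfg.certificateDirectory}/dh.pem" ]; then
        ${pkgs.openssl}/bin/openssl \
          dhparam -out "${cfg.certificateDirectory}/dh.pem.tmp" \
          ${builtins.toString cfg.dhParamBitLength} \
        && mv "${cfg.certificateDirectory}/dh.pem.tmp" "${cfg.certificateDirectory}/dh.pem"
      fi
    '';
```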
@@ -82,6 +90,8 @@ in
chmod 02770 "${mailDirectory}"
${create_certificate}
+
+ ${lib.optionalString cfg.dovecot23 "${createDhParameterFile}"}
'';
};
diff --git a/tests/extern.nix b/tests/extern.nix
index 3f6c88b..53917f9 100644
--- a/tests/extern.nix
+++ b/tests/extern.nix
@@ -27,6 +27,8 @@ import {
enable = true;
fqdn = "mail.example.com";
domains = [ "example.com" "example2.com" ];
+ dhParamBitLength = 512;
+ dovecot23 = true;
loginAccounts = {
"user1@example.com" = {
diff --git a/tests/intern.nix b/tests/intern.nix
index 76832a8..8cff19e 100644
--- a/tests/intern.nix
+++ b/tests/intern.nix
@@ -27,6 +27,8 @@ import {
enable = true;
fqdn = "mail.example.com";
domains = [ "example.com" ];
+ dhParamBitLength = 512;
+ dovecot23 = true;
loginAccounts = {
"user1@example.com" = {
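Review bot: `"${createDhParameterFile}"` wraps an existing string in another interpolated string for no effect; the plain form `${lib.optionalString cfg.dovecot23 createDhParameterFile}` reads the same way as the `${create_certificate}` line just above it and drops the extra quoting. The enclosing `preStart` script starts outside this hunk, so the ordering relative to directory creation cannot be checked here — worth confirming that `${cfg.certificateDirectory}` exists by this point even when `create_certificate` is the empty string, since the DH generator writes into it unconditionally.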
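Review bot: `dhParamBitLength = 512` keeps the test fast, but 512-bit DH parameters are below the minimum OpenSSL 1.1 and later accept at the default security level ("dh key too small"), so depending on which OpenSSL the Dovecot package links against this test may exercise a configuration Dovecot rejects at TLS setup rather than the one the commit sets out to fix. Use `dhParamBitLength = 1024;` as the smallest size that still loads, and add a comment that the value is deliberately weak for test speed only; the same applies to the identical line in tests/intern.nix.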