nixos/redmine: Can't send email via system-sendmail + Postfix due to hardening (since NixOS 24.11)

[pvgoran]

Nixpkgs version

• Stable (24.11)

Describe the bug

When Redmine is configured to use system-sendmail (email_delivery.delivery_method = ":sendmail";, email_delivery.sendmail_settings.location = "${pkgs.system-sendmail}/bin/sendmail";) and Postfix is installed, Redmine can't send email messages.

Steps to reproduce

• Configure NixOS with services.redmine.enable = true; and services.postfix.enable = true; and other options necessary to run Redmine and Postfix.
• Configure Redmine with:

  services.redmine.settings = {
    default = {
      email_delivery.delivery_method = ":sendmail";
      email_delivery.sendmail_settings.location = "${pkgs.system-sendmail}/bin/sendmail";
    };
  };
  

• Try to send a test email in Redmine from Administration => Settings => Email notifications.

Expected behaviour

Test email sent successfully.

Screenshots

No response

Relevant log output

Feb 20 15:11:19 hostname bundle[196708]: sendmail: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol
Feb 20 15:11:19 hostname postfix/sendmail[196708]: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol

Additional context

No response

System metadata

• system: "x86_64-linux"
• host os: Linux 6.6.75, NixOS, 24.11 (Vicuna), 24.11.714614.c618e28f7025
• multi-user?: yes
• sandbox: yes
• version: nix-env (Nix) 2.24.12
• channels(root): "nixos-19.09.2370.e10c65cdb35"
• nixpkgs: /run/current-system/nixpkgs

Notify maintainers

@felixsinger

Note for maintainers: Please tag this issue in your pull request description. (i.e. Resolves #ISSUE.)

I assert that this issue is relevant for Nixpkgs

• I assert that this is a bug and not a support request.
• I assert that this is not a duplicate of an existing issue.
• I assert that I have read the NixOS Code of Conduct and agree to abide by it.

Is this issue important to you?

Add a 👍 reaction to issues you find important.

[pvgoran]

Email sending worked before NixOS 24.11. It was broken by commit 0f599d1. I was able to restore the functionality by tuning the systemd service configuration like this:

systemd.services.redmine.serviceConfig.NoNewPrivileges = lib.mkForce false;
systemd.services.redmine.serviceConfig.RestrictAddressFamilies = lib.mkForce [];

Commit 1631e60 added more hardening options, but it isn't included in NixOS 24.11. I didn't check if my systemd service configuration modifications still allow sendmail to to be used by Redmine after this commit.

[pvgoran]

Similar issues: #103446, #384535.

[felixsinger]

Thanks for reaching out. I will look into it.