From e3ee0fcceb34b4e186062a4698b1b350092bdc78 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sun, 9 Nov 2025 23:54:46 +0100 Subject: [PATCH 1/2] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/8ea611305a7db12c49446f9c40c609614419ec4b' (2025-11-08) → 'github:NixOS/nixpkgs/e5d07586ec39f74b390308f2e00040c23bdef530' (2025-11-09) --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 9e0be9d..09b3269 100644 --- a/flake.lock +++ b/flake.lock @@ -79,11 +79,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1762616480, - "narHash": "sha256-vLjEPWbntbVNKIDbQW7fUj6y3bkIJaSCuy6sJ2cXeNI=", + "lastModified": 1762721782, + "narHash": "sha256-ftv0n3xkKawHQgxZ6FGr2F1GdaYT/79aESm4t1LQ6X4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8ea611305a7db12c49446f9c40c609614419ec4b", + "rev": "e5d07586ec39f74b390308f2e00040c23bdef530", "type": "github" }, "original": { From a1532a552f5e366b67df0beaffe650ba8411a6c7 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sun, 9 Nov 2025 19:44:25 +0100 Subject: [PATCH 2/2] postfix: enable X25519MLKEM768 key exchange This migrates the key exchange curve group configuration into the OpenSSL configuration format, which is the only path forward to configure these. We now prefer a hybrid key exchange for TLS handshake and as a client we'll send key shares for that and pure X25519, while keeping backwards- compat for P256 and P384. The statistics for my personal mail server over the last month show a clear trend for X25519 key exchanges: 156 secp384r1 225 secp256r1 19541 x25519 --- docs/release-notes.rst | 2 ++ mail-server/postfix.nix | 32 ++++++++++++++++++++++++-------- 2 files changed, 26 insertions(+), 8 deletions(-) diff --git a/docs/release-notes.rst b/docs/release-notes.rst index 51c15bc..bd2e24a 100644 --- a/docs/release-notes.rst 
+++ b/docs/release-notes.rst @@ -16,6 +16,8 @@ NixOS 25.11 instead. If you still require this feature you can reenable it using ``mailserver.enableImap``, but it is scheduled for removal after the 25.11 release. +- SMTP server and client now support and prefer a hybrid key exchange + (X25519MLKEM768) - SMTP access over STARTTLS on port ``587/tcp`` is now default disabled in line with `RFC 8314 3.3`_. If you still require this feature you can renable it using ``mailserver.enableSubmission``. diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix index 7baa49c..84de67e 100644 --- a/mail-server/postfix.nix +++ b/mail-server/postfix.nix @@ -35,6 +35,8 @@ let inherit (lib.strings) concatStringsSep; cfg = config.mailserver; + iniFormat = pkgs.formats.iniWithGlobalSection { }; + # Merge several lookup tables. A lookup table is a attribute set where # - the key is an address (user@example.com) or a domain (@example.com) # - the value is a list of addresses 
@@ -386,15 +388,29 @@ in # Restrict and prioritize the following curves in the given order # Excludes curves that have no widespread support, so we don't bloat the handshake needlessly. # https://www.postfix.org/postconf.5.html#tls_eecdh_auto_curves - # https://ssl-config.mozilla.org/#server=postfix&version=3.10&config=intermediate&openssl=3.4.1&guideline=5.7 - tls_eecdh_auto_curves = [ - "X25519" - "prime256v1" - "secp384r1" - ]; + tls_config_file = + let + mkGroupString = groups: concatStringsSep " / " (map (concatStringsSep ":") groups); + in + "${iniFormat.generate "postfix-openssl.cnf" { + globalSection.postfix = "postfix_settings"; + sections = { + postfix_settings.ssl_conf = "postfix_ssl_settings"; + postfix_ssl_settings.system_default = "baseline_postfix_settings"; + baseline_postfix_settings.Groups = mkGroupString [ + [ "*X25519MLKEM768" ] + [ "*X25519" ] + [ + "P-256" + "P-384" + ] + ]; + }; + }}"; + tls_config_name = "postfix"; - # Disable FFDHE on TLSv1.3 because it is slower than elliptic curves - # https://www.postfix.org/postconf.5.html#tls_ffdhe_auto_groups + # Algorithm selection happens through `tls_config_file` instead. + tls_eecdh_auto_curves = [ ]; tls_ffdhe_auto_groups = [ ]; # As long as all cipher suites are considered safe, let the client use its preferred cipher
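Review bot: The `Groups` value built by `mkGroupString` relies on the `*` key-share prefix, the ` / ` tuple separator and the `X25519MLKEM768` group, which to my knowledge OpenSSL only accepts from 3.5 onwards, yet nothing in this hunk checks which OpenSSL Postfix is linked against. Because `tls_eecdh_auto_curves` and `tls_ffdhe_auto_groups` are now both empty, the generated `postfix-openssl.cnf` is the only place the key-exchange groups are restricted, so a file that fails to parse would presumably either break TLS start-up or silently drop the restriction. An evaluation-time assertion such as `lib.versionAtLeast pkgs.openssl.version "3.5"`, written against whichever OpenSSL the Postfix package really uses, would surface that before deployment. The three context comments kept above `tls_config_file` still point at the `tls_eecdh_auto_curves` documentation and the group syntax is not explained in the code, so I would add `# "*" = send a key share for this group; " / " separates preference tuples, ":" groups of equal preference` next to `mkGroupString`. The enclosing attribute set starts and ends outside the hunk.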