aither/simple-nixos-mailserver
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge branch 'pq-support' into 'master'

Browse Source 
postfix: enable X5519MLKEM768 key exchange

See merge request simple-nixos-mailserver/nixos-mailserver!463
This commit is contained in:
Martin Weinelt
2025-11-10 00:01:28 +00:00
parent 44dd1778a0 a1532a552f
commit 5965fae920
3 changed files with 29 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docs/release-notes.rst
View File

@@ -16,6 +16,8 @@ NixOS 25.11
instead. If you still require this feature you can reenable it using instead. If you still require this feature you can reenable it using
``mailserver.enableImap``, but it is scheduled for removal after the 25.11 ``mailserver.enableImap``, but it is scheduled for removal after the 25.11
release. release.
- SMTP server and client now support and prefer a hybrid key exchange
(X25519MLKEM768)
- SMTP access over STARTTLS on port ``587/tcp`` is now default disabled in line - SMTP access over STARTTLS on port ``587/tcp`` is now default disabled in line
with `RFC 8314 3.3`_. If you still require this feature you can renable it using with `RFC 8314 3.3`_. If you still require this feature you can renable it using
``mailserver.enableSubmission``. ``mailserver.enableSubmission``.

6
flake.lock generated
View File

@@ -79,11 +79,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1762616480, "lastModified": 1762721782,
"narHash": "sha256-vLjEPWbntbVNKIDbQW7fUj6y3bkIJaSCuy6sJ2cXeNI=", "narHash": "sha256-ftv0n3xkKawHQgxZ6FGr2F1GdaYT/79aESm4t1LQ6X4=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "8ea611305a7db12c49446f9c40c609614419ec4b", "rev": "e5d07586ec39f74b390308f2e00040c23bdef530",
"type": "github" "type": "github"
}, },
"original": { "original": {

30
mail-server/postfix.nix
View File

@@ -35,6 +35,8 @@ let
inherit (lib.strings) concatStringsSep; inherit (lib.strings) concatStringsSep;
cfg = config.mailserver; cfg = config.mailserver;
iniFormat = pkgs.formats.iniWithGlobalSection { };
# Merge several lookup tables. A lookup table is a attribute set where # Merge several lookup tables. A lookup table is a attribute set where
# - the key is an address (user@example.com) or a domain (@example.com) # - the key is an address (user@example.com) or a domain (@example.com)
# - the value is a list of addresses # - the value is a list of addresses
@@ -386,15 +388,29 @@ in
# Restrict and prioritize the following curves in the given order # Restrict and prioritize the following curves in the given order
# Excludes curves that have no widespread support, so we don't bloat the handshake needlessly. # Excludes curves that have no widespread support, so we don't bloat the handshake needlessly.
# https://www.postfix.org/postconf.5.html#tls_eecdh_auto_curves # https://www.postfix.org/postconf.5.html#tls_eecdh_auto_curves
# https://ssl-config.mozilla.org/#server=postfix&version=3.10&config=intermediate&openssl=3.4.1&guideline=5.7 tls_config_file =
tls_eecdh_auto_curves = [ let
"X25519" mkGroupString = groups: concatStringsSep " / " (map (concatStringsSep ":") groups);
"prime256v1" in
"secp384r1" "${iniFormat.generate "postfix-openssl.cnf" {
globalSection.postfix = "postfix_settings";
sections = {
postfix_settings.ssl_conf = "postfix_ssl_settings";
postfix_ssl_settings.system_default = "baseline_postfix_settings";
baseline_postfix_settings.Groups = mkGroupString [
[ "*X25519MLKEM768" ]
[ "*X25519" ]
[
"P-256"
"P-384"
]
]; ];
};
}}";
tls_config_name = "postfix";
# Disable FFDHE on TLSv1.3 because it is slower than elliptic curves # Algorithm selection happens through `tls_config_file` instead.
# https://www.postfix.org/postconf.5.html#tls_ffdhe_auto_groups tls_eecdh_auto_curves = [ ];
tls_ffdhe_auto_groups = [ ]; tls_ffdhe_auto_groups = [ ];
# As long as all cipher suites are considered safe, let the client use its preferred cipher # As long as all cipher suites are considered safe, let the client use its preferred cipher