From a1532a552f5e366b67df0beaffe650ba8411a6c7 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sun, 9 Nov 2025 19:44:25 +0100 Subject: [PATCH] postfix: enable X25519MLKEM768 key exchange This migrates the key exchange curve group configuration into the OpenSSL configuration format, which is the only path forward to configure these. We now prefer a hybrid key exchange for TLS handshake and as a client we'll send key shares for that and pure X25519, while keeping backwards- compat for P256 and P384. The statistics for my personal mail server over the last month show a clear trend for X25519 key exchanges: 156 secp384r1 225 secp256r1 19541 x25519 --- docs/release-notes.rst | 2 ++ mail-server/postfix.nix | 32 ++++++++++++++++++++++++-------- 2 files changed, 26 insertions(+), 8 deletions(-) diff --git a/docs/release-notes.rst b/docs/release-notes.rst index 51c15bc..bd2e24a 100644 --- a/docs/release-notes.rst +++ b/docs/release-notes.rst @@ -16,6 +16,8 @@ NixOS 25.11 instead. If you still require this feature you can reenable it using ``mailserver.enableImap``, but it is scheduled for removal after the 25.11 release. +- SMTP server and client now support and prefer a hybrid key exchange + (X25519MLKEM768) - SMTP access over STARTTLS on port ``587/tcp`` is now default disabled in line with `RFC 8314 3.3`_. If you still require this feature you can renable it using ``mailserver.enableSubmission``. diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix index 7baa49c..84de67e 100644 --- a/mail-server/postfix.nix +++ b/mail-server/postfix.nix @@ -35,6 +35,8 @@ let inherit (lib.strings) concatStringsSep; cfg = config.mailserver; + iniFormat = pkgs.formats.iniWithGlobalSection { }; + # Merge several lookup tables. A lookup table is a attribute set where # - the key is an address (user@example.com) or a domain (@example.com) # - the value is a list of addresses 
@@ -386,15 +388,29 @@ in
 # Restrict and prioritize the following curves in the given order
 # Excludes curves that have no widespread support, so we don't bloat the handshake needlessly.
 # https://www.postfix.org/postconf.5.html#tls_eecdh_auto_curves
- # https://ssl-config.mozilla.org/#server=postfix&version=3.10&config=intermediate&openssl=3.4.1&guideline=5.7
- tls_eecdh_auto_curves = [
- "X25519"
- "prime256v1"
- "secp384r1"
- ];
+ tls_config_file =
+ let
+ mkGroupString = groups: concatStringsSep " / " (map (concatStringsSep ":") groups);
+ in
+ "${iniFormat.generate "postfix-openssl.cnf" {
+ globalSection.postfix = "postfix_settings";
+ sections = {
+ postfix_settings.ssl_conf = "postfix_ssl_settings";
+ postfix_ssl_settings.system_default = "baseline_postfix_settings";
+ baseline_postfix_settings.Groups = mkGroupString [
+ [ "*X25519MLKEM768" ]
+ [ "*X25519" ]
+ [
+ "P-256"
+ "P-384"
+ ]
+ ];
+ };
+ }}";
+ tls_config_name = "postfix";
 
- # Disable FFDHE on TLSv1.3 because it is slower than elliptic curves
- # https://www.postfix.org/postconf.5.html#tls_ffdhe_auto_groups
+ # Algorithm selection happens through `tls_config_file` instead.
+ tls_eecdh_auto_curves = [ ];
 tls_ffdhe_auto_groups = [ ];
 
 # As long as all cipher suites are considered safe, let the client use its preferred cipher
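Review bot: The `Groups` string assembled by `mkGroupString` uses the `*` key-share prefix and the ` / ` tuple separator, which to my knowledge OpenSSL only parses from 3.5 onward, and nothing in this hunk ties the generated `postfix-openssl.cnf` to the OpenSSL that Postfix is linked against. With `tls_eecdh_auto_curves` and `tls_ffdhe_auto_groups` both emptied, this file is the only place key-exchange groups are restricted, so it is worth confirming on an older or overridden OpenSSL that a rejected `Groups` value fails loudly rather than leaving SMTP on library defaults or without TLS. The comment block above `tls_config_file` still points only at the `tls_eecdh_auto_curves` documentation and the list syntax is not explained; I would add `# OpenSSL >= 3.5 group list: "*" sends a key share for that group, " / " separates preference tuples` there. The surrounding attribute set starts and ends outside this hunk.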