aither/simple-nixos-mailserver
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

postfix: enable X25519MLKEM768 key exchange

Browse Source 
This migrates the key exchange curve group configuration into the OpenSSL
configuration format, which is the only path forward to configure these.

We now prefer a hybrid key exchange for TLS handshake and as a client
we'll send key shares for that and pure X25519, while keeping backwards-
compat for P256 and P384.

The statistics for my personal mail server over the last month show a
clear trend for X25519 key exchanges:

    156 secp384r1
    225 secp256r1
    19541 x25519
This commit is contained in:
Martin Weinelt
2025-11-09 19:44:25 +01:00
parent e3ee0fcceb
commit a1532a552f
2 changed files with 26 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docs/release-notes.rst
View File

@@ -16,6 +16,8 @@ NixOS 25.11
instead. If you still require this feature you can reenable it using
``mailserver.enableImap``, but it is scheduled for removal after the 25.11
release.
- SMTP server and client now support and prefer a hybrid key exchange
(X25519MLKEM768)
- SMTP access over STARTTLS on port ``587/tcp`` is now default disabled in line
with `RFC 8314 3.3`_. If you still require this feature you can renable it using
``mailserver.enableSubmission``.