postfix: enable X25519MLKEM768 key exchange

This migrates the key exchange curve group configuration into the OpenSSL configuration format, which is the only path forward to configure these. We now prefer a hybrid key exchange for TLS handshake and as a client we'll send key shares for that and pure X25519, while keeping backwards- compat for P256 and P384. The statistics for my personal mail server over the last month show a clear trend for X25519 key exchanges: 156 secp384r1 225 secp256r1 19541 x25519
2025-11-09 19:44:25 +01:00
parent e3ee0fcceb
commit a1532a552f
2 changed files with 26 additions and 8 deletions
--- a/docs/release-notes.rst
+++ b/docs/release-notes.rst
@@ -16,6 +16,8 @@ NixOS 25.11
  instead. If you still require this feature you can reenable it using
  ``mailserver.enableImap``, but it is scheduled for removal after the 25.11
  release.
+- SMTP server and client now support and prefer a hybrid key exchange
+  (X25519MLKEM768)
 - SMTP access over STARTTLS on port ``587/tcp`` is now default disabled in line
  with `RFC 8314 3.3`_. If you still require this feature you can renable it using
  ``mailserver.enableSubmission``.
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -35,6 +35,8 @@ let
  inherit (lib.strings) concatStringsSep;
  cfg = config.mailserver;

+  iniFormat = pkgs.formats.iniWithGlobalSection { };
+
  # Merge several lookup tables. A lookup table is a attribute set where
  # - the key is an address (user@example.com) or a domain (@example.com)
  # - the value is a list of addresses
@@ -386,15 +388,29 @@ in
        # Restrict and prioritize the following curves in the given order
        # Excludes curves that have no widespread support, so we don't bloat the handshake needlessly.
        # https://www.postfix.org/postconf.5.html#tls_eecdh_auto_curves
-        # https://ssl-config.mozilla.org/#server=postfix&version=3.10&config=intermediate&openssl=3.4.1&guideline=5.7
-        tls_eecdh_auto_curves = [
-          "X25519"
-          "prime256v1"
-          "secp384r1"
+        tls_config_file =
+          let
+            mkGroupString = groups: concatStringsSep " / " (map (concatStringsSep ":") groups);
+          in
+          "${iniFormat.generate "postfix-openssl.cnf" {
+            globalSection.postfix = "postfix_settings";
+            sections = {
+              postfix_settings.ssl_conf = "postfix_ssl_settings";
+              postfix_ssl_settings.system_default = "baseline_postfix_settings";
+              baseline_postfix_settings.Groups = mkGroupString [
+                [ "*X25519MLKEM768" ]
+                [ "*X25519" ]
+                [
+                  "P-256"
+                  "P-384"
+                ]
              ];
+            };
+          }}";
+        tls_config_name = "postfix";

-        # Disable FFDHE on TLSv1.3 because it is slower than elliptic curves
-        # https://www.postfix.org/postconf.5.html#tls_ffdhe_auto_groups
+        # Algorithm selection happens through `tls_config_file` instead.
+        tls_eecdh_auto_curves = [ ];
        tls_ffdhe_auto_groups = [ ];

        # As long as all cipher suites are considered safe, let the client use its preferred cipher