From 54f37811dd45075c285b8ddc3034f8061ea83f6c Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Mon, 22 Sep 2025 03:45:22 +0200
Subject: [PATCH] Disable plaintext access per RFC 8314

This deprecates the `enableImap` and `enablePop` options and opens them up for future removal.
---
 default.nix | 6 +++++-
 docs/release-notes.rst | 6 ++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/default.nix b/default.nix
index cc21e26..2e2be2e 100644
--- a/default.nix
+++ b/default.nix
@@ -851,9 +851,11 @@ in

 enableImap = mkOption {
 type = types.bool;
- default = true;
+ default = false;
 description = ''
 Whether to enable IMAP with STARTTLS on port 143.
+
+ The use of this port is deprecated per RFC 8314 4.1.
 '';
 };

@@ -894,6 +896,8 @@ in
 default = false;
 description = ''
 Whether to enable POP3 with STARTTLS on port on port 110.
+
+ The use of this port is deprecated per RFC 8314 4.1.
 '';
 };

diff --git a/docs/release-notes.rst b/docs/release-notes.rst
index 7a48dd4..cc6fc6b 100644
--- a/docs/release-notes.rst
+++ b/docs/release-notes.rst
@@ -13,8 +13,14 @@ NixOS 25.11
 1024 bit keys should not be considered valid any longer.
 - DMARC reports are now sent with the ``noreply-dmarc`` localpart from the system domain.
+- IMAP access over port ``143/tcp`` is now default disabled in line with
+ `RFC 8314 4.1`_. Use IMAP over implicit TLS on port ``993/tcp`` instead.
+ If you still require this feature you can reenable it using
+ ``mailserver.enableImap``, but it is scheduled for removal after the 25.11
+ release.
 .. _RFC 8301 3.2: https://www.rfc-editor.org/rfc/rfc8301#section-3.2
+.. _RFC 8314 4.1: https://www.rfc-editor.org/rfc/rfc8314#section-4.1
 NixOS 25.05
 -----------
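Review bot: The deprecation of `enableImap` in the first default.nix hunk is stated only in the option description, so a configuration that still sets it to `true` evaluates without any notice, even though the release notes schedule the option for removal after 25.11. If the module's `config` section (not visible in this hunk) can carry it, an evaluation-time warning would surface this, for example `warnings = optional config.mailserver.enableImap "mailserver.enableImap is deprecated per RFC 8314 4.1; use IMAP over implicit TLS on port 993/tcp";`. The same applies to the POP3 option in the second hunk. The description could also state the reason rather than only cite the RFC, e.g. `The session starts unencrypted and depends on the client upgrading with STARTTLS; prefer implicit TLS on port 993.`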
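Review bot: The POP3 description in the second default.nix hunk still reads `on port on port 110`; since the hunk already edits this text, the duplicated words can be dropped: `Whether to enable POP3 with STARTTLS on port 110.`. The option's name and its `mkOption` opener lie above the hunk, so it cannot be confirmed from here that this is the `enablePop` named in the commit message. The release notes in this commit announce the planned removal only for `mailserver.enableImap`; if the POP3 option is meant to follow the same schedule, a matching entry pointing to implicit TLS on port 995/tcp would keep the two consistent.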