From 3ab15c2e300705e07b5e42a10b71fca49761e7cb Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sun, 26 Apr 2026 01:47:39 +0200 Subject: [PATCH] docs/release-notes: add tls changes --- docs/release-notes.rst | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/release-notes.rst b/docs/release-notes.rst index c7daaef..7835163 100644 --- a/docs/release-notes.rst +++ b/docs/release-notes.rst @@ -22,6 +22,15 @@ NixOS 26.05 established by `agenix`_/`sops-nix`_ that instead rely on encryption. This option prevents files from leaking in to the Nix store. See :option:`mailserver.accounts..passwordFile`. +- TLS configurations have been updated: + + - TLSv1.2 cipher suites in Postfix now require `AEAD`_ and `ECDHE`_. + - Postfix and Dovecot allow for the ``SecP256r1MLKEM768`` + key exchange, as specified in the ongoing + `standardization effort `__. + - Postfix no longer supports uncommon, deprecated, and obsolete TLS signature + algorithms. + - LDAP setups require a migration of Dovecot home directories to `UUID based home directories`_. The exact UUID attribute can be customized through :option:`mailserver.ldap.attributes.uuid`. @@ -45,6 +54,8 @@ NixOS 26.05 .. _DKIM key management: dkim.html .. _agenix: https://github.com/ryantm/agenix .. _sops-nix: https://github.com/Mic92/sops-nix +.. _AEAD: https://en.wikipedia.org/wiki/Authenticated_encryption +.. _ECDHE: https://www.rfc-editor.org/rfc/rfc8422 .. _UUID based home directories: migrations.html#dovecot-ldap-uuid-based-home-directories NixOS 25.11
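Review bot: In the first hunk (@@ -22,6 +22,15), the last added bullet, "Postfix no longer supports uncommon, deprecated, and obsolete TLS signature algorithms", does not name the algorithms that were dropped, so an operator cannot tell from the release notes whether a peer that still depends on one of them will stop negotiating after the upgrade. Suggest listing the removed algorithms, or linking to the module option or Postfix parameter that now defines the allowed set. The TLSv1.2 bullet has a similar gap: it mentions Postfix only, leaving open whether Dovecot's TLSv1.2 cipher suites changed, and it does not say that TLSv1.2 peers offering neither an ECDHE nor an AEAD suite can no longer agree on a cipher. Separately, as the patch appears here, the anonymous link "`standardization effort `__" has no target before the closing backtick; please confirm the URL is present in the file, and consider a named target in the list at the bottom of the section so it matches the other links.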
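Review bot: In the second hunk (@@ -45,6 +54,8), the two new link targets cite sources of different weight: ".. _AEAD:" points at a Wikipedia article while ".. _ECDHE:" points at RFC 8422. For a stable reference, consider pointing AEAD at RFC 5116, which defines the AEAD interface, so both terms link to their specifications. The "standardization effort" link added in the first hunk also has no entry in this target list, so the hunk does not follow the named-target convention used by the surrounding lines for every new link.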