From 8d6b14c82cf7a1c68e588c44739bd71a6ce1fa90 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Fri, 24 Apr 2026 21:32:17 +0200 Subject: [PATCH 1/4] postfix: restrict TLS signing algorithms Prunes the list preset and removes SHA-1 to restore compatibility with NCSC TLS security guidelines. --- mail-server/postfix.nix | 49 ++++++++++++++++++++++++++++++++--------- 1 file changed, 38 insertions(+), 11 deletions(-) diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix index 0408138..77cce70 100644 --- a/mail-server/postfix.nix +++ b/mail-server/postfix.nix @@ -420,9 +420,6 @@ in smtp_tls_exclude_ciphers = "SHA1, eNULL, aNULL"; smtp_tls_mandatory_exclude_ciphers = "SHA1, eNULL, aNULL"; - # Restrict and prioritize the following curves in the given order - # Excludes curves that have no widespread support, so we don't bloat the handshake needlessly. - # https://www.postfix.org/postconf.5.html#tls_eecdh_auto_curves tls_config_file = let mkGroupString = groups: concatStringsSep " / " (map (concatStringsSep ":") groups); 
@@ -432,14 +429,44 @@ in sections = { postfix_settings.ssl_conf = "postfix_ssl_settings"; postfix_ssl_settings.system_default = "baseline_postfix_settings"; - baseline_postfix_settings.Groups = mkGroupString [ - [ "*X25519MLKEM768" ] - [ "*X25519" ] - [ - "P-256" - "P-384" - ] - ]; + baseline_postfix_settings = { + # Full list: openssl list -tls-groups + # Restrict and prioritize the following curves in the given order + # Excludes curves that have no widespread support, so we don't bloat the handshake needlessly. + # https://www.postfix.org/postconf.5.html#tls_eecdh_auto_curves + Groups = mkGroupString [ + [ "*X25519MLKEM768" ] + [ "*X25519" ] + [ + "P-256" + "P-384" + ] + ]; + SignatureAlgorithms = concatStringsSep ":" [ + # Full list: openssl list -tls-signature-algorithms + # Reduced to algorithms with key material supported in CA/B + # baseline requirements and excluding deprecated algorithms + # like SHA1. + + # EcDSA certificates + # https://cabforum.org/working-groups/server/baseline-requirements/requirements/#71312-ecdsa + "ecdsa_secp256r1_sha256" + "ecdsa_secp384r1_sha384" + "ecdsa_secp521r1_sha512" + + # RSA certificates + # https://cabforum.org/working-groups/server/baseline-requirements/requirements/#71311-rsa + "rsa_pss_rsae_sha256" + "rsa_pss_rsae_sha384" + "rsa_pss_rsae_sha512" + "rsa_pss_pss_sha256" + "rsa_pss_pss_sha384" + "rsa_pss_pss_sha512" + "rsa_pkcs1_sha256" + "rsa_pkcs1_sha384" + "rsa_pkcs1_sha512" + ]; + }; }; }; tls_config_name = "postfix"; From 7909eabac28c298427514273bffb54d5cf9b2b88 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Fri, 24 Apr 2026 23:54:25 +0200 Subject: [PATCH 2/4] postfix: require AEAD & ECDHE cipher suites This drops ARIA, Camellia and AES-CBC support from TLSv1.2 cipher suites. When we explicitly restrict the cipherlist in Postfix, then we need to define TLSv1.3 cipher suites in our OpenSSL config file. --- mail-server/postfix.nix | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) 
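Review bot: The `SignatureAlgorithms` list added to `baseline_postfix_settings` is reached through `system_default`, so it presumably constrains the outbound SMTP client as well as the server, while its stated rationale (CA/B baseline requirements) only covers certificates a public CA would issue. Peers authenticated through DANE may present self-issued Ed25519 or Ed448 certificates, and with no EdDSA entry the handshake with them would fail. Depending on the outbound security level, which is not visible in this hunk, that means deferred mail or a retry without TLS. Either add `"ed25519"` and `"ed448"` under a `# EdDSA certificates (DANE peers, outside CA/B)` heading, or extend the comment to say that EdDSA peers are rejected on purpose. The enclosing `tls_config_file` expression starts before this hunk.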
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix index 77cce70..2ec2050 100644 --- a/mail-server/postfix.nix +++ b/mail-server/postfix.nix @@ -399,10 +399,6 @@ in smtpd_tls_ciphers = "high"; smtpd_tls_mandatory_ciphers = "high"; - # Exclude cipher suites with undesirable properties - smtpd_tls_exclude_ciphers = "SHA1, eNULL, aNULL"; - smtpd_tls_mandatory_exclude_ciphers = "SHA1, eNULL, aNULL"; - # Enable DNSSEC/DANE support for outgoing SMTP connections # https://www.postfix.org/postconf.5.html#smtp_tls_security_level smtp_dns_support_level = "dnssec"; @@ -416,10 +412,6 @@ in smtp_tls_ciphers = "high"; smtp_tls_mandatory_ciphers = "high"; - # Exclude ciphersuites with undesirable properties - smtp_tls_exclude_ciphers = "SHA1, eNULL, aNULL"; - smtp_tls_mandatory_exclude_ciphers = "SHA1, eNULL, aNULL"; - tls_config_file = let mkGroupString = groups: concatStringsSep " / " (map (concatStringsSep ":") groups); @@ -430,6 +422,13 @@ in postfix_settings.ssl_conf = "postfix_ssl_settings"; postfix_ssl_settings.system_default = "baseline_postfix_settings"; baseline_postfix_settings = { + # Allow all TLSv1.3 cipher suites + Ciphersuites = concatStringsSep ":" [ + "TLS_AES_256_GCM_SHA384" + "TLS_AES_128_GCM_SHA256" + "TLS_CHACHA20_POLY1305_SHA256" + ]; + # Full list: openssl list -tls-groups # Restrict and prioritize the following curves in the given order # Excludes curves that have no widespread support, so we don't bloat the handshake needlessly. @@ -475,6 +474,16 @@ in tls_eecdh_auto_curves = [ ]; tls_ffdhe_auto_groups = [ ]; + # Require AEAD & ECDHE for TLSv1.2. + tls_high_cipherlist = concatStringsSep ":" [ + "ECDHE-ECDSA-AES256-GCM-SHA384" + "ECDHE-RSA-AES256-GCM-SHA384" + "ECDHE-ECDSA-AES128-GCM-SHA256" + "ECDHE-RSA-AES128-GCM-SHA256" + "ECDHE-ECDSA-CHACHA20-POLY1305" + "ECDHE-RSA-CHACHA20-POLY1305" + ]; + # As long as all cipher suites are considered safe, let the client use its preferred cipher tls_preempt_cipherlist = false; 
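Review bot: The comment `# Allow all TLSv1.3 cipher suites` above the new `Ciphersuites` entry overstates the list, because TLS 1.3 also defines `TLS_AES_128_CCM_SHA256` and `TLS_AES_128_CCM_8_SHA256` and neither is listed. Leaving them out is a sound choice, but the comment should say it is deliberate, for example `# TLSv1.3: the GCM and ChaCha20-Poly1305 suites; the CCM suites stay disabled`. A later reader comparing the comment with the list will otherwise assume an omission.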
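Review bot: The explicit `tls_high_cipherlist` only takes effect while the cipher grade is `high`, whereas the `*_exclude_ciphers` settings deleted in the first two hunks of this file applied at every grade. If a downstream override sets `smtpd_tls_ciphers` or `smtp_tls_ciphers` to `medium`, the stock medium list would apply with no `eNULL, aNULL` or SHA-1 exclusion left as a backstop. Keeping `smtpd_tls_exclude_ciphers = "eNULL, aNULL";` and `smtp_tls_exclude_ciphers = "eNULL, aNULL";`, together with their `mandatory` variants, costs nothing against the new list and preserves that guard. A short comment that `tls_high_cipherlist` relies on the grade staying `high` would also help.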
From ecbe7073303b67e2ec745829654ac0d3c082c65f Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sat, 25 Apr 2026 15:29:06 +0200 Subject: [PATCH 3/4] postfix/dovecot: support SecP256r1MLKME768 key exchange Added support means we allow it, but for now we don't prefer it, since it has not seen much use yet. For Postfix that means it lands below the two groups that already send a key share and save us a roundtrip. https://www.ietf.org/archive/id/draft-kwiatkowski-tls-ecdhe-mlkem-02.html --- mail-server/dovecot.nix | 1 + mail-server/postfix.nix | 1 + 2 files changed, 2 insertions(+) diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix index 3f8d8af..941a4fc 100644 --- a/mail-server/dovecot.nix +++ b/mail-server/dovecot.nix @@ -312,6 +312,7 @@ in ssl_curve_list = lib.concatStringsSep ":" [ "X25519MLKEM768" "X25519" + "SecP256r1MLKEM768" "prime256v1" "secp384r1" ]; diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix index 2ec2050..aa02d37 100644 --- a/mail-server/postfix.nix +++ b/mail-server/postfix.nix @@ -436,6 +436,7 @@ in Groups = mkGroupString [ [ "*X25519MLKEM768" ] [ "*X25519" ] + [ "SecP256r1MLKEM768" ] [ "P-256" "P-384" From 3ab15c2e300705e07b5e42a10b71fca49761e7cb Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sun, 26 Apr 2026 01:47:39 +0200 Subject: [PATCH 4/4] docs/release-notes: add tls changes --- docs/release-notes.rst | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/release-notes.rst b/docs/release-notes.rst index c7daaef..7835163 100644 --- a/docs/release-notes.rst +++ b/docs/release-notes.rst 
@@ -22,6 +22,15 @@ NixOS 26.05 established by `agenix`_/`sops-nix`_ that instead rely on encryption. This option prevents files from leaking in to the Nix store. See :option:`mailserver.accounts..passwordFile`. +- TLS configurations have been updated: + + - TLSv1.2 cipher suites in Postfix now require `AEAD`_ and `ECDHE`_. + - Postfix and Dovecot allow for the ``SecP256r1MLKEM768`` + key exchange, as specified in the ongoing + `standardization effort `__. + - Postfix no longer supports uncommon, deprecated, and obsolete TLS signature + algorithms. + - LDAP setups require a migration of Dovecot home directories to `UUID based home directories`_. The exact UUID attribute can be customized through :option:`mailserver.ldap.attributes.uuid`. @@ -45,6 +54,8 @@ NixOS 26.05 .. _DKIM key management: dkim.html .. _agenix: https://github.com/ryantm/agenix .. _sops-nix: https://github.com/Mic92/sops-nix +.. _AEAD: https://en.wikipedia.org/wiki/Authenticated_encryption +.. _ECDHE: https://www.rfc-editor.org/rfc/rfc8422 .. _UUID based home directories: migrations.html#dovecot-ldap-uuid-based-home-directories NixOS 25.11