Merge branch 'tls-updates' into 'main'

TLS updates

See merge request simple-nixos-mailserver/nixos-mailserver!518

docs/release-notes.rst

@@ -22,6 +22,15 @@ NixOS 26.05
   established by `agenix`_/`sops-nix`_ that instead rely on encryption. This
   option prevents files from leaking in to the Nix store.
   See :option:`mailserver.accounts.<name>.passwordFile`.
+- TLS configurations have been updated:
+
+  - TLSv1.2 cipher suites in Postfix now require `AEAD`_ and `ECDHE`_.
+  - Postfix and Dovecot allow for the ``SecP256r1MLKEM768``
+    key exchange, as specified in the ongoing
+    `standardization effort <https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/>`__.
+  - Postfix no longer supports uncommon, deprecated, and obsolete TLS signature
+    algorithms.
+
 - LDAP setups require a migration of Dovecot home directories to
   `UUID based home directories`_. The exact UUID attribute can be customized
   through :option:`mailserver.ldap.attributes.uuid`.
@@ -45,6 +54,8 @@ NixOS 26.05
 .. _DKIM key management: dkim.html
 .. _agenix: https://github.com/ryantm/agenix
 .. _sops-nix: https://github.com/Mic92/sops-nix
+.. _AEAD: https://en.wikipedia.org/wiki/Authenticated_encryption
+.. _ECDHE: https://www.rfc-editor.org/rfc/rfc8422
 .. _UUID based home directories: migrations.html#dovecot-ldap-uuid-based-home-directories
 
 NixOS 25.11

mail-server/dovecot.nix

@@ -312,6 +312,7 @@ in
           ssl_curve_list = lib.concatStringsSep ":" [
             "X25519MLKEM768"
             "X25519"
+            "SecP256r1MLKEM768"
             "prime256v1"
             "secp384r1"
           ];

mail-server/postfix.nix

@@ -399,10 +399,6 @@ in
         smtpd_tls_ciphers = "high";
         smtpd_tls_mandatory_ciphers = "high";
 
-        # Exclude cipher suites with undesirable properties
-        smtpd_tls_exclude_ciphers = "SHA1, eNULL, aNULL";
-        smtpd_tls_mandatory_exclude_ciphers = "SHA1, eNULL, aNULL";
-
         # Enable DNSSEC/DANE support for outgoing SMTP connections
         # https://www.postfix.org/postconf.5.html#smtp_tls_security_level
         smtp_dns_support_level = "dnssec";
@@ -416,13 +412,6 @@ in
         smtp_tls_ciphers = "high";
         smtp_tls_mandatory_ciphers = "high";
 
-        # Exclude ciphersuites with undesirable properties
-        smtp_tls_exclude_ciphers = "SHA1, eNULL, aNULL";
-        smtp_tls_mandatory_exclude_ciphers = "SHA1, eNULL, aNULL";
-
-        # Restrict and prioritize the following curves in the given order
-        # Excludes curves that have no widespread support, so we don't bloat the handshake needlessly.
-        # https://www.postfix.org/postconf.5.html#tls_eecdh_auto_curves
         tls_config_file =
           let
             mkGroupString = groups: concatStringsSep " / " (map (concatStringsSep ":") groups);
@@ -432,14 +421,52 @@ in
             sections = {
               postfix_settings.ssl_conf = "postfix_ssl_settings";
               postfix_ssl_settings.system_default = "baseline_postfix_settings";
-              baseline_postfix_settings.Groups = mkGroupString [
-                [ "*X25519MLKEM768" ]
-                [ "*X25519" ]
-                [
-                  "P-256"
-                  "P-384"
-                ]
-              ];
+              baseline_postfix_settings = {
+                # Allow all TLSv1.3 cipher suites
+                Ciphersuites = concatStringsSep ":" [
+                  "TLS_AES_256_GCM_SHA384"
+                  "TLS_AES_128_GCM_SHA256"
+                  "TLS_CHACHA20_POLY1305_SHA256"
+                ];
+
+                # Full list: openssl list -tls-groups
+                # Restrict and prioritize the following curves in the given order
+                # Excludes curves that have no widespread support, so we don't bloat the handshake needlessly.
+                # https://www.postfix.org/postconf.5.html#tls_eecdh_auto_curves
+                Groups = mkGroupString [
+                  [ "*X25519MLKEM768" ]
+                  [ "*X25519" ]
+                  [ "SecP256r1MLKEM768" ]
+                  [
+                    "P-256"
+                    "P-384"
+                  ]
+                ];
+                SignatureAlgorithms = concatStringsSep ":" [
+                  # Full list: openssl list -tls-signature-algorithms
+                  # Reduced to algorithms with key material supported in CA/B
+                  # baseline requirements and excluding deprecated algorithms
+                  # like SHA1.
+
+                  # EcDSA certificates
+                  # https://cabforum.org/working-groups/server/baseline-requirements/requirements/#71312-ecdsa
+                  "ecdsa_secp256r1_sha256"
+                  "ecdsa_secp384r1_sha384"
+                  "ecdsa_secp521r1_sha512"
+
+                  # RSA certificates
+                  # https://cabforum.org/working-groups/server/baseline-requirements/requirements/#71311-rsa
+                  "rsa_pss_rsae_sha256"
+                  "rsa_pss_rsae_sha384"
+                  "rsa_pss_rsae_sha512"
+                  "rsa_pss_pss_sha256"
+                  "rsa_pss_pss_sha384"
+                  "rsa_pss_pss_sha512"
+                  "rsa_pkcs1_sha256"
+                  "rsa_pkcs1_sha384"
+                  "rsa_pkcs1_sha512"
+                ];
+              };
             };
           };
         tls_config_name = "postfix";
@@ -448,6 +475,16 @@ in
         tls_eecdh_auto_curves = [ ];
         tls_ffdhe_auto_groups = [ ];
 
+        # Require AEAD & ECDHE for TLSv1.2.
+        tls_high_cipherlist = concatStringsSep ":" [
+          "ECDHE-ECDSA-AES256-GCM-SHA384"
+          "ECDHE-RSA-AES256-GCM-SHA384"
+          "ECDHE-ECDSA-AES128-GCM-SHA256"
+          "ECDHE-RSA-AES128-GCM-SHA256"
+          "ECDHE-ECDSA-CHACHA20-POLY1305"
+          "ECDHE-RSA-CHACHA20-POLY1305"
+        ];
+
         # As long as all cipher suites are considered safe, let the client use its preferred cipher
         tls_preempt_cipherlist = false;