From 7909eabac28c298427514273bffb54d5cf9b2b88 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Fri, 24 Apr 2026 23:54:25 +0200
Subject: [PATCH] postfix: require AEAD & ECDHE cipher suites
This drops ARIA, Camellia and AES-CBC support from TLSv1.2 cipher suites. When we explicitly restrict the cipherlist in Postfix, then we need to define TLSv1.3 cipher suites in our OpenSSL config file.
---
 mail-server/postfix.nix | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index 77cce70..2ec2050 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -399,10 +399,6 @@ in
 smtpd_tls_ciphers = "high";
 smtpd_tls_mandatory_ciphers = "high";
- # Exclude cipher suites with undesirable properties
- smtpd_tls_exclude_ciphers = "SHA1, eNULL, aNULL";
- smtpd_tls_mandatory_exclude_ciphers = "SHA1, eNULL, aNULL";
-
 # Enable DNSSEC/DANE support for outgoing SMTP connections
 # https://www.postfix.org/postconf.5.html#smtp_tls_security_level
 smtp_dns_support_level = "dnssec";
@@ -416,10 +412,6 @@ in
 smtp_tls_ciphers = "high";
 smtp_tls_mandatory_ciphers = "high";
- # Exclude ciphersuites with undesirable properties
- smtp_tls_exclude_ciphers = "SHA1, eNULL, aNULL";
- smtp_tls_mandatory_exclude_ciphers = "SHA1, eNULL, aNULL";
-
 tls_config_file = let mkGroupString = groups: concatStringsSep " / " (map (concatStringsSep ":") groups);
@@ -430,6 +422,13 @@ in
 postfix_settings.ssl_conf = "postfix_ssl_settings";
 postfix_ssl_settings.system_default = "baseline_postfix_settings";
 baseline_postfix_settings = {
+ # Allow all TLSv1.3 cipher suites
+ Ciphersuites = concatStringsSep ":" [
+ "TLS_AES_256_GCM_SHA384"
+ "TLS_AES_128_GCM_SHA256"
+ "TLS_CHACHA20_POLY1305_SHA256"
+ ];
+
 # Full list: openssl list -tls-groups
 # Restrict and prioritize the following curves in the given order
 # Excludes curves that have no widespread support, so we don't bloat the handshake needlessly.
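Review bot: The comment `# Allow all TLSv1.3 cipher suites` above `Ciphersuites` overstates what the list does. It names the three AEAD suites that OpenSSL enables by default, while OpenSSL also implements TLSv1.3 CCM suites that remain disabled with this setting. The reason the setting exists is recorded only in the commit message (an explicitly restricted Postfix cipherlist makes an explicit TLSv1.3 list necessary), so I would move that into the comment, e.g. `# TLSv1.3 suites must be listed explicitly once tls_high_cipherlist is restricted; these are OpenSSL's three default AEAD suites`. `baseline_postfix_settings` continues past the end of the hunk.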
@@ -475,6 +474,16 @@ in
 tls_eecdh_auto_curves = [ ];
 tls_ffdhe_auto_groups = [ ];
+ # Require AEAD & ECDHE for TLSv1.2.
+ tls_high_cipherlist = concatStringsSep ":" [
+ "ECDHE-ECDSA-AES256-GCM-SHA384"
+ "ECDHE-RSA-AES256-GCM-SHA384"
+ "ECDHE-ECDSA-AES128-GCM-SHA256"
+ "ECDHE-RSA-AES128-GCM-SHA256"
+ "ECDHE-ECDSA-CHACHA20-POLY1305"
+ "ECDHE-RSA-CHACHA20-POLY1305"
+ ];
+
 # As long as all cipher suites are considered safe, let the client use its preferred cipher
 tls_preempt_cipherlist = false;
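Review bot: The comment on `tls_high_cipherlist` should record that this list is now the only thing keeping SHA1, aNULL and eNULL suites out, because the same commit removes the four `*_exclude_ciphers` settings, and that it only applies where the cipher grade is `high`. The four `*_tls_ciphers` parameters visible in the earlier hunks are `high`, but a later override to `medium`, or a service whose grade is set elsewhere, would presumably fall back to Postfix's built-in list with no exclusions left. A line such as `# Only applies to grade "high": keep every *_tls_ciphers at "high", the exclude lists are gone` would make that dependency visible. Separately, peers that offer only CBC or DHE suites will now fail the handshake, and on any opportunistic-TLS path (the security level is not visible here) that likely means cleartext delivery rather than a weaker cipher, so TLS handshake failures in the mail log are worth watching after rollout. The surrounding settings attribute set starts and ends outside the hunk.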