|
|
|
@@ -4,62 +4,90 @@ Release Notes
|
|
|
|
|
NixOS 26.05
|
|
|
|
|
-----------
|
|
|
|
|
|
|
|
|
|
- Certificate handling was simplified. We recommend setting
|
|
|
|
|
:option:`mailserver.x509.useACMEHost` to a ``security.acme.certs``
|
|
|
|
|
configuration. If that does not fit your requirements, configure certificate
|
|
|
|
|
and private key using :option:`mailserver.x509.certificateFile` and
|
|
|
|
|
:option:`mailserver.x509.privateKeyFile` instead. Support for automatic
|
|
|
|
|
creation of self-signed certificates has been removed.
|
|
|
|
|
Check the updated `setup guide`_ for a basic ACME HTTP-01 example.
|
|
|
|
|
- `DKIM key management`_ is now available with multiple concurrent selectors per
|
|
|
|
|
domain enabling proper DKIM key rotation. While we still generate a default
|
|
|
|
|
key for backwards compatibility we now also support passing pre-created
|
|
|
|
|
key material. If your DKIM keys were automatically created before the 25.11
|
|
|
|
|
release they are 1024 bit RSA keys and should be rotated out.
|
|
|
|
|
See :option:`mailserver.dkim.domains` for further relevant options.
|
|
|
|
|
- Cleartext password files can now be configured for login accounts. This
|
|
|
|
|
is an alternative to hashed passwords that integrates well with workflows
|
|
|
|
|
established by `agenix`_/`sops-nix`_ that instead rely on encryption. This
|
|
|
|
|
option prevents files from leaking in to the Nix store.
|
|
|
|
|
See :option:`mailserver.accounts.<name>.passwordFile`.
|
|
|
|
|
- TLS configurations have been updated:
|
|
|
|
|
Features
|
|
|
|
|
^^^^^^^^
|
|
|
|
|
|
|
|
|
|
- TLSv1.2 cipher suites in Postfix now require `AEAD`_ and `ECDHE`_.
|
|
|
|
|
- Postfix and Dovecot allow for the ``SecP256r1MLKEM768``
|
|
|
|
|
key exchange, as specified in the ongoing
|
|
|
|
|
`standardization effort <https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/>`__.
|
|
|
|
|
- Postfix no longer supports uncommon, deprecated, and obsolete TLS signature
|
|
|
|
|
algorithms.
|
|
|
|
|
- :ref:`DKIM key management <dkim>` now supports multiple selectors per domain,
|
|
|
|
|
enabling :ref:`key rotation <dkim-key-rotation>`. Pre-created key material is
|
|
|
|
|
also supported. Existing automatically generated DKIM keys from before 25.11
|
|
|
|
|
use 1024-bit RSA and should be rotated. See :option:`mailserver.dkim.domains`.
|
|
|
|
|
|
|
|
|
|
- LDAP setups require a migration of Dovecot home directories to
|
|
|
|
|
`UUID based home directories`_. The exact UUID attribute can be customized
|
|
|
|
|
through :option:`mailserver.ldap.attributes.uuid`.
|
|
|
|
|
- The default login username for LDAP users has changed from the ``mail`` to
|
|
|
|
|
the ``uid`` attribute. This allows users to login with their account name
|
|
|
|
|
rather than their email address, which is more convenient and consistent
|
|
|
|
|
with typical LDAP practices. The exact attribute can be customized through
|
|
|
|
|
- Certificate handling was simplified. We recommend using the NixOS
|
|
|
|
|
ACME module (``security.acme.certs``) and referencing a certificate
|
|
|
|
|
configuration by name. Alternatively, certificate and private key can be
|
|
|
|
|
managed manually. Configure either :option:`mailserver.x509.useACMEHost`
|
|
|
|
|
or :option:`mailserver.x509.certificateFile` and
|
|
|
|
|
:option:`mailserver.x509.privateKeyFile`. See the updated :ref:`setup guide
|
|
|
|
|
<setup-guide>` for a basic ACME HTTP-01 example.
|
|
|
|
|
|
|
|
|
|
- Local mail accounts can now use managed cleartext passwords. This integrates
|
|
|
|
|
well with secret management tools such as `agenix`_ and `sops-nix`_ while
|
|
|
|
|
avoiding password leakage into the world-readable Nix store. See
|
|
|
|
|
:option:`mailserver.accounts.<name>.passwordFile`.
|
|
|
|
|
|
|
|
|
|
- Blocked sender responses can now be customized. This is useful if you require GDPR
|
|
|
|
|
compliance. See :option:`mailserver.rejectSenderMessage`.
|
|
|
|
|
|
|
|
|
|
Security
|
|
|
|
|
^^^^^^^^
|
|
|
|
|
|
|
|
|
|
- TLSv1.2 cipher suites in Postfix now require `AEAD`_ and `ECDHE`_.
|
|
|
|
|
|
|
|
|
|
- Postfix and Dovecot now support negotiation of the ``SecP256r1MLKEM768``
|
|
|
|
|
key agreement mechanism. The `standardization process
|
|
|
|
|
<https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/>`__ is ongoing.
|
|
|
|
|
|
|
|
|
|
- Deprecated and obsolete TLS signature algorithms were removed from Postfix.
|
|
|
|
|
|
|
|
|
|
Sieve
|
|
|
|
|
^^^^^
|
|
|
|
|
|
|
|
|
|
- **Migration**: When ManageSieve is enabled, user-created Sieve scripts must
|
|
|
|
|
be migrated into their Dovecot home directory. See the :ref:`migration guide
|
|
|
|
|
<migration-5>`.
|
|
|
|
|
|
|
|
|
|
LDAP
|
|
|
|
|
^^^^
|
|
|
|
|
|
|
|
|
|
- **Migration**: Dovecot home directories for LDAP users must be migrated to
|
|
|
|
|
UUID-based directory names. The UUID attribute can be customized through
|
|
|
|
|
:option:`mailserver.ldap.attributes.uuid`. See the :ref:`migration guide
|
|
|
|
|
<migration-4>`.
|
|
|
|
|
|
|
|
|
|
- The LDAP configuration has been revamped. Option names have been simplified,
|
|
|
|
|
examples and documentation improved. The :ref:`LDAP documentation <ldap-top>`
|
|
|
|
|
was written from the ground up.
|
|
|
|
|
|
|
|
|
|
- The default LDAP login attribute changed from ``mail`` to ``uid``.
|
|
|
|
|
This allows users to login with their account name rather than
|
|
|
|
|
their email address, which is more convenient and consistent with
|
|
|
|
|
typical LDAP practices. The exact attribute can be customized through
|
|
|
|
|
:option:`mailserver.ldap.attributes.username`.
|
|
|
|
|
- Local and LDAP accounts can now co-exist. For overlapping names and addresses
|
|
|
|
|
|
|
|
|
|
- Local and LDAP accounts can now coexist. For overlapping accounts and addresses
|
|
|
|
|
the local account will always win.
|
|
|
|
|
- Custom reject messages for blocked senders are now possible by setting
|
|
|
|
|
:option:`mailserver.rejectSenderMessage` to e.g. comply with GDPR.
|
|
|
|
|
- The following integrations are deprecated and will be removed before the next
|
|
|
|
|
release:
|
|
|
|
|
|
|
|
|
|
- :option:`mailserver.borgbackup.enable`
|
|
|
|
|
- :option:`mailserver.backup.enable`
|
|
|
|
|
- :option:`mailserver.monitoring.enable`
|
|
|
|
|
- Setups with :option:`mailserver.enableManageSieve` enabled require a
|
|
|
|
|
migration of the `Sieve script directories into Dovecot home directories`_.
|
|
|
|
|
|
|
|
|
|
.. _setup guide: setup-guide.html#setup-the-server
|
|
|
|
|
.. _DKIM key management: dkim.html
|
|
|
|
|
Internals
|
|
|
|
|
^^^^^^^^^
|
|
|
|
|
|
|
|
|
|
- Dovecot has been updated from 2.3 to 2.4 and now relies on the structured settings option.
|
|
|
|
|
|
|
|
|
|
Deprecations
|
|
|
|
|
^^^^^^^^^^^^
|
|
|
|
|
|
|
|
|
|
The following integrations are deprecated and will be removed before the next
|
|
|
|
|
release:
|
|
|
|
|
|
|
|
|
|
- :option:`mailserver.borgbackup.enable`
|
|
|
|
|
- :option:`mailserver.backup.enable`
|
|
|
|
|
- :option:`mailserver.monitoring.enable`
|
|
|
|
|
|
|
|
|
|
.. _key rotation: dkim.html#dkim-key-rotation
|
|
|
|
|
.. _agenix: https://github.com/ryantm/agenix
|
|
|
|
|
.. _sops-nix: https://github.com/Mic92/sops-nix
|
|
|
|
|
.. _AEAD: https://en.wikipedia.org/wiki/Authenticated_encryption
|
|
|
|
|
.. _ECDHE: https://www.rfc-editor.org/rfc/rfc8422
|
|
|
|
|
.. _UUID based home directories: migrations.html#dovecot-ldap-uuid-based-home-directories
|
|
|
|
|
.. _Sieve script directories into Dovecot home directories: migrations.html#sieve-script-directory-migration
|
|
|
|
|
|
|
|
|
|
NixOS 25.11
|
|
|
|
|
-----------
|
|
|
|
|
Martin Weinelt