docs: rewrite 26.05 release notes
+74
-46
@@ -4,62 +4,90 @@ Release Notes
NixOS 26.05
-----------
- Certificate handling was simplified. We recommend setting
:option:`mailserver.x509.useACMEHost` to a ``security.acme.certs``
configuration. If that does not fit your requirements, configure certificate
and private key using :option:`mailserver.x509.certificateFile` and
:option:`mailserver.x509.privateKeyFile` instead. Support for automatic
creation of self-signed certificates has been removed.
Check the updated `setup guide`_ for a basic ACME HTTP-01 example.
- `DKIM key management`_ is now available with multiple concurrent selectors per
domain enabling proper DKIM key rotation. While we still generate a default
key for backwards compatibility we now also support passing pre-created
key material. If your DKIM keys were automatically created before the 25.11
release they are 1024 bit RSA keys and should be rotated out.
See :option:`mailserver.dkim.domains` for further relevant options.
- Cleartext password files can now be configured for login accounts. This
is an alternative to hashed passwords that integrates well with workflows
established by `agenix`_/`sops-nix`_ that instead rely on encryption. This
option prevents files from leaking in to the Nix store.
See :option:`mailserver.accounts.<name>.passwordFile`.
- TLS configurations have been updated:
Features
^^^^^^^^
- TLSv1.2 cipher suites in Postfix now require `AEAD`_ and `ECDHE`_.
- Postfix and Dovecot allow for the ``SecP256r1MLKEM768``
key exchange, as specified in the ongoing
`standardization effort <https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/>`__.
- Postfix no longer supports uncommon, deprecated, and obsolete TLS signature
algorithms.
- :ref:`DKIM key management <dkim>` now supports multiple selectors per domain,
enabling :ref:`key rotation <dkim-key-rotation>`. Pre-created key material is
also supported. Existing automatically generated DKIM keys from before 25.11
use 1024-bit RSA and should be rotated. See :option:`mailserver.dkim.domains`.
- LDAP setups require a migration of Dovecot home directories to
`UUID based home directories`_. The exact UUID attribute can be customized
through :option:`mailserver.ldap.attributes.uuid`.
- The default login username for LDAP users has changed from the ``mail`` to
the ``uid`` attribute. This allows users to login with their account name
rather than their email address, which is more convenient and consistent
with typical LDAP practices. The exact attribute can be customized through
- Certificate handling was simplified. We recommend using the NixOS
ACME module (``security.acme.certs``) and referencing a certificate
configuration by name. Alternatively, certificate and private key can be
managed manually. Configure either :option:`mailserver.x509.useACMEHost`
or :option:`mailserver.x509.certificateFile` and
:option:`mailserver.x509.privateKeyFile`. See the updated :ref:`setup guide
<setup-guide>` for a basic ACME HTTP-01 example.
- Local mail accounts can now use managed cleartext passwords. This integrates
well with secret management tools such as `agenix`_ and `sops-nix`_ while
avoiding password leakage into the world-readable Nix store. See
:option:`mailserver.accounts.<name>.passwordFile`.
- Blocked sender responses can now be customized. This is useful if you require GDPR
compliance. See :option:`mailserver.rejectSenderMessage`.
Security
^^^^^^^^
- TLSv1.2 cipher suites in Postfix now require `AEAD`_ and `ECDHE`_.
- Postfix and Dovecot now support negotiation of the ``SecP256r1MLKEM768``
key agreement mechanism. The `standardization process
<https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/>`__ is ongoing.
- Deprecated and obsolete TLS signature algorithms were removed from Postfix.
Sieve
^^^^^
- **Migration**: When ManageSieve is enabled, user-created Sieve scripts must
be migrated into their Dovecot home directory. See the :ref:`migration guide
<migration-5>`.
LDAP
^^^^
- **Migration**: Dovecot home directories for LDAP users must be migrated to
UUID-based directory names. The UUID attribute can be customized through
:option:`mailserver.ldap.attributes.uuid`. See the :ref:`migration guide
<migration-4>`.
- The LDAP configuration has been revamped. Option names have been simplified,
examples and documentation improved. The :ref:`LDAP documentation <ldap-top>`
was written from the ground up.
- The default LDAP login attribute changed from ``mail`` to ``uid``.
This allows users to login with their account name rather than
their email address, which is more convenient and consistent with
typical LDAP practices. The exact attribute can be customized through
:option:`mailserver.ldap.attributes.username`.
- Local and LDAP accounts can now co-exist. For overlapping names and addresses
- Local and LDAP accounts can now coexist. For overlapping accounts and addresses
the local account will always win.
- Custom reject messages for blocked senders are now possible by setting
:option:`mailserver.rejectSenderMessage` to e.g. comply with GDPR.
- The following integrations are deprecated and will be removed before the next
release:
- :option:`mailserver.borgbackup.enable`
- :option:`mailserver.backup.enable`
- :option:`mailserver.monitoring.enable`
- Setups with :option:`mailserver.enableManageSieve` enabled require a
migration of the `Sieve script directories into Dovecot home directories`_.
.. _setup guide: setup-guide.html#setup-the-server
.. _DKIM key management: dkim.html
Internals
^^^^^^^^^
- Dovecot has been updated from 2.3 to 2.4 and now relies on the structured settings option.
Deprecations
^^^^^^^^^^^^
The following integrations are deprecated and will be removed before the next
release:
- :option:`mailserver.borgbackup.enable`
- :option:`mailserver.backup.enable`
- :option:`mailserver.monitoring.enable`
.. _key rotation: dkim.html#dkim-key-rotation
.. _agenix: https://github.com/ryantm/agenix
.. _sops-nix: https://github.com/Mic92/sops-nix
.. _AEAD: https://en.wikipedia.org/wiki/Authenticated_encryption
.. _ECDHE: https://www.rfc-editor.org/rfc/rfc8422
.. _UUID based home directories: migrations.html#dovecot-ldap-uuid-based-home-directories
.. _Sieve script directories into Dovecot home directories: migrations.html#sieve-script-directory-migration
NixOS 25.11
-----------
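Review bot: The Security entries say what was tightened but not what an operator should expect or how to opt out: `TLSv1.2 cipher suites in Postfix now require \`AEAD\`_ and \`ECDHE\`_.` and `Deprecated and obsolete TLS signature algorithms were removed from Postfix.` both shrink the set of peers that can still negotiate TLS 1.2 with this server, so add a sentence on the impact (peers that only offer the removed suites or signature algorithms will no longer complete a TLS 1.2 handshake) and, if an option exists to relax the new defaults, link it from the entry. Two smaller points in the same hunk: the Deprecations section promises removal `before the next release` without naming that release or a replacement for the backup and monitoring integrations, which readers of a release note need to plan a migration; and the `.. _key rotation:`, `.. _UUID based home directories:` and `.. _Sieve script directories into Dovecot home directories:` targets look unreferenced now that the text links through `:ref:` roles, so drop them if nothing else in the file still uses them.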