From 3da442701aa1cf8c14614725ad03e020effd2cc9 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Wed, 18 Mar 2026 14:06:10 +0100
Subject: [PATCH] dovecot: restore compat for RSA key material
In TLS1.2 available cipher suites depend on the available key material, so the last round of cipher suites updates broke TLS1.2 support with RSA key pairs. The NixOS ACME module has been defaulting to EC256 (and earlier EC384) key material, so I assume this did not affect many setups in practice.
---
 mail-server/dovecot.nix | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix
index 2780e66..7831b0f 100644
--- a/mail-server/dovecot.nix
+++ b/mail-server/dovecot.nix
@@ -382,9 +382,14 @@ in
 "TLS_CHACHA20_POLY1305_SHA256"
 "TLS_AES_256_GCM_SHA384"
 # TLS1.2
+ # EC key material
 "ECDHE-ECDSA-AES128-GCM-SHA256"
 "ECDHE-ECDSA-CHACHA20-POLY1305"
 "ECDHE-ECDSA-AES256-GCM-SHA384"
+ # RSA key material
+ "ECDHE-RSA-AES128-GCM-SHA256"
+ "ECDHE-RSA-CHACHA20-POLY1305"
+ "ECDHE-RSA-AES256-GCM-SHA384"
 ]
 }
 ssl_curve_list = X25519MLKEM768:X25519:prime256v1:secp384r1
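Review bot: The two new comments in the TLS1.2 block name the key type but not why both groups must stay, and that is what the earlier cipher-suite cleanup got wrong according to the commit message. I would spell it out on the second group, e.g. `# RSA key material: TLS1.2 picks the suite by certificate key type, so dropping these breaks TLS1.2 for RSA certificates`, and write the first as `# EC (ECDSA) key material` so it is not read as referring to the ECDHE key exchange. The diffstat shows only `mail-server/dovecot.nix` changing, so nothing in this patch exercises a TLS1.2 handshake against an RSA certificate; a test case for that would catch a repeat of the regression. The enclosing list and the `ssl_cipher_list` assignment start outside the hunk.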