From ecbe7073303b67e2ec745829654ac0d3c082c65f Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Sat, 25 Apr 2026 15:29:06 +0200
Subject: [PATCH] postfix/dovecot: support SecP256r1MLKME768 key exchange

Added support means we allow it, but for now we don't prefer it, since it has not seen much use yet. For Postfix that means it lands below the two groups that already send a key share and save us a roundtrip. https://www.ietf.org/archive/id/draft-kwiatkowski-tls-ecdhe-mlkem-02.html
---
 mail-server/dovecot.nix | 1 +
 mail-server/postfix.nix | 1 +
 2 files changed, 2 insertions(+)
diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix
index 3f8d8af..941a4fc 100644
--- a/mail-server/dovecot.nix
+++ b/mail-server/dovecot.nix
@@ -312,6 +312,7 @@ in
 ssl_curve_list = lib.concatStringsSep ":" [
 "X25519MLKEM768"
 "X25519"
+ "SecP256r1MLKEM768"
 "prime256v1"
 "secp384r1"
 ];
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index 2ec2050..aa02d37 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -436,6 +436,7 @@ in
 Groups = mkGroupString [
 [ "*X25519MLKEM768" ]
 [ "*X25519" ]
+ [ "SecP256r1MLKEM768" ]
 [
 "P-256"
 "P-384"
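Review bot: The reason `"SecP256r1MLKEM768"` is ranked below classical `"X25519"` in `ssl_curve_list` (mail-server/dovecot.nix) is recorded only in the commit message, so in the file it reads as if a non-hybrid group were preferred over a post-quantum hybrid by accident. A peer that offers X25519 and SecP256r1MLKEM768 but not X25519MLKEM768 would presumably still land on the classical group; that is the stated trade-off and deserves a comment next to the entry, e.g. `# PQ hybrid: accepted, deliberately ranked below X25519 until it has seen more deployment`. The same applies to the new `[ "SecP256r1MLKEM768" ]` tuple in the `Groups` hunk of mail-server/postfix.nix, whose list continues past the end of the hunk; there a comment such as `# no "*": allowed, but no key share is sent up front` would keep the intent visible. The commit subject also spells the group `SecP256r1MLKME768`, which will not match a log search for the name used in the code.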