diff --git a/default.nix b/default.nix
index d8e5dd1..cc56700 100644
--- a/default.nix
+++ b/default.nix
@@ -425,6 +425,11 @@ in
 example = "/run/my-secret";
 description = ''
 File containing the password required to bind against the LDAP server.
+
+ :::{warning}
+ The password file is read verbatim. Any trailing newline will become
+ part of the password and may cause authentication failures.
+ :::
 '';
 };
 };
diff --git a/docs/release-notes.rst b/docs/release-notes.rst
index e38a088..a120f20 100644
--- a/docs/release-notes.rst
+++ b/docs/release-notes.rst
@@ -64,6 +64,9 @@ LDAP
 typical LDAP practices. The exact attribute can be customized through :option:`mailserver.ldap.attributes.username`.
+- The LDAP bind password is now read verbatim without trimming whitespace. Any
+ trailing newline is now preserved and may cause authentication failures.
+
 - Local and LDAP accounts can now coexist. For overlapping accounts and addresses the local account will always win.
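Review bot: The warning added to the `description` in the default.nix hunk states the failure mode but not the remedy, and since most editors and `echo` append a newline by default, an operator is likely to hit exactly the bind failure it describes. I would add one sentence inside the admonition, after "authentication failures.": `Create the file without a trailing newline, for example with printf '%s' rather than echo.` The option declaration and the code that reads the file lie outside this hunk, so whether a trailing newline could instead be detected and reported at activation time cannot be judged from here; if it can, an explicit error would be easier to diagnose than a failed LDAP bind.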