Allow TLSv1 for compatibility with older devices

(cherry picked from commit 1415623586)

docs/migrations.rst

@@ -42,7 +42,7 @@ For remediating this issue the following steps are required:
 
    .. code-block:: bash
 
-      wget https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/raw/master/migrations/nixos-mailserver-migration-03.py
+      wcurl https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/raw/master/migrations/nixos-mailserver-migration-03.py
       chmod +x nixos-mailserver-migration-03.py
 
 2. Stop the ``dovecot2.service``.
@@ -59,13 +59,16 @@ For remediating this issue the following steps are required:
    - ``--layout default`` unless ``useFSLayout`` is enabled, then ``--layout folder``
    - The value of ``mailserver.mailDirectory``, which defaults to ``/var/vmail``
 
+   The script should be run under the user who owns the ``mailDirectory``.
+   If run as root it will try to switch into the appropriate user by itself.
+
    The script will not modify your data unless called with ``--execute``.
 
    Example:
 
    .. code-block:: bash
 
-      sudo -u virtualMail ./nixos-mailserver-migration-03.py --layout default /var/vmail
+      ./nixos-mailserver-migration-03.py --layout default /var/vmail
 
 5. Review the commands. They should be
 

flake.lock

@@ -79,16 +79,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1763553727,
-        "narHash": "sha256-4aRqRkYHplWk0mrtoF5i3Uo73E3niOWiUZU8kmPm9hQ=",
+        "lastModified": 1764020296,
+        "narHash": "sha256-6zddwDs2n+n01l+1TG6PlyokDdXzu/oBmEejcH5L5+A=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "094318ea16502a7a81ce90dd3638697020f030a2",
+        "rev": "a320ce8e6e2cc6b4397eef214d202a50a4583829",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-unstable-small",
+        "ref": "nixos-25.11-small",
         "repo": "nixpkgs",
         "type": "github"
       }

flake.nix

@@ -12,7 +12,7 @@
       inputs.flake-compat.follows = "flake-compat";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11-small";
     blobs = {
       url = "gitlab:simple-nixos-mailserver/blobs";
       flake = false;
@@ -33,7 +33,7 @@
       pkgs = nixpkgs.legacyPackages.${system};
       releases = [
         {
-          name = "unstable";
+          name = "nixos-25.11";
           nixpkgs = nixpkgs;
           pkgs = nixpkgs.legacyPackages.${system};
         }

mail-server/dovecot.nix

@@ -360,9 +360,9 @@ in
 
         # https://ssl-config.mozilla.org/#server=dovecot&version=2.3.21&config=intermediate&openssl=3.4.1&guideline=5.7
         ssl = required
-        ssl_min_protocol = TLSv1.2
+        ssl_min_protocol = TLSv1
         ssl_prefer_server_ciphers = no
-        ssl_curve_list = X25519:prime256v1:secp384r1
+        ssl_curve_list = X25519MLKEM768:X25519:prime256v1:secp384r1
 
         service lmtp {
           unix_listener dovecot-lmtp {

mail-server/postfix.nix

@@ -375,8 +375,8 @@ in
         smtpd_tls_auth_only = true;
 
         # TLS versions supported for the SMTP server
-        smtpd_tls_protocols = ">=TLSv1.2";
-        smtpd_tls_mandatory_protocols = ">=TLSv1.2";
+        smtpd_tls_protocols = ">=TLSv1";
+        smtpd_tls_mandatory_protocols = ">=TLSv1";
 
         # Require ciphersuites that OpenSSL classifies as "High"
         smtpd_tls_ciphers = "high";

migrations/nixos-mailserver-migration-03.py

@@ -113,6 +113,10 @@ def main(vmail_root: Path, layout: FolderLayout, dry_run: bool = True):
     for path in maybe_delete:
         print(f"# rm {str(path)}")
 
+    if dry_run:
+        print("\nNo changes were made.")
+        print("Run the script with `--execute` to apply the listed changes.")
+
 
 if __name__ == "__main__":
     parser = argparse.ArgumentParser(