simple-nixos-mailserver/docs/release-notes.rst

Release Notes
=============

NixOS 26.05
-----------

Features
^^^^^^^^

- :ref:`DKIM key management <dkim>` now supports multiple selectors per domain,
  enabling :ref:`key rotation <dkim-key-rotation>`. Pre-created key material is
  also supported. Existing automatically generated DKIM keys from before 25.11
  use 1024-bit RSA and should be rotated. See :option:`mailserver.dkim.domains`.

- Certificate handling was simplified. We recommend using the NixOS
  ACME module (``security.acme.certs``) and referencing a certificate
  configuration by name. Alternatively, certificate and private key can be
  managed manually. Configure either :option:`mailserver.x509.useACMEHost`
  or :option:`mailserver.x509.certificateFile` and
  :option:`mailserver.x509.privateKeyFile`. See the updated :ref:`setup guide
  <setup-guide>` for a basic ACME HTTP-01 example.

- Local mail accounts can now use managed cleartext passwords. This integrates
  well with secret management tools such as `agenix`_ and `sops-nix`_ while
  avoiding password leakage into the world-readable Nix store. See
  :option:`mailserver.accounts.<name>.passwordFile`.

- Blocked sender responses can now be customized. This is useful if you require GDPR
  compliance. See :option:`mailserver.rejectSenderMessage`.

Security
^^^^^^^^

- TLSv1.2 cipher suites in Postfix now require `AEAD`_ and `ECDHE`_.

- Postfix and Dovecot now support negotiation of the ``SecP256r1MLKEM768``
  key agreement mechanism. The `standardization process
  <https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/>`__ is ongoing.

- Deprecated and obsolete TLS signature algorithms were removed from Postfix.

Sieve
^^^^^

- **Migration**: When ManageSieve is enabled, user-created Sieve scripts must
  be migrated into their Dovecot home directory. See the :ref:`migration guide
  <migration-5>`.

LDAP
^^^^

- **Migration**: Dovecot home directories for LDAP users must be migrated to
  UUID-based directory names. The UUID attribute can be customized through
  :option:`mailserver.ldap.attributes.uuid`. See the :ref:`migration guide
  <migration-4>`.

- The LDAP configuration has been revamped. Option names have been simplified,
  examples and documentation improved. The :ref:`LDAP documentation <ldap-top>`
  was written from the ground up.

- The default LDAP login attribute changed from ``mail`` to ``uid``.
  This allows users to login with their account name rather than
  their email address, which is more convenient and consistent with
  typical LDAP practices. The exact attribute can be customized through
  :option:`mailserver.ldap.attributes.username`.

- Local and LDAP accounts can now coexist. For overlapping accounts and addresses
  the local account will always win.


Internals
^^^^^^^^^

- Dovecot has been updated from 2.3 to 2.4 and now relies on the structured settings option.

Deprecations
^^^^^^^^^^^^

The following integrations are deprecated and will be removed before the next
release:

- :option:`mailserver.borgbackup.enable`
- :option:`mailserver.backup.enable`
- :option:`mailserver.monitoring.enable`

.. _key rotation: dkim.html#dkim-key-rotation
.. _agenix: https://github.com/ryantm/agenix
.. _sops-nix: https://github.com/Mic92/sops-nix
.. _AEAD: https://en.wikipedia.org/wiki/Authenticated_encryption
.. _ECDHE: https://www.rfc-editor.org/rfc/rfc8422

NixOS 25.11
-----------

- The ``systemName`` and ``systemDomain`` options have been introduced to have
  reusable configurations for automated reports (DMARC, TLSRPT). They come with
  reasonable defaults, but it is suggested to check and change them as needed.
- Support for the `Sender Rewriting Scheme`_ has been added, which allows
  forwarding mail without breaking SPF by rewriting the envelope address.
- The default key length for new DKIM RSA keys was increased to 2048 bits as
  recommended in `RFC 8301 3.2`_.
  We recommend rotating existing keys, as the RFC advises that signatures from
  1024 bit keys should not be considered valid any longer.
- IMAP access over port ``143/tcp`` is now default disabled in line
  with `RFC 8314 4.1`_. Use IMAP over implicit TLS on port ``993/tcp``
  instead. If you still require this feature you can re-enable it using
  ``mailserver.enableImap``, but it is scheduled for removal after the 25.11
  release.
- SMTP server and client now support and prefer a hybrid key exchange
  (X25519MLKEM768)
- SMTP access over STARTTLS on port ``587/tcp`` is now default disabled in line
  with `RFC 8314 3.3`_. If you still require this feature you can re-enable it
  using ``mailserver.enableSubmission``.
- DMARC reports are now sent with the ``noreply-dmarc`` localpart from the
  system domain.
- DANE and MTA-STS are now validated for outgoing SMTP connections using
  `postfix-tlspol`_.
- SMTP TLS connection reports (`RFC 8460`_) are now supported using
  `tlsrpt-reporter`_. They can be enabled with the ``mailserver.tlsrpt.enable``
  option.

.. _Sender Rewriting Scheme: srs.html
.. _RFC 8301 3.2: https://www.rfc-editor.org/rfc/rfc8301#section-3.2
.. _RFC 8314 3.3: https://www.rfc-editor.org/rfc/rfc8314#section-3.3
.. _RFC 8314 4.1: https://www.rfc-editor.org/rfc/rfc8314#section-4.1
.. _RFC 8460: https://www.rfc-editor.org/rfc/rfc8460
.. _postfix-tlspol: https://github.com/Zuplu/postfix-tlspol
.. _tlsrpt-reporter: https://github.com/sys4/tlsrpt-reporter

NixOS 25.05
-----------

- OpenDKIM has been removed and DKIM signing is now handled by Rspamd, which only supports ``relaxed`` canoncalizaliaton.
  (`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/374>`__)
- Rspamd now connects to Redis over its Unix Domain Socket by default
  (`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/375>`__)

  - If you need to revert TCP connections, configure ``mailserver.redis.address`` to reference the value of ``config.services.redis.servers.rspamd.bind``.
- The integration with policyd-spf was removed and SPF handling is now fully based on Rspamd scoring.
  (`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/380>`__)
- Switch to the more efficient `fts-flatcurve` indexer for full text search
  (`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/361>`__).

  This makes use of a new index, which will be automatically re-generated the
  next time a folder is searched.
  The operation is now quick enough to be performed "just-in-time".
  Alternatively, all indices can be immediately re-generated for all users and
  folders by running

  .. code-block:: bash

    doveadm fts rescan -u '*' && doveadm index -u '*' -q '*'

  The previous index (which is not automatically discarded to allow rollbacks)
  can be cleaned up by removing all the `xapian-indexes` directories within
  ``mailserver.indexDir``.
- Individual domains can now be excluded from DMARC Reporting through ``mailserver.dmarcReporting.excludedDomains``.
  (`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/297>`__)
- Configuring ``mailserver.forwards`` is now possible when the setup relies on LDAP.
  (`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/313>`__)
- Support for TLS 1.1 was disabled in accordance with `Mozilla's recommendations <https://ssl-config.mozilla.org/#server=postfix>`_.
  (`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/234>`__)

NixOS 24.11
-----------

- No new feature, only bug fixes and documentation improvements

NixOS 24.05
-----------

- Add new option ``acmeCertificateName`` which can be used to support
  wildcard certificates

NixOS 23.11
-----------

- Add basic support for LDAP users
- Add support for regex (PCRE) aliases

NixOS 23.05
-----------

- Existing ACME certificates can be reused without configuring NGINX
- Certificate scheme is no longer a number, but a meaningful string instead

NixOS 22.11
-----------

- Allow Rspamd to send DMARC reporting
  (`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/244>`__)

NixOS 22.05
-----------

- Make NixOS Mailserver options discoverable from search.nixos.org
- Add a roundcube setup guide in the documentation

NixOS 21.11
-----------

- Switch default DKIM body policy from simple to relaxed
  (`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/247>`__)
- Ensure locally-delivered mails have the X-Original-To header
  (`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/243>`__)
- NixOS Mailserver options are detailed in the `documentation
  <https://nixos-mailserver.readthedocs.io/en/latest/options.html>`__
- New options ``dkimBodyCanonicalization`` and
  ``dkimHeaderCanonicalization``
- New option ``certificateDomains`` to generate certificate for
  additional domains (such as ``imap.example.com``)

NixOS 21.05
-----------

- New `fullTextSearch` option to search in messages (based on Xapian)
  (`Merge Request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/212>`__)
- Flake support
  (`Merge Request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/200>`__)
- New `openFirewall` option defaulting to `true`
- We moved from Freenode to Libera Chat

NixOS 20.09
-----------

- IMAP and Submission with TLS wrapped-mode are now enabled by default
  on ports 993 and 465 respectively
- OpenDKIM is now sandboxed with Systemd
- New `forwards` option to forwards emails to external addresses
  (`Merge Request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/193>`__)
- New `sendingFqdn` option to specify the fqdn of the machine sending
  email (`Merge Request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/187>`__)
- Move the Gitlab wiki to `ReadTheDocs
  <https://nixos-mailserver.readthedocs.io/en/latest/>`_