mailsystem: {dovecot,postfix}: Update allowed protocols/ciphers

Take from simple-nixos-mailserver.
2025-12-28 19:02:21 +01:00 · 2025-12-28 19:02:21 +01:00 · 0fb4242c3b
commit 0fb4242c3b
parent 6b1f987f82
2 changed files with 45 additions and 4 deletions
--- a/mailsystem/dovecot.nix
+++ b/mailsystem/dovecot.nix
@ -204,7 +204,20 @@ in {
        mail_access_groups = ${cfg.vmailGroupName}
        ssl = required
        ssl_min_protocol = TLSv1.2
-        ssl_prefer_server_ciphers = yes
+        ssl_prefer_server_ciphers = no
+        ssl_cipher_list = ${
+          lib.concatStringsSep ":" [
+            # TLS1.3
+            "TLS_AES_128_GCM_SHA256"
+            "TLS_CHACHA20_POLY1305_SHA256"
+            "TLS_AES_256_GCM_SHA384"
+            # TLS1.2
+            "ECDHE-ECDSA-AES128-GCM-SHA256"
+            "ECDHE-ECDSA-CHACHA20-POLY1305"
+            "ECDHE-ECDSA-AES256-GCM-SHA384"
+          ]
+        }
+        ssl_curve_list = X25519MLKEM768:X25519:prime256v1:secp384r1

        service lmtp {
          unix_listener dovecot-lmtp {