mailsystem: {dovecot,postfix}: Update allowed protocols/ciphers

Take from simple-nixos-mailserver.
2025-12-28 19:02:21 +01:00 · 2025-12-28 19:02:21 +01:00 · 0fb4242c3b
commit 0fb4242c3b
parent 6b1f987f82
2 changed files with 45 additions and 4 deletions
--- a/mailsystem/postfix.nix
+++ b/mailsystem/postfix.nix
@ -44,8 +44,8 @@ with (import ./common.nix {inherit config pkgs;}); let
    /^Message-ID:\s+<(.*?)@.*?>/ REPLACE Message-ID: <$1@${cfg.fqdn}>
  '';

-  tls_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
-  tls_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
+  tls_protocols = ">=TLSv1.2";
+  tls_exclude_ciphers = "SHA1, eNULL, aNULL";
 in {
  config = lib.mkIf cfg.enable {
    assertions = let
@ -141,7 +141,35 @@ in {
        smtp_tls_mandatory_exclude_ciphers = tls_exclude_ciphers;
        smtp_tls_exclude_ciphers = tls_exclude_ciphers;

-        tls_preempt_cipherlist = true;
+        # As long as all cipher suites are considered safe, let the client use its preferred cipher
+        tls_preempt_cipherlist = false;
+
+        # Restrict and prioritize the following curves in the given order
+        # Excludes curves that have no widespread support, so we don't bloat the handshake needlessly.
+        # https://www.postfix.org/postconf.5.html#tls_eecdh_auto_curves
+        tls_config_file = let
+          mkGroupString = groups: lib.concatStringsSep " / " (map (lib.concatStringsSep ":") groups);
+        in
+          (pkgs.formats.iniWithGlobalSection {}).generate "postfix-openssl.cnf" {
+            globalSection.postfix = "postfix_settings";
+            sections = {
+              postfix_settings.ssl_conf = "postfix_ssl_settings";
+              postfix_ssl_settings.system_default = "baseline_postfix_settings";
+              baseline_postfix_settings.Groups = mkGroupString [
+                ["*X25519MLKEM768"]
+                ["*X25519"]
+                [
+                  "P-256"
+                  "P-384"
+                ]
+              ];
+            };
+          };
+        tls_config_name = "postfix";
+
+        # Algorithm selection happens through `tls_config_file` instead.
+        tls_eecdh_auto_curves = [];
+        tls_ffdhe_auto_groups = [];

        # Allowing AUTH on a non-encrypted connection poses a security risk
        smtpd_tls_auth_only = true;