preisi/mailnix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

mailsystem: {dovecot,postfix}: Update allowed protocols/ciphers

Browse source 
Take from simple-nixos-mailserver.
This commit is contained in:
Thomas Preisner 2025-12-28 19:02:21 +01:00
parent 6b1f987f82
commit 0fb4242c3b
2 changed files with 45 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

15
mailsystem/dovecot.nix
View file

@ -204,7 +204,20 @@ in {
mail_access_groups = ${cfg.vmailGroupName} mail_access_groups = ${cfg.vmailGroupName}
ssl = required ssl = required
ssl_min_protocol = TLSv1.2 ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes ssl_prefer_server_ciphers = no
ssl_cipher_list = ${
lib.concatStringsSep ":" [
# TLS1.3
"TLS_AES_128_GCM_SHA256"
"TLS_CHACHA20_POLY1305_SHA256"
"TLS_AES_256_GCM_SHA384"
# TLS1.2
"ECDHE-ECDSA-AES128-GCM-SHA256"
"ECDHE-ECDSA-CHACHA20-POLY1305"
"ECDHE-ECDSA-AES256-GCM-SHA384"
]
}
ssl_curve_list = X25519MLKEM768:X25519:prime256v1:secp384r1
service lmtp { service lmtp {
unix_listener dovecot-lmtp { unix_listener dovecot-lmtp {

34
mailsystem/postfix.nix
View file

@ -44,8 +44,8 @@ with (import ./common.nix {inherit config pkgs;}); let
/^Message-ID:\s+<(.*?)@.*?>/ REPLACE Message-ID: <$1@${cfg.fqdn}> /^Message-ID:\s+<(.*?)@.*?>/ REPLACE Message-ID: <$1@${cfg.fqdn}>
''; '';
tls_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3"; tls_protocols = ">=TLSv1.2";
tls_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL"; tls_exclude_ciphers = "SHA1, eNULL, aNULL";
in { in {
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
assertions = let assertions = let
@ -141,7 +141,35 @@ in {
smtp_tls_mandatory_exclude_ciphers = tls_exclude_ciphers; smtp_tls_mandatory_exclude_ciphers = tls_exclude_ciphers;
smtp_tls_exclude_ciphers = tls_exclude_ciphers; smtp_tls_exclude_ciphers = tls_exclude_ciphers;
tls_preempt_cipherlist = true; # As long as all cipher suites are considered safe, let the client use its preferred cipher
tls_preempt_cipherlist = false;
# Restrict and prioritize the following curves in the given order
# Excludes curves that have no widespread support, so we don't bloat the handshake needlessly.
# https://www.postfix.org/postconf.5.html#tls_eecdh_auto_curves
tls_config_file = let
mkGroupString = groups: lib.concatStringsSep " / " (map (lib.concatStringsSep ":") groups);
in
(pkgs.formats.iniWithGlobalSection {}).generate "postfix-openssl.cnf" {
globalSection.postfix = "postfix_settings";
sections = {
postfix_settings.ssl_conf = "postfix_ssl_settings";
postfix_ssl_settings.system_default = "baseline_postfix_settings";
baseline_postfix_settings.Groups = mkGroupString [
["*X25519MLKEM768"]
["*X25519"]
[
"P-256"
"P-384"
]
];
};
};
tls_config_name = "postfix";
# Algorithm selection happens through `tls_config_file` instead.
tls_eecdh_auto_curves = [];
tls_ffdhe_auto_groups = [];
# Allowing AUTH on a non-encrypted connection poses a security risk # Allowing AUTH on a non-encrypted connection poses a security risk
smtpd_tls_auth_only = true; smtpd_tls_auth_only = true;