From 28a7bed3b99484e936125ba7a27c229f4f15bd1c Mon Sep 17 00:00:00 2001 From: Dominik Polakovics Date: Mon, 1 Dec 2025 22:24:57 +0100 Subject: [PATCH] feat(mail): update to 25.11 with TLS hardening - Upgrade NixOS channel from 25.05 to 25.11 - Fix dovecot systemd service rename (dovecot2 -> dovecot) - Convert postfix numeric settings to integers (25.11 requirement) - Remove insecure 512-bit DH params, fix 2048-bit DH params - Update postfix ciphers to modern ECDHE/DHE+AESGCM/CHACHA20 - Require TLS 1.2 minimum for OpenLDAP - Remove weak ciphers (3DES, RC4, aNULL) from OpenLDAP --- hosts/mail/channel | 2 +- hosts/mail/modules/dovecot.nix | 6 +++--- hosts/mail/modules/openldap.nix | 4 ++-- hosts/mail/modules/postfix.nix | 14 ++++++-------- hosts/mail/modules/rspamd.nix | 2 +- 5 files changed, 13 insertions(+), 15 deletions(-) diff --git a/hosts/mail/channel b/hosts/mail/channel index 93f5df5..57f31e7 100644 --- a/hosts/mail/channel +++ b/hosts/mail/channel @@ -1 +1 @@ -https://channels.nixos.org/nixos-25.05 +https://channels.nixos.org/nixos-25.11 diff --git a/hosts/mail/modules/dovecot.nix b/hosts/mail/modules/dovecot.nix index b7f25bd..252e015 100644 --- a/hosts/mail/modules/dovecot.nix +++ b/hosts/mail/modules/dovecot.nix @@ -240,11 +240,11 @@ in sops.secrets.dovecot-ldap-password = { }; - systemd.services.dovecot2.preStart = '' + systemd.services.dovecot.preStart = '' sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${ldapConfig} > /run/dovecot2/ldap.conf ''; - systemd.services.dovecot2 = { + systemd.services.dovecot = { wants = [ "acme-imap.${domain}.service" ]; after = [ "acme-imap.${domain}.service" ]; }; @@ -257,7 +257,7 @@ in "imap-test.${domain}" "imap-02.${domain}" ]; - postRun = "systemctl --no-block restart dovecot2.service"; + postRun = "systemctl --no-block restart dovecot.service"; }; networking.firewall.allowedTCPPorts = [ 
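Review bot: In the renamed `systemd.services.dovecot.preStart`, the secret is still spliced into a sed expression via `$(cat …)`, so a password containing `/`, `&`, `\` or a newline silently yields a malformed `/run/dovecot2/ldap.conf` (LDAP auth then fails in a way that is hard to attribute), and the secret transiently appears in sed's argument list. A form that keeps the secret out of the command line is `install -m 0600 ${ldapConfig} /run/dovecot2/ldap.conf` followed by `${pkgs.replace-secret}/bin/replace-secret '@ldap-password@' ${config.sops.secrets.dovecot-ldap-password.path} /run/dovecot2/ldap.conf` (this needs `pkgs` among the module arguments, which are outside the hunk). The output path still says `/run/dovecot2` while the unit is now `dovecot`; if the 25.11 module also moved its runtime/base directory, this write would fail or land where the daemon no longer looks, so that path is worth confirming. The same unit rename appears in the rspamd.nix hunk, where the preStart only touches /var/lib/dovecot/sieve.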
diff --git a/hosts/mail/modules/openldap.nix b/hosts/mail/modules/openldap.nix index 81e63e1..2a22cbb 100644 --- a/hosts/mail/modules/openldap.nix +++ b/hosts/mail/modules/openldap.nix @@ -17,10 +17,10 @@ in { olcTLSCACertificateFile = "/var/lib/acme/ldap.${domain}/full.pem"; olcTLSCertificateFile = "/var/lib/acme/ldap.${domain}/cert.pem"; olcTLSCertificateKeyFile = "/var/lib/acme/ldap.${domain}/key.pem"; - olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL"; + olcTLSCipherSuite = "HIGH:!aNULL:!MD5:!3DES:!RC4"; olcTLSCRLCheck = "none"; olcTLSVerifyClient = "never"; - olcTLSProtocolMin = "3.1"; + olcTLSProtocolMin = "3.3"; olcSecurity = "tls=1"; }; diff --git a/hosts/mail/modules/postfix.nix b/hosts/mail/modules/postfix.nix index 9226b99..ac71d35 100644 --- a/hosts/mail/modules/postfix.nix +++ b/hosts/mail/modules/postfix.nix @@ -128,16 +128,16 @@ in compatibility_level = "2"; # bigger attachement size - mailbox_size_limit = "202400000"; - message_size_limit = "51200000"; + mailbox_size_limit = 202400000; + message_size_limit = 51200000; smtpd_helo_required = "yes"; smtpd_delay_reject = "yes"; strict_rfc821_envelopes = "yes"; # send Limit smtpd_error_sleep_time = "1s"; - smtpd_soft_error_limit = "10"; - smtpd_hard_error_limit = "20"; + smtpd_soft_error_limit = 10; + smtpd_hard_error_limit = 20; smtpd_use_tls = "yes"; smtp_tls_note_starttls_offer = "yes"; 
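Review bot: `olcTLSCipherSuite = "HIGH:!aNULL:!MD5:!3DES:!RC4"` still admits static-RSA key exchange (for example AES256-GCM-SHA384 with RSA kx), so this slapd list is weaker than the forward-secrecy-only list the same commit gives Postfix; if parity is the goal, add `!kRSA` or name the ECDHE/DHE groups explicitly, e.g. `olcTLSCipherSuite = "HIGH:!aNULL:!kRSA:!MD5:!3DES:!RC4";`. In current OpenSSL `HIGH` already excludes RC4, 3DES and MD5, so those tokens document intent rather than change the effective set. The string is OpenSSL cipher-list syntax and only has that meaning if this slapd is linked against OpenSSL rather than GnuTLS, which is worth confirming for the nixpkgs build and recording beside it, e.g. `# OpenSSL cipher-list syntax; olcTLSProtocolMin 3.3 = TLS 1.2`.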
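Review bot: The hunk keeps `smtpd_use_tls = "yes"` next to the newly integer-typed limits; that parameter has been superseded by `smtpd_tls_security_level` since Postfix 2.3 and newer releases warn about it as obsolete, so unless `smtpd_tls_security_level` is set elsewhere in this attribute set (not visible in the hunk) the TLS posture rests on a legacy knob. Setting `smtpd_tls_security_level = "may";` explicitly (and `smtp_tls_security_level` for the client side) makes the intended behaviour readable and avoids the warning. A small consistency point: `compatibility_level = "2"` stays a string while the other numeric settings became integers; that is valid, but a comment explaining the exception (dotted levels such as `3.6` need a string) would save the next reader a question.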
@@ -151,14 +151,13 @@ in smtpd_tls_key_file = "/var/lib/acme/mail.cloonar.com/key.pem"; smtpd_tls_CAfile = "/var/lib/acme/mail.cloonar.com/fullchain.pem"; - smtpd_tls_dh512_param_file = config.security.dhparams.params.postfix512.path; smtpd_tls_dh1024_param_file = config.security.dhparams.params.postfix2048.path; smtpd_tls_session_cache_database = ''btree:''${data_directory}/smtpd_scache''; smtpd_tls_mandatory_protocols = "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1"; smtpd_tls_protocols = "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1"; smtpd_tls_mandatory_ciphers = "medium"; - tls_medium_cipherlist = "AES128+EECDH:AES128+EDH"; + tls_medium_cipherlist = "ECDHE+AESGCM:DHE+AESGCM:ECDHE+CHACHA20:DHE+CHACHA20"; # authentication smtpd_sasl_auth_enable = "yes"; @@ -225,8 +224,7 @@ in security.dhparams = { enable = true; - params.postfix512.bits = 512; - params.postfix2048.bits = 1024; + params.postfix2048.bits = 2048; }; security.acme.certs."mail.${domain}" = { diff --git a/hosts/mail/modules/rspamd.nix b/hosts/mail/modules/rspamd.nix index abab1e2..becc93b 100644 --- a/hosts/mail/modules/rspamd.nix +++ b/hosts/mail/modules/rspamd.nix @@ -119,7 +119,7 @@ in # systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "redis-rspamd" ]; - systemd.services.dovecot2.preStart = '' + systemd.services.dovecot.preStart = '' mkdir -p /var/lib/dovecot/sieve/ for i in ${sieve-spam-filter}/share/sieve-rspamd-filter/*.sieve; do dest="/var/lib/dovecot/sieve/$(basename $i)"
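Review bot: `tls_medium_cipherlist = "ECDHE+AESGCM:DHE+AESGCM:ECDHE+CHACHA20:DHE+CHACHA20"` rewrites the `medium` grade, which Postfix also applies to opportunistic inbound TLS through the default `smtpd_tls_ciphers = medium`; a legacy sender that cannot negotiate one of these suites falls back to cleartext rather than failing, which is the opposite of hardening for that path, and the Postfix TLS_README advises against narrowing ciphers at the `may` level for this reason. Keeping the tightened list only where TLS is mandatory avoids that: `smtpd_tls_mandatory_ciphers = "high";` plus `tls_high_cipherlist = "ECDHE+AESGCM:DHE+AESGCM:ECDHE+CHACHA20:DHE+CHACHA20:!aNULL";`, leaving `tls_medium_cipherlist` at its default. In OpenSSL syntax `DHE`/`ECDHE` also match anonymous (ADH/AECDH) suites, so the `!aNULL` suffix matters wherever the server's identity must be authenticated, e.g. during SASL AUTH. `smtpd_tls_dh1024_param_file` pointing at a 2048-bit file is correct, since Postfix uses that parameter for its non-export DH group regardless of the name, and a comment saying so would pre-empt the obvious question.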
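Review bot: The `security.dhparams` block now generates only a 2048-bit group for `params.postfix2048`, which is the right size, but recent Postfix releases ship a built-in 2048-bit DH group (the RFC 7919 ffdhe2048 group in newer versions) when `smtpd_tls_dh1024_param_file` is left empty, so the generation step may be redundant; worth confirming against the Postfix version shipped in 25.11 before keeping it. If the custom file stays, a comment such as `# 2048-bit group; Postfix's dh1024 parameter name is historical` beside the `bits` line would document why the attribute name and the size differ. The `security.dhparams` attribute set is fully inside the hunk, but the surrounding module continues outside it.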