feat(mail): update to 25.11 with TLS hardening

- Upgrade NixOS channel from 25.05 to 25.11 - Fix dovecot systemd service rename (dovecot2 -> dovecot) - Convert postfix numeric settings to integers (25.11 requirement) - Remove insecure 512-bit DH params, fix 2048-bit DH params - Update postfix ciphers to modern ECDHE/DHE+AESGCM/CHACHA20 - Require TLS 1.2 minimum for OpenLDAP - Remove weak ciphers (3DES, RC4, aNULL) from OpenLDAP
2025-12-01 22:24:57 +01:00
parent 170becceb0
commit 28a7bed3b9
5 changed files with 13 additions and 15 deletions
--- a/hosts/mail/modules/rspamd.nix
+++ b/hosts/mail/modules/rspamd.nix
@@ -119,7 +119,7 @@ in

  # systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "redis-rspamd" ];

-  systemd.services.dovecot2.preStart = ''
+  systemd.services.dovecot.preStart = ''
    mkdir -p /var/lib/dovecot/sieve/
    for i in ${sieve-spam-filter}/share/sieve-rspamd-filter/*.sieve; do
      dest="/var/lib/dovecot/sieve/$(basename $i)"