feat(mail): update to 25.11 with TLS hardening

- Upgrade NixOS channel from 25.05 to 25.11
- Fix dovecot systemd service rename (dovecot2 -> dovecot)
- Convert postfix numeric settings to integers (25.11 requirement)
- Remove insecure 512-bit DH params, fix 2048-bit DH params
- Update postfix ciphers to modern ECDHE/DHE+AESGCM/CHACHA20
- Require TLS 1.2 minimum for OpenLDAP
- Remove weak ciphers (3DES, RC4, aNULL) from OpenLDAP

hosts/mail/channel

@@ -1 +1 @@
-https://channels.nixos.org/nixos-25.05
+https://channels.nixos.org/nixos-25.11

hosts/mail/modules/dovecot.nix

@@ -240,11 +240,11 @@ in
 
   sops.secrets.dovecot-ldap-password = { };
 
-  systemd.services.dovecot2.preStart = ''
+  systemd.services.dovecot.preStart = ''
     sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${ldapConfig} > /run/dovecot2/ldap.conf
   '';
 
-  systemd.services.dovecot2 = {
+  systemd.services.dovecot = {
     wants = [ "acme-imap.${domain}.service" ];
     after = [ "acme-imap.${domain}.service" ];
   };
@@ -257,7 +257,7 @@ in
       "imap-test.${domain}"
       "imap-02.${domain}"
     ];
-    postRun = "systemctl --no-block restart dovecot2.service";
+    postRun = "systemctl --no-block restart dovecot.service";
   };
 
   networking.firewall.allowedTCPPorts = [

hosts/mail/modules/openldap.nix

@@ -17,10 +17,10 @@ in {
       olcTLSCACertificateFile = "/var/lib/acme/ldap.${domain}/full.pem";
       olcTLSCertificateFile = "/var/lib/acme/ldap.${domain}/cert.pem";
       olcTLSCertificateKeyFile = "/var/lib/acme/ldap.${domain}/key.pem";
-      olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
+      olcTLSCipherSuite = "HIGH:!aNULL:!MD5:!3DES:!RC4";
       olcTLSCRLCheck = "none";
       olcTLSVerifyClient = "never";
-      olcTLSProtocolMin = "3.1";
+      olcTLSProtocolMin = "3.3";
       olcSecurity = "tls=1";
     };
 

hosts/mail/modules/postfix.nix

@@ -128,16 +128,16 @@ in
       compatibility_level = "2";
 
       # bigger attachement size
-      mailbox_size_limit = "202400000";
+      mailbox_size_limit = 202400000;
-      message_size_limit = "51200000";
+      message_size_limit = 51200000;
       smtpd_helo_required = "yes";
       smtpd_delay_reject = "yes";
       strict_rfc821_envelopes = "yes";
 
       # send Limit
       smtpd_error_sleep_time = "1s";
-      smtpd_soft_error_limit = "10";
+      smtpd_soft_error_limit = 10;
-      smtpd_hard_error_limit = "20";
+      smtpd_hard_error_limit = 20;
 
       smtpd_use_tls = "yes";
       smtp_tls_note_starttls_offer = "yes";
@@ -151,14 +151,13 @@ in
       smtpd_tls_key_file = "/var/lib/acme/mail.cloonar.com/key.pem";
       smtpd_tls_CAfile = "/var/lib/acme/mail.cloonar.com/fullchain.pem";
 
-      smtpd_tls_dh512_param_file = config.security.dhparams.params.postfix512.path;
       smtpd_tls_dh1024_param_file = config.security.dhparams.params.postfix2048.path;
 
       smtpd_tls_session_cache_database = ''btree:''${data_directory}/smtpd_scache'';
       smtpd_tls_mandatory_protocols = "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1";
       smtpd_tls_protocols = "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1";
       smtpd_tls_mandatory_ciphers = "medium";
-      tls_medium_cipherlist = "AES128+EECDH:AES128+EDH";
+      tls_medium_cipherlist = "ECDHE+AESGCM:DHE+AESGCM:ECDHE+CHACHA20:DHE+CHACHA20";
 
       # authentication
       smtpd_sasl_auth_enable = "yes";
@@ -225,8 +224,7 @@ in
 
   security.dhparams = {
     enable = true;
-    params.postfix512.bits = 512;
+    params.postfix2048.bits = 2048;
-    params.postfix2048.bits = 1024;
   };
 
   security.acme.certs."mail.${domain}" = {

hosts/mail/modules/rspamd.nix

@@ -119,7 +119,7 @@ in
 
   # systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "redis-rspamd" ];
 
-  systemd.services.dovecot2.preStart = ''
+  systemd.services.dovecot.preStart = ''
     mkdir -p /var/lib/dovecot/sieve/
     for i in ${sieve-spam-filter}/share/sieve-rspamd-filter/*.sieve; do
       dest="/var/lib/dovecot/sieve/$(basename $i)"