Release Notes
=============

NixOS 26.05
-----------

- Certificate handling was simplified. We recommend setting
  :option:`mailserver.x509.useACMEHost` to a ``security.acme.certs``
  configuration. If that does not fit your requirements, configure certificate
  and private key using :option:`mailserver.x509.certificateFile` and
  :option:`mailserver.x509.privateKeyFile` instead. Support for automatic
  creation of self-signed certificates has been removed.

NixOS 25.11
-----------

- The ``systemName`` and ``systemDomain`` options have been introduced to have
  reusable configurations for automated reports (DMARC, TLSRPT). They come with
  reasonable defaults, but it is suggested to check and change them as needed.
- Support for the `Sender Rewriting Scheme`_ has been added, which allows
  forwarding mail without breaking SPF by rewriting the envelope address.
- The default key length for new DKIM RSA keys was increased to 2048 bits as
  recommended in `RFC 8301 3.2`_. We recommend rotating existing keys, as the
  RFC advises that signatures from 1024-bit keys should not be considered valid
  any longer.
- IMAP access over port ``143/tcp`` is now disabled by default in line with
  `RFC 8314 4.1`_. Use IMAP over implicit TLS on port ``993/tcp`` instead.
  If you still require this feature you can re-enable it using
  ``mailserver.enableImap``, but it is scheduled for removal after the 25.11
  release.
- SMTP server and client now support and prefer a hybrid key exchange
  (X25519MLKEM768).
- SMTP access over STARTTLS on port ``587/tcp`` is now disabled by default in
  line with `RFC 8314 3.3`_. If you still require this feature you can
  re-enable it using ``mailserver.enableSubmission``.
- DMARC reports are now sent with the ``noreply-dmarc`` localpart from the
  system domain.
- DANE and MTA-STS are now validated for outgoing SMTP connections using
  `postfix-tlspol`_.
- SMTP TLS connection reports (`RFC 8460`_) are now supported using
  `tlsrpt-reporter`_. They can be enabled with the
  ``mailserver.tlsrpt.enable`` option.

.. _Sender Rewriting Scheme: srs.html
.. _RFC 8301 3.2: https://www.rfc-editor.org/rfc/rfc8301#section-3.2
.. _RFC 8314 3.3: https://www.rfc-editor.org/rfc/rfc8314#section-3.3
.. _RFC 8314 4.1: https://www.rfc-editor.org/rfc/rfc8314#section-4.1
.. _RFC 8460: https://www.rfc-editor.org/rfc/rfc8460
.. _postfix-tlspol: https://github.com/Zuplu/postfix-tlspol
.. _tlsrpt-reporter: https://github.com/sys4/tlsrpt-reporter

NixOS 25.05
-----------

- OpenDKIM has been removed and DKIM signing is now handled by Rspamd, which
  only supports ``relaxed`` canonicalization.
  (`merge request `__)
- Rspamd now connects to Redis over its Unix Domain Socket by default
  (`merge request `__)

  - If you need to revert to TCP connections, configure
    ``mailserver.redis.address`` to reference the value of
    ``config.services.redis.servers.rspamd.bind``.
- The integration with policyd-spf was removed and SPF handling is now fully
  based on Rspamd scoring.
  (`merge request `__)
- Switch to the more efficient ``fts-flatcurve`` indexer for full text search
  (`merge request `__).
  This makes use of a new index, which will be automatically re-generated the
  next time a folder is searched. The operation is now quick enough to be
  performed "just-in-time". Alternatively, all indices can be immediately
  re-generated for all users and folders by running

  .. code-block:: bash

    doveadm fts rescan -u '*' && doveadm index -u '*' -q '*'

  The previous index (which is not automatically discarded to allow rollbacks)
  can be cleaned up by removing all the ``xapian-indexes`` directories within
  ``mailserver.indexDir``.
- Individual domains can now be excluded from DMARC Reporting through
  ``mailserver.dmarcReporting.excludedDomains``.
  (`merge request `__)
- Configuring ``mailserver.forwards`` is now possible when the setup relies on
  LDAP.
  (`merge request `__)
- Support for TLS 1.1 was disabled in accordance with
  `Mozilla's recommendations `_.
  (`merge request `__)

NixOS 24.11
-----------

- No new feature, only bug fixes and documentation improvements

NixOS 24.05
-----------

- Add new option ``acmeCertificateName`` which can be used to support wildcard
  certificates

NixOS 23.11
-----------

- Add basic support for LDAP users
- Add support for regex (PCRE) aliases

NixOS 23.05
-----------

- Existing ACME certificates can be reused without configuring NGINX
- Certificate scheme is no longer a number, but a meaningful string instead

NixOS 22.11
-----------

- Allow Rspamd to send DMARC reporting
  (`merge request `__)

NixOS 22.05
-----------

- Make NixOS Mailserver options discoverable from search.nixos.org
- Add a roundcube setup guide in the documentation

NixOS 21.11
-----------

- Switch default DKIM body policy from simple to relaxed
  (`merge request `__)
- Ensure locally-delivered mails have the X-Original-To header
  (`merge request `__)
- NixOS Mailserver options are detailed in the `documentation `__
- New options ``dkimBodyCanonicalization`` and ``dkimHeaderCanonicalization``
- New option ``certificateDomains`` to generate certificate for additional
  domains (such as ``imap.example.com``)

NixOS 21.05
-----------

- New ``fullTextSearch`` option to search in messages (based on Xapian)
  (`Merge Request `__)
- Flake support
  (`Merge Request `__)
- New ``openFirewall`` option defaulting to ``true``
- We moved from Freenode to Libera Chat

NixOS 20.09
-----------

- IMAP and Submission with TLS wrapped-mode are now enabled by default on ports
  993 and 465 respectively
- OpenDKIM is now sandboxed with systemd
- New ``forwards`` option to forward emails to external addresses
  (`Merge Request `__)
- New ``sendingFqdn`` option to specify the FQDN of the machine sending email
  (`Merge Request `__)
- Move the GitLab wiki to `ReadTheDocs `_
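
For the DKIM key rotation advice in the NixOS 25.11 notes above: an added example, not part of NixOS Mailserver, that reads the RSA modulus size out of a published DKIM TXT record so that 1024-bit keys can be found and rotated. The function names are this example's own, the sample records are constructed (correct size, not usable keys), and fetching the TXT record from DNS is left out.

```python
import base64

def der_read(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def rsa_modulus_bits(der):
    """Modulus size of an RSA key (SubjectPublicKeyInfo or bare RSAPublicKey)."""
    tag, start, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    tag, s, e = der_read(der, start)
    if tag == 0x30:  # AlgorithmIdentifier first, so the key is in the BIT STRING after it
        _, s, _ = der_read(der, e)
        _, start, _ = der_read(der, s + 1)  # skip unused-bits byte, enter RSAPublicKey
        tag, s, e = der_read(der, start)
    if tag != 0x02:
        raise ValueError("modulus INTEGER not found")
    return int.from_bytes(der[s:e], "big").bit_length()

def dkim_key_bits(txt_record):
    """Bits of the RSA key in a DKIM TXT record; None for non-RSA or revoked keys."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        return None
    return rsa_modulus_bits(base64.b64decode(tags["p"]))

# Constructed samples: standard SPKI headers around a modulus of the right size.
_HDR = {1024: "30819f300d06092a864886f70d010101050003818d0030818902818100",
        2048: "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"}
def sample_record(bits):
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    spki = bytes.fromhex(_HDR[bits]) + modulus + bytes.fromhex("0203010001")
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

if __name__ == "__main__":
    for bits in (1024, 2048):
        size = dkim_key_bits(sample_record(bits))
        print(size, "rotate" if size < 2048 else "ok")
```
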