Release Notes
NixOS 26.05
Features
- DKIM key management now supports multiple selectors per domain, enabling key rotation. Pre-created key material is also supported. Existing automatically generated DKIM keys from before 25.11 use 1024-bit RSA and should be rotated. See `mailserver.dkim.domains`.
- Certificate handling was simplified. We recommend using the NixOS ACME module (`security.acme.certs`) and referencing a certificate configuration by name. Alternatively, the certificate and private key can be managed manually. Configure either `mailserver.x509.useACMEHost`, or `mailserver.x509.certificateFile` together with `mailserver.x509.privateKeyFile`. See the updated setup guide for a basic ACME HTTP-01 example.
- Local mail accounts can now use managed cleartext passwords. This integrates well with secret management tools such as agenix and sops-nix while avoiding password leakage into the world-readable Nix store. See `mailserver.accounts.<name>.passwordFile`.
- Blocked sender responses can now be customized. This is useful if you require GDPR compliance. See `mailserver.rejectSenderMessage`.
Security
- TLSv1.2 cipher suites in Postfix now require AEAD and ECDHE.
- Postfix and Dovecot now support negotiation of the `SecP256r1MLKEM768` key agreement mechanism. The standardization process is ongoing.
- Deprecated and obsolete TLS signature algorithms were removed from Postfix.
Sieve
- Migration: When ManageSieve is enabled, user-created Sieve scripts must be migrated into their Dovecot home directory. See the migration guide.
LDAP
- Migration: Dovecot home directories for LDAP users must be migrated to UUID-based directory names. The UUID attribute can be customized through `mailserver.ldap.attributes.uuid`. See the migration guide.
- The LDAP configuration has been revamped. Option names have been simplified, and examples and documentation have been improved. The LDAP documentation was written from the ground up.
- The default LDAP login attribute changed from `mail` to `uid`. This allows users to log in with their account name rather than their email address, which is more convenient and consistent with typical LDAP practices. The exact attribute can be customized through `mailserver.ldap.attributes.username`.
- The LDAP bind password is now read verbatim without trimming whitespace. Any trailing newline is now preserved and may cause authentication failures.
- Local and LDAP accounts can now coexist. For overlapping accounts and addresses the local account will always win.
Internals
- Dovecot has been updated from 2.3 to 2.4 and now relies on the structured settings option.
Deprecations
The following integrations are deprecated and will be removed before the next release:
- `mailserver.borgbackup.enable`
- `mailserver.backup.enable`
- `mailserver.monitoring.enable`
NixOS 25.11
- The `systemName` and `systemDomain` options have been introduced to provide reusable configuration for automated reports (DMARC, TLSRPT). They come with reasonable defaults, but it is suggested to check and change them as needed.
- Support for the Sender Rewriting Scheme has been added, which allows forwarding mail without breaking SPF by rewriting the envelope address.
- The default key length for new DKIM RSA keys was increased to 2048 bits as recommended in RFC 8301 3.2. We recommend rotating existing keys, as the RFC advises that signatures from 1024-bit keys should not be considered valid any longer.
- IMAP access over port `143/tcp` is now disabled by default in line with RFC 8314 4.1. Use IMAP over implicit TLS on port `993/tcp` instead. If you still require this feature you can re-enable it using `mailserver.enableImap`, but it is scheduled for removal after the 25.11 release.
- SMTP server and client now support and prefer a hybrid key exchange (X25519MLKEM768).
- SMTP access over STARTTLS on port `587/tcp` is now disabled by default in line with RFC 8314 3.3. If you still require this feature you can re-enable it using `mailserver.enableSubmission`.
- DMARC reports are now sent with the `noreply-dmarc` localpart from the system domain.
- DANE and MTA-STS are now validated for outgoing SMTP connections using postfix-tlspol.
- SMTP TLS connection reports (RFC 8460) are now supported using tlsrpt-reporter. They can be enabled with the `mailserver.tlsrpt.enable` option.
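The 25.11 and 26.05 notes above both recommend rotating 1024-bit DKIM keys. The following is an added example, not code from the project, that checks the RSA modulus size of a published DKIM TXT record using only the standard library; `constructed_record` is an assumed helper that builds a well-formed record around a synthetic modulus so the check can be exercised offline, and does not produce a usable key.

```python
import base64

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1, DER

def _tlv(tag, body):  # DER tag-length-value, short form or 1/2-byte long form
    n = len(body)
    hdr = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n]) if n < 0x100 else bytes([tag, 0x82, n >> 8, n & 0xFF])
    return hdr + body

def _read_tlv(buf, pos=0):  # -> (tag, body, position after this element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Modulus size of a DER SubjectPublicKeyInfo, or None if it is not an RSA key."""
    _, spki, _ = _read_tlv(spki_der)
    _, algid, pos = _read_tlv(spki)       # AlgorithmIdentifier SEQUENCE
    if not algid.startswith(RSA_OID):
        return None
    _, bitstr, _ = _read_tlv(spki, pos)   # BIT STRING wrapping RSAPublicKey
    _, rsakey, _ = _read_tlv(bitstr[1:])  # skip the unused-bits octet
    _, modulus, _ = _read_tlv(rsakey)     # INTEGER n comes before e
    return int.from_bytes(modulus, "big").bit_length()

def parse_dkim_record(txt):  # 'v=DKIM1; k=rsa; p=...' -> dict; p= may span DNS strings, so drop whitespace
    pairs = (part.partition("=") for part in txt.split(";"))
    return {k.strip(): "".join(v.split()) for k, sep, v in pairs if sep}

def dkim_key_bits(txt):
    tags = parse_dkim_record(txt)
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        return None                       # ed25519 key, or a revoked selector (empty p=)
    return rsa_modulus_bits(base64.b64decode(tags["p"]))

def needs_rotation(txt, minimum=2048):   # 2048 is the RFC 8301 floor the notes above cite
    bits = dkim_key_bits(txt)
    return bits is not None and bits < minimum

def constructed_record(bits):  # constructed sample around a synthetic modulus that is NOT a real key
    def der_int(v):
        b = v.to_bytes((v.bit_length() + 7) // 8, "big")
        return _tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)
    n = (1 << (bits - 1)) | 1             # top bit set, so bit_length() == bits
    rsa_pub = _tlv(0x30, der_int(n) + der_int(65537))
    spki = _tlv(0x30, _tlv(0x30, RSA_OID + b"\x05\x00") + _tlv(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Feed `needs_rotation` the TXT record of `<selector>._domainkey.<domain>` as returned by your resolver to find selectors still publishing pre-25.11 keys.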
NixOS 25.05
- OpenDKIM has been removed and DKIM signing is now handled by Rspamd, which only supports `relaxed` canonicalization. (merge request)
- Rspamd now connects to Redis over its Unix domain socket by default. (merge request) If you need to revert to TCP connections, configure `mailserver.redis.address` to reference the value of `config.services.redis.servers.rspamd.bind`.
- The integration with policyd-spf was removed and SPF handling is now fully based on Rspamd scoring. (merge request)
- Switch to the more efficient fts-flatcurve indexer for full text search. (merge request) This makes use of a new index, which will be automatically re-generated the next time a folder is searched. The operation is now quick enough to be performed "just-in-time". Alternatively, all indices can be immediately re-generated for all users and folders by running
  doveadm fts rescan -u '*' && doveadm index -u '*' -q '*'
  The previous index (which is not automatically discarded, to allow rollbacks) can be cleaned up by removing all the xapian-indexes directories within `mailserver.indexDir`.
- Individual domains can now be excluded from DMARC reporting through `mailserver.dmarcReporting.excludedDomains`. (merge request)
- Configuring `mailserver.forwards` is now possible when the setup relies on LDAP. (merge request)
- Support for TLS 1.1 was disabled in accordance with Mozilla's recommendations. (merge request)
NixOS 24.11
- No new features, only bug fixes and documentation improvements.
NixOS 24.05
- Add new option `acmeCertificateName`, which can be used to support wildcard certificates.
NixOS 23.11
- Add basic support for LDAP users.
- Add support for regex (PCRE) aliases.
NixOS 23.05
- Existing ACME certificates can be reused without configuring NGINX.
- Certificate scheme is no longer a number, but a meaningful string instead.
NixOS 22.11
- Allow Rspamd to send DMARC reporting. (merge request)
NixOS 22.05
- Make NixOS Mailserver options discoverable from search.nixos.org.
- Add a Roundcube setup guide to the documentation.
NixOS 21.11
- Switch default DKIM body policy from simple to relaxed. (merge request)
- Ensure locally-delivered mails have the X-Original-To header. (merge request)
- NixOS Mailserver options are detailed in the documentation.
- New options `dkimBodyCanonicalization` and `dkimHeaderCanonicalization`.
- New option `certificateDomains` to generate a certificate for additional domains (such as `imap.example.com`).
NixOS 21.05
- New `fullTextSearch` option to search in messages (based on Xapian). (merge request)
- Flake support. (merge request)
- New `openFirewall` option defaulting to true.
- We moved from Freenode to Libera Chat.
NixOS 20.09
- IMAP and Submission in TLS wrapped mode are now enabled by default on ports 993 and 465 respectively.
- OpenDKIM is now sandboxed with systemd.
- New `forwards` option to forward emails to external addresses. (merge request)
- New `sendingFqdn` option to specify the FQDN of the machine sending email. (merge request)
- Move the GitLab wiki to ReadTheDocs.