Fixes #1875 - Add Nginx SMTP dummy

[bwbroersma]

• Fixes Reverse mail server check on IP #1875

• When combining with Add post-quantum hybrid ECDHE-MLKEM for TLSv1.3 in our webserver #1886 two changes need to be made to also support post-quantum hybrid ECDHE-MLKEM in the SMTP STARTTLS dummy:

diff --git a/docker/webserver.Dockerfile b/docker/webserver.Dockerfile
index 4aded1fe..dc488004 100644
--- a/docker/webserver.Dockerfile
+++ b/docker/webserver.Dockerfile
@@ -3,6 +3,8 @@ FROM nginx:1.29.1-alpine3.22
 RUN apk add \
   # for random quic host key
   openssl \
+  # install GNU sed which has -z support instead of busybox sed
+  sed \
   # for htpasswd
   apache2-utils \
   # for gixy and certbot install
diff --git a/docker/webserver/nginx_templates/smtp.mail-conf.template b/docker/webserver/nginx_templates/smtp.mail-conf.template
index 42a1f1bb..268721d4 100644
--- a/docker/webserver/nginx_templates/smtp.mail-conf.template
+++ b/docker/webserver/nginx_templates/smtp.mail-conf.template
@@ -7,6 +7,7 @@ include conf.d/letsencrypt.conf;
 
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
+ssl_ecdh_curve SecP384r1MLKEM1024:X25519MLKEM768:SecP256r1MLKEM768:secp521r1:brainpoolP512r1:x448:brainpoolP384r1:secp384r1:x25519:secp256r1:brainpoolP256r1;
 
 server {
     listen        25;

docker exec -ti $(docker ps --filter name=internetnl-develop-webserver-1 -q) openssl s_client -starttls smtp -connect 127.0.0.1:25 -servername internet.test -groups X25519MLKEM768 |grep group

Negotiated TLS1.3 group: X25519MLKEM768

[aequitas]

@bwbroersma I'm currently reviewing, we might consider upstreaming a mail block implementation like how its done for streams: https://github.com/nginx/docker-nginx/blob/master/entrypoint/20-envsubst-on-templates.sh#L13 for the long term.

[aequitas]

I added a test, fixed the template variable substitution and simplified the template inclusion. 7220138

[beatquantum]

These are the curves I am using on nginx (without errors) and can be merged with your list above should you wish to future proof with pure PQC in addition to hybrids.

ssl_ecdh_curve MLKEM1024:MLKEM768:MLKEM512:SecP384r1MLKEM1024:SecP256r1MLKEM768:X25519MLKEM768:secp521r1:secp384r1:x448:secp256r1:x25519;

[bwbroersma]

@beatquantum: NCSC-NL 2025-05 advise internet.nl follows is to only use hybrid PQC. Of course deviations from that can still be configured in a self hosted instance or fork.

• Note the main issue for this is Add post-quantum hybrid ECDHE-MLKEM for TLSv1.3 in our webserver #1886

[bwbroersma]

Todo:

• upstream mail to 20-envsubst-on-templates.sh of docker-nginx.
• centralize include for 3 lines with ssl_protocols, ssl_ciphers (in OpenSSL 3.5 this can be in IANA format) and ssl_ecdh_curve (similar to http.headers), rebase on Add post-quantum hybrid ECDHE-MLKEM for TLSv1.3 in our webserver #1886 and use include conf.d/tls.conf; in mail-block (and remove include conf.d/letsencrypt.conf; since ssl_certificate moved to tls.conf).