fix(postfix): set smtp_tls_mandatory_protocols to require TLSv1.2 for outgoing connections

According to <https://www.postfix.org/postconf.5.html#smtp_tls_security_level> for outgoing connections with smtp_tls_security_level `encrypt` and higher (such as `verify` that we currently use) the setting `smtp_tls_mandatory_protocols` is used instead of `smtp_tls_protocols`. According to `postconf -d` (and `postconf` because the default is not changed) current setting value is `smtp_tls_mandatory_protocols = >=TLSv1`. But we only want to connect outside with TLS 1.2 and TLS 1.3. `smtp_tls_protocols` which was already set to `>= TLSv1.2` in commit 0155f32df6 only affected outgoing connections with the `may` level exception set for nauta.cu domain via `smtp_tls_policy_maps` which does not support STARTTLS at all.
2026-05-10 16:04:37 +00:00 · 2025-11-15 01:04:10 +00:00
parent 7b16f1330d
commit 3524b055db
1 changed files with 1 additions and 0 deletions
--- a/cmdeploy/src/cmdeploy/postfix/main.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
@@ -27,6 +27,7 @@ smtp_tls_servername = hostname
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtp_tls_policy_maps = inline:{nauta.cu=may}
 smtp_tls_protocols = >=TLSv1.2
+smtp_tls_mandatory_protocols = >=TLSv1.2
 smtpd_tls_protocols = >=TLSv1.2

 # Disable anonymous cipher suites