From 9ddf60d0fc8c912ca667c333959cfbbe615d7720 Mon Sep 17 00:00:00 2001
From: missytake <missytake@systemli.org>
Date: Fri, 8 Dec 2023 22:13:18 +0100
Subject: [PATCH 1/4] postfix: enforce TLS 1.2, disallow some insecure TLS
 ciphers

---
 cmdeploy/src/cmdeploy/postfix/main.cf.j2 | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/cmdeploy/src/cmdeploy/postfix/main.cf.j2 b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
index e46f13a3..2864ff31 100644
--- a/cmdeploy/src/cmdeploy/postfix/main.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
@@ -23,6 +23,8 @@ smtp_tls_CApath=/etc/ssl/certs
 smtp_tls_security_level=may
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix
+smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA, RC4, aNULL, DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA
 
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
 myhostname = {{ config.mail_domain }}

From 8d5f91bf986524a87faec7af453b4bd281b4bd5f Mon Sep 17 00:00:00 2001
From: link2xt <link2xt@testrun.org>
Date: Fri, 26 Jan 2024 19:42:18 +0000
Subject: [PATCH 2/4] postfix: use new syntax for TLS version

---
 cmdeploy/src/cmdeploy/postfix/main.cf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmdeploy/src/cmdeploy/postfix/main.cf.j2 b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
index 2864ff31..690cc661 100644
--- a/cmdeploy/src/cmdeploy/postfix/main.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
@@ -23,7 +23,7 @@ smtp_tls_CApath=/etc/ssl/certs
 smtp_tls_security_level=may
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix
-smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_protocols = >=TLSv1.2
 smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA, RC4, aNULL, DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA
 
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

From 6bc21869129b37b7c4fbd3d63a5338fb770e3a58 Mon Sep 17 00:00:00 2001
From: link2xt <link2xt@testrun.org>
Date: Fri, 26 Jan 2024 19:45:53 +0000
Subject: [PATCH 3/4] postfix: set tls_preempt_cipherlist

---
 cmdeploy/src/cmdeploy/postfix/main.cf.j2 | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/cmdeploy/src/cmdeploy/postfix/main.cf.j2 b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
index 690cc661..e5a02dd9 100644
--- a/cmdeploy/src/cmdeploy/postfix/main.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
@@ -26,6 +26,14 @@ smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix
 smtpd_tls_protocols = >=TLSv1.2
 smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA, RC4, aNULL, DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA
 
+# Override client's preference order.
+# <https://www.postfix.org/postconf.5.html#tls_preempt_cipherlist>
+#
+# This is mostly to ensure cipher suites with forward secrecy
+# are preferred over non cipher suites without forward secrecy.
+# See <https://www.postfix.org/FORWARD_SECRECY_README.html#server_fs>.
+tls_preempt_cipherlist = yes
+
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
 myhostname = {{ config.mail_domain }}
 alias_maps = hash:/etc/aliases

From 5bbb3d9b216b3f567d187648fc8ed6d8b4d54182 Mon Sep 17 00:00:00 2001
From: link2xt <link2xt@testrun.org>
Date: Fri, 26 Jan 2024 19:52:15 +0000
Subject: [PATCH 4/4] Rewrite and document `smtpd_tls_exclude_ciphers`

---
 cmdeploy/src/cmdeploy/postfix/main.cf.j2 | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/cmdeploy/src/cmdeploy/postfix/main.cf.j2 b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
index e5a02dd9..21c869ea 100644
--- a/cmdeploy/src/cmdeploy/postfix/main.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
@@ -24,7 +24,22 @@ smtp_tls_security_level=may
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix
 smtpd_tls_protocols = >=TLSv1.2
-smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA, RC4, aNULL, DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA
+
+# Disable anonymous cipher suites
+# and known insecure algorithms.
+#
+# Disabling anonymous ciphers
+# does not generally improve security
+# because clients that want to verify certificate
+# will not select them anyway,
+# but makes cipher suite list shorter and security scanners happy.
+# See <https://www.postfix.org/TLS_README.html> for discussion.
+#
+# Only ancient insecure ciphers should be disabled here
+# as MTA clients that do not support more secure cipher
+# likely do not support MTA-STS either and will
+# otherwise fall back to using plaintext connection.
+smtpd_tls_exclude_ciphers = aNULL, RC4, MD5, DES
 
 # Override client's preference order.
 # <https://www.postfix.org/postconf.5.html#tls_preempt_cipherlist>