From 9ddf60d0fc8c912ca667c333959cfbbe615d7720 Mon Sep 17 00:00:00 2001
From: missytake <missytake@systemli.org>
Date: Fri, 8 Dec 2023 22:13:18 +0100
Subject: [PATCH] postfix: enforce TLS 1.2, disallow some insecure TLS ciphers

---
 cmdeploy/src/cmdeploy/postfix/main.cf.j2 | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/cmdeploy/src/cmdeploy/postfix/main.cf.j2 b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
index e46f13a3..2864ff31 100644
--- a/cmdeploy/src/cmdeploy/postfix/main.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
@@ -23,6 +23,8 @@ smtp_tls_CApath=/etc/ssl/certs
 smtp_tls_security_level=may
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix
+smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA, RC4, aNULL, DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA
 
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
 myhostname = {{ config.mail_domain }}