postfix: tls++ like in ssl-config.mozilla.org intermediate

2021-01-14 23:35:02 +01:00 · 2021-01-14 23:35:02 +01:00 · ad48d5243b
parent cf9084c620
commit ad48d5243b
1 changed files with 6 additions and 5 deletions
--- a/templates/postfix/main.cf
+++ b/templates/postfix/main.cf
@ -23,10 +23,9 @@ queue_run_delay = 5m
 ## TLS settings
 ###

-tls_preempt_cipherlist = yes
+tls_preempt_cipherlist = no
 tls_ssl_options = NO_COMPRESSION
-tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
-
+tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

 ### Outbound SMTP connections (Postfix as sender)

@ -45,8 +44,10 @@ smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

 ### Inbound SMTP connections
 smtpd_tls_security_level = may
-smtpd_tls_protocols = !SSLv2, !SSLv3
-smtpd_tls_ciphers = high
+smtpd_tls_auth_only = yes
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_mandatory_ciphers = medium
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

 smtpd_tls_key_file = /etc/dehydrated/certs/{{ mailserver_cert_domains.split(' ')[0] }}/privkey.pem