From 08ddca07c8a2d9f4b6fef583c07b6e8b21e9233b Mon Sep 17 00:00:00 2001
From: Julian Rother
Date: Sun, 9 Feb 2025 03:12:18 +0100
Subject: [PATCH] Require TLSv1.2 for submission

---
 templates/postfix/master.cf.j2 | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/templates/postfix/master.cf.j2 b/templates/postfix/master.cf.j2
index 4046367..ca84896 100644
--- a/templates/postfix/master.cf.j2
+++ b/templates/postfix/master.cf.j2
@@ -19,6 +19,9 @@ submission inet n - y - - smtpd
 -o smtpd_tls_security_level=encrypt
 -o smtpd_tls_cert_file=$mua_tls_cert_file
 -o smtpd_tls_key_file=$mua_tls_key_file
+ -o smtpd_tls_mandatory_protocols=>=TLSv1.2
+ -o smtpd_tls_mandatory_ciphers=high
+ -o tls_high_cipherlist=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 -o syslog_name=postfix/submission
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_reject_unlisted_recipient=no
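Review bot: The added `-o smtpd_tls_mandatory_protocols=>=TLSv1.2` uses the `>=` protocol-bound syntax, which as far as I know is only understood by Postfix 3.6 and later; if this template is ever rendered for a host running an older Postfix, the floor would need the exclusion form `-o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1`, or the role should state the minimum version, e.g. `{# '>=TLSv1.2' needs Postfix >= 3.6 #}` above the service entry. The `tls_high_cipherlist` override only constrains TLS 1.2 and below (TLS 1.3 suites are not selected through it), and Postfix's documentation advises against changing that parameter, so a short comment saying where the list comes from and when to revisit it would help the next maintainer. The two DHE-RSA entries depend on the server's DH parameters, which this hunk does not show. The `submission` entry starts on the hunk-header line and may continue past the last context line, so whether an `smtps`/`submissions` service elsewhere in the template gets the same floor cannot be checked from here.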