Force TLS1.1 as minimum TLS version

2023-11-19 19:27:03 +01:00 · 2023-11-19 19:27:03 +01:00 · 64a12f24c2
parent e565f74dd6
commit 64a12f24c2
1 changed files with 3 additions and 5 deletions
--- a/templates/postfix/main.cf.j2
+++ b/templates/postfix/main.cf.j2
@ -41,9 +41,8 @@ smtpd_tls_key_file = {{ postfix_smtpd_tls_key_file }}
 smtpd_tls_ciphers = medium
 smtpd_tls_mandatory_ciphers = medium
 smtpd_tls_exclude_ciphers = aNULL, eNULL, MD5, DES, 3DES, DES-CBC3-SHA, RC4-SHA, AES256-SHA, AES128-SHA, DHE-RSA-AES256-SHA
-#Einige berechtigte Mailserver nutzen nur TLSv1
-#smtpd_tls_mandatory_protocols = !TLSv1
-#smtpd_tls_protocols = !TLSv1
+smtpd_tls_mandatory_protocols = >=TLSv1.1
+smtpd_tls_protocols = >=TLSv1.1
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtpd_tls_session_cache_timeout = 7200s
 smtpd_tls_loglevel = 1
@ -58,8 +57,7 @@ smtp_tls_security_level = dane
 smtp_dns_support_level = dnssec
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtp_tls_session_cache_timeout = 7200s
-#Some mailserver use only TLSv1. Hence we can't disable it.
-#smtp_tls_protocols = !TLSv1
+smtp_tls_protocols = >=TLSv1.1
 {% if postfix_smtp_tls_policy_maps is defined %}
 smtp_tls_policy_maps =
 {% for map in postfix_smtp_tls_policy_maps %}