From 64a12f24c2019b468b1edeb1c1b6f3a33dc020f2 Mon Sep 17 00:00:00 2001
From: phil
Date: Sun, 19 Nov 2023 19:27:03 +0100
Subject: [PATCH] Force TLS1.1 as minimum TLS version

---
 templates/postfix/main.cf.j2 | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/templates/postfix/main.cf.j2 b/templates/postfix/main.cf.j2
index cf7ba19..b654a0b 100644
--- a/templates/postfix/main.cf.j2
+++ b/templates/postfix/main.cf.j2
@@ -41,9 +41,8 @@ smtpd_tls_key_file = {{ postfix_smtpd_tls_key_file }}
 smtpd_tls_ciphers = medium
 smtpd_tls_mandatory_ciphers = medium
 smtpd_tls_exclude_ciphers = aNULL, eNULL, MD5, DES, 3DES, DES-CBC3-SHA, RC4-SHA, AES256-SHA, AES128-SHA, DHE-RSA-AES256-SHA
-#Einige berechtigte Mailserver nutzen nur TLSv1
-#smtpd_tls_mandatory_protocols = !TLSv1
-#smtpd_tls_protocols = !TLSv1
+smtpd_tls_mandatory_protocols = >=TLSv1.1
+smtpd_tls_protocols = >=TLSv1.1
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtpd_tls_session_cache_timeout = 7200s
 smtpd_tls_loglevel = 1
@@ -58,8 +57,7 @@ smtp_tls_security_level = dane
 smtp_dns_support_level = dnssec
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtp_tls_session_cache_timeout = 7200s
-#Some mailserver use only TLSv1. Hence we can't disable it.
-#smtp_tls_protocols = !TLSv1
+smtp_tls_protocols = >=TLSv1.1
 {% if postfix_smtp_tls_policy_maps is defined %}
 smtp_tls_policy_maps = {% for map in postfix_smtp_tls_policy_maps %}
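Review bot: The new `smtpd_tls_mandatory_protocols = >=TLSv1.1` / `smtpd_tls_protocols = >=TLSv1.1` lines pick a floor that is itself deprecated (TLS 1.0 and 1.1 were formally deprecated by RFC 8996), and the commit drops the old comment that explained why a low floor was kept, so the next maintainer cannot tell whether 1.1 is a deliberate compatibility choice or an oversight. If legacy peers are the reason, keep that rationale above the setting, e.g. `# TLSv1.0/1.1 are deprecated (RFC 8996); floor kept at 1.1 only for legacy peers, raise to >=TLSv1.2 once they are gone`; if not, `>=TLSv1.2` is the value to ship. The `>=` operator form is only understood by Postfix 3.6 and later, and on older releases an unrecognised protocol token is, as far as I recall, logged as a warning rather than enforced, so the role should either pin a minimum Postfix version or keep the `!SSLv2, !SSLv3, !TLSv1` exclusion syntax for older targets — worth confirming against the deployed version. The same two points apply to the `smtp_tls_protocols = >=TLSv1.1` line in the second hunk, which continues past the end of the visible patch.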