From 90823b79844ff53d4762cbf6d966f31ab3e197b6 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann <hi@kunsmann.eu>
Date: Tue, 20 Dec 2022 08:55:44 +0100
Subject: [PATCH] bundles/postfix: lessen smtpd security restrictions

---
 bundles/postfix/files/main.cf | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/bundles/postfix/files/main.cf b/bundles/postfix/files/main.cf
index 403c2ea..bb647fc 100644
--- a/bundles/postfix/files/main.cf
+++ b/bundles/postfix/files/main.cf
@@ -48,13 +48,17 @@ smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated
 smtpd_helo_required = yes
 smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname
 smtpd_data_restrictions = reject_unauth_pipelining
+
+# generated using mozilla ssl generator, using "old" configuration.
+# we need this to support CentOS 7 systems, sadly ...
+# https://ssl-config.mozilla.org/#server=postfix&version=3.5.13&config=old&openssl=1.1.1k&guideline=5.6
 smtpd_tls_security_level = may
-smtpd_tls_mandatory_ciphers = high
-smtpd_tls_exclude_ciphers = aNULL,LOW,EXP,MEDIUM,ADH,AECDH,MD5,DSS,ECDSA,CAMELLIA128,3DES,CAMELLIA256,RSA+AES,eNULL
-smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
-smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
-smtpd_tls_ciphers = medium
 smtpd_tls_auth_only = yes
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtpd_tls_protocols = !SSLv2, !SSLv3
+smtpd_tls_mandatory_ciphers = medium
+tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
+tls_preempt_cipherlist = yes
 </%text>
 
 relay_domains = $mydestination, pgsql:/etc/postfix/pgsql/relay_domains.cf