From 21c0b67ac2228d78066e23d36ffa70ec9e446bcc Mon Sep 17 00:00:00 2001
From: yuri
Date: Tue, 19 Sep 2023 17:13:36 +0200
Subject: [PATCH] Configure TLS settings on mail relay
---
 config/hosts/mail-2/postfix.nix | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/config/hosts/mail-2/postfix.nix b/config/hosts/mail-2/postfix.nix
index eb88cdf..b7e54f3 100644
--- a/config/hosts/mail-2/postfix.nix
+++ b/config/hosts/mail-2/postfix.nix
@@ -15,6 +15,23 @@
 smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
 proxy_interfaces = 217.160.117.160
 relay_recipient_maps =
+ smtp_tls_ciphers = high
+ smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
+ smtp_tls_mandatory_ciphers = high
+ smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
+ smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
+ smtp_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
+ smtpd_tls_auth_only = yes
+ smtpd_tls_ciphers = high
+ smtpd_tls_eecdh_grade = ultra
+ smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
+ smtpd_tls_loglevel = 1
+ smtpd_tls_mandatory_ciphers = high
+ smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
+ smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
+ smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
+ tls_preempt_cipherlist = yes
+ tls_random_source = dev:/dev/urandom
 '';
 };
 }
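Review bot: All four `*_protocols` lines still permit TLSv1.1, which RFC 8996 deprecates together with TLSv1.0, and they list protocols to include where Postfix's documentation recommends the exclusion form. An exclusion-only value such as `!SSLv2, !SSLv3, !TLSv1, !TLSv1.1` leaves TLSv1.2 and TLSv1.3 enabled. In the four `*_exclude_ciphers` lists, `PSD` is not an OpenSSL cipher keyword and is presumably meant to be `PSK`, so as written that entry most likely excludes nothing. The hunk sets neither `smtp_tls_security_level` nor `smtpd_tls_security_level`, and the `*_mandatory_*` parameters only take effect at level `encrypt` or stronger, so it is worth confirming that both are set in the part of the file outside the hunk.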