From a4f5536f12d30d683072c65c21da4afc31d95cb0 Mon Sep 17 00:00:00 2001
From: Fritz Grimpen
Date: Tue, 17 Sep 2024 16:53:39 +0000
Subject: [PATCH] Stricter TLS ciphersuites for Postfix (SMTP)

---
 roles/postfix/vars/main.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/roles/postfix/vars/main.yml b/roles/postfix/vars/main.yml
index 55fdfc4..5d0df07 100644
--- a/roles/postfix/vars/main.yml
+++ b/roles/postfix/vars/main.yml
@@ -353,6 +353,14 @@ postfix_config:
     value: 'aNULL'
     state: present
 
+  - name: smtpd_tls_mandatory_protocols
+    value: 'TLSv1.2 TLSv1.3'
+    state: present
+
+  - name: smtpd_tls_protocols
+    value: 'TLSv1.2 TLSv1.3'
+    state: present
+
   - name: smtpd_tls_received_header
     value: 'yes'
     state: present
@@ -370,7 +378,8 @@ postfix_config:
     state: present
 
   - name: tls_high_cipherlist
-    value: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
+    value: |-
+      'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
     state: present
 
   - name: tls_ssl_options
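Review bot: The new `smtpd_tls_protocols` entry governs opportunistic TLS, where a sending MTA that cannot negotiate TLS 1.2 or 1.3 falls back to cleartext rather than failing, so restricting it to `TLSv1.2 TLSv1.3` trades confidentiality for those legacy peers; the `smtpd_tls_mandatory_protocols` entry is the safe half of this change and should be the strict one. Postfix documents the positive "list to include" form as supported but not recommended, because it will not pick up future protocol versions; on Postfix 3.6 and later `value: '>=TLSv1.2'` is the preferred spelling, and on older releases the exclusion form `value: '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1'` does the same job. Only the server side is touched here; whether the client side (`smtp_tls_protocols` / `smtp_tls_mandatory_protocols`) is set to match cannot be seen from this hunk and should be verified elsewhere in the file. The `postfix_config` list begins before this hunk.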
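Review bot: Switching `tls_high_cipherlist` to a `|-` literal block scalar makes the surrounding single quotes part of the value, so the rendered setting begins with `'ECDHE-ECDSA-AES128-GCM-SHA256` and ends with `DHE-RSA-AES256-GCM-SHA384'`; OpenSSL silently skips cipher names it does not recognise, so the first and last suites would be dropped without any error, and depending on how the role writes values the quotes may also land verbatim in main.cf. Keep the quotes as YAML quoting rather than content, `value: 'ECDHE-ECDSA-AES128-GCM-SHA256:...:DHE-RSA-AES256-GCM-SHA384'` on one line, or use `value: >-` with an unquoted body if line length is the concern. Note also that `tls_high_cipherlist` is only consulted when the cipher grade is `high` (`smtpd_tls_ciphers` / `smtpd_tls_mandatory_ciphers`), which this hunk does not show, and that Postfix advises against tightening ciphers for opportunistic TLS since the alternative for a non-matching peer is cleartext. The `postfix_config` list continues past this hunk.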