From a74c9a1e87538126204c8653f9fe8e2c1b80a9f0 Mon Sep 17 00:00:00 2001
From: Pierre Jaury
Date: Mon, 23 Jan 2017 21:29:02 +0100
Subject: [PATCH] Apply strong TLS to opportunistic encryption as well

---
 postfix/conf/main.cf | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/postfix/conf/main.cf b/postfix/conf/main.cf
index 8545da30..366bee37 100644
--- a/postfix/conf/main.cf
+++ b/postfix/conf/main.cf
@@ -29,6 +29,10 @@ relayhost = {{ RELAYHOST }}
 # TLS
 ###############
+# General TLS configuration
+tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
+tls_preempt_cipherlist = yes
+
 # Only one key/certificate pair is used, SNI not being supported by all
 # services and not a strong requirement. Also, TLS is enforced for submission
 # and smtps in master.cf.
@@ -40,9 +44,11 @@ smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 # Server-side TLS is hardened, it should be up to the client to update his or
 # her TLS stack in order to connect to the mail server. Hardening is based on
 # https://bettercrypto.org/static/applied-crypto-hardening.pdf
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtpd_tls_protocols = !SSLv2, !SSLv3
+smtpd_tls_ciphers = high
 smtpd_tls_mandatory_ciphers = high
-tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
+
 # Outgoing TLS is more flexible because 1. not all receiving servers will
 # support TLS, 2. not all will have and up-to-date TLS stack.
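Review bot: `tls_preempt_cipherlist = yes` in the new "General TLS configuration" block switches cipher selection from the client's preference order to the server's, and the only comment above it is the one-line heading, so the reason for the change and its trade-off are not recorded. Postfix's own documentation for this parameter notes that server-side preference can land on a cipher that an older client advertises but implements poorly, so this is a deliberate interoperability choice rather than a free hardening win. I would state that next to the setting, for example `# Prefer the server's cipher order over the client's; this favours the AEAD/ECDHE suites listed first in tls_high_cipherlist at some cost in interoperability with old clients.` The cipher string itself is only moved here from further down the file and is not changed by this commit.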
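Review bot: `smtpd_tls_ciphers = high` applies the `high` grade to opportunistic server-side TLS, which is the mode where a peer that cannot negotiate any offered cipher is not rejected but, in the usual opportunistic model, simply ends up delivering in cleartext on a retry, so for senders with an outdated stack the practical result is likely no encryption rather than weaker encryption. That may be an acceptable trade-off given the "it should be up to the client to update his or her TLS stack" comment a few lines above, but the comment speaks about mandatory hardening and does not mention this fallback behaviour. I would document it on the new line, for example `# Also require the high cipher grade for opportunistic STARTTLS; peers that cannot meet it will fall back to plaintext, so watch the TLS handshake failures in the mail log.` The same caveat applies to the `smtpd_tls_mandatory_protocols` line, though that one only restates the protocol list already used for `smtpd_tls_protocols`.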