postfix expects listed TLS-versions.

2020-12-27 17:41:00 +01:00 · 2020-12-27 17:41:00 +01:00 · 3049e878a0
parent 2fe2645da8
commit 3049e878a0
1 changed files with 8 additions and 8 deletions
--- a/tasks/postfix.yml
+++ b/tasks/postfix.yml
@ -35,16 +35,16 @@
    smtpd_tls_auth_only: 'yes'
    tls_ssl_options: NO_COMPRESSION
    # Some servers are crapy.  If we provide only TLSv1.2, he would try it unencrypted again.
-    smtpd_tls_mandatory_protocols: '>=TLSv1.2'
-    smtpd_tls_protocols: '>=TLSv1.2'
+    smtpd_tls_mandatory_protocols: 'TLSv1.2, TLSv1.3'
+    smtpd_tls_protocols: 'TLSv1.2, TLSv1.3'
    # Same for sending mails: :/
-    smtp_tls_mandatory_protocols: '>=TLSv1.2'
-    smtp_tls_protocols: '>=TLSv1.2'
+    smtp_tls_mandatory_protocols: 'TLSv1.2, TLSv1.3'
+    smtp_tls_protocols: 'TLSv1.2, TLSv1.3'
    # Internal/Clients must support better crypto:
-    lmtp_tls_mandatory_protocols: '>=TLSv1.2'
-    lmtp_tls_protocols: '>=TLSv1.2'
-    submission_tls_mandatory_protocols: '>=TLSv1.2'
-    submission_tls_protocols: '>=TLSv1.2'
+    lmtp_tls_mandatory_protocols: 'TLSv1.2, TLSv1.3'
+    lmtp_tls_protocols: 'TLSv1.2, TLSv1.3'
+    submission_tls_mandatory_protocols: 'TLSv1.2, TLSv1.3'
+    submission_tls_protocols: 'TLSv1.2, TLSv1.3'
    smtpd_tls_mandatory_ciphers: high
    #tls_high_cipherlist: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
    smtpd_tls_exclude_ciphers: MD5, DES, eNULL, 3DES, EXP, RC4, DSS, PSK, SEED, IDEA, ECDSA, aNULL