From 3049e878a0bc8c427fbd2bad33e513975056c2b6 Mon Sep 17 00:00:00 2001
From: Denis Knauf
Date: Sun, 27 Dec 2020 17:41:00 +0100
Subject: [PATCH] postfix expects listed TLS-versions.
---
 tasks/postfix.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/tasks/postfix.yml b/tasks/postfix.yml
index 9cd1966..6615082 100644
--- a/tasks/postfix.yml
+++ b/tasks/postfix.yml
@@ -35,16 +35,16 @@
 smtpd_tls_auth_only: 'yes'
 tls_ssl_options: NO_COMPRESSION
 # Some servers are crapy. If we provide only TLSv1.2, he would try it unencrypted again.
- smtpd_tls_mandatory_protocols: '>=TLSv1.2'
- smtpd_tls_protocols: '>=TLSv1.2'
+ smtpd_tls_mandatory_protocols: 'TLSv1.2, TLSv1.3'
+ smtpd_tls_protocols: 'TLSv1.2, TLSv1.3'
 # Same for sending mails: :/
- smtp_tls_mandatory_protocols: '>=TLSv1.2'
- smtp_tls_protocols: '>=TLSv1.2'
+ smtp_tls_mandatory_protocols: 'TLSv1.2, TLSv1.3'
+ smtp_tls_protocols: 'TLSv1.2, TLSv1.3'
 # Internal/Clients must support better crypto:
- lmtp_tls_mandatory_protocols: '>=TLSv1.2'
- lmtp_tls_protocols: '>=TLSv1.2'
- submission_tls_mandatory_protocols: '>=TLSv1.2'
- submission_tls_protocols: '>=TLSv1.2'
+ lmtp_tls_mandatory_protocols: 'TLSv1.2, TLSv1.3'
+ lmtp_tls_protocols: 'TLSv1.2, TLSv1.3'
+ submission_tls_mandatory_protocols: 'TLSv1.2, TLSv1.3'
+ submission_tls_protocols: 'TLSv1.2, TLSv1.3'
 smtpd_tls_mandatory_ciphers: high
 #tls_high_cipherlist: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
 smtpd_tls_exclude_ciphers: MD5, DES, eNULL, 3DES, EXP, RC4, DSS, PSK, SEED, IDEA, ECDSA, aNULL
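Review bot: The include-list value `'TLSv1.2, TLSv1.3'` on all eight `*_tls_protocols` and `*_tls_mandatory_protocols` keys only works where the installed Postfix recognises the name `TLSv1.3`, and it will leave out any later protocol version until someone edits the list. As far as I know an unrecognised protocol name makes Postfix treat the whole list as invalid, which next to `smtpd_tls_auth_only: 'yes'` is worth testing on the oldest target this role supports. For Postfix releases without the `>=` syntax the exclusion form sets the same floor without naming the upper versions, e.g. `smtpd_tls_protocols: '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1'`, with the same value on the smtp, lmtp and submission keys, and a comment such as `# listed form: this Postfix does not accept '>=TLSv1.2'` would record why the range syntax was dropped. The existing comment above the smtpd lines says that offering only TLSv1.2 makes some peers retry unencrypted, which does not match a TLSv1.2 floor on the opportunistic `smtpd_tls_protocols` and `smtp_tls_protocols`, so either the comment or the floor on those two keys should be revisited. The mapping these keys belong to starts and ends outside the hunk.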